Scheduled Task/Job - The Most Used MITRE ATT&CK Persistence Technique

Picus Labs published The Red Report 2023 research and the 10 Most Prevalent MITRE ATT&CK techniques used by adversaries. The study analyzes over 200,000 malware samples and gives insights to help you defend.

We are continuing our blog series on the techniques listed in The Picus Red Report 2023 Top Ten List. In this blog, we explain the T1053 Scheduled Task/Job technique of the MITRE ATT&CK framework.

MITRE ATT&CK T1053 Scheduled Task/Job

Establishing persistence in the victim’s network is an essential objective for adversaries. Otherwise, they would need to repeat their initial access tactics to access the target system each time and risk being detected. Adversaries use task scheduling utilities of operating systems to execute malicious payloads on a defined schedule or at system startup to achieve persistence. 

Operating systems and platforms provide utilities to automate the execution of programs or scripts on a defined schedule:

  • schtasks.exe (Microsoft Windows)
  • at.exe (Microsoft Windows)
  • at (Linux)
  • cron (Linux)
  • launchd (macOS)
  • systemd timers (Linux)
  • cronjobs (Kubernetes)

What is a Scheduled Task/Job?

A scheduled task or job is a command, program, or script to be executed periodically (e.g., every Friday at 1:00 a.m.) or when a certain event occurs (e.g., a user logs on to the system). Legitimate users, like domain administrators, use scheduled tasks to create and run operational tasks automatically.

Sub-technique 1:  Scheduled Task/Job: T1053.001 At (Linux)

at is a command-line tool that allows users to schedule commands in various operating systems, such as Unix-like operating systems (e.g., BSD, macOS, and Linux distributions) and Microsoft Windows. Although this sub-technique covers the at command within Linux, it may be extended to other Unix-like operating systems.

Adversary Use of At (Linux)

The at utility in Linux allows users to schedule commands to be executed only once at a particular time. An adversary may use the at command to schedule one-time execution of malicious code at a point in time in the future.

Sub-technique 2: Scheduled Task/Job: T1053.002 At (Windows)

In addition to a graphical user interface (GUI) for Task Scheduler, Microsoft Windows offers two native command-line utilities for task scheduling: schtasks.exe and at.exe.

There are two requirements to use the at command in Windows:

  • The user must be logged on as a Local Administrator.
  • The Task Scheduler service must be running.

Adversary Use of At (Windows)

Adversaries utilize at.exe to create recurring tasks that run periodically. For example, at.exe can be used to establish persistence and keep reverse shell sessions alive.

at.exe can also be used to run a command on remote systems. For example, the TG-0416 Threat Group uses at.exe for lateral movement [1]. The BRONZE BUTLER APT group uses the at command to execute a malicious batch file on a remote system during lateral movement.

Sub-technique 3: Scheduled Task/Job: T1053.003 At (Cron)

Cron is a utility to configure scheduled tasks in Unix-like operating systems. It can schedule tasks to periodically execute a command, script, or program. As mentioned above, at is also a task scheduling utility in Unix-like OSs. However, they have different use cases. While cron is suitable for repetitive tasks, at is suitable for one-time tasks.

Adversary Use of At (Cron)

Adversaries use cron to establish persistence and execute their malicious payloads at regular intervals. For example, attackers use cron to run the downloaded malicious payload every minute in the Ngrok Mining Botnet campaign.
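For defenders, the pattern described above (a job that fires every minute or so and pulls content from the network) can be looked for directly in crontab text. The following is an added example, not code from the report; the interval threshold, the curl/wget heuristic and the sample crontab are assumptions made for illustration.

```python
import re

FETCH_RE = re.compile(r"\b(curl|wget)\b")  # heuristic list chosen for this example
NICKNAMES = {"@reboot", "@yearly", "@annually", "@monthly",
             "@weekly", "@daily", "@midnight", "@hourly"}

def parse_crontab(text):
    """Yield (schedule, command) for each job line of a user crontab."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if re.match(r"[A-Za-z_]\w*\s*=", line):
            continue                      # environment assignment (MAILTO=...)
        head = line.split(None, 1)
        if head[0] in NICKNAMES:
            yield head[0], head[1] if len(head) == 2 else ""
            continue
        fields = line.split(None, 5)      # five time fields, then the command
        if len(fields) == 6:
            yield " ".join(fields[:5]), fields[5]

def minute_interval(schedule):
    """Minutes between runs for '* * * * *' or '*/N * * * *', else None."""
    parts = schedule.split()
    if len(parts) != 5 or parts[1:] != ["*"] * 4:
        return None
    if parts[0] == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", parts[0])
    return int(m.group(1)) if m else None

def audit(text, max_interval=5):
    """Return (schedule, command, reasons) for entries worth an analyst's look."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        interval = minute_interval(schedule)
        if interval is not None and interval <= max_interval:
            reasons.append(f"runs every {interval} min")
        if FETCH_RE.search(command):
            reasons.append("fetches remote content")
        if reasons:
            findings.append((schedule, command, reasons))
    return findings

# Constructed sample crontab (203.0.113.0/24 is a documentation address range).
SAMPLE = ("MAILTO=root\n0 3 * * 0 /usr/local/bin/backup.sh\n"
          "*/15 * * * * curl -fsS https://status.example.com/ping\n"
          "* * * * * /tmp/.cache/upd.sh\n"
          "* * * * * wget -q http://203.0.113.10/job -O /tmp/job\n")
```

Entries that match both conditions deserve the earliest review; a single match is common in legitimate crontabs and is only a prompt to check the command.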

Sub-technique 4: Scheduled Task/Job: T1053.004 Launchd

Launchd is the OS service management daemon that boots the system and loads and maintains services for macOS. It is similar to Service Control Manager on Microsoft Windows and systemd on Linux distributions.

Adversary Use of Launchd

Launchd is the first process launched after the kernel when a macOS system starts up. Adversaries use the launchd daemon to schedule their malicious executables to run at system startup. As an example, the Olyx macOS backdoor uses launchd to ensure the backdoor executable automatically launches when the user logs in [2]. 

Sub-technique 5: Scheduled Task/Job: T1053.005 Scheduled Task

This sub-technique refers to Windows Task Scheduler [3]. Windows Task Scheduler enables users to schedule tasks with time-based or event-based triggers.

  • A time-based trigger runs the scheduled task at a certain time or at a specified time interval, such as daily, weekly, or monthly.
  • An event-based trigger runs the scheduled task at a specific system event, such as when a user logs on, or the system starts up.

Task Scheduler also supports the use of multiple triggers.

Adversary Use of Scheduled Task

The most common method is running schtasks on the command line. For example, the Quakbot banking trojan uses schtasks.exe on the command line to create a scheduled task that executes a JavaScript downloader [4]. Adversaries also use a .NET wrapper, or the Windows netapi32 library to create a scheduled task to run the payload on the remote system as used by the Disttrack wiper malware [5]. Some attackers with visual remote access to the target system use Task Scheduler GUI within the Control Panel to create scheduled tasks.

Sub-technique 6: Scheduled Task/Job: T1053.006 Systemd Timers

Systemd provides timers that can be used as an alternative to cron. Timers provided by systemd include built-in support for calendar and monotonic time events, as well as the ability to run asynchronously. Therefore, adversaries can abuse systemd timers to perform task scheduling [6].

Like cron jobs, systemd timers enable adversaries to trigger a script or program at specified intervals (e.g., once a week, every 5 minutes during business hours from 8 a.m. to 6 p.m., on the first Monday of each month) [7]. 

Systemd timers also allow for more precise control of events than cron jobs do. For example, they enable attackers to trigger a script or program to run a specific time after an event, such as startup, completion of a previous task, or even the completion of the service unit called by the timer.

Adversary Use of Systemd Timers

Malware found in the Arch Linux AUR package repository uses systemd timers [8]. When the user installs the xeactor package, the user’s machine downloads and executes the "x.sh" file. Then, the x.sh file downloads and executes another file named "u.sh", modifies systemd, and adds a timer to run the "u.sh" file every 360 seconds with the below code [8]:

 

SYSTEMD_TIMER="[Timer]
OnCalendar=4d
Persistent=true
OnActiveSec=360
[Install]
WantedBy=timers.target"
SYSTEMD_SERVICE="[Unit]
Type=simple
ExecStart=/usr/lib/xeactor/u.sh"
echo "$SYSTEMD_SERVICE" > usr/lib/systemd/system/xeactor.service
echo "$SYSTEMD_TIMER" > usr/lib/systemd/system/xeactor.timer
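A timer only tells you when something runs; to see what it runs, an audit has to follow the timer to the unit it activates. The following is an added example, not code from the report or from the malware: it takes unit-file contents, skips timers in a known-good baseline, and reports each remaining timer with its triggers and the command of the activated service. The baseline, the logrotate units and the [Service] layout of the sample are assumptions; the xeactor names are reused from the snippet above.

```python
def parse_unit(text):
    """Parse unit-file text into {section: [(key, value), ...]}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def values(unit, section, key):
    return [v for k, v in unit.get(section, []) if k == key]

def audit_timers(units, baseline):
    """units: {filename: text}; baseline: timer filenames already known and expected."""
    findings = []
    for name in sorted(units):
        if not name.endswith(".timer") or name in baseline:
            continue
        timer = parse_unit(units[name])
        # A timer activates the unit named by Unit= in [Timer]; without it,
        # the unit with the same name and a .service suffix.
        explicit = values(timer, "Timer", "Unit")
        target = explicit[-1] if explicit else name[:-len(".timer")] + ".service"
        service = parse_unit(units.get(target, ""))
        findings.append({
            "timer": name,
            "activates": target,
            "triggers": {k: v for k, v in timer.get("Timer", []) if k.startswith("On")},
            "persistent": "true" in values(timer, "Timer", "Persistent"),
            "exec": values(service, "Service", "ExecStart"),
        })
    return findings

# Constructed sample: one expected timer and one modeled on the xeactor names above.
SAMPLE_UNITS = {
    "logrotate.timer": "[Timer]\nOnCalendar=daily\nPersistent=true\n"
                       "[Install]\nWantedBy=timers.target\n",
    "logrotate.service": "[Service]\nType=oneshot\n"
                         "ExecStart=/usr/sbin/logrotate /etc/logrotate.conf\n",
    "xeactor.timer": "[Timer]\nOnCalendar=4d\nPersistent=true\nOnActiveSec=360\n"
                     "[Install]\nWantedBy=timers.target\n",
    "xeactor.service": "[Service]\nType=simple\nExecStart=/usr/lib/xeactor/u.sh\n",
}
```

On a live host the `units` mapping would be filled from the systemd unit directories, and the baseline taken from a trusted image or package manifest.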

Sub-technique 7: Scheduled Task/Job: T1053.007 Container Orchestration Job

Container Orchestration Job covers task scheduling functionalities provided by container orchestration tools. For example, Kubernetes provides the CronJob workload (application) for task scheduling similar to cron jobs on a Linux system. Adversaries may abuse this functionality to schedule the deployment of containers configured to execute malicious code [9]. 

A CronJob generates Jobs on a recurring basis, and a Job can be used to run containers that perform finite tasks for batch jobs [10]. A CronJob object corresponds to a single line in a crontab (cron table) file in Linux [11]. It executes a job on a specified schedule in Cron format.

Adversary use of Container Orchestration Job

A CronJob is used to automate routine tasks such as backups and report generation. Each of those tasks should be configured to repeat indefinitely (for example, once a day/week/month); you can specify a time interval within which the job should begin. Attackers may use CronJobs to schedule the execution of malicious code that would run as a container in the cluster [10].
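Because every CronJob is an API object, a cluster's scheduled workloads can be inventoried and compared with what the platform team expects. The following is an added example, not code from the report: it reads the JSON produced by `kubectl get cronjobs --all-namespaces -o json` and flags CronJobs that are missing from an expected inventory or that pull images from registries outside an approved list. The inventory, the approved registry and the sample objects are constructed assumptions.

```python
import json

def registry_of(image):
    """Registry host of an image reference; bare names default to docker.io."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def audit_cronjobs(kubectl_json, expected, approved_registries):
    """Flag CronJobs absent from the inventory or using unapproved registries."""
    findings = []
    for item in json.loads(kubectl_json).get("items", []):
        meta, spec = item["metadata"], item["spec"]
        pod = spec["jobTemplate"]["spec"]["template"]["spec"]
        containers = pod.get("initContainers", []) + pod.get("containers", [])
        reasons = []
        if (meta["namespace"], meta["name"]) not in expected:
            reasons.append("not in expected inventory")
        for c in containers:
            if registry_of(c["image"]) not in approved_registries:
                reasons.append("unapproved registry: " + c["image"])
        if reasons:
            findings.append({
                "cronjob": meta["namespace"] + "/" + meta["name"],
                "schedule": spec["schedule"],
                "commands": [c.get("command", []) + c.get("args", [])
                             for c in containers],
                "reasons": reasons,
            })
    return findings

def make_cronjob(ns, name, schedule, image, command):
    """Build a constructed sample object with the fields the audit reads."""
    pod = {"containers": [{"name": "main", "image": image, "command": command}]}
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"schedule": schedule,
                     "jobTemplate": {"spec": {"template": {"spec": pod}}}}}

# Constructed sample standing in for the kubectl output.
SAMPLE = json.dumps({"items": [
    make_cronjob("ops", "db-backup", "0 2 * * *",
                 "registry.example.com/ops/backup:1.4", ["/backup.sh"]),
    make_cronjob("default", "sync", "*/5 * * * *",
                 "alpine", ["sh", "-c", "/work/run.sh"]),
]})
```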

References

[1] https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud//where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems.

[2]   Microsoft Corporation, “Backdoor:MacOS_X/Olyx.A.” https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MacOS_X/Olyx.A.

[3]   “Scheduled Task/Job: Scheduled Task.” https://attack.mitre.org/techniques/T1053/005/.

[4]   “Qakbot levels up with new obfuscation techniques.” http://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html.

[5]   R. Falcone, “Shamoon 2: Return of the Disttrack Wiper,” 30-Nov-2016. https://unit42.paloaltonetworks.com/unit42-shamoon-2-return-disttrack-wiper/.

[6]   “Scheduled Task/Job: Systemd Timers.” https://attack.mitre.org/techniques/T1053/006/.

[7]   “Use systemd timers instead of cronjobs.” https://opensource.com/article/20/7/systemd-timers.

[8]   C. Cimpanu, “Malware Found in Arch Linux AUR Package Repository,” BleepingComputer, 10-Jul-2018. https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/.

[9]   “Scheduled Task/Job: Container Orchestration Job.” https://attack.mitre.org/techniques/T1053/007/.

[10]   Y. Weizman, “Threat matrix for Kubernetes,” 02-Apr-2020. https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/.

[11]   “CronJob.” https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/.