Scheduled Task/Job

Scheduled Task/Job (T1053) refers to techniques in which adversaries abuse the task-scheduling functionality of an operating system or application to execute malicious code, typically for persistence, privilege escalation or evasion of security monitoring. Adversaries create scheduled tasks that trigger a malicious payload, using system utilities (such as Windows schtasks or Linux cron) or APIs, possibly to deploy tasks on remote hosts. Traditional defenses identify such activity mainly by monitoring task-creation events, analyzing anomalies in task configuration (unknown author, unusual timer settings) and detecting suspicious child-process chains.

To evade defenses built on task-signature matching and behavioral rules, adversaries have developed multi-layered task-concealment techniques. By abusing legitimate mechanisms, decomposing task logic and blending into the execution environment, they embed malicious operations deep within routine system-administration workflows, so that the attack chain no longer looks anomalous and instead resembles ordinary business activity.

The core evolutionary path of current scheduled-task concealment techniques is the legitimization of the task's form and the expansion of its execution across time and space. Three technical directions, parasitizing the system trust chain (injecting tasks into system processes), dynamically adjusting execution cadence (dynamic scheduling) and splitting the attack chain (segmented concealment of task chains), break the traditional single-dimension detection paradigm. In the time dimension, fixed-period tasks are replaced with dynamic triggers based on system context, removing timer signatures; in the function dimension, sensitive operations are split into several low-privilege tasks and disguised with legitimate toolchains; in the data dimension, task metadata is forged to look legitimate, evading task-configuration scans. By redefining the boundary between a task and its system environment, these techniques make a malicious task match the behavior that allowlisting mechanisms expect across its whole lifecycle: creation, storage, triggering and execution.

The growing sophistication of concealment techniques poses a serious challenge to traditional detection based on static analysis of task configuration and process-tree monitoring. Defenders need to build task-behavior graph analysis, combining cross-host task correlation with context-sensitive baseline modeling, and strengthen memory forensics and encrypted-traffic analysis, in order to detect novel concealed tasks in depth.

ID: T1053
Sub-techniques:  T1053.001, T1053.002, T1053.003
Platforms: Containers, Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, User
Effective Permissions: Administrator, SYSTEM, User
Supports Remote:  Yes
Contributors: Alain Homewood, Insomnia Security; Andrew Northern, @ex_raritas; Bryan Campbell, @bry_campbell; Leo Loobeek, @leoloobeek; Prashant Verma, Paladion; Selena Larson, @selenalarson; Travis Smith, Tripwire; Zachary Abzug, @ZackDoesML
Version: 2.3
Created: 31 May 2017
Last Modified: 15 October 2024

Concealment Effects

Effect Type Present
Signature Masquerading
Behavioral Transparency
Data Obscuring
Spatiotemporal Trace Dispersal

Signature Masquerading

By imitating the characteristic parameters of system-management tasks (task name, description, triggers and so on), the malicious task configuration is disguised as a built-in, legitimate scheduled task. Process-injection techniques parasitize the task's executable body inside a trusted process, so that in process and resource monitors, log auditing and elsewhere the task appears as normal system behavior, effectively evading detection based on task-attribute signatures.

Behavioral Transparency

Adversaries can use native task-scheduling interfaces (such as the Windows Task Scheduler service) to carry out malicious operations without generating anomalous process-creation events, thereby evading detection of unauthorized API calls. At the same time, segmented concealment of task chains spreads sensitive operations across several compliant system tasks, so that no single operation raises a security alert and the scheduled tasks execute while bypassing detection mechanisms.

Spatiotemporal Trace Dispersal

By setting long trigger intervals or event-based trigger conditions keyed to system state, execution of the malicious task is spread among the time series of normal administrative tasks, diluting the density of behavioral indicators. Randomizing trigger times and dynamically rotating the executing node scatters attack traces across the voluminous task logs of many systems, so that traditional detection based on single-host log correlation struggles to assemble an evidence chain.

Procedure Examples

ID Name Description
S1052 DEADEYE

DEADEYE has used the scheduled tasks \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared to establish persistence.[1]

G1006 Earth Lusca

Earth Lusca used the command schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR "[file path]" /ru system for persistence.[2]

S0447 Lokibot

Lokibot's second stage DLL has set a timer using "timeSetEvent" to schedule its next execution.[3]

S0125 Remsec

Remsec schedules the execution of one of its modules by creating a new scheduler task.[4]

S1034 StrifeWater

StrifeWater has created a scheduled task named Mozilla\Firefox Default Browser Agent 409046Z0FF4A39CB for persistence.[5]

Mitigations

ID Mitigation Description
M1047 Audit

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. [6]

M1028 Operating System Configuration

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. [7]

M1026 Privileged Account Management

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [8]

M1022 Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

M1018 User Account Management

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for task scheduling commands being executed with unusual parameters.

index=security (sourcetype="WinEventLog:Security" OR sourcetype="linux_secure" OR sourcetype="macos_secure" OR sourcetype="container_logs")
| eval CommandLine = coalesce(CommandLine, process)
| where (sourcetype="WinEventLog:Security" AND EventCode IN (4697, 4702, 4698))
    OR (sourcetype="linux_secure" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%"))
    OR (sourcetype="macos_secure" AND (CommandLine LIKE "%launchctl%" OR CommandLine LIKE "%cron%"))
    OR (sourcetype="container_logs" AND (CommandLine LIKE "%cron%" OR CommandLine LIKE "%at%"))
| where (sourcetype="WinEventLog:Security" AND (CommandLine LIKE "%/create%" OR CommandLine LIKE "%/delete%" OR CommandLine LIKE "%/change%"))
    OR (sourcetype="linux_secure" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%-m%" OR CommandLine LIKE "%--env%"))
    OR (sourcetype="macos_secure" AND (CommandLine LIKE "%/Library/LaunchDaemons%" OR CommandLine LIKE "%/Library/LaunchAgents%" OR CommandLine LIKE "%/System/Library/LaunchDaemons%" OR CommandLine LIKE "%/System/Library/LaunchAgents%"))
    OR (sourcetype="container_logs" AND (CommandLine LIKE "%-f%" OR CommandLine LIKE "%--schedule%" OR CommandLine LIKE "%--env%"))

DS0032 Container Container Creation

Monitor for newly constructed containers that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for new container creation events with unusual parameters.

index=container_logs (sourcetype="docker_events" OR sourcetype="kubernetes_events")
| eval event_action=coalesce(action, status)
| where event_action="create" OR event_action="start"
| search event_type="container"
| search parameters="--privileged" OR parameters="--cap-add=*" OR parameters="--volume=*" OR parameters="--network=host" OR parameters="--device*"

DS0022 File File Creation

Monitor newly constructed files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for new task files with unusual parameters.

(index=security_logs OR index=system_logs) (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring" OR sourcetype="mac_os_events")
| eval platform=case(
    sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers",
    sourcetype=="wineventlog:security", "Windows",
    sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux",
    sourcetype=="mac_os_events", "macOS")
| search (platform="Containers" AND event_type="file_create" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*"))
    OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\\Windows\\System32\\Tasks\\*" OR ObjectName="C:\\Windows\\Tasks\\*"))
    OR (platform="Linux" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*"))
    OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/*" OR file_path="/Library/LaunchAgents/*"))

File Modification

Monitor for changes made to files that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Analytic 1 - Look for task file modifications with unusual parameters.

(index=security_logs OR index=system_logs) (sourcetype="docker_events" OR sourcetype="kubernetes_events" OR sourcetype="wineventlog:security" OR sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="file_monitoring" OR sourcetype="mac_os_events")
| eval platform=case(
    sourcetype=="docker_events" OR sourcetype=="kubernetes_events", "Containers",
    sourcetype=="wineventlog:security", "Windows",
    sourcetype=="linux_secure" OR sourcetype=="syslog", "Linux",
    sourcetype=="mac_os_events", "macOS")
| search (platform="Containers" AND event_type="file_modify" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*" OR file_path="/etc/crontab"))
    OR (platform="Windows" AND EventCode=4663 AND (ObjectName="C:\\Windows\\System32\\Tasks\\*" OR ObjectName="C:\\Windows\\Tasks\\*"))
    OR (platform="Linux" AND (file_path="/etc/cron.d/*" OR file_path="/etc/systemd/system/*" OR file_path="/etc/crontab"))
    OR (platform="macOS" AND (file_path="/Library/LaunchDaemons/*" OR file_path="/Library/LaunchAgents/*"))
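Once the file-creation or file-modification analytics above fire on /etc/cron.d or /etc/crontab, the useful next step is to look at what the changed file now schedules. The following Python is an added example, not from the page or from any project it names: it parses system-crontab syntax (schedule, user, command; `@reboot`-style specials; environment lines skipped) and tags each job with the concealment patterns the page discusses, namely event-based rather than timer-based triggers, sparse long-period schedules, and commands run from user-writable or hidden locations. The sample crontab content, the directory lists and the finding names are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Locations a system cron job normally has no reason to execute from (assumption).
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Where binaries launched by root system jobs are expected to live (assumption).
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/", "/etc/", "/opt/", "/lib/")
ENV_LINE = re.compile(r"^\s*[A-Za-z_][A-Za-z0-9_]*=")


@dataclass
class CronEntry:
    schedule: str
    user: str
    command: str
    findings: list = field(default_factory=list)


def _wild(fld):
    """True for '*' and step forms such as '*/10'."""
    return fld.startswith("*")


def schedule_class(schedule):
    """Coarse cadence: reboot, special, sub_daily, daily, weekly, monthly or yearly."""
    if schedule.startswith("@"):
        return "reboot" if schedule == "@reboot" else "special"
    _minute, hour, dom, month, dow = schedule.split()
    if not _wild(dom) and not _wild(month):
        return "yearly"
    if not _wild(dom):
        return "monthly"
    if not _wild(dow):
        return "weekly"
    return "daily" if not _wild(hour) else "sub_daily"


def parse_crontab(text, system_format=True):
    """Parse /etc/crontab or /etc/cron.d text (user field present) or, with
    system_format=False, a per-user crontab, into CronEntry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        n_sched = 1 if line.startswith("@") else 5
        n_user = 1 if system_format else 0
        parts = line.split(None, n_sched + n_user)
        if len(parts) < n_sched + n_user + 1:
            continue  # malformed line; cron would reject it as well
        schedule = " ".join(parts[:n_sched])
        user = parts[n_sched] if system_format else "<owner>"
        command = parts[n_sched + n_user]
        entries.append(CronEntry(schedule, user, command))
    return entries


def analyze_entry(entry):
    """Tag one entry with the concealment patterns discussed on the page."""
    cadence = schedule_class(entry.schedule)
    findings = set()
    if cadence == "reboot":
        findings.add("boot_trigger")       # event-based, no timer signature
    if cadence in ("monthly", "yearly"):
        findings.add("sparse_schedule")    # long interval dilutes log density
    if any(d in entry.command for d in WRITABLE_DIRS):
        findings.add("writable_location")
    if re.search(r"/\.[^./\s]", entry.command):
        findings.add("hidden_path")        # dot-directory in the command path
    tokens = entry.command.split()
    exe = tokens[0] if tokens else ""
    if entry.user == "root" and "/" in exe and not exe.startswith(SYSTEM_DIRS):
        findings.add("root_runs_nonsystem_binary")
    entry.findings = sorted(findings)
    return entry.findings


def analyze_crontab(text, system_format=True):
    entries = parse_crontab(text, system_format)
    for e in entries:
        analyze_entry(e)
    return entries


# Constructed /etc/cron.d-style content: the first job is modelled on a
# packaged accounting job; the other two are made-up suspicious entries.
SAMPLE_CRON_D = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# accounting sample, every 10 minutes
5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
0 3 1 * * root /var/tmp/.cache/sync.sh
@reboot www-data /dev/shm/update >/dev/null 2>&1
"""

if __name__ == "__main__":
    for e in analyze_crontab(SAMPLE_CRON_D):
        print(f"{e.schedule:<16} {e.user:<9} {e.command[:40]:<40} {e.findings}")
```

Feed it the contents of the file named in the FIM or 4663-style event; an entry with an empty findings list matches none of the patterns, and the cadence classifier on its own gives a quick way to baseline how often each host's jobs are expected to fire.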

DS0009 Process Process Creation

Monitor for newly executed processes that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

Note: the relevant events and sources are listed below.

Windows:

  • Sysmon Event ID 1: Process creation, particularly for schtasks.exe, at.exe, Taskeng.exe, crontab, etc.
  • Windows Event Log EventCode 4688: Process creation that might involve task scheduling.
  • Windows Task Scheduler Logs: Task creation, modification, or deletion.

Linux/macOS:

  • Auditd logs: Monitoring for cron job creation or modifications.
  • Syslog: Logs related to cron jobs or scheduled tasks.
  • File integrity monitoring (FIM): For changes to /etc/cron, /var/spool/cron/, or user-specific cron jobs.

Containers:

  • Container logs: Detection of scheduled tasks or cron jobs within container environments.

Analytic 1 - Look for task execution with unusual parameters.

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="linux_auditd" OR sourcetype="syslog")
| eval proc=coalesce(Image, NewProcessName, exe, comm)
| eval proc=lower(mvindex(split(proc, "\\"), -1))
| eval proc=mvindex(split(proc, "/"), -1)
| where proc IN ("schtasks.exe", "at.exe", "taskeng.exe", "cron", "crontab", "systemd-timers")

DS0003 Scheduled Job Scheduled Job Creation

Monitor newly constructed scheduled jobs that may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.

On Windows systems, security event ID 4698 (A scheduled task was created) provides information on newly created scheduled tasks. It includes the TaskContent field, which contains an XML blob that captures key information on the scheduled task including the command to be executed.

Analytic 1 - Scheduled Task Execution

source="*WinEventLog:Security" EventCode="4698"
| where NOT (TaskName IN ("\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"))
| search TaskContent="*powershell.exe*" OR TaskContent="*cmd.exe*"

References