We commonly observe the following binaries in malicious scheduled task execution:
For defenders and hunt teams, if you find one malicious scheduled task in your environment, consider using properties of that event—task name, start time, task run, etc.—as elements in your hunt or even detection logic. Use available tooling to collect scheduled tasks from across your enterprise and search for specific properties that match the known malicious scheduled task (i.e., recurring start times of unusual scheduled tasks across endpoints). Understanding what is normal in your environment is a tremendous boon for identifying suspicious scheduled task activity.
Two elements of scheduled tasks that may lend themselves to threat hunting and/or detection are taskname and taskrun, which are the arguments passed to the /TN and /TR flags respectively.
Tasknames vary widely in our data set. Though Blue Mockingbird dominated our data set with the taskname Windows Problems Collection, other threat actors and malware families commonly use GUIDs, as is the case with QBot, or names that attempt to blend in with seemingly legitimate system activity (e.g., setup service Management, WindowsServerUpdateService, etc.). Random strings between seven and nine characters are also common. It’s worth looking out for scheduled task executions in which the /TN value matches any of the above examples. These won’t always be malicious, but with some baselining, you should be able to sort normal and benign from unusual and suspicious.
Taskrun values, on the other hand, specify what should be executed at the scheduled time. Expect attackers to try and blend in here as well, with LOLBINs or by naming their on-disk malware to resemble legitimate system utilities. Blue Mockingbird dominated once again, with more than 2,000 scheduled tasks with a taskrun value of regsvr32.exe /s c:\windows\system32\wercplsupporte.dll. Searching for execution of scheduled tasks with wercplsupporte.dll in the taskrun is a viable method of detecting Blue Mockingbird, but don’t confuse the above DLL with the legitimate wercplsupport.dll in the same directory.
Of all the properties in a scheduled task, taskrun is probably the most critical to scrutinize. If you see a strange binary, investigate it. Any taskrun value that points to a script deserves a closer look, as adversaries may modify an existing benign script by adding malicious code to it. Building automation to return cryptographic hashes of these scripts and monitoring them for changes may be useful in detection efforts.
Scheduling tasks without
Adversaries can create or modify tasks without calling taskschd.msc directly with the help of COM objects. Therefore, monitoring for file creation and modification events in \Windows\SysWow64\Tasks directories may provide added value in identifying interesting activity. This may be particularly useful on critical systems where scheduled tasks should be relatively static.
Unusual module loads
Monitoring for image loads—specifically of \Windows\System32\taskschd.dll by processes that wouldn’t normally load that DLL, like Excel or Word—may indicate that a macro is creating or modifying a scheduled task.
Weeding out false positives
Any detection strategy should start with a baseline understanding of what is in your environment normally. Current Windows systems commonly include more than 100 scheduled tasks by default. As more software packages are installed, they may create additional scheduled tasks for regular updates and other reasons. Knowing what these tasks are, their normal schedules, and their taskrun values will be essential to filtering them out of the review process.
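As an added example (not code from the original post), the taskname and taskrun heuristics described above combined with the baseline step from this section, in Python: it rebuilds the taskrun from a task's on-disk XML file and reports why a task deserves review. The baseline entry, the constructed sample task file, and the script-extension list are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the task XML files Windows stores under \Windows\System32\Tasks
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed per-environment baseline of known-good task names (hypothetical entry)
BASELINE = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}
# Task names the post reports in malicious tasks (Blue Mockingbird and others)
KNOWN_BAD_NAMES = {"Windows Problems Collection", "setup service Management",
                   "WindowsServerUpdateService"}
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
RANDOM_RE = re.compile(r"^[A-Za-z0-9]{7,9}$")  # seven-to-nine-character random strings
SCRIPT_RE = re.compile(r"\.(ps1|vbs|js|bat|cmd)\b", re.I)  # assumed script extensions

# Constructed sample task file (real files are UTF-16; read them as bytes)
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>regsvr32.exe</Command>
      <Arguments>/s c:\windows\system32\wercplsupporte.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

def parse_taskrun(xml_data):
    """Rebuild the taskrun command line from the Exec action of a task XML file."""
    root = ET.fromstring(xml_data)
    cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS)
    return f"{cmd} {args}".strip()

def assess(taskname, taskrun):
    """Return the reasons a task deserves review; an empty list means nothing was flagged."""
    reasons = []
    if taskname in BASELINE:  # baseline first: known-good tasks are filtered out
        return reasons
    if taskname in KNOWN_BAD_NAMES:
        reasons.append("taskname seen in known malicious tasks")
    elif GUID_RE.match(taskname):
        reasons.append("GUID-style taskname")
    elif RANDOM_RE.match(taskname):
        reasons.append("short random-looking taskname")
    # Blue Mockingbird DLL; the legitimate wercplsupport.dll (no trailing 'e') does not match
    if "wercplsupporte.dll" in taskrun.lower():
        reasons.append("taskrun loads wercplsupporte.dll")
    if SCRIPT_RE.search(taskrun):
        reasons.append("taskrun points to a script: hash it and watch for changes")
    return reasons

if __name__ == "__main__":
    print(assess("Windows Problems Collection", parse_taskrun(SAMPLE_TASK_XML)))
```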