Why do adversaries use scheduled tasks?
As is the case with every legitimate Windows utility in this report, benign software and operating system functions routinely use scheduled tasks for a variety of reasons, ranging from provisioning to backup maintenance to health checks to updates and everything in between. Ultimately, you can’t turn off scheduled tasks, and therefore they enable adversaries to inconspicuously conduct an array of malicious activity.
How do adversaries use scheduled tasks?
Adversaries use scheduled tasks to accomplish two primary objectives:
- establish persistence in an environment
- execute processes—ideally with elevated privileges and at customized intervals
Importantly, these things aren’t mutually exclusive, and a majority of the scheduled task-leveraging threats we detect every year are set to run as SYSTEM—the most privileged account on Windows systems. By default, however, a scheduled task will run with the privilege level of the user who created it. Considering this, the following examples of scheduled task abuse are largely intended to establish persistence, but they can also do so at elevated privilege levels.
We often see adversaries using the task scheduler to execute binaries—arbitrary or native (albeit relocated)—from user-writable directories like appdata/roaming. This is ostensibly an effort to schedule the execution of code from directories that can be manipulated by other users, regardless of their privilege level. Another common behavior involves leveraging scheduled tasks to open the Windows Command Shell, generally in an effort to establish persistence or otherwise call on the command shell’s versatility to execute code or launch other system binaries. Adversaries also abuse scheduled tasks to call on regsvr32.exe to download and execute a DLL, a behavior that we’ve previously associated with crimeware like Qbot.
In terms of specific scheduled task commands that adversaries abuse, we most frequently see them execute tasks with the /Create flag of schtasks.exe to create a scheduled task, generally in the service of establishing persistence. Adversaries also abuse the /Change, /Run, /Delete, and /Query flags to change, run, delete, or display information about one or more scheduled tasks, respectively. Adversaries can also schedule tasks to run at set times—including any one of the 84,600 seconds in the day—or in response to a triggering event on the endpoint by leveraging the /st parameter. Further, they can also choose to repeat that task execution at set intervals (hourly, daily, weekly, at logon, etc.). Since adversaries often reuse code, we commonly observe them scheduling their tasks to execute at the same time across each endpoint targeted by their campaigns.
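As an added example (not code from the report), the following Python triages schtasks.exe command lines, as they would appear in process-creation telemetry, against the patterns described above: task creation, /ru SYSTEM, a /tr target under a user-writable directory, regsvr32.exe, and the command shell. The sample command lines are constructed, and the function names are my own.

```python
import re
import shlex

# schtasks.exe flags discussed on the page, checked in a fixed order.
ACTION_FLAGS = ("create", "change", "run", "delete", "query")
# Directories a standard user can write to; task binaries here are a red flag.
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\|\\temp\\|\\users\\public\\", re.I)

def parse_schtasks(cmdline):
    """Return {flag: value} for one schtasks.exe command line (flags lowercased, quotes stripped)."""
    tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes literal
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            value = None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                value = tokens[i + 1].strip('"')
                i += 1
            flags[tok[1:].lower()] = value
        i += 1
    return flags

def triage(cmdline):
    """Report which abuse patterns from the text a single command line exhibits."""
    flags = parse_schtasks(cmdline)
    action = next((a for a in ACTION_FLAGS if a in flags), None)
    task_run = flags.get("tr") or ""
    reasons = []
    if action == "create":
        reasons.append("creates task (persistence)")
    if (flags.get("ru") or "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    if USER_WRITABLE.search(task_run):
        reasons.append("binary in user-writable directory")
    if re.search(r"\bregsvr32(\.exe)?\b", task_run, re.I):
        reasons.append("regsvr32 execution")
    if re.search(r"\bcmd(\.exe)?\b", task_run, re.I):
        reasons.append("spawns command shell")
    return {"action": action, "start_time": flags.get("st"), "reasons": reasons}

# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'schtasks.exe /Create /SC DAILY /ST 09:00 /TN Updater /TR "C:\Users\bob\AppData\Roaming\upd.exe" /RU SYSTEM /F',
    r'schtasks.exe /Create /SC ONLOGON /TN Sync /TR "cmd.exe /c start C:\ProgramData\s.bat"',
    r'schtasks.exe /Create /SC ONCE /ST 03:00 /TN Cleanup /TR "regsvr32.exe /s C:\Users\bob\AppData\Roaming\a.dll"',
    r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
    r'schtasks.exe /Change /TN Backup /ST 02:30',
]

def scan(cmdlines):
    """Return (cmdline, triage result) for every line that tripped at least one pattern."""
    results = [(c, triage(c)) for c in cmdlines]
    return [(c, t) for c, t in results if t["reasons"]]
```

The /Query and /Change lines are retained by the parser but produce no findings, which is the point: benign task management is constant, so the signal is in the /tr target and the run-as account, not in schtasks.exe itself.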