Project Name: Threat Hunting for Suspicious Scheduled Tasks
Description: Attackers use scheduled tasks to deliver and run their payload at the operating-system level.
This article explains how attackers use scheduled tasks, primarily for three reasons:
1. Persistence, lateral movement, execution, defense evasion and privilege escalation inside the organization.
2. Execution of a payload.
3. Interval- or pattern-based East <-> West and North <-> South connection establishment.
Author: Rohit D Sadgune
FAQ:
- How to perform threat hunting for suspicious scheduled tasks?
- Correlation of task creation with process anomalies.
- Correlation of scheduled tasks with network anomalies.
Threat Hunting for Suspicious Scheduled Tasks.
1. Unusual process execution followed by suspicious task creation (within a time interval of 1 min).
- A new process has been created (EventID = 4688)
- Process Command Line contains “Get-ScheduledTask”
- New Process Name contains “schtasks.exe | cmd.exe | powershell.exe | regsvr32.exe | rundll32.exe | mshta.exe”
- Creator Process Name contains “schtasks.exe | cmd.exe | powershell.exe | regsvr32.exe | rundll32.exe | mshta.exe”
- Rare task creation by the same account.
2. Scheduled tasks created and deleted within a very short period.
A. In 4698 and 4699 the “Task Name” and “Account Domain” should be the same.
B. The “Account Name” can be the same or different.
3. Unusual task creation where the task's “Triggers” fire rarely.
4. Scheduled task creation (4698) followed by either of the following EventIDs within 1 min:
A scheduled task was updated (4702), Task Name contains -> powershell.exe, wscript.exe, rundll32.exe, mshta.exe, arp.exe, at.exe, bitsadmin.exe, certutil.exe, cmd.exe, dsget.exe, dsquery.exe, find.exe, findstr.exe, fsutil.exe, hostname.exe, ipconfig.exe, nbtstat.exe, net.exe, net1.exe, netdom.exe, netsh.exe, netstat.exe, nltest.exe, nslookup.exe, ntdsutil.exe, pathping.exe, ping.exe, qprocess.exe, query.exe, qwinsta.exe, reg.exe, rundll32.exe, sc.exe, schtasks.exe, systeminfo.exe, tasklist.exe, tracert.exe, ver.exe, vssadmin.exe, wevtutil.exe, whoami.exe, wmic.exe, wusa.exe, Gsecdump, Procdump, comsvcs.dll, MiniDump, Dumpert, vssadmin, dcsync, Unshadow, smb_enum_gpp, Gpp-Decrypt, ProLock, ZeroCleare, Beapy, Nishang, PWDump, acehash, SQLPS.EXE, out-minidump, powermemory, secretsdump
A new process has been created (EventID = 4688), New Process Name contains (suspicious process names) -> powershell.exe, wscript.exe, rundll32.exe, mshta.exe, arp.exe, at.exe, bitsadmin.exe, certutil.exe, cmd.exe, dsget.exe, dsquery.exe, find.exe, findstr.exe, fsutil.exe, hostname.exe, ipconfig.exe, nbtstat.exe, net.exe, net1.exe, netdom.exe, netsh.exe, netstat.exe, nltest.exe, nslookup.exe, ntdsutil.exe, pathping.exe, ping.exe, qprocess.exe, query.exe, qwinsta.exe, reg.exe, rundll32.exe, sc.exe, schtasks.exe, systeminfo.exe, tasklist.exe, tracert.exe, ver.exe, vssadmin.exe, wevtutil.exe, whoami.exe, wmic.exe, wusa.exe, Gsecdump, Procdump, comsvcs.dll, MiniDump, Dumpert, vssadmin, dcsync, Unshadow, smb_enum_gpp, Gpp-Decrypt, ProLock, ZeroCleare, Beapy, Nishang, PWDump, acehash, SQLPS.EXE, out-minidump, powermemory, secretsdump
Process Command Line contains (command and control tools) -> BindShellBypassHostFirewallwithSMB, ChaShell, CobaltStrike, Covenant, DDoor, Diagon, DnsCat2, DnsShell, DockerDBC2, DockerDNSCat, DOHC2, dropboxC2_DBC2, External_c2_framework, FudgeC2, GCat, Gorsh, HRShell_httpShell, ICMPSH, ICMPTunnel, ICMP_Tunnel_Python, Invoke-PipeShell, MacSwiftShell, Merlin, Nuages, OneLogicalMyth_Shell, Ping-Pwn, PoshC2, PowerCat, PowerHub, PowershellExample, Prismatica, Pupy, RedPeanut, ReUseExistingConnectionOneWayStager, ReverseShellGen, ReverseTCPEncrptedPowershell, RSH, SharpSocks, SilentTrinity, Slackor, Throwback, ThunderShell, TinkerShell, Tiny-SHell, TrevorC2, Tunna, Udp2Raw, UndetectableCSharpShell, Websocket-Smuggle, WebSocketC2, WheresMyImplant, WinSpy
Process Command Line contains (backdoor process) -> Simple Shell, B374K Shell, C99 Shell, R57 Shell, Wso Shell, 0byt3m1n1, Alfa Shell, Indoxploit Shell, Marion001 Shell, Mini Shell, p0wny-shell, Sadrazam Shell, Webadmin Shell, WordPress Shell, LazyShell, Pouya Shell, Kacak Asp Shell, BetterBackdoor, Pupy, Thefatrat, Evilosx, Phpsploit, Dr0p1t, Asyncrat C Sharp, Diamorphine, Powershell Rat, Diffie Hellman, Vegile, Aviator, Chromebackdoor, Cloak, Gdog, Paradoxiarat, Xeexe Topantivirusevasion, Kithack, S6_pcie_microblaze, Tomcatwardeployer, Remot3d, Rspet, Nativepayload_dns, Openssh Backdoor Kit, Canisrufus, Betterbackdoor, Pwnginx, Pyiris, Hg8045q
5. Suspicious task creation (EventID = 4698) followed by network traffic.
A. Unusual traffic to RDP and other remote-access / VPN ports.
Destination Port =4125 | Destination Port=4500 | Destination Port=5938 | Destination Port=4822 | Destination Port=5900 | Destination Port=8040 | Destination Port=3306 | Destination Port=6129 | Destination Port=1025 | Destination Port=1194 | Destination Port=5500 | Destination Port=1723 | Destination Port=51820 | Destination Port=3389
B. Unusual traffic to suspicious port.
Destination Port=2222 | Destination Port=4444 | Destination Port=5555 | Destination Port=7777
6. Suspicious task creation (EventID = 4698) followed by an unusual process command line (EventID = 4688).
4688 Process Command Line :- Contains — > ?cmd.exe | ?rlogin | ?rdump | ?rdist | ?wget | ?ping | ?ipconfig | ?whoami | ?/bin/bash | ?/usr/bin/id | ?curl | ?echo | ?exec | ?eval | ?hostname | ?ifconfig | ?ipconfig | ?iptables | ?net | ?netstat | ?qprocess | ?route | ?systeminfo | ?tasklist | ?uname | ?whoami | \cmd.exe | \rlogin | \rdump | \rdist | \wget | \ping | \ipconfig | \whoami | \/bin/bash | \/usr/bin/id | \curl | \echo | \exec | \eval | \hostname | \ifconfig | \ipconfig | \iptables | \net | \netstat | \qprocess | \route | \systeminfo | \tasklist | \uname | \whoami | =cmd.exe | =rlogin | =rdump | =rdist | =wget | =ping | =ipconfig | =whoami | =/bin/bash | =/usr/bin/id | =curl | =echo | =exec | =eval | =hostname | =ifconfig | =ipconfig | =iptables | =net | =netstat | =qprocess | =route | =systeminfo | =tasklist | =uname | =whoami | crontab | hostname | ifconfig | iptables | netstat | route | uname | whoami | net view | tasklist | ipconfig | systeminfo | qprocess | ping
7. Suspicious task creation followed by a known ransomware file extension or ransom-note file name observed in the command line.
4688 Process Command Line :- Contains — > .obleep | .0x0 | 0.1999 | .aaa | .abc | .bleep | .ccc | .cerber | .cerber2 | .cerber3 | .crinf | .crjoker | .cry | .crypt | .crypto | .cryptotorlocker | .ctb2 | .ctbl | .darkness | .ecc | .enc | .enciphered | .encoderpass | .encrypted | .encryptedRSA | .exx | .ezz | .frtrss | .good | .ha3 | .hydracrypt | .kb15 | .key | .kraken | .lechiffre | .locked | .locky | .lol! | .magic | .micro | .nochance | .omg! | .pzdc | .r16m | .r16m01d05 | .r5a | .rdm | .rrk | .supercrypt | .toxcrypt | .ttt | .vault | .vvv | .xrnt | .xrtn | .xtbl | .xxx | .xyz | .zzz | crypt | recover_instructions.txt | restore_fi. | ukr.net | want%syour%sfiles%sback. | _how_recover.txt | _locky_recover_instructions.txt | _secret_code.txt | coin.locker.txt | confirmation.key | cryptolocker. | decrypt_help. | decrypt_instruct. | decrypt_instruction.txt | decrypt_instructions.txt | decrypt_readme.txt | decryptallfiles.txt | djqfu. | enc_files.txt | filesaregone.txt | hellothere.txt | help_decrypt. | help_decrypt.txt | help_recover. | help_recover_instructions+.txt | help_restore. | help_to_decrypt_your_files.txt | help_to_save_files.txt | help_your_file. | help_your_files. | helpdecrypt. | how%sto%sdecrypt. | how_decrypt. | how_recover. | how_to_decrypt. | how_to_decrypt_files.txt | how_to_recover. | how_to_recover_files.txt | howrecover+.txt | howto_recover_file.txt | howto_restore. | howto_restore_file. | howto_restore_files.txt | howtodecrypt. | howtorestore.txt | iamreadytopay.txt | ihaveyoursecret.key | install_tor. | instructions_xxxx.png | last_chance. | message.txt | readdecryptfileshere.txt | readme_decrypt. | readme_for_decrypt. | readthisnow!!!.txt | recoverfile.txt | recovery_file.txt | recovery_files.txt | recovery_key.txt | recoveryfile.txt | restorefiles.txt | secret.key | secretidhere.key | vault.hta | vault.key | vault.txt | your_files.html | your_files.url | .___xratteamLucked | .__AiraCropEncrypted! 
| ._AiraCropEncrypted | ._read_thi$_file | 0.02 | 0.725 | .1btc | .1cbu1 | .1txt | .2ed2 | .31392E30362E32303136[ID-KEY]LSBJ1 | .73i87A | 0.726 | 0.777 | .7h9r | .7z.encrypted | .7zipper | .8c7f | .8lock8 | 0.911 | .a19 | .a5zfn | .adk | .adr | .adair | .AES | .aes128ctr | .AES256 | .aes_ni | .aes_ni_gov | .aes_ni_0day | .AESIR | .AFD | .aga | .alcatraz | .Aleta | .amba | .amnesia | .angelamerkel | .AngleWare | .antihacker2017 | .animus | .ap19 | .atlas | .aurora | .axx | .B6E1 | .BarRax | .barracuda | .bart | .bart.zip | .better_call_saul | .bip | .birbb | .bitstak | .bitkangoroo | .boom | .black007 | .bleepYourFiles | .bloc | .blocatto | .block | .braincrypt | .breaking_bad | .bript | .brrr | .btc | .btcbtcbtc | .btc-help-you | .cancer | .canihelpyou | .cbf | .CCCRRRPPP | .checkdiskenced | .CHIP | .cifgksaffsfyghd | .clf | .clop | .cnc | .cobain | .code | .coded | .comrade | .coverton | .crashed | .crime | .criptiko | .crypton | .criptokod | .cripttt | .crptrgr | .CRRRT | .cry | .cryp1 | .crypt38 | .crypted | .cryptes | .crypted_file | .cryptolocker | .CRYPTOSHIEL | .CRYPTOSHIELD | .CryptoTorLocker2015! | .cryptowall | .cryptowin | .crypz | .CrySiS | .css | .czvxce | .d4nk | .da_vinci_code | .dale | .damage | .darkcry | .dCrypt | .decrypt2017 | .ded | .deria | .desu | .dharma | .disappeared | .diablo6 | .divine | .dll | .doubleoffset | .domino | .doomed | .dxxd | .edgel | .encedRSA | .encmywork | .ENCR | .encrypt | .encryptedAES | .encryptedyourfiles | .enigma | .epic | .evillock | .exotic | .exte | .fantom | .fear | .FenixIloveyou!! 
| .file0locked | .filegofprencrp | .fileiscryptedhard | .filock | .firecrypt | .flyper | .fs0ciety | .fuck | .Fuck_You | .fucked | .FuckYourData | .fun | .flamingo | .gamma | .gefickt | .gembok | .globe | .glutton | .goforhelp | .gryphon | .grinch | .GSupport | .GWS | .hakunamatata | .hannah | .haters | .happyday | .happydayzz | .happydayzzz | .hb15 | .helpmeencedfiles | .herbst | .hendrix | .hermes | .help | .hnumkhotep | .hitler | .howcanihelpusir | .html | .homer | .hush | .iaufkakfhsaraf | .ifuckedyou | .iloveworld | .infected | .info | .invaded | .isis | .ipYgh | .iwanthelpuuu | .jaff | .java | .JUST | .justbtcwillhelpyou | .JLQUF | .jnec | .karma | .kencf | .keepcalm | .kernel_complete | .kernel_pid | .kernel_time | .KEYH0LES | .KEYZ | keemail.me | .killedXXX | .kirked | .kimcilware | .KKK | .kk | .korrektor | .kostya | .kr3 | .krab | .kratos | .kyra | .L0CKED | .lambda_l0cked | .legion | .lesli | .letmetrydecfiles | .like | .lock | .lock93 | .Locked-by-Mafia | .locked-mafiaware | .locklock | .loprt | .lovewindows | .lukitus | .madebyadam | .maktub | .malki | .maya | .merry | .MRCR1 | .muuq | .MTXLOCK | .nobad | .no_more_ransom | .nolvalid | .noproblemwedecfiles | .notfoundrans | .NotStonks | .nuclear55 | nuclear | .odcodc | .odin | .oled | .only-we_can-help_you | .onion.to._ | .oops | .oshit | .osiris | .otherinformation | .oxr | .p5tkjw | .pablukcrypt | .padcrypt | .paybtcs | .paym | .paymrss | .payms | .paymst | .paymts | .payransom | .payrms | .payrmts | .pays | .paytounlock | .pdcr | .PEGS1 | .perl | .PoAr2w | .porno | .potato | .powerfulldecrypt | .powned | .pr0tect | .purge | .R.i.P | .r3store | .R4A | .RAD | .RADAMANT | .raid10 | .ransomware | .RARE1 | .rastakhiz | .razy | .rdmk | .recry1 | .rekt | .reyptson | .remind | .rip | .RMCM1 | .rmd | .rnsmwr | .rokku | .RSNSlocked | .RSplited | .sage | .salsa222 | .sanction | .scl | .SecureCrypted | .serpent | .sexy | .shino | .shit | .sifreli | .Silent | .sport | .stn | .surprise | .szf | .t5019 | .tedcrypt 
| .TheTrumpLockerf | .thda | .TheTrumpLockerfp | .theworldisyours | .thor | .trun | .trmt | .tzu | .unavailable | .vbransom | .vekanhelpu | .velikasrbija | .venusf | .Venusp | .versiegelt | .VforVendetta | .vindows | .viki | .visioncrypt | .vxLock | .wallet | .wcry | .weareyourfriends | .weencedufiles | .wflx | .wlu | .Where_my_files.txt | .Whereisyourfiles | .windows10 | .wnx | .WNCRY | .wncryt | .wnry | .wowreadfordecryp | .wowwhereismyfiles | .wuciwug | .www | .xiaoba | .xcri | .xdata | .xort | .ya.ru | .yourransom | .Z81928819 | .zc3791 | .zcrypt | .zendr4 | .zepto | .zorro | .zXz | .zyklon | .zzzzz | H_e_l_p_RECOVER_INSTRUCTIONS | _LAST | _nullbyte | _READ_THIS_FILE | ABCXYZ11 | cpyt | crypt | decipher | qq_com | want your files back. | DECRYPT_INFO | _ryp | AllFilesAreLocked.bmp | ASSISTANCE_IN_RECOVERY.txt | ATTENTION!!!.txt | Decrypt.exe | DECRYPT_INSTRUCTION.HTML | DECRYPT_INSTRUCTIONS.HTML | HELP_DECRYPT.HTML | HELP_DECRYPT.lnk | HELP_DECRYPT.PNG | HELP_RESTORE_FILES.txt | how to decrypt aes files.lnk | How_Decrypt.html | How_Decrypt.txt | HowDecrypt.txt | INSTRUCCIONES_DESCIFRADO.TXT | last_chance.txt | oor. | restore_files.txt
8. Hunting registry changes: when a scheduled task is created, there are multiple registry paths that can be monitored.
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
9. Hunting for scheduled task commands
A. Schtasks /Create
B. Local task creation.
-> schtasks /Create /SC minute /MO 5 /TN "RDS_shell" /TR c:\Threat_Hunting\RDS_shell\RDS_shell.exe
C. Remote task creation.
-> schtasks /Create /S Hunt777.hackforlab.com /RU RDS /RP RDS@RDS6781 /TN "Threat_Hunting_RDS" /TR c:\Threat_Hunting\RDS_shell\Threat_Hunting_RDS.exe /SC daily
D. Conti ransomware task creation: Windows Defender scans and updates disabled.
-> SCHTASKS /s Hunt777.hackforlab.com /RU "hackforlab" /create /tn Conti_Ransomware_task /tr "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true" /sc ONCE /sd 01/01/2022 /st 01:01
E. Execution (one-time task running a staged batch file).
-> schtasks /create /ru "RDS" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st 05:39:00
10. Suspicious task creation or update followed by successful network traffic (within 1 min).
A. EventID = 4698 OR EventID = 4702 with an unusual “Task Name”.
B. Followed by suspicious network traffic to Destination Port=445 | Destination Port=389 | Destination Port=636
To identify suspicious traffic (whether the traffic was allowed or denied does not matter):
B1. Communication to a rare destination address.
B2. Volumetric increase in connections to the same destination address.
B3. Catalogue behaviour detection over destination addresses (count of distinct destination addresses).
11. Remote task hunting.
A. Windows EventID 5145, “A network share object was checked to see whether client can be granted desired access”:
Share Name contains *\IPC$ and Relative Target Name contains “ATSVC”. ATSVC is the Microsoft AT-Scheduler Service interface, reached over the DCE/RPC protocol.
B. Successful authentication (4624) followed within 1 min by scheduled task creation (4698) using the same Logon ID.
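The windowed correlations from items 1/4 (suspicious process then task creation), item 2 (task created then deleted) and item 11B (logon then task creation under the same Logon ID), expressed over exported event records as an added example that is not part of the original article. The field names, the constructed sample events and the 10-minute window used for item 2's "very short period" are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample events (not real telemetry): logon, schtasks.exe start, task created 20 s later, deleted by another account, plus a benign task.
SAMPLE_EVENTS = [
    {"id": 4624, "ts": "2024-01-01T10:00:00", "host": "WS01", "logon_id": "0x3E7A1"},
    {"id": 4688, "ts": "2024-01-01T10:00:10", "host": "WS01", "logon_id": "0x3E7A1",
     "new_process": r"C:\Windows\System32\schtasks.exe", "creator_process": r"C:\Windows\System32\cmd.exe"},
    {"id": 4698, "ts": "2024-01-01T10:00:30", "host": "WS01", "logon_id": "0x3E7A1",
     "task_name": r"\update", "domain": "CORP", "account": "rds"},
    {"id": 4699, "ts": "2024-01-01T10:05:00", "host": "WS01", "logon_id": "0x3E7A1",
     "task_name": r"\update", "domain": "CORP", "account": "svc_backup"},
    {"id": 4698, "ts": "2024-01-01T12:00:00", "host": "WS02", "logon_id": "0x1111",
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "domain": "CORP", "account": "SYSTEM"},
]
# Process names listed under item 1 of the article.
SUSPICIOUS_PROCS = {"schtasks.exe", "cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"}

def _ts(event):
    return datetime.fromisoformat(event["ts"])
def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def pair_within(events, first_id, second_id, window, match):
    """Yield (a, b): a has first_id, b has second_id, b follows a within `window`
    on the same host, and match(a, b) holds."""
    ordered = sorted(events, key=_ts)
    for i, a in enumerate(ordered):
        if a["id"] != first_id:
            continue
        for b in ordered[i + 1:]:
            if _ts(b) - _ts(a) > window:
                break  # sorted by time, so nothing later can be inside the window
            if b["id"] == second_id and b["host"] == a["host"] and match(a, b):
                yield a, b

def hunt(events):
    """Return (rule, task_name) findings for the article's windowed correlations."""
    one_min, ten_min = timedelta(minutes=1), timedelta(minutes=10)  # 10 min: assumed "short period"
    findings = []
    # Items 1 and 4: suspicious process start followed by task creation within 1 min.
    for a, b in pair_within(events, 4688, 4698, one_min, lambda a, b:
                            {_basename(a["new_process"]), _basename(a["creator_process"])} & SUSPICIOUS_PROCS):
        findings.append(("proc_then_task", b["task_name"]))
    # Item 2: task created then deleted; same task name and domain, account may differ.
    for a, b in pair_within(events, 4698, 4699, ten_min,
                            lambda a, b: (a["task_name"], a["domain"]) == (b["task_name"], b["domain"])):
        findings.append(("create_delete", a["task_name"]))
    # Item 11B: successful logon followed within 1 min by task creation under the same Logon ID.
    for a, b in pair_within(events, 4624, 4698, one_min, lambda a, b: a["logon_id"] == b["logon_id"]):
        findings.append(("logon_then_task", b["task_name"]))
    return findings
```

The benign ScheduledDefrag task on WS02 produces no finding because nothing precedes or follows it inside any window; in a SIEM the same logic maps onto a time-window join on host, task name and Logon ID.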