Scheduled Tasks [0.1]
A scheduled task that matches patterns seen in known attacker activity has been found.
Known attackers have been observed using scheduled tasks on Windows systems to gain persistence.
A scheduled task lets a user register a command to be executed at a specified time or in response to an event such as logon or boot.
The search scans the task definition files present within C:\Windows\System32\Tasks on a Windows system and identifies any task whose action executes a batch file (.bat), a pattern that known attackers have been observed to use.
Hits are derived from the intelligence provided by the ACSC, from other sources such as CyberCX and CrowdStrike, and from investigations. See the threat intelligence sources section below for further details. The results do not take into account environmental factors specific to your computer or network.
Packs.CyberCX.Windows.ScheduledTasks
- Those provided by the ACSC 2020-008 report on ‘Copy and Paste’ attacks, which is marked Traffic Light Protocol (TLP) White.
- Investigations performed by CyberCX
- Investigations performed by CrowdStrike
- Contributions from the community
 
A hit does not necessarily indicate that your system is compromised, but it may be indicative of attacker activity. It is recommended that you review each detection in context to confirm whether the hit is definitively malicious or a false positive, and to establish what activity may have occurred. Guidance on how to approach these investigations is provided within this section.
This section provides general guidance on how to determine whether a hit is indicative of malicious activity. Refer to the specific detection results in the report generated by CCX Digger when conducting the investigation, as some of the content below may not be applicable to your system.
- Examine the task definition to determine whether the execution is expected behaviour, and whether the location of the task (and of the batch file it runs) is also expected. It is unusual for a legitimate scheduled task to execute a batch file.
- Examine the batch file itself to confirm it is authorised to execute. Further investigation of its contents is recommended to identify what the file may do.
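The following is an added example, not part of the CCX Digger wiki or the CyberCX artifact, showing the kind of check the detection above performs and the fields an investigator would want to pull when triaging a hit. It parses the task XML that Windows stores under C:\Windows\System32\Tasks, extracts the registration author and date, the account the task runs as, its trigger types and its Exec actions, and flags any task whose command or arguments reference a .bat file. The two task definitions embedded in the block are constructed for illustration (the `CORP\jsmith` author, the `C:\Users\Public\update.bat` path and the vendor updater are all hypothetical), and the `.bat` extension match is an assumption taken from the page's description rather than the artifact's actual rule.

```python
"""Flag Windows scheduled tasks whose action runs a batch file.

Added example for triage, not CCX Digger's own code. Task definitions on disk are
XML (usually UTF-16 with a BOM); the parsing here is separated from file I/O so
the same logic can be run over files, a mounted image, or inline samples.
"""
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
TASKS_DIR = r"C:\Windows\System32\Tasks"
# Assumption: a reference to a .bat file anywhere in the command or its arguments
# (e.g. "cmd.exe /c C:\path\x.bat") is what the page describes as the hit condition.
BAT_RE = re.compile(r"\.bat\b", re.IGNORECASE)


def _find_text(node, *path):
    """Return stripped text of the namespaced child at `path`, or '' if absent."""
    el = node.find("/".join(TASK_NS + p for p in path))
    return (el.text or "").strip() if el is not None else ""


def parse_task(xml_text, source="<inline>"):
    """Parse one task definition and return the fields useful for triage."""
    # The on-disk declaration claims UTF-16; once decoded to str, drop it so the
    # parser does not second-guess the encoding.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    trig_el = root.find(TASK_NS + "Triggers")
    triggers = [t.tag.replace(TASK_NS, "") for t in trig_el] if trig_el is not None else []
    actions = [(_find_text(ex, "Command"), _find_text(ex, "Arguments"))
               for ex in root.iter(TASK_NS + "Exec")]
    runs_bat = any(BAT_RE.search(cmd) or BAT_RE.search(args) for cmd, args in actions)
    return {
        "source": source,
        "author": _find_text(root, "RegistrationInfo", "Author"),
        "registered": _find_text(root, "RegistrationInfo", "Date"),
        "run_as": _find_text(root, "Principals", "Principal", "UserId"),
        "run_level": _find_text(root, "Principals", "Principal", "RunLevel"),
        "triggers": triggers,
        "actions": actions,
        "runs_bat": bool(runs_bat),
    }


def flag_bat_tasks(task_texts):
    """Given {name: xml_text}, return the parsed tasks that execute a batch file."""
    return [t for t in (parse_task(x, name) for name, x in task_texts.items()) if t["runs_bat"]]


def load_tasks_dir(tasks_dir=TASKS_DIR):
    """Read every task file under `tasks_dir` (live system or mounted image) into {relpath: text}."""
    texts = {}
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
            texts[os.path.relpath(path, tasks_dir)] = raw.decode(enc, "replace")
    return texts


# Constructed samples (hypothetical names and paths), not real task files.
SAMPLE_TASKS = {
    "Updater": r"""
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example Vendor</Author><Date>2019-11-02T10:00:00</Date></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2019-11-02T10:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Example\updater.exe</Command>
    <Arguments>/silent</Arguments></Exec></Actions>
</Task>""",
    "Microsoft\\Windows\\SystemUpdate": r"""
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\jsmith</Author><Date>2020-06-12T03:14:07</Date></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>cmd.exe</Command>
    <Arguments>/c C:\Users\Public\update.bat</Arguments></Exec></Actions>
</Task>""",
}


if __name__ == "__main__":
    # Use load_tasks_dir() instead of SAMPLE_TASKS to run against a real Tasks folder.
    for hit in flag_bat_tasks(SAMPLE_TASKS):
        print(f"[HIT] {hit['source']}: author={hit['author']!r} registered={hit['registered']} "
              f"run_as={hit['run_as']} level={hit['run_level']} triggers={hit['triggers']}")
        for cmd, args in hit["actions"]:
            print(f"       action: {cmd} {args}")
```

For a real hit, the fields printed are the ones the guidance above asks you to weigh: a task nested under a Microsoft-looking folder but registered by an ordinary domain user, running as SYSTEM at logon, and launching a batch file from a world-writable location is the combination to treat as suspicious until the batch file's contents prove otherwise.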
 
If you have followed the investigations to confirm the validity of the findings, and believe your system may be at risk, please visit the Need Help? page for further instructions. Please refer to the same page for further context on how to use this wiki.