
Scheduled Task/Job: Windows Task Scheduler

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the PowerShell cmdlet `Invoke-CimMethod`, which leverages the WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team) An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to System Binary Proxy Execution, adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent) Adversaries may also create "hidden" scheduled tasks (i.e. Hide Artifacts) that may not be visible to defender tools and manual queries used to enumerate tasks.
Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)
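The paragraph above describes tasks hidden from `schtasks /query` by removing the SD value or altering the `Index` value under the TaskCache registry keys. The following is an added audit script (not code from this page or from MITRE ATT&CK) that walks the TaskCache\Tree subtree, flags entries with no SD value, cross-checks every entry against what `Get-ScheduledTask` reports, and reports an unusual `Index` value. It assumes an elevated session on Windows 8 / Server 2012 or later, and it assumes (not stated on the page) that a normally registered task carries `Index = 3`.

```powershell
# Added example, not code from the ATT&CK/SECURITM page. Audits the Task Scheduler
# registry cache for tasks hidden from schtasks /query and the GUI (SD value deleted)
# and for entries whose Index value looks unusual. Run in an elevated PowerShell
# session on Windows 8 / Server 2012 or later (Get-ScheduledTask is required).

$TaskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-TaskCacheEntry {
    # Emits one object per task registered under TaskCache\Tree.
    Get-ChildItem -Path "$TaskCache\Tree" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tree = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Folder keys carry no Id value; task keys do.
            if ($null -eq $tree -or $null -eq $tree.Id) { return }

            # Task path as the scheduler shows it, e.g. \Microsoft\Windows\Foo\Bar
            $taskPath = $_.Name -replace '^.*\\TaskCache\\Tree', ''

            # The Tasks\{GUID} key holds the task body; Path and Author are plain strings.
            $body = Get-ItemProperty -Path "$TaskCache\Tasks\$($tree.Id)" -ErrorAction SilentlyContinue

            [PSCustomObject]@{
                TaskPath = $taskPath
                Id       = $tree.Id
                Index    = $tree.Index
                HasSD    = ($null -ne $tree.SD)   # deleted SD value = hidden task
                Author   = $body.Author
                BodyPath = $body.Path
            }
        }
}

function Find-HiddenScheduledTask {
    # Cross-checks registry entries against what the Task Scheduler API reports.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        # TaskPath ends with a backslash, so TaskPath + TaskName matches the Tree layout.
        $visible[($_.TaskPath + $_.TaskName).ToLowerInvariant()] = $true
    }

    Get-TaskCacheEntry | ForEach-Object {
        $key = $_.TaskPath.ToLowerInvariant()
        $reasons = @()
        if (-not $_.HasSD)       { $reasons += 'SD value missing' }
        if (-not $visible[$key]) { $reasons += 'not returned by Get-ScheduledTask' }
        # Assumption: a normally registered task carries Index = 3; other values merit review.
        if ($_.Index -ne 3)      { $reasons += "unusual Index ($($_.Index))" }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                TaskPath = $_.TaskPath
                Id       = $_.Id
                Author   = $_.Author
                BodyPath = $_.BodyPath
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Usage: list suspicious entries; an empty result means nothing hidden was found.
Find-HiddenScheduledTask | Format-Table -AutoSize -Wrap
```

Entries flagged only as "not returned by Get-ScheduledTask" can also be tasks the current session lacks permission to read, so confirm each hit by inspecting the Tasks\{GUID} key and the corresponding Task Scheduler event log channel before treating it as malicious.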

ID: T1053.005
Parent technique: T1053
Tactic(s): Execution, Persistence, Privilege Escalation
Platforms: Windows
Data sources: Command: Command Execution, File: File Creation, File: File Modification, Network Traffic: Network Traffic Flow, Process: Process Creation, Scheduled Job: Scheduled Job Creation, Windows Registry: Windows Registry Key Creation
Version: 1.7
Created: 27 Nov 2019
Last modified: 15 Apr 2025

Procedure Examples

Name / Description
TrickBot

TrickBot creates a scheduled task on the system that provides persistence.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Totbrick Oct 2016)(Citation: Microsoft Totbrick Oct 2017)

Bumblebee

Bumblebee can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

GRIFFON

GRIFFON has used schtasks for persistence.(Citation: SecureList Griffon May 2019)

yty

yty establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR “ + path_file + “/ST 09:30“.(Citation: ASERT Donot March 2018)

Stuxnet

Stuxnet schedules a network job to execute two minutes after host infection.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)

POWRUNER

POWRUNER persists through a scheduled task that executes it every minute.(Citation: FireEye APT34 Dec 2017)

SharpStage

SharpStage has a persistence component to write a scheduled task for the payload.(Citation: Cybereason Molerats Dec 2020)

Smoke Loader

Smoke Loader launches a scheduled task.(Citation: Talos Smoke Loader July 2018)

PowerSploit

PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via a Scheduled Task/Job.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Matryoshka

Matryoshka can establish persistence by adding a Scheduled Task named "Microsoft Boost Kernel Optimization".(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)

GravityRAT

GravityRAT creates a scheduled task to ensure it is re-executed every day.(Citation: Talos GravityRAT)

Prestige

Prestige has been executed on a target system through a scheduled task created by Sandworm Team using Impacket.(Citation: Microsoft Prestige ransomware October 2022)

SharpDisco

SharpDisco can create scheduled tasks to execute reverse shells that read and write data to and from specified SMB shares.(Citation: MoustachedBouncer ESET August 2023)

RainyDay

RainyDay can use scheduled tasks to achieve persistence.(Citation: Bitdefender Naikon April 2021)

NETWIRE

NETWIRE can create a scheduled task to establish persistence.(Citation: FireEye NETWIRE March 2019)

Bad Rabbit

Bad Rabbit’s infpub.dat file creates a scheduled task to launch a malicious executable.(Citation: Secure List Bad Rabbit)

CosmicDuke

CosmicDuke uses scheduled tasks typically named "Watchmon Service" for persistence.(Citation: F-Secure Cosmicduke)

IMAPLoader

IMAPLoader creates scheduled tasks for persistence based on the operating system version of the victim machine.(Citation: PWC Yellow Liderc 2023)

Emotet

Emotet has maintained persistence through a scheduled task, e.g. through a .dll file in the Registry.(Citation: US-CERT Emotet Jul 2018)(Citation: emotet_hc3_nov2023)

Tomiris

Tomiris has used `SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "[path to self]" /ST 10:00` to establish persistence.(Citation: Kaspersky Tomiris Sep 2021)

Empire

Empire has modules to interact with the Windows task scheduler.(Citation: Github PowerShell Empire)

BADHATCH

BADHATCH can use `schtasks.exe` to gain persistence.(Citation: BitDefender BADHATCH Mar 2021)

Machete

The different components of Machete are executed by Windows Task Scheduler.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)

InvisiMole

InvisiMole has used scheduled tasks named MSST and \Microsoft\Windows\Autochk\Scheduled to establish persistence.(Citation: ESET InvisiMole June 2020)

Apostle

Apostle achieves persistence by creating a scheduled task, such as MicrosoftCrashHandlerUAC.(Citation: SentinelOne Agrius 2021)

Okrum

Okrum's installer can attempt to achieve persistence by creating a scheduled task.(Citation: ESET Okrum July 2019)

RemoteCMD

RemoteCMD can execute commands remotely by creating a new scheduled task on the remote system.(Citation: Symantec Buckeye)

IcedID

IcedID has created a scheduled task to establish persistence.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: DFIR_Sodinokibi_Ransomware)

Nightdoor

Nightdoor uses scheduled tasks for persistence to load the final malware payload into memory.(Citation: Symantec Daggerfly 2024)

CSPY Downloader

CSPY Downloader can use the schtasks utility to bypass UAC.(Citation: Cybereason Kimsuky November 2020)

CHIMNEYSWEEP

CHIMNEYSWEEP can use the Windows `SilentCleanup` scheduled task to enable payload execution.(Citation: Mandiant ROADSWEEP August 2022)

Lucifer

Lucifer has established persistence by creating the following scheduled task schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\%USERPROFILE%\Downloads\spread.exe /F.(Citation: Unit 42 Lucifer June 2020)

zwShell

zwShell has used SchTasks for execution.(Citation: McAfee Night Dragon)

NotPetya

NotPetya creates a task to reboot the system one hour after infection.(Citation: Talos Nyetya June 2017)

ISMInjector

ISMInjector creates scheduled tasks to establish persistence.(Citation: OilRig New Delivery Oct 2017)

GoldMax

GoldMax has used scheduled tasks to maintain persistence.(Citation: MSTIC NOBELIUM Mar 2021)

Anchor

Anchor can create a scheduled task for persistence.(Citation: Cyberreason Anchor December 2019)

Pteranodon

Pteranodon schedules tasks to invoke its components in order to establish persistence.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: Symantec Shuckworm January 2022)

DarkWatchman

DarkWatchman has created a scheduled task for persistence.(Citation: Prevailion DarkWatchman 2021)

Dyre

Dyre has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.(Citation: Malwarebytes Dyreza November 2015)

MultiLayer Wiper

MultiLayer Wiper creates a malicious scheduled task that launches a batch file to remove Windows Event Logs.(Citation: Unit42 Agrius 2023)

Duqu

Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.(Citation: Symantec W32.Duqu)

AsyncRAT

AsyncRAT can create a scheduled task to maintain persistence on system start-up.(Citation: Telefonica Snip3 December 2021)

Agent Tesla

Agent Tesla has achieved persistence via scheduled tasks.(Citation: SentinelLabs Agent Tesla Aug 2020)

SVCReady

SVCReady can create a scheduled task named `RecoveryExTask` to gain persistence.(Citation: HP SVCReady Jun 2022)

Gazer

Gazer can establish persistence by creating a scheduled task.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)

Latrodectus

Latrodectus can create scheduled tasks for persistence.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)

Saint Bot

Saint Bot has created a scheduled task named "Maintenance" to establish persistence.(Citation: Malwarebytes Saint Bot April 2021)

QUADAGENT

QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine.(Citation: Unit 42 QUADAGENT July 2018)

Spica

Spica has created a scheduled task named `CalendarChecker` to establish persistence.(Citation: Google TAG COLDRIVER January 2024)

MagicRAT

MagicRAT can persist via scheduled tasks.(Citation: Cisco MagicRAT 2022)

Shamoon

Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)

JHUHUGIT

JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.(Citation: ESET Sednit Part 1)(Citation: ESET Sednit July 2015)

OopsIE

OopsIE creates a scheduled task to run itself every three minutes.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018)

Attor

Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon.(Citation: ESET Attor Oct 2019)

SQLRat

SQLRat has created scheduled tasks in %appdata%\Roaming\Microsoft\Templates\.(Citation: Flashpoint FIN 7 March 2019)

LitePower

LitePower can create a scheduled task to enable persistence mechanisms.(Citation: Kaspersky WIRTE November 2021)

Crutch

Crutch has the ability to persist using scheduled tasks.(Citation: ESET Crutch December 2020)

RTM

RTM tries to add a scheduled task to establish persistence.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

BlackByte Ransomware

BlackByte Ransomware creates a scheduled task to execute remotely deployed ransomware payloads.(Citation: Trustwave BlackByte 2021)

MCMD

MCMD can use scheduled tasks for persistence.(Citation: Secureworks MCMD July 2019)

Sibot

Sibot has been executed via a scheduled task.(Citation: MSTIC NOBELIUM Mar 2021)

ZxxZ

ZxxZ has used scheduled tasks for persistence and execution.(Citation: Cisco Talos Bitter Bangladesh May 2022)

Tarrask

Tarrask is able to create “hidden” scheduled tasks for persistence.(Citation: Tarrask scheduled task)

Bazar

Bazar can create a scheduled task for persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

SUGARDUMP

SUGARDUMP has created scheduled tasks called `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` and `MicrosoftEdgeCrashRepoeterTaskMachineUA`, which were configured to execute `CrashReporter.exe` during user logon.(Citation: Mandiant UNC3890 Aug 2022)

XLoader

XLoader can create scheduled tasks for persistence.(Citation: Netskope XLoader 2022)

Ryuk

Ryuk can remotely create a scheduled task to execute itself on a system.(Citation: ANSSI RYUK RANSOMWARE)

HermeticWiper

HermeticWiper has the ability to use scheduled tasks for execution.(Citation: Symantec Ukraine Wipers February 2022)

ccf32

ccf32 can run on a daily basis using a scheduled task.(Citation: Bitdefender FunnyDream Campaign November 2020)

Kapeka

Kapeka persists via scheduled tasks.(Citation: Microsoft KnuckleTouch 2024)(Citation: WithSecure Kapeka 2024)

LockBit 2.0

LockBit 2.0 can be executed via scheduled task.(Citation: Palo Alto Lockbit 2.0 JUN 2022)

Zebrocy

Zebrocy has a command to create a scheduled task for persistence.(Citation: CISA Zebrocy Oct 2020)

EvilBunny

EvilBunny has executed commands via scheduled tasks.(Citation: Cyphort EvilBunny Dec 2014)

HotCroissant

HotCroissant has attempted to install a scheduled task named “Java Maintenance64” on startup to establish persistence.(Citation: Carbon Black HotCroissant April 2020)

ServHelper

ServHelper contains modules that will use schtasks to carry out malicious operations.(Citation: Proofpoint TA505 Jan 2019)

Valak

Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)

Milan

Milan can establish persistence on a targeted host with scheduled tasks.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

IronNetInjector

IronNetInjector has used a task XML file named mssch.xml to run an IronPython script when a user logs in or when specific system events are created.(Citation: Unit 42 IronNetInjector February 2021)

Carbon

Carbon creates several tasks for later execution to continue persistence on the victim’s machine.(Citation: ESET Carbon Mar 2017)

DanBot

DanBot can use a scheduled task for installation.(Citation: SecureWorks August 2019)

Solar

Solar can create scheduled tasks named Earth and Venus, which run every 30 and 40 seconds respectively, to support C2 and exfiltration.(Citation: ESET OilRig Campaigns Sep 2023)

Ramsay

Ramsay can schedule tasks via the Windows COM API to maintain persistence.(Citation: Eset Ramsay May 2020)

Revenge RAT

Revenge RAT schedules tasks to run malicious scripts at different intervals.(Citation: Cofense RevengeRAT Feb 2019)

BackConfig

BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020)

Mango

Mango can create a scheduled task to run every 32 seconds to communicate with C2 and execute received commands.(Citation: ESET OilRig Campaigns Sep 2023)

Koadic

Koadic has used scheduled tasks to add persistence.(Citation: MalwareBytes LazyScripter Feb 2021)

schtasks

schtasks is used to schedule tasks on a Windows system to run at a specific date and time.(Citation: TechNet Schtasks)

GrimAgent

GrimAgent has the ability to set persistence using the Task Scheduler.(Citation: Group IB GrimAgent July 2021)

Lokibot

Lokibot embedded the commands schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I inside a batch script.(Citation: Talos Lokibot Jan 2021)

BabyShark

BabyShark has used scheduled tasks to maintain persistence.(Citation: Crowdstrike GTR2020 Mar 2020)

BONDUPDATER

BONDUPDATER persists using a scheduled task that executes every minute.(Citation: Palo Alto OilRig Sep 2018)

Meteor

Meteor execution begins from a scheduled task named `Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll` and it creates a separate scheduled task called `mstask` to run the wiper only once at 23:55:00.(Citation: Check Point Meteor Aug 2021)

Maze

Maze has created scheduled tasks using name variants such as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update", to launch Maze at a specific time.(Citation: Sophos Maze VM September 2020)

QuasarRAT

QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.(Citation: Volexity Patchwork June 2018)(Citation: CISA AR18-352A Quasar RAT December 2018)

ComRAT

ComRAT has used a scheduled task to launch its PowerShell loader.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

POWERSTATS

POWERSTATS has established persistence through a scheduled task using the command "C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe".(Citation: ClearSky MuddyWater Nov 2018)

Disco

Disco can create a scheduled task to run every minute for persistence.(Citation: MoustachedBouncer ESET August 2023)

AppleJeus

AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.(Citation: CISA AppleJeus Feb 2021)

SoreFang

SoreFang can gain persistence through use of scheduled tasks.(Citation: CISA SoreFang July 2016)

CozyCar

One persistence mechanism used by CozyCar is to register itself as a scheduled task.(Citation: F-Secure CozyDuke)

BADNEWS

BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute.(Citation: PaloAlto Patchwork Mar 2018)

Goopy

Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour.(Citation: Cybereason Cobalt Kitty 2017)

Remexi

Remexi utilizes scheduled tasks as a persistence mechanism.(Citation: Securelist Remexi Jan 2019)

QakBot

QakBot has the ability to create scheduled tasks for persistence.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)

Helminth

Helminth has used a scheduled task for persistence.(Citation: ClearSky OilRig Jan 2017)

Dridex

Dridex can maintain persistence via the creation of scheduled tasks within system directories such as `windows\system32\`, `windows\syswow64,` `winnt\system32`, and `winnt\syswow64`.(Citation: Red Canary Dridex Threat Report 2021)

JSS Loader

JSS Loader has the ability to launch scheduled tasks to establish persistence.(Citation: CrowdStrike Carbon Spider August 2021)

Frankenstein

Frankenstein has established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR , named "WinUpdate".(Citation: Talos Frankenstein June 2019)

Operation Wocao

Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems.(Citation: FoxIT Wocao December 2019)

APT33

APT33 has created a scheduled task to execute a .vbe file multiple times a day.(Citation: Symantec Elfin Mar 2019)

Fox Kitten

Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: ClearSky Pay2Kitten December 2020)

Lazarus Group

Lazarus Group has used schtasks for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021)

Gamaredon Group

Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: unit42_gamaredon_dec2022)

APT29

APT29 has used named and hijacked scheduled tasks to establish persistence.(Citation: Mandiant No Easy Breach)

TA2541

TA2541 has used scheduled tasks to establish persistence for installed tools.(Citation: Proofpoint TA2541 February 2022)

APT39

APT39 has created scheduled tasks for persistence.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020)

APT38

APT38 has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.(Citation: CISA AA20-239A BeagleBoyz August 2020) Additionally, APT38 has used living-off-the-land scripts to execute a malicious script via a scheduled task.(Citation: 1 - appv)

MuddyWater

MuddyWater has used scheduled tasks to establish persistence.(Citation: Reaqta MuddyWater November 2017)

Dragonfly 2.0

Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

BRONZE BUTLER

BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.(Citation: Secureworks BRONZE BUTLER Oct 2017)

Machete

Machete has created scheduled tasks to maintain Machete's persistence.(Citation: 360 Machete Sep 2020)

Machete

Machete used scheduled tasks for persistence.(Citation: Cylance Machete Mar 2017)

Molerats

Molerats has created scheduled tasks to persistently run VBScripts.(Citation: Unit42 Molerat Mar 2020)

BlackByte

BlackByte created scheduled tasks for payload execution.(Citation: FBI BlackByte 2022)(Citation: Picus BlackByte 2022)

Silence

Silence has used scheduled tasks to stage its operation.(Citation: Cyber Forensicator Silence Jan 2019)

Wizard Spider

Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Mandiant FIN12 Oct 2021)

Confucius

Confucius has created scheduled tasks to maintain persistence on a compromised host.(Citation: TrendMicro Confucius APT Aug 2021)

APT32

APT32 has used scheduled tasks to persist on victim systems.(Citation: FireEye APT32 May 2017)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)

Higaisa

Higaisa dropped and added officeupdate.exe to scheduled tasks.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

Dragonfly

Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.(Citation: US-CERT TA18-074A)

Naikon

Naikon has used schtasks.exe for lateral movement in compromised networks.(Citation: Bitdefender Naikon April 2021)

OilRig

OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021)

TEMP.Veles

TEMP.Veles has used scheduled task XML triggers.(Citation: FireEye TRITON 2019)

LuminousMoth

LuminousMoth has created scheduled tasks to establish persistence for their tools.(Citation: Bitdefender LuminousMoth July 2021)

APT37

APT37 has created scheduled tasks to run malicious scripts on a compromised host.(Citation: Volexity InkySquid RokRAT August 2021)

Chimera

Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st and to maintain persistence.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

HEXANE

HEXANE has used a scheduled task to establish persistence for a keylogger.(Citation: Kaspersky Lyceum October 2021)

FIN7

FIN7 malware has created scheduled tasks to establish persistence.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)

APT-C-36

APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)

FIN13

FIN13 has created scheduled tasks in the `C:\Windows` directory of the compromised network.(Citation: Mandiant FIN13 Aug 2022)

Kimsuky

Kimsuky has downloaded additional malware with scheduled tasks.(Citation: KISA Operation Muzabi)

BITTER

BITTER has used scheduled tasks for persistence and execution.(Citation: Cisco Talos Bitter Bangladesh May 2022)

Sandworm Team

Sandworm Team leveraged SHARPIVORY, a .NET dropper that writes an embedded payload to disk and uses scheduled tasks to persist on victim machines.(Citation: mandiant_apt44_unearthing_sandworm)

Magic Hound

Magic Hound has used scheduled tasks to establish persistence and execution.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)

menuPass

menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.(Citation: PWC Cloud Hopper Technical Annex April 2017)

ToddyCat

ToddyCat has used scheduled tasks to execute discovery commands and scripts for collection.(Citation: Kaspersky ToddyCat Check Logs October 2023)

Patchwork

A Patchwork file stealer can run a TaskScheduler DLL to add persistence.(Citation: TrendMicro Patchwork Dec 2017)

Moonstone Sleet

Moonstone Sleet used scheduled tasks for program execution during initial access to victim machines.(Citation: Microsoft Moonstone Sleet 2024)

Mustang Panda

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: McAfee Dianxun March 2021)

Ember Bear

Ember Bear uses remotely scheduled tasks to facilitate remote command execution on victim machines.(Citation: Cadet Blizzard emerges as novel threat actor)

RedCurl

RedCurl has created scheduled tasks for persistence.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)(Citation: trendmicro_redcurl)

APT42

APT42 has used scheduled tasks for persistence.(Citation: Mandiant APT42-charms)

FIN10

FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)

APT3

An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System".(Citation: FireEye Operation Double Tap)

Winter Vivern

Winter Vivern executed PowerShell scripts that would subsequently attempt to establish persistence by creating scheduled tasks objects to periodically retrieve and execute remotely-hosted payloads.(Citation: DomainTools WinterVivern 2021)

GALLIUM

GALLIUM established persistence for PoisonIvy by creating a scheduled task.(Citation: Cybereason Soft Cell June 2019)

Blue Mockingbird

Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.(Citation: RedCanary Mockingbird May 2020)

Daggerfly

Daggerfly has attempted to use scheduled tasks for persistence in victim environments.(Citation: ESET EvasivePanda 2024)

FIN6

FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.(Citation: FireEye FIN6 April 2016)

Cobalt Group

Cobalt Group has created Windows tasks to establish persistence.(Citation: Group IB Cobalt Aug 2017)

APT41

APT41 used a compromised account to create a scheduled task on a system.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)

UNC2452

UNC2452 used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement.(Citation: Volexity SolarWinds) They also manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration.(Citation: FireEye SUNBURST Backdoor December 2020) UNC2452 also created a scheduled task to maintain SUNSPOT persistence when the host booted.(Citation: CrowdStrike SUNSPOT Implant January 2021)

FIN8

FIN8 has used scheduled tasks to maintain RDP backdoors.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Stealth Falcon

Stealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly.(Citation: Citizen Lab Stealth Falcon May 2016)

Rancor

Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command.(Citation: Rancor Unit42 June 2018)

Mitigations

Mitigation / Description
Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing. This mitigation can be implemented through the following measures:

Account Permissions and Roles:
- Implement RBAC and least privilege principles to allocate permissions securely.
- Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:
- Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
- Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):
- Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):
- Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:
- Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:
- Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

*Tools for Implementation*

Privileged Access Management (PAM):
- CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:
- Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:
- Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:
- sudo configuration, SELinux, AppArmor.

Just-In-Time Access:
- Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege
- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted.
- Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies
- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse.
- Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts
- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits.
- Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies
- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes.
- Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts
- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics.
- Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins
- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions.
- Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:
- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement.
- Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:
- Okta: Centralized user provisioning, MFA, and SSO integration.
- Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM):
- CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.
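The password, lockout and dormant-account measures above translate directly into checks an administrator can script. The following is an added example, not part of the original page: it compares the domain's default password and lockout policy with the thresholds named above (five failed attempts, a 15-minute lockout, 90-day expiry, no reuse) and lists enabled user accounts that have been inactive for 30 days, disabling them only when asked. It assumes the RSAT ActiveDirectory module and an account that can read the domain and, for the disable step, modify user objects.

```powershell
# Added example, not part of the original page: compare the domain's default password
# and lockout policy with the thresholds named in the text (five failed attempts,
# 15-minute lockout, 90-day expiry, no reuse) and find enabled user accounts inactive
# for 30 days, disabling them only when asked. Assumes the RSAT ActiveDirectory module
# and an account that can read the domain and, for the disable step, modify user objects.

Import-Module ActiveDirectory

function Test-DomainAccountPolicy {
    $policy = Get-ADDefaultDomainPasswordPolicy
    # Each entry is the rule a setting must satisfy; adjust to your own standard.
    $rules = [ordered]@{
        LockoutThreshold     = { $policy.LockoutThreshold -ge 1 -and $policy.LockoutThreshold -le 5 }
        LockoutDuration      = { $policy.LockoutDuration -ge [timespan]'00:15:00' }
        MaxPasswordAge       = { $policy.MaxPasswordAge -gt [timespan]::Zero -and $policy.MaxPasswordAge -le [timespan]'90.00:00:00' }
        ComplexityEnabled    = { $policy.ComplexityEnabled }
        PasswordHistoryCount = { $policy.PasswordHistoryCount -ge 1 }   # any history length blocks immediate reuse
    }
    foreach ($name in $rules.Keys) {
        [pscustomobject]@{
            Setting   = $name
            Current   = $policy.$name
            Compliant = [bool](& $rules[$name])
        }
    }
}

function Disable-DormantUserAccount {
    # Enabled user accounts whose last logon is older than -InactiveDays. Accounts that
    # have never logged on report a blank LastLogonDate and deserve a manual look.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$InactiveDays = 30)
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, "Disable account (last logon: $($_.LastLogonDate))")) {
                Disable-ADAccount -Identity $_
            }
            $_ | Select-Object SamAccountName, LastLogonDate, DistinguishedName
        }
}

# Usage: check the policy, preview which accounts would be disabled, then apply with confirmation.
Test-DomainAccountPolicy | Format-Table -AutoSize
Disable-DormantUserAccount -WhatIf
# Disable-DormantUserAccount -Confirm
```

Running the disable step with `-WhatIf` first matters in practice: service accounts and shared mailboxes often show long inactivity without being orphaned, so the candidate list should be reviewed against the account inventory before anything is disabled.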

Audit

Auditing is the process of recording activity and systematically reviewing and analyzing that activity together with system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a file server. It is considered more critical for regulated industries such as healthcare, finance, and government, where compliance requirements demand stringent tracking of user and system activities. This mitigation can be implemented through the following measures:

System Audit:
- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
- Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:
- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
- Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:
- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
- Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:
- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
- Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:
- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
- Implementation: Utilize tools such as Wireshark or Zeek to monitor and log suspicious network behavior.

Operating System Configuration

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:

Disable Unused Features:
- Turn off SMBv1, LLMNR, and NetBIOS where not needed.
- Disable remote registry and unnecessary services.

Enforce OS-level Protections:
- Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows.
- Use AppArmor or SELinux on Linux for mandatory access controls.

Secure Access Settings:
- Enable User Account Control (UAC) for Windows.
- Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

File System Hardening:
- Implement least-privilege access for critical files and system directories.
- Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

Secure Remote Access:
- Restrict RDP, SSH, and VNC to authorized IPs using firewall rules.
- Enable NLA for RDP and enforce strong password/lockout policies.

Harden Boot Configurations:
- Enable Secure Boot and enforce UEFI/BIOS password protection.
- Use BitLocker or LUKS to encrypt boot drives.

Regular Audits:
- Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

*Tools for Implementation*

Windows:
- Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings.
- Windows Defender Exploit Guard: Built-in OS protection against exploits.
- CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

Linux/macOS:
- AppArmor/SELinux: Enforce mandatory access controls.
- Lynis: Perform comprehensive security audits.
- SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

Cross-Platform:
- Ansible or Chef/Puppet: Automate configuration hardening at scale.
- OpenSCAP: Perform compliance and configuration checks.
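Several of the Windows settings above (SMBv1, LLMNR, Remote Registry, NLA for RDP, UAC, DEP/ASLR/CFG, Secure Boot) can be audited from one script. The block below is an added example, not part of the original page: it reports each setting's compliance and changes nothing unless `-Remediate` is given, in which case it honours `-WhatIf` and `-Confirm`. It assumes an elevated Windows PowerShell 5.1+ session on Windows 10 / Server 2016 or later; the registry paths and cmdlets are the standard ones for these settings, and Secure Boot is reported only, since it is a firmware setting.

```powershell
# Added example, not part of the original page: audit a Windows host against several of
# the settings listed in the text and report drift, changing anything only when -Remediate
# is given (and then honouring -WhatIf/-Confirm). Assumes an elevated Windows PowerShell
# 5.1+ session on Windows 10 / Server 2016 or later; the registry paths and cmdlets are
# the standard ones for these settings. Secure Boot is reported only (firmware setting).

function Test-OsHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $rdpTcp    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $uacPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $checks = @(
        @{ Name = 'SMBv1 server protocol disabled'
           Test = { -not (Get-SmbServerConfiguration).EnableSMB1Protocol }
           Fix  = { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force } },
        @{ Name = 'LLMNR disabled (EnableMulticast = 0)'
           Test = { (Get-ItemProperty $dnsPolicy -ErrorAction Stop).EnableMulticast -eq 0 }
           Fix  = { New-Item $dnsPolicy -Force | Out-Null
                    Set-ItemProperty $dnsPolicy -Name EnableMulticast -Value 0 -Type DWord } },
        @{ Name = 'Remote Registry service disabled'
           Test = { (Get-Service RemoteRegistry).StartType -eq 'Disabled' }
           Fix  = { Stop-Service RemoteRegistry -Force -ErrorAction SilentlyContinue
                    Set-Service RemoteRegistry -StartupType Disabled } },
        @{ Name = 'RDP requires Network Level Authentication'
           Test = { (Get-ItemProperty $rdpTcp).UserAuthentication -eq 1 }
           Fix  = { Set-ItemProperty $rdpTcp -Name UserAuthentication -Value 1 -Type DWord } },
        @{ Name = 'UAC enabled (EnableLUA = 1)'
           Test = { (Get-ItemProperty $uacPolicy).EnableLUA -eq 1 }
           Fix  = { Set-ItemProperty $uacPolicy -Name EnableLUA -Value 1 -Type DWord } },
        @{ Name = 'DEP, ASLR (bottom-up + high entropy) and CFG explicitly ON system-wide'
           # NOTSET means the Windows default applies; this check wants the setting made explicit.
           Test = { $m = Get-ProcessMitigation -System
                    $m.DEP.Enable -eq 'ON' -and $m.ASLR.BottomUp -eq 'ON' -and
                    $m.ASLR.HighEntropy -eq 'ON' -and $m.CFG.Enable -eq 'ON' }
           Fix  = { Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, CFG } },
        @{ Name = 'Secure Boot enabled (UEFI firmware setting; report only)'
           Test = { Confirm-SecureBootUEFI }
           Fix  = $null }
    )

    foreach ($c in $checks) {
        # A missing key, service or cmdlet throws; treat that as non-compliant rather than silently passing.
        try { $ok = [bool](& $c.Test) } catch { $ok = $false }
        if (-not $ok -and $Remediate -and $c.Fix -and $PSCmdlet.ShouldProcess($c.Name, 'Remediate')) {
            & $c.Fix
            try { $ok = [bool](& $c.Test) } catch { $ok = $false }
        }
        [pscustomobject]@{ Check = $c.Name; Compliant = $ok }
    }
}

# Report only:
Test-OsHardening | Format-Table -AutoSize
# Preview the changes that would be made, then apply with per-item confirmation:
# Test-OsHardening -Remediate -WhatIf
# Test-OsHardening -Remediate -Confirm
```

The check/fix pairs are kept as data so the same loop reports, previews and remediates; adding a setting is one more hashtable entry, and a `Fix` of `$null` marks settings that can only be changed outside the OS.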

Detection

Monitor process execution from svchost.exe in Windows 10 and from the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.

Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)

* Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered
* Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated
* Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted
* Event ID 4698 on Windows 10, Server 2016 - Scheduled task created
* Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled
* Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled

Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
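The detection guidance above boils down to two data sources: the 4698/4702 events, which carry the full task definition as XML, and the task store under %systemroot%\System32\Tasks. The following is an added example, not part of the original page: it parses recent task creation and update events, extracts the principal, settings and Exec actions from the embedded XML, and flags registrations worth an analyst's attention; it then lists recently changed task files and whether the Task Scheduler service still reports a task at that path. It assumes an elevated Windows PowerShell 5.1+ session on Windows 10 / Server 2016 or later with "Audit Other Object Access Events" enabled, so that 4698/4702 are written to the Security log. The path and argument patterns are illustrative triage heuristics, not a signature set.

```powershell
# Added example, not part of the original page: triage scheduled-task creation and
# modification events and cross-check the on-disk task store against what the
# Task Scheduler service reports. Assumes an elevated Windows PowerShell 5.1+
# session on Windows 10 / Server 2016 or later with "Audit Other Object Access
# Events" enabled, so that events 4698/4702 are written to the Security log.
# The path and argument patterns below are illustrative triage heuristics.

$UserWritablePath = '(?i)\\(Users|ProgramData|Temp|AppData|Public)\\'
$ScriptHost       = '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|msiexec|certutil|bitsadmin)(\.exe)?$'
$RiskyArguments   = '(?i)(-e(c|nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|https?://|frombase64string|iex\b|invoke-expression)'

function Enable-TaskSchedulerOperationalLog {
    # Turns on the Microsoft-Windows-TaskScheduler/Operational channel (events 106/140/141 and related).
    wevtutil.exe sl Microsoft-Windows-TaskScheduler/Operational /e:true
}

function Get-TaskRegistrationSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4698, 4702; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $event = [xml]$_.ToXml()
        $data  = @{}
        foreach ($d in $event.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4698 embeds the task definition in TaskContent; 4702 puts the new definition in TaskContentNew.
        $taskXml = if ($data.ContainsKey('TaskContent')) { $data['TaskContent'] } else { $data['TaskContentNew'] }
        $task    = [xml]$taskXml
        $flags   = New-Object System.Collections.Generic.List[string]

        $principal = $task.Task.Principals.Principal
        if ($principal.UserId -match '^(S-1-5-18|(NT AUTHORITY\\)?SYSTEM)$') { $flags.Add('runs as SYSTEM') }
        if ($principal.RunLevel -eq 'HighestAvailable')                    { $flags.Add('requests highest privileges') }
        if ($task.Task.Settings.Hidden -eq 'true')                          { $flags.Add('hidden flag set') }

        foreach ($exec in @($task.Task.Actions.Exec)) {
            if (-not $exec) { continue }            # ComHandler-only tasks have no Exec action
            $command   = [string]$exec.Command
            $arguments = [string]$exec.Arguments
            if ($command -match $UserWritablePath)  { $flags.Add("binary under user-writable path: $command") }
            if ($command -match $ScriptHost -and $arguments -match $RiskyArguments) {
                $flags.Add("script host with risky arguments: $command $arguments")
            }
        }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            TaskName  = $data['TaskName']
            CreatedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Author    = [string]$task.Task.RegistrationInfo.Author
            Flags     = $flags -join '; '
        }
    }
}

function Compare-TaskStoreWithService {
    # Lists task files under %SystemRoot%\System32\Tasks changed in the window and
    # whether the Task Scheduler service still reports a task at that path.
    param([int]$Hours = 24)
    $store = Join-Path $env:SystemRoot 'System32\Tasks'
    $known = @{}
    foreach ($t in Get-ScheduledTask) {
        # TaskPath looks like '\Microsoft\Windows\Defrag\'; the on-disk file has no extension.
        $known[(Join-Path $store ($t.TaskPath.TrimStart('\') + $t.TaskName)).ToLowerInvariant()] = $true
    }
    Get-ChildItem -Path $store -Recurse -File |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            [pscustomobject]@{
                File           = $_.FullName
                LastWrite      = $_.LastWriteTime
                KnownToService = $known.ContainsKey($_.FullName.ToLowerInvariant())
            }
        }
}

# Usage: review flagged registrations from the last three days, then look for
# task files the service no longer reports.
Get-TaskRegistrationSummary -Hours 72 | Where-Object { $_.Flags } | Format-Table -AutoSize
Compare-TaskStoreWithService -Hours 72 | Where-Object { -not $_.KnownToService }
```

The `CreatedBy` column comes from the event's Subject fields rather than from the task XML, so it records the account that registered the task even when the XML's Author element was left blank or filled in arbitrarily; a mismatch between the two, or a registering account that is not part of the expected software-deployment tooling, is usually the first thing to chase.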

References

  1. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  2. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  3. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  4. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  5. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  6. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
  7. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  8. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  9. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  10. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  11. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  12. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  13. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  14. FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.
  15. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  16. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  17. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  18. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  19. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  20. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  21. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
  22. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  23. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  24. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  25. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  26. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  27. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  28. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024.
  29. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  30. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  31. DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
  32. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  33. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  34. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  35. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024.
  36. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  37. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  38. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  39. ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.
  40. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  41. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
  42. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  43. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  44. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  45. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  46. Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled Tasks. Retrieved July 5, 2022.
  47. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.