Adversary's Arsenal - T1053 - Scheduled Tasks

Published: 10 Sep 2024
Certain techniques exist in every Adversary's Arsenal - those evergreen techniques you'll find in the middle of nearly every serious incident. They don't always rely on novel #zeroday exploits, and they may be more difficult to alert on.

This week, we're digging into Scheduled Tasks - 1053.004. We'll show how it can be used for code execution, persistence and privilege escalation, and walk through the steps #Conti took in a real-world incident to abuse Scheduled Tasks to rapidly deliver impact to a victim.

Learn how scheduled tasks can be abused, why it can be tricky to alert on their creation, and what evidence you need to collect in this episode of Adversary's Arsenal.
References:
- The DFIR Report - HTML Smuggling Leads to Domain Wide Ransomware - thedfirreport....
- The DFIR Report - From ScreenConnect to Hive Ransomware in 61 Hours - thedfirreport....

SnapAttack Community Resources:
- Threat Dossier: T1053.005 Scheduled Tasks - app.snapattack...
- Detection: Scheduled Task Creation (SigmaHQ) - app.snapattack...
- Detection: Suspicious Scheduled Task Creation (SigmaHQ) - app.snapattack...
- Detection: Suspicious Usage of ShellExec_RunDLL (SigmaHQ) - app.snapattack...
- Detection: Rare Schtasks Creation (SigmaHQ) - app.snapattack...

SnapAttack Subscriber Resources:
- Threat: CACTUS Ransomware - SSH Backdoor via Scheduled Task - app.snapattack...
- Threat: Modify Scheduled Task for Persistence (@Mandiant) - app.snapattack...
- Threat: Killchain: Conti Ransomware - app.snapattack...
- Detection: Scheduled task created in a Group Policy Object - app.snapattack...
