Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're looking at scheduled tasks, or Scheduled Task, in the case of how MITRE names it, and what they can be used for. So with that, let's go ahead and jump right into our objectives.

So today's objectives are as follows. We're going to describe what a scheduled task is, how scheduled tasks have been used for attack purposes, what some mitigation techniques are, and what some detection techniques are.
So simply put, a scheduled task is where a threat actor is able to utilize utilities such as at.exe and schtasks, in addition to the Windows Task Scheduler, to schedule payloads, scripts, or programs to run at a certain date and time.

So we've seen before where this can be used for persistence, and it can be used to elevate privilege. It just depends on how the scheduled task runs and what it's able to do.
So some additional examples of this are Zlob variants, which is a Trojan that has the capability to take over a system, and this particular Trojan variant uses the Task Scheduler to execute and get a foothold in the network. Bamital is a click fraud Trojan that will attempt to escalate privilege using the Task Scheduler as well.

Overall, the problem with these methods is that if you're not going and looking in the Task Scheduler and scheduled tasks, the threat actor can continuously reinfect the system. And so if you do a virus scan and it doesn't check the Task Scheduler, or you don't do any additional evaluation, and you think you've cleaned the system, and then the system reboots, the scheduled task runs. It does the process that originally infected the system, and now you're back at square one. So you've got to pay attention to these areas if you think you're dealing with a compromised system, because there's a potential likelihood that a threat actor is using it to reinfect or maintain some level of persistence in the system.
So what are some ways that we can mitigate the use of scheduled tasks for doing this? Well, we have looked at PowerSploit. We discussed it at least, and we're going to look at it, but it's one of a few tools that you can use to find system permission weaknesses in scheduled tasks prior to them being taken advantage of. So again, not necessarily an automated mitigation process or technique, but a relatively low cost way that you could take a tool and validate whether or not there are areas within scheduled tasks that could be taken advantage of. And then, if you get rid of those areas or at least shore them up, that's one less way that the threat actor could potentially compromise your system.
We can force scheduled tasks to run under the authenticated account instead of SYSTEM. That could cause issues potentially for administrators. It may add some additional overhead, you may have to do some research on services, and it may be a little easier said than done. But if you can manage it, then this could definitely limit the threat actor's capability to escalate their privileges through scheduled tasks. And then, limit user privileges to those necessary to achieve their business functions, again.
Nine times out of 10, threats are introduced, or threat actors are introduced into a network or given access to a network, through the unintentional interactions that users have with what they think are legitimate communications: phishing emails, websites, just general web browsing, again. If I have escalated privileges and I'm using that account for day to day use, going through a website, something of that nature, and accidentally clicking a malicious ad or link, then I can introduce an infection into the environment that really circumvents any controls that the threat actor would need to bypass otherwise.

So what are some detection techniques that we can use in this instance?
Well, we can alert on scheduled task creation from the command line. So a lot of times, again, threat actors are trying to avoid detection and arousing suspicion. So in this case, if we get alerted whenever a scheduled task is created via the command line, that's something that we can investigate and look at. We could monitor for process execution from the Task Scheduler as well, and we can also configure event logging for scheduled task creation and changes. So these are just a few examples of some event IDs that you would want to look for and alert on, again.

A legitimate administrator may create a scheduled task from the command line because they don't want to interrupt the user environment, whatever the case may be, so part of this is going to be validating that that activity is from legitimate operations and that it's not, again, a threat actor doing something to try and cement themselves into a system or elevate their privilege.
So with that, let's go ahead and do a quick check on learning. True or false: scheduled tasks can be used to reinfect the system once it is cleaned up. So if you need some additional time to consider the question, please pause the video. So, true or false? Scheduled tasks can be used to reinfect a system once it is cleaned up. So we indicated this earlier: yes, in fact, a scheduled task can be used to reinfect the system once it is cleaned up. And the reason for that is that if you don't check scheduled tasks, you don't get rid of those tasks that allow the threat actor to reinfect the system or redownload a payload, whatever the case may be. Even if you get rid of the original payload, the way in which they got that payload there may not have been removed. And so this is a true statement.
So in summary of today's discussion, we described what a scheduled task is, okay, so essentially the ability to schedule a task, and we could use that to run a payload or a script, whatever the case may be. We talked about how it could be used. We looked at some mitigation techniques, and we looked at some detection techniques as well.

So keep in mind, least privilege is going to be a consistent thing across privilege escalation. Being able to check for areas in the system where privilege escalation can be executed is going to continue to be relevant, and that in itself will help to combat a number of these factors that a threat actor could use to take over our systems or to infect our network.

So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
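The detection ideas in the lecture (alerting on command-line task creation, and reviewing the content of newly created tasks so a cleaned system cannot be reinfected at the next reboot) can be turned into a small triage script. The following is an added example written for this page; it is not code from the video or its instructor. It assumes two real Windows Security event IDs, 4698 ("A scheduled task was created", which carries the task definition XML) and 4688 (process creation, which carries the command line), and all of the event records below are constructed samples, not telemetry from any real host.

```python
"""Triage Windows scheduled-task events for the persistence and privilege-escalation
patterns discussed in the lecture. Added example; all sample events are constructed."""
import re
import xml.etree.ElementTree as ET

# Directories an ordinary user can write to; a SYSTEM task that executes a binary from
# one of these is a classic persistence / escalation setup worth a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)

# Task creation from the command line: schtasks /create or the legacy at.exe syntax.
CLI_TASK_CREATE = re.compile(
    r"\b(schtasks(\.exe)?\b.*/create\b|at(\.exe)?\s+\d{1,2}:\d{2})", re.IGNORECASE)

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample records (assumption: the fields mirror what a SIEM would extract).
SAMPLE_EVENTS = [
    {"event_id": 4698, "user": "CORP\\svc-backup", "task_name": "\\Nightly Backup",
     "task_content": f"""<Task xmlns="{TASK_NS}">
  <Principals><Principal><UserId>CORP\\svc-backup</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions>
  <Triggers><CalendarTrigger/></Triggers>
</Task>"""},
    {"event_id": 4698, "user": "CORP\\jsmith", "task_name": "\\Updater",
     "task_content": f"""<Task xmlns="{TASK_NS}">
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\\Users\\jsmith\\AppData\\Roaming\\upd.exe</Command></Exec></Actions>
  <Triggers><BootTrigger/></Triggers>
</Task>"""},
    {"event_id": 4688, "user": "CORP\\jsmith",
     "command_line": 'schtasks.exe /create /tn Updater /tr "C:\\Users\\jsmith\\AppData\\Roaming\\upd.exe" /sc onstart /ru SYSTEM'},
    {"event_id": 4688, "user": "CORP\\admin", "command_line": "notepad.exe"},
]


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_task_xml(xml_text):
    """Pull the principal, run level, action commands and trigger types out of a task definition."""
    root = ET.fromstring(xml_text)
    info = {"user_id": None, "run_level": None, "commands": [], "triggers": []}
    for el in root.iter():
        name = _local(el.tag)
        if name == "UserId":
            info["user_id"] = (el.text or "").strip()
        elif name == "RunLevel":
            info["run_level"] = (el.text or "").strip()
        elif name == "Command":
            info["commands"].append((el.text or "").strip())
        elif name.endswith("Trigger"):          # BootTrigger, LogonTrigger, CalendarTrigger, ...
            info["triggers"].append(name)
    return info


def assess_task(info):
    """Return the list of reasons a parsed task deserves analyst attention (empty if none)."""
    reasons = []
    if info["user_id"] in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM") or info["run_level"] == "HighestAvailable":
        reasons.append("runs as SYSTEM or with highest available privileges")
    for cmd in info["commands"]:
        if USER_WRITABLE.search(cmd):
            reasons.append(f"action binary in user-writable path: {cmd}")
    if any(t in ("BootTrigger", "LogonTrigger") for t in info["triggers"]):
        reasons.append("re-executes at boot or logon (persistence)")
    return reasons


def detect(events):
    """Walk event records and emit findings for the patterns the lecture says to alert on."""
    findings = []
    for ev in events:
        if ev.get("event_id") == 4698:
            reasons = assess_task(parse_task_xml(ev["task_content"]))
            if reasons:
                findings.append({"subject": ev["task_name"], "user": ev["user"], "reasons": reasons})
        elif ev.get("event_id") == 4688:
            cmd_line = ev.get("command_line", "")
            if CLI_TASK_CREATE.search(cmd_line):
                findings.append({"subject": cmd_line, "user": ev["user"],
                                 "reasons": ["scheduled task created from the command line"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['user']}] {f['subject']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The benign backup task produces no finding because it runs with least privilege from Program Files on a calendar trigger; the "Updater" task is reported three times over, and the schtasks.exe command line that created it is reported separately. In production the SYSTEM-principal rule alone is noisy (many legitimate tasks run as SYSTEM), so the usual tuning is to alert only when it co-occurs with a user-writable action path or a boot/logon trigger, and to allow-list the administrator accounts that the lecture notes will legitimately create tasks from the command line.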