Scheduled Task/Job
What: Scheduled Task/Job
Scheduled Task/Job is a sub-category within the MITRE ATT&CK framework, specifically categorized under the "Execution" tactic. This sub-category refers to the method by which adversaries schedule scripts or programs to be executed at a pre-defined time or after a certain interval. This can be achieved using native task scheduling applications provided by the operating system.
How: Implementation of Scheduled Tasks/Jobs
- Windows: Adversaries utilize tools like `schtasks` or directly interact with the Windows Task Scheduler API to create tasks. Tasks can be configured to trigger based on specific events or time schedules.
- Linux/Unix: Cron jobs are predominantly used. Cron is a time-based job scheduler in Unix-like operating systems. Users specify cron jobs by editing the crontab file, typically using `crontab -e`. Each user has their own crontab, and permissions are controlled by `/etc/cron.allow` and `/etc/cron.deny`.
- macOS: Besides cron, macOS utilizes `launchd`, a unified service management framework that handles services that start at boot as well as user-installed applications.
Where: Application in Systems
- Windows Systems: Scheduled tasks are commonly found in the `C:\Windows\System32\Tasks` directory and can be managed through PowerShell, Command Prompt, or the graphical Task Scheduler interface.
- Linux/Unix Systems: Cron jobs for users are stored in `/var/spool/cron/crontabs/`, while system-wide cron jobs reside in `/etc/crontab`, `/etc/cron.d/`, and directories like `/etc/cron.daily`.
- macOS: Similar to Linux for cron jobs; however, `launchd` jobs (.plist files) are typically located in `~/Library/LaunchAgents` for user-specific agents and `/Library/LaunchDaemons` for system-wide daemons.
Why: Usage and Strategic Importance
- Persistence: By scheduling tasks or jobs that execute malicious scripts at regular intervals or specific times, adversaries ensure persistence on the victim's system even after reboots.
- Evasion: Scheduled tasks can often go unnoticed by users and some antivirus software, making them an effective method for stealthy execution of malicious code.
- Flexibility: Scheduling capabilities allow attackers to optimize the timing of their activities to coincide with periods of low activity on the network, reducing the likelihood of detection.
- Privilege Escalation: Certain scheduled tasks/jobs might be configured to run with elevated privileges (e.g., running as root or SYSTEM), which can be exploited by an adversary to perform privileged operations if they gain access to scheduling mechanisms.
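As an added illustration of the "Where" and "Why" points above (example code written for this page, not taken from the original page or from MITRE): a Python audit helper that parses a constructed system crontab and a constructed Task Scheduler XML definition of the kind stored under `C:\Windows\System32\Tasks`, then flags jobs that run as root, SYSTEM or with highest privileges from a location an unprivileged user can normally write to. The sample entries, the writable-path list and the "first token is the program" rule are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
# Constructed /etc/crontab-format sample (schedule, user, command); not captured from a real host.
SYSTEM_CRONTAB = """\
17 *  * * * root   cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root   /tmp/.cache/update.sh
0 3   * * * backup /usr/local/bin/backup.sh
@reboot     root   /usr/sbin/nginx
"""
# Constructed Task Scheduler definition in the XML shape stored under C:\Windows\System32\Tasks.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
 <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\svc.exe</Command><Arguments>-q</Arguments></Exec></Actions>
</Task>"""
# Locations an unprivileged user can normally write to (heuristic list; extend per environment).
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "c:\\users\\public\\", "c:\\windows\\temp\\")
def parse_system_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab or /etc/cron.d text."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                                    # blank, comment or VAR=value line
        n_sched = 1 if line.startswith("@") else 5      # @reboot/@daily vs five time fields
        fields = line.split(None, n_sched + 1)          # per-user crontabs have no user column
        if len(fields) < n_sched + 2:
            continue                                    # malformed: user or command missing
        jobs.append((" ".join(fields[:n_sched]), fields[n_sched], fields[-1]))
    return jobs

def parse_task_xml(xml_text):
    """Extract principal, run level and action command from a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    vals = {tag: (root.findtext(".//" + TASK_NS + tag) or "").strip()
            for tag in ("UserId", "RunLevel", "Command", "Arguments")}
    return {"user": vals["UserId"], "run_level": vals["RunLevel"],
            "command": (vals["Command"] + " " + vals["Arguments"]).strip()}

def flag_elevated_from_writable(jobs):
    """jobs: (user, run_level, command); return commands that run privileged from a writable path."""
    flagged = []
    for user, run_level, command in jobs:
        elevated = user in ("root", "S-1-5-18") or run_level == "HighestAvailable"
        program = command.split()[0].lower()            # assumes the program path is the first token
        if elevated and program.startswith(WRITABLE_PREFIXES):
            flagged.append(command)
    return flagged

def audit():
    cron_jobs = [(user, "", cmd) for _, user, cmd in parse_system_crontab(SYSTEM_CRONTAB)]
    task = parse_task_xml(TASK_XML)
    return flag_elevated_from_writable(cron_jobs + [(task["user"], task["run_level"], task["command"])])
```

Run against real hosts, the same parsers can be fed the files from the locations listed above and the flagged commands compared against a known-good baseline.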
In summary, understanding how adversaries use scheduled tasks and jobs helps defenders harden Windows, Linux/Unix, and macOS environments against this method of execution and persistence.