Hey friend, welcome to this short series on hunting for persistence!
In this series I have joined up with the team at Cympire to teach you how to hunt for adversary persistence mechanisms in your environment. Cympire is “The Most Advanced Cybersecurity Training & Assessment Platform” and it will provide you a virtualised battleground to test your cyber capabilities!
Each entry in this series will cover a persistence mechanism adversaries use in the real world to maintain access to systems they compromise. Accompanying this will be a gamified scenario where you can practice the skills you learn for FREE. So let’s dig in and upskill our threat hunting capabilities!
Once an attacker gains initial access to a machine they will try to keep this access by installing a persistence mechanism. There are many ways an adversary can maintain persistence, but this series will cover:
1. Registry Run Keys — where attackers will add registry keys to automatically start a program when the system boots.
2. Scheduled Tasks — where attackers will schedule a task to automatically run a program at specific intervals.
3. Services — where attackers will create or modify existing services to automatically start a program when the system boots.
4. Startup Folder — where attackers will add a shortcut to a program in the startup folder to automatically run when the user logs in.
Previously we focused on Registry Run Keys with the accompanying campaign Registry Run Persistence. If you didn’t get a chance to check out this campaign then I highly recommend reading the the first instalment of this series and giving it a go here.
In this instalment of the series we will be focusing on scheduled tasks.
What are Windows Scheduled Tasks?
In Windows, scheduled tasks are automated processes that run at a specified time or interval on a computer system. They are commonly used to perform routine maintenance, run backups, execute scripts, and perform other tasks that need to be performed automatically without user intervention. These tasks can be created by software (e.g. to check for updates) or by system administrators to automate repetitive tasks and free up time for other activities.
Attackers can use scheduled tasks to maintain access to a compromised system and ensure that their malicious code continues to run even after a reboot. An adversary will try to hide their malicious scheduled task and it’s associated process from the user. The task will either run a Command and Control (C2) implant (agent) or a “downloader” which will automatically download a implant in a obfuscated way. A C2 implant is a type of malware that allows attackers to remotely control a compromised system. The C2 implant provides the attacker with a means of communicating with the compromised system and issuing commands to it. Once installed, the implant allows an attacker to perform a variety of nefarious actions on a compromised system, including:
- Stealing sensitive data
- Exfiltrating data from the system
- Installing additional malware or tools
- Running malicious code or scripts
- Taking screenshots or capturing keyboard input
C2 implants are often highly sophisticated and are designed to be difficult to detect and remove. They can use encrypted communication channels and often have the ability to evade security software and hide their presence on the system.
Using Scheduled Tasks for Persistence
A system administrator will typically create a scheduled task using the Windows Tasks Schedular. This provides a friendly graphical interface (GUI) where a user can easily automate tasks they want to run. Attackers will avoid GUIs as this would typically mean opening an RDP connection to a machine. This is highly suspicious if coming from an unknown IP and usually locked down in corporate environments. Instead, an attacker will create a scheduled task using a hacking tool, such as SharPersist, which will use native Windows functionality (e.g. PowerShell, Windows API calls through C#, etc.) or use a Windows shell.
In the case of the Windows shell, the attacker is likely to use the schtasks.exe Windows executable. This is a Living of the Land binary (LOLBAS) that attackers will abuse to create a persistent scheduled task. The following command creates a scheduled task that executes revshell.exe every minute using
schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr c:\some\directory\revshell.exe
Hunting for persistence mechanisms is often a fertile ground for a threat hunter as the adversary usually has to make configuration changes and drop their malware (C2 implant) to disk. Scheduled tasks are demonstrative of this as an attacker has to make changes to the compromised system’s task schedular and have their scheduled task point to the location of the malware stored on the system’s disk (or where it is downloaded from).
Let’s Get Our Hands Dirty!
I find the best way of learning is doing, so lets see how scheduled tasks are used as persistence mechanisms in the real world.
With help from the team at Cympire I have created a threat hunting campaign which will demonstrate how attackers create and use scheduled tasks to maintain persistence on a compromised Windows machine. The campaign walks you through how to create these malicious scheduled tasks in an interactive and fun environment that uses real-world hacking tools.
Once you install your persistence mechanism you will jump over to an Attacker machine where you will be able to see how your C2 implant stays persistent even if the victim reboots their machine. The C2 implant gives you a reverse shell on the Target machine that allows you to perform various nefarious actions. When you are finished playing the role of the bad guy you can then hunt for this persistence mechanism using Splunk.
Splunk is a platform for collecting, searching, analysing, and visualizing machine-generated big data. It is commonly used for security information and event management (SIEM), log management, and IT operations. It is a powerful tool that helps large enterprises, government agencies, and small to medium-sized businesses make sense of machine data and turn it into actionable insights.
We will use the Splunk “Search & Reporting App” to hunt for the malicious scheduled task you installed using special syntax known as Search Processing Language (SPL). This query language is widely used in the security industry and allows us to perform powerful searches that reveal malicious or suspicious behaviour.
Finally, we will kick the adversary off of the compromised endpoint using the Windows Task Schedular and regain control of the Windows machine!
To play along with this campaign simply navigate to this link and get started for FREE. Here you can sign up for the Cympire platform and tackle the Scheduled Task Persistence campaign I have created just for you.
Feel free to let me know how you get on and if you would like to see any other threat hunting campaigns!
Discover more in the Hunting for Persistence with Cympire series!