For attackers, establishing persistence in the victim's network is a crucial goal. If not, they would have to repeatedly use their initial access methods to gain access to the target system and run the risk of being detected. In order to run malicious payloads on a predetermined schedule or at system startup, adversaries exploit task scheduling utilities of operating systems.
A scheduled task or job is a command, program, or script that is to be run on a regular basis (for example, every Friday at 1:00 a.m.) or when a specific event takes place (e.g., a user logs on the system). Scheduled tasks are used to generate and execute operational tasks automatically by authorized users such as domain administrators.
T1053.001 At (Linux)
The command-line program "at" enables users to schedule commands on a variety of operating systems, including Microsoft Windows and Unix-like operating systems (including BSD, macOS, and Linux versions). This sub-technique applies to Linux's "at" command, but it can also be applied to other Unix-like operating systems.
Users of Linux can schedule commands to run only once at a specific time by using the at utility. The at command can be used by an adversary to plan the one-time execution of malicious code at a future time.
The Connection Manager service profiles are installed using the built-in Windows command-line tool CMSTP (the Microsoft Connection Manager Profile Installer). By giving installation information files (.inf) infected with malicious commands to CMSTP.exe, adversaries use it for proxy execution of these commands.
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity." -Dennis Ritchie
T1053.004 Launchd
The OS service management daemon known as Launchd is responsible for loading and maintaining services for macOS during system boot. It is comparable to systemd in Linux distributions and Service Control Manager in Microsoft Windows.
The first process started by a macOS system after the kernel is Launchd. The launchd daemon is used by attackers to schedule the execution of their malicious executables at system startup. For instance, the Olyx macOS backdoor makes use of launchd to make sure the backdoor executable is launched immediately after the user logs in.
The Windows Task Scheduler is mentioned in this sub-technique . Users can plan tasks with time-based or event-based triggers using Windows Task Scheduler.
Instead of using cron, timers can be utilized instead, thanks to Systemd. Systemd provides timers with built-in support for monotonic time events, calendar events, and the ability to run asynchronously. As a result, attackers can take advantage of systemd timers to schedule tasks.
Make sure to monitor your scheduled tasks. · Robert Peaarce