Posts

Showing posts from February, 2022

LOLBin Attacks With Scheduled Tasks (T1053.005) and How To Detect Them

Based on a specific subset of Recorded Future’s research reporting, which focuses on emerging tools and TTPs, we saw a large increase in observations of the Scheduled Task technique (T1053.005), the sub-technique of Scheduled Task/Job (T1053), as compared to previous reporting by Recorded Future. In this blog, I will first give an overview of the technique and discuss why it is used by adversaries. Second, I will show multiple ways to access the Windows Task Scheduler. Third, I will show how the technique has been used by various threat actors to achieve persistence, lateral movement, code execution, detection evasion, and privilege escalation. Lastly, I will discuss ways to detect the malicious use of the technique.

What are Scheduled Tasks?

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code to achieve persistence, lateral movement, execution, detection evasion, and privilege escalation. The Task Scheduler allows pre