CrowdResponse Release and new @Tasks modules


With the ongoing need to effectively and quickly detect and respond to attacks, CrowdStrike is excited to release a new version of CrowdResponse. This new update introduces the addition of @Tasks to parse Windows Task Scheduler entries, as well as a number of fixes and updates to your favorite modules. The new CrowdResponse, including patch notes, is now available at www.crowdstrike.com/resources/crowdresponse/

Detecting the Adversary

One key method for identifying an attacker in an environment is to find out how they move laterally between systems once an initial foothold is achieved. Many adversaries choose to avoid malware altogether and use native utilities to perform actions on both local and remote hosts. These actions can include executing dropped malware or scripts, modifying registry keys, and terminating programs like antivirus. Once an adversary has proper credentials, such as service accounts or Domain Administrator, the opportunity is unlimited for the attacker to propagate to other computers.

Windows Task Scheduler

A common choice for adversaries on Microsoft Windows computers is the Windows Task Scheduler, which can run commands with administrator privileges or even System-level privileges on older operating systems like Windows Server 2003. The Task Scheduler also provides several methods for quickly scheduling tasks across multiple machines or the entire domain. Options available to attackers include the Windows Task Scheduler GUI, the application “at.exe” (deprecated in Windows 8), and “schtasks.exe.” Each of these leaves different artifacts; however, we first need to talk about the different formats of scheduled tasks.

Task Scheduler 1.0

On Windows XP and Windows Server 2003 and below systems, the Microsoft Task Scheduler leverages binary .job files commonly found in C:\Windows\Tasks\. These binary files have the same name as the task and include fixed and variable data sections for the application to execute, the account that registered the task, status, exit codes, and flags for the year/month/day/hour/minute/second/milliseconds to execute. The full file format can be viewed in MSDN at <https://msdn.microsoft.com/en-us/library/cc248285.aspx>.

Task Scheduler 1.2

On Windows Vista and above systems, the Microsoft Task Scheduler now leverages an XML format stored in C:\Windows\System32\Tasks\.

The XML file captures much of the same information including triggers, settings, and execution. Additionally, Task Scheduler 1.2 includes an API to allow programs and scripts to create tasks.

At Jobs

One of the most common means of execution used by adversaries is leveraging the At.exe application and creating scheduled tasks. By default, only a Local Administrator can issue an AT command; however, with valid credentials, AT scheduled tasks run under local SYSTEM privileges on Windows XP or Windows Server 2003 devices. This can assist the attacker in obtaining the elevated and coveted SYSTEM privileges. This utility was originally created to help system administrators; however, Microsoft didn’t anticipate attackers also leveraging the tool to elevate their access. The At.exe application has been deprecated in Windows 8 and Server 2012.

Privilege escalation aside, the At.exe application ultimately creates the same binary .job and xml task files, depending on your flavor of Windows. These At.exe created tasks should stand out in most organizations as each task is named sequentially starting with At1, At2, At3, etc. For backwards compatibility, these files can be created in both C:\Windows\Tasks and C:\Windows\System32\Tasks.
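One way to apply the naming check described above to collected Task Scheduler 1.2 files, as an added example (this is not CrowdResponse code): it parses the task XML and lists reasons a task stands out. The staging-directory pattern, the function names, and the sample task are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
AT_NAME = re.compile(r"^At\d+$", re.IGNORECASE)
# Assumption: paths treated here as user-writable staging locations.
STAGING = re.compile(r"\\(temp|appdata|programdata|users\\public)\\", re.I)

def parse_task(name, raw):
    """Pull triage fields from one Task Scheduler 1.2 XML file (raw bytes)."""
    root = ET.fromstring(raw)  # pass bytes so the parser honours the UTF-16 BOM

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    return {
        "name": name,
        "execpath": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "userid": text("t:Principals/t:Principal/t:UserId"),
        "runlevel": text("t:Principals/t:Principal/t:RunLevel"),
    }

def triage(task):
    """Return the reasons, if any, this task deserves an analyst's attention."""
    reasons = []
    if AT_NAME.match(task["name"]):
        reasons.append("sequential At<N> name, as created by at.exe")
    if STAGING.search(task["execpath"] + " " + task["arguments"]):
        reasons.append("executes from a user-writable directory")
    if task["runlevel"] == "HighestAvailable":
        reasons.append("runs at the highest available privilege level")
    return reasons

def sample_task(command, arguments, runlevel):
    """Constructed sample: a minimal task file encoded as UTF-16 with a BOM."""
    return f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{NS['t']}">
  <Principals><Principal id="Author"><UserId>AtServiceAccount</UserId>
    <RunLevel>{runlevel}</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command>
    <Arguments>{arguments}</Arguments></Exec></Actions>
</Task>""".encode("utf-16")

if __name__ == "__main__":
    at1 = parse_task("At1", sample_task("cmd", r'/c "C:\Windows\Temp\evil.exe"', "HighestAvailable"))
    print(at1["execpath"], at1["arguments"], triage(at1))
```

Task files on disk are normally UTF-16, so read them in binary mode and pass the bytes straight to `parse_task`; the file name (without a directory) is the task name.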

CrowdResponse @Tasks

The new @Tasks module within CrowdResponse parses both Task Scheduler 1.0 and 1.2 files, including those created with the At.exe application, with a source type of tasksv1 and tasksv2, respectively. The purpose of this module is to provide a quick look at scheduled tasks on a particular system or across an enterprise to identify suspicious or malicious attacks. Once a suspicious task of particular interest has been identified, CrowdResponse parses critical information like the event triggers for execution and principal user that created the task.

To run the new tasks module, simply include @Tasks in your configuration file or directly at the command line: “CrowdResponse.exe @Tasks”

An example of the results from CrowdResponse parsing an “at.exe” scheduled task to execute evil.exe on a virtual machine can be seen below.  Results for both v1.0 and v1.2 tasks are returned since this action created artifact files in both formats.

 

| Field | Value |
|---|---|
| _time | 2016-05-10T18:37:31.000+0000 |
| arguments | /c “c:\Windows\Temp\evil.exe” |
| engagement | CS_TEST |
| execpath | cmd |
| executiontimelimit | 259200000 |
| ffcruntime | 2016-05-09T16_00_00Z |
| ipaddress | 10.1.1.12 |
| linecount | 1 |
| name | At1.job |
| priority | 32 |
| source | /usr/rpochron/Documents/mod_tasksv1_00000.csv |
| sourcetype | csv |
| system | CS_TEST,RP-VM,10.1.1.12,2016-05-09T16_00_00Z |
| systemname | RP-VM |
| timestamp | none |

Table 1: CrowdResponse output for Task Scheduler 1.0 file

| Field | Value |
|---|---|
| _time | 2016-05-08T18:37:31.000+0000 |
| allowdemandstart | TRUE |
| allowhardterminate | TRUE |
| arguments | /c “C:\Windows\Temp\evil.exe” |
| context | Author |
| disallowstartifonbatteries | TRUE |
| enabled | TRUE |
| engagement | CS_TEST |
| execpath | cmd |
| exectype | TASK_ACTION_EXEC |
| executiontimelimit | PT72H |
| ffcruntime | 2016-05-09T16_00_00Z |
| hidden | FALSE |
| id | Author |
| ipaddress | 10.1.1.12 |
| lastruntime | 2016-05-08T18:37:31.000+0000 |
| lasttaskresult | 0x1 |
| linecount | 1 |
| logontype | TASK_LOGON_INTERACTIVE_TOKEN_OR_PASSWORD |
| name | At1 |
| numberofmissedruns | 0 |
| path | \At1 |
| restartcount | 0 |
| runlevel | TASK_RUNLEVEL_HIGHEST |
| runonlyifidle | FALSE |
| runonlyifnetworkavailable | FALSE |
| source | /usr/rpochron/Documents/mod_tasksv2_00000.csv |
| startwhenavailable | FALSE |
| state | READY |
| stopifgoingonbatteries | TRUE |
| system | CS_TEST,RP-VM,10.1.1.12,2016-05-09T16:00:00Z |
| systemname | RP-VM |
| timestamp | none |
| userid | AtServiceAccount |
| waketorun | FALSE |

Table 2: CrowdResponse output for Task Scheduler 1.2 file

Conclusion

In closing, Windows Task Scheduler can be used for a variety of purposes, including establishing persistence and lateral movement via remotely executing dropped files. The new CrowdResponse can parse the binary and XML files created with Microsoft Task Scheduler 1.0 and 1.2 and is now available at www.crowdstrike.com/resources/crowdresponse.

CrowdResponse is a free version of the tool developed by the CrowdStrike Services team to collect forensic artifacts from a host exhibiting suspicious behavior or an entire enterprise during an intrusion. More information about the CrowdStrike Services team and our Incident Response offering can be found at https://www.crowdstrike.com/services.

While CrowdResponse handles historic artifacts and is a snapshot in time, CrowdStrike also has a commercial product, Falcon Host, which is an endpoint protection solution that combines Next-Gen AV, enterprise detection and response, real-time monitoring and hunting capabilities. Detailed information on Falcon Host and CrowdStrike’s full product lineup is also available on our website at https://www.crowdstrike.com/products/.

Stay tuned for more updates to CrowdResponse and happy hunting!

 
