Khaled Rahal, Arbia Riahi, Georgi Nikolov, Thibault Debatty and Jean-Michel Dricot
Adv. Know. Base. Syst. Data Sci. Cyber., 2 (3):310-336
Khaled Rahal : Cyber Defence Lab of the Royal Military Academy (Belgium)
Arbia Riahi : Cyber Defence Lab, Royal Military Academy
Georgi Nikolov : Cyber Defence Lab, Royal Military Academy
Thibault Debatty : Cyber Defence Lab, Royal Military Academy
Jean-Michel Dricot : Cybersecurity Research Center
Article History: Received on: 18-Jul-25, Accepted on: 11-Nov-25, Published on: 27-Nov-25
Corresponding Author: Khaled Rahal
Email: k.rahal@cylab.be
Citation: Khaled Rahal (2025). Uncovering Malicious Persistence: Machine Learning-Based Detection of Windows Scheduled Tasks. Adv. Know. Base. Syst. Data Sci. Cyber., 2 (3 ):310-336
Advanced Persistent Threats (APT) represent a serious security concern because they carry out long-term and carefully planned attacks. While a lot of research has gone into finding ways to detect these threats, one crucial area often gets less attention, namely the persistence mechanisms that allow attackers to stay hidden and maintain access to systems over time. In this work, we investigate scheduled tasks, a widely used persistence technique in Windows environments, and analyze their role in APT operations. We conducted an in-depth study of how attackers leverage scheduled tasks to maintain stealthy access and execute malicious actions over time. We introduce Detecting APT Through Malicious Scheduled Tasks (DAPTASK), an approach that leverages Sysmon log data, Word2Vec-based feature representation, and Machine Learning (ML) classifiers to identify malicious scheduled tasks commonly used in APT persistence techniques. Our approach achieves high detection performance, with an F1-score of 95.19%. Furthermore, we provide a labeled dataset, which can serve as a valuable resource for researchers developing APT detection methods; the dataset and the code used are publicly available at https://gitlab.cylab.be/cylab/daptask. Our approach enhances APT detection by addressing persistence techniques, a critical yet often neglected attack vector.