Adversaries have been observed abusing the built-in Oracle Database Scheduler to maintain persistence on compromised systems, evade detection, and schedule malicious tasks. This tactic lets them run arbitrary commands or scripts under the guise of legitimate database jobs.

Main Takeaways
- Attackers are misusing Oracle’s internal job scheduling capability to hide payload execution, making their actions look like routine DB tasks.
- By running malicious tasks via the Scheduler, they can survive restarts and stay under the radar of many security controls.
- Defense recommendations include auditing scheduled jobs regularly, restricting who can create new jobs, and enabling alerting when unusual jobs are added.
The Oracle Database Scheduler (the DBMS_SCHEDULER package together with its job, program, schedule and credential objects) lets administrators run work on a calendar schedule or in response to an event. A job's type determines where it runs: PLSQL_BLOCK and STORED_PROCEDURE jobs execute inside the database, while EXECUTABLE jobs (and, from 12c onward, EXTERNAL_SCRIPT, SQL_SCRIPT and BACKUP_SCRIPT jobs) hand off to a process on the database host. Threat actors with sufficient database privileges are leveraging this component to:
- Insert malicious or unauthorized jobs that execute commands or scripts.
- Operate under the guise of maintenance or backup jobs, blending into typical database activity.
- Ensure persistence even across database restarts or maintenance windows.
Because many monitoring tools watch exposed services or look for suspicious processes, a malicious job running inside Oracle can slip past detection: a PL/SQL job never spawns an operating-system process at all, and the process behind an external job is started by Oracle's own job-slave (ora_jNNN) and extjob helper processes, so to host-level tooling it looks like ordinary database housekeeping.
Attack vectors & mechanics
- The attacker must first gain sufficient privileges within the Oracle environment: the DBA or SCHEDULER_ADMIN role, or the CREATE JOB, CREATE ANY JOB or MANAGE SCHEDULER system privileges. Jobs that run operating-system commands additionally require CREATE EXTERNAL JOB.
- Using the DBMS_SCHEDULER API (CREATE_JOB, SET_ATTRIBUTE, SET_JOB_ARGUMENT_VALUE) or the older DBMS_JOB package for PL/SQL-only jobs, they create or modify jobs that invoke shell commands or scripts.
- These jobs can execute on a calendar schedule (the job's repeat_interval) or in response to an event, such as a message arriving on an Advanced Queuing queue for an event-based job.
- PL/SQL jobs run with the privileges of the job owner's schema. External jobs run as the operating-system account named in the job's credential, or, when no credential is attached, as the run_user configured in externaljob.ora (nobody by default on Unix). That OS account may have access to the file system, the Oracle software home, or other services on the host.
- Because the job definitions are stored in the data dictionary (DBA_SCHEDULER_JOBS) rather than in cron tables or systemd units, they are harder to spot with OS-level monitoring tools.
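What such a job looks like when it is defined through the API, added here as an illustration and not taken from the original report: the external job below is dressed up as backup housekeeping, runs nightly, and executes a script on the host under a stored credential. The credential, job, account and path names are hypothetical; the script path stands in for whatever payload the attacker dropped.

```sql
-- Hypothetical credential: the OS account the external job will run as.
-- Without one, the job would run as the run_user from externaljob.ora.
BEGIN
  DBMS_CREDENTIAL.CREATE_CREDENTIAL(
    credential_name => 'OS_MAINT_CRED',
    username        => 'oracle',
    password        => 'example-only');   -- placeholder, not a real secret
END;
/

-- External job disguised as RMAN housekeeping. For job_type EXECUTABLE the
-- job_action is the binary to run; its arguments are set separately, so the
-- job must be created disabled and enabled only after the arguments exist.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name            => 'NIGHTLY_BACKUP_CLEANUP',   -- hypothetical name
    job_type            => 'EXECUTABLE',
    job_action          => '/bin/sh',
    number_of_arguments => 2,
    repeat_interval     => 'FREQ=DAILY; BYHOUR=2',
    credential_name     => 'OS_MAINT_CRED',
    comments            => 'Rotate old RMAN backup pieces',  -- cover story
    enabled             => FALSE);

  -- "/bin/sh -c <script>": the script path is a placeholder for the payload.
  DBMS_SCHEDULER.SET_JOB_ARGUMENT_VALUE('NIGHTLY_BACKUP_CLEANUP', 1, '-c');
  DBMS_SCHEDULER.SET_JOB_ARGUMENT_VALUE('NIGHTLY_BACKUP_CLEANUP', 2,
                                        '/opt/oracle/.cache/agent.sh');

  DBMS_SCHEDULER.ENABLE('NIGHTLY_BACKUP_CLEANUP');
END;
/
```

Two details matter for defenders. Nothing in this definition is unusual on its own: a real backup job uses the same API, the same job type and often the same credential, so the job name, comment and schedule are exactly what a reviewer will skim past. And the arguments are not in DBA_SCHEDULER_JOBS.JOB_ACTION, which shows only /bin/sh; the script path is only visible in DBA_SCHEDULER_JOB_ARGS, so a review that lists job actions alone will not see it.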
Risks & impacts
- Persistence: Even after system reboots or routine cleanups, the scheduled jobs can re-run malicious code.
- Stealth: Activity appears as a legitimate database operation rather than an external attacker process.
- Privilege escalation / lateral movement: An external job runs as an operating-system account on the database host, so commands launched through it can attempt local privilege escalation, exfiltrate data, or pivot to other systems the database host can reach.
Mitigation & defense strategies
- Audit scheduler jobs: Regularly review every job in DBA_SCHEDULER_JOBS, together with its arguments in DBA_SCHEDULER_JOB_ARGS and its creation and last-DDL time in DBA_OBJECTS, and compare the result against a known-good baseline. Pay particular attention to job types that reach the host (EXECUTABLE, EXTERNAL_SCRIPT, SQL_SCRIPT, BACKUP_SCRIPT) and to any job that carries a credential.
- Restrict scheduler permissions: Limit who can create, alter, or drop jobs via DBMS_SCHEDULER to a small set of trusted admins. In practice that means reviewing grants of CREATE JOB, CREATE ANY JOB, CREATE EXTERNAL JOB and MANAGE SCHEDULER and of the SCHEDULER_ADMIN role, and revoking CREATE EXTERNAL JOB from every account that has no need to run OS-level jobs.
- Alert on anomalies: Trigger alerts when jobs are created or modified, especially those invoking external scripts or shell commands, and when a new scheduler credential is created.
- Harden database access: Enforce least privilege, role separation, and monitor for suspicious privilege assignments.
- Use forensic logging: Enable auditing of scheduler activity (for example a unified audit policy covering EXECUTE on DBMS_SCHEDULER and DBMS_CREDENTIAL and use of the job-creation privileges) and track job execution history in DBA_SCHEDULER_JOB_RUN_DETAILS. Raise the scheduler's log_history attribute above its 30-day default so that run records still exist when an intrusion is discovered.
- Isolate sensitive environments: Where possible, separate mission-critical DB servers from environments where attacker access is more probable.
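The audit, privilege-review and logging recommendations above, worked through as an added example (not from the original report or Oracle's own documentation): a baseline snapshot with a drift query, a hunt over the job types that reach the host including their arguments, a privilege inventory, a look at recent external-job runs, and the audit policy and revoke that close the loop. Runs on 12c or later with unified auditing; sec_job_baseline, sched_abuse_pol and app_user are hypothetical names.

```sql
-- (a) Baseline: snapshot every job once at a known-good moment.
CREATE TABLE sec_job_baseline AS
SELECT owner, job_name, job_type, job_action, number_of_arguments,
       credential_owner, credential_name, repeat_interval, job_class, enabled
FROM   dba_scheduler_jobs;

-- (b) Drift: any live row missing from the baseline is a new or altered job.
SELECT owner, job_name, job_type, job_action, credential_name, repeat_interval
FROM   dba_scheduler_jobs
MINUS
SELECT owner, job_name, job_type, job_action, credential_name, repeat_interval
FROM   sec_job_baseline;

-- (c) Every job that can reach the operating system, with its full argument
--     list (JOB_ACTION alone may show only "/bin/sh") and when it was created
--     or last changed, according to the data dictionary.
SELECT j.owner, j.job_name, j.job_type, j.job_action,
       j.credential_owner, j.credential_name, j.enabled,
       o.created, o.last_ddl_time,
       LISTAGG(a.value, ' ') WITHIN GROUP (ORDER BY a.argument_position) AS args
FROM   dba_scheduler_jobs j
JOIN   dba_objects o
       ON  o.owner = j.owner AND o.object_name = j.job_name
       AND o.object_type = 'JOB'
LEFT JOIN dba_scheduler_job_args a
       ON  a.owner = j.owner AND a.job_name = j.job_name
WHERE  j.job_type IN ('EXECUTABLE', 'EXTERNAL_SCRIPT', 'SQL_SCRIPT', 'BACKUP_SCRIPT')
GROUP BY j.owner, j.job_name, j.job_type, j.job_action, j.credential_owner,
         j.credential_name, j.enabled, o.created, o.last_ddl_time
ORDER BY o.last_ddl_time DESC;

-- (d) PL/SQL jobs whose body touches files, the network, Java or privilege
--     management: these stay inside the database but are just as persistent.
SELECT owner, job_name, job_action
FROM   dba_scheduler_jobs
WHERE  job_type IN ('PLSQL_BLOCK', 'STORED_PROCEDURE')
AND    REGEXP_LIKE(job_action,
         'UTL_FILE|UTL_HTTP|UTL_TCP|DBMS_JAVA|DBMS_SCHEDULER|EXECUTE IMMEDIATE|GRANT ',
         'i');

-- (e) Who is allowed to create or manage jobs at all.
SELECT grantee, privilege AS grant_name, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE JOB', 'CREATE ANY JOB', 'CREATE EXTERNAL JOB',
                     'MANAGE SCHEDULER', 'EXECUTE ANY PROGRAM', 'EXECUTE ANY CLASS')
UNION ALL
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'SCHEDULER_ADMIN'
ORDER BY 1, 2;

-- (f) Recent runs of host-reaching jobs, with the job-slave PID for
--     correlation against host process logs. Rows survive only as long as
--     the scheduler's log_history attribute allows (30 days by default).
SELECT log_date, owner, job_name, status, credential_name, slave_pid, errors
FROM   dba_scheduler_job_run_details
WHERE  log_date > SYSTIMESTAMP - INTERVAL '7' DAY
AND    (owner, job_name) IN (SELECT owner, job_name
                             FROM   dba_scheduler_jobs
                             WHERE  job_type IN ('EXECUTABLE', 'EXTERNAL_SCRIPT',
                                                 'SQL_SCRIPT', 'BACKUP_SCRIPT'))
ORDER BY log_date DESC;

-- (g) Keep run history for longer than the default 30 days.
BEGIN
  DBMS_SCHEDULER.SET_SCHEDULER_ATTRIBUTE('log_history', '180');
END;
/

-- (h) Unified auditing: record every call into the scheduler and credential
--     APIs and every use of the job-creation privileges.
CREATE AUDIT POLICY sched_abuse_pol
  PRIVILEGES CREATE ANY JOB, CREATE EXTERNAL JOB, MANAGE SCHEDULER
  ACTIONS    EXECUTE ON sys.dbms_scheduler, EXECUTE ON sys.dbms_credential;
AUDIT POLICY sched_abuse_pol;

-- (i) Least privilege: only scheduler admins should be able to create
--     OS-level jobs. app_user stands for any application account.
REVOKE CREATE EXTERNAL JOB FROM app_user;
```

Run (a) once and (b) through (f) on a schedule from a monitoring account that holds only SELECT on the DBA_ views, and feed the output of (b) and the audit records produced by (h) into whatever raises alerts. Query (c) deliberately joins the arguments, because an EXECUTABLE job's JOB_ACTION is just the binary; the script it actually runs is in DBA_SCHEDULER_JOB_ARGS.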