tutafocus.blogg.se

Windows task scheduler multiple actions






Today I want to refocus on specific processes and talk about scheduled tasks and the scheduled task service.

Malware authors have often used scheduled tasks as persistence mechanisms, as they are a reliable way to make their malicious code run in a recurring way.

From a threat hunting perspective it is necessary to grasp how scheduled tasks are run and to understand the commands and command line arguments associated with their process(es).

Today, we’ll take a look at how scheduled tasks get created with the “schtasks.exe” and “at.exe” commands and the services / processes (svchost.exe, taskhostw.exe, taskeng.exe) responsible for running them.

MSDN is filled with details about the task scheduler, its API and how it works, so I will not reinvent the wheel with this one. I’ll only quote what’s necessary to get us started in our discussion, starting with the definition of what the task scheduler service is.

The Task Scheduler service allows you to perform automated tasks on a chosen computer. With this service, you can schedule any program to run at a convenient time for you or when a specific event occurs. The Task Scheduler monitors the time or event criteria that you choose and then executes the task when those criteria are met.

The task scheduler runs tasks, which define the work that the task scheduler will perform. They consist of the following components.

Once again here is a small description of what to hunt for with the “schtasks.exe” command.

Path: %SystemRoot%\System32\schtasks.exe
Privilege: Any user can create a task. To run a task as a privileged account you obviously need an administrator account / password.

What to look for while hunting:
- Check the parent process calling the utility to determine if it is allowed to create tasks or not.
- Check the command line being passed to “/TR” when creating a task and see if the executable or the command as a whole is benign.
- Look for any unusual task name via the flag “/TN”.

Artifacts:
- Creation of XML files in the %SystemRoot%\System32\Tasks folder.
- If enabled, then task creation and modification in the “Microsoft-Windows-TaskScheduler/Operational” event log.

Once a task gets created, a descriptive XML file that contains all the information regarding the task will be generated in the following directory: “%SystemRoot%\System32\Tasks”.

Please note that tasks created via the “taskschd.msc” interface will get handled by the “svchost.exe” process hosting the “Task Scheduler” service.

Also, task creation via scripting or API is not covered in this blog post.
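The three “schtasks.exe” hunting checks described in this post (parent process, “/TR” command line, “/TN” task name), sketched in Python over process-creation events. This is an added example, not code from the original post; the parent allowlist, task-name baseline, “/TR” markers and sample events are all constructed assumptions to be replaced with your own baseline.

```python
import shlex

# Assumptions for illustration only: tune all three to your environment.
ALLOWED_PARENTS = {"ccmexec.exe", "msiexec.exe"}
KNOWN_TASK_NAMES = {"\\vendor\\agentupdate"}
TR_MARKERS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "powershell", "cmd /c")

def parse_schtasks_create(cmdline):
    """Return {'tn': ..., 'tr': ...} for a 'schtasks /create' command line, else None."""
    try:
        # posix=False keeps Windows backslashes and returns quoted args as one token
        tokens = shlex.split(cmdline, posix=False) or [""]
    except ValueError:  # unbalanced quotes
        return None
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    flags = [t.lower() for t in tokens]  # schtasks switches are case-insensitive
    if exe not in ("schtasks", "schtasks.exe") or "/create" not in flags:
        return None
    task = {"tn": None, "tr": None}
    for i, flag in enumerate(flags[:-1]):
        if flag in ("/tn", "/tr"):
            task[flag[1:]] = tokens[i + 1].strip('"')
    return task

def review(event):
    """Apply the three hunting checks to one process-creation event."""
    task = parse_schtasks_create(event["cmdline"])
    if task is None:
        return []
    findings = []
    if event["parent"].lower() not in ALLOWED_PARENTS:
        findings.append("parent not expected to create tasks: " + event["parent"])
    tr = (task["tr"] or "").lower()
    if any(marker in tr for marker in TR_MARKERS):
        findings.append("review /TR command: " + task["tr"])
    if (task["tn"] or "").lower() not in KNOWN_TASK_NAMES:
        findings.append("task name not in baseline: " + str(task["tn"]))
    return findings

# Constructed sample events (not taken from the post)
EVENTS = [
    {"parent": "CcmExec.exe", "cmdline": r'schtasks.exe /Create /TN "\Vendor\AgentUpdate" /TR "C:\Program Files\Vendor\agent.exe" /SC DAILY'},
    {"parent": "winword.exe", "cmdline": r'C:\Windows\System32\schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\u.exe -s" /sc onlogon'},
    {"parent": "explorer.exe", "cmdline": r'schtasks /query /fo LIST'},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["parent"], review(ev))
```

The same fields (parent image, command line) are what a process-creation log source provides, so the function can be fed from exported events instead of the inline list.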







