Scheduled tasks are a powerful Windows feature for automating work. They are also a double-edged sword: adversaries register new tasks or modify existing ones to launch attacks and to maintain persistence across reboots and logoffs.
In this post, I will cover 4 ways to detect and prevent scheduled tasks from compromising your security.
1. Monitoring the creation and modification of scheduled tasks by using event logs.
– Security log. These events are only written when the "Audit Other Object Access Events" subcategory (Object Access) is enabled in the audit policy; on a default install they are absent, so turn the subcategory on before you rely on them. Each 4698 event carries the full task XML in its TaskContent field, so the command, arguments, trigger and principal can be pulled straight from the log.
– 4698 – Task was created
– 4699 – Task was deleted
– 4700 – Task was enabled
– 4701 – Task was disabled
– 4702 – Task was updated
– Microsoft-Windows-TaskScheduler/Operational log (on disk as %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx). It uses its own IDs, not the 46xx series: 106 – Task registered, 140 – Task updated, 141 – Task deleted, 200/201 – Action started/completed. It does not include the task XML, but 200/201 tell you what actually ran, which the Security log does not.
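The following is an added example, not code from the original post: it pulls Security 4698 events with Get-WinEvent, parses the task XML carried in the event's TaskContent field, and flags tasks whose action runs from a user-writable location, launches an encoded PowerShell command, or uses a common LOLBin. The path patterns and LOLBin list are my own heuristics and should be tuned for your estate; it assumes the audit subcategory above was enabled before the tasks were created.

```powershell
# Added example: hunt Security 4698 (task created) events and parse the embedded task XML.
# Assumes "Audit Other Object Access Events" is enabled; otherwise no 4698 events exist.

# Heuristic list (assumption, tune it): locations attacker-registered tasks often execute from.
$SuspiciousPathPatterns = @(
    '\\AppData\\',
    '\\Temp\\',
    '\\ProgramData\\',
    '\\Users\\Public\\',
    '\\Downloads\\'
)

function ConvertFrom-TaskCreationEvent {
    # Turn one 4698 EventRecord into a flat object with the fields worth triaging.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)

    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TaskContent is the complete task definition XML; dot-navigation ignores its namespace.
    $task = [xml]$data['TaskContent']
    $exec = $task.Task.Actions.Exec          # $null for COM-handler actions

    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        Computer    = $Event.MachineName
        Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        TaskName    = $data['TaskName']
        Author      = $task.Task.RegistrationInfo.Author
        RunAs       = $task.Task.Principals.Principal.UserId
        Hidden      = $task.Task.Settings.Hidden
        Command     = if ($exec) { $exec.Command } else { "COM:$($task.Task.Actions.ComHandler.ClassId)" }
        Arguments   = if ($exec) { $exec.Arguments } else { $null }
    }
}

function Get-TaskCreationEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime  = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object { ConvertFrom-TaskCreationEvent -Event $_ }
}

function Test-SuspiciousTask {
    # Returns the list of reasons a task looks suspicious; empty means nothing fired.
    param([Parameter(Mandatory)]$Task)

    $reasons = @()
    $cmdline = "$($Task.Command) $($Task.Arguments)"

    foreach ($p in $SuspiciousPathPatterns) {
        if ($cmdline -match $p) { $reasons += "action runs from user-writable path ($p)"; break }
    }
    if ($cmdline -match '(?i)\s-(e|ec|enc|encodedcommand)\s') { $reasons += 'encoded PowerShell command' }
    if ($cmdline -match '(?i)\b(mshta|regsvr32|rundll32|certutil|bitsadmin|wscript|cscript)\b') {
        $reasons += 'LOLBin used as task action'
    }
    if ($Task.Hidden -eq 'true') { $reasons += 'task marked hidden' }
    return $reasons
}

# Usage: list only the creations that tripped a heuristic, newest first.
Get-TaskCreationEvent | ForEach-Object {
    $flags = Test-SuspiciousTask -Task $_
    if ($flags.Count -gt 0) {
        $_ | Add-Member -NotePropertyName Reasons -NotePropertyValue ($flags -join '; ') -PassThru
    }
} | Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Computer, Subject, TaskName, RunAs, Command, Reasons -AutoSize
```

Point -ComputerName at a remote host (or at your collector) to run the same hunt fleet-wide; the parsing is identical because the XML schema is the same on every supported Windows version.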
2. Conducting regular audits of scheduled tasks to identify any unknown or suspicious tasks.
– Keep a baseline of the tasks that belong on each host so that anything new stands out, and make sure the creation of scheduled tasks is tracked.
– Investigate every new task and every change to an existing task's action, trigger or principal; a legitimate task whose command line suddenly points somewhere new is a classic hijack.
3. Using built-in Windows tools like PowerShell and schtasks to query scheduled tasks and detect any anomalies.
– Get-ScheduledTask (pipe to Get-ScheduledTaskInfo for last run time and result)
– PowerShell Remoting (Invoke-Command -ComputerName ...) can be used to scale this out across many hosts
– schtasks /query /v /fo csv > schtasks.csv (the /v switch adds the action, author and run-as columns that a hunt needs)
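The following is an added example, not code from the original post, serving both the audit step above and this one: it inventories scheduled tasks on a set of hosts with Get-ScheduledTask over PowerShell Remoting, stores the first run as a CSV baseline, and on later runs reports tasks that were added, removed, or whose action, principal, run level or hidden flag changed. The host names and baseline path are placeholders; the hosts must have WinRM enabled.

```powershell
# Added example: baseline-and-diff audit of scheduled tasks across hosts via PowerShell Remoting.
# Host names and the baseline path are assumptions; replace them with your own.

function Get-TaskInventory {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $scriptBlock = {
        Get-ScheduledTask | ForEach-Object {
            $t = $_
            # Flatten every action into one string so it can be compared later.
            $actions = ($t.Actions | ForEach-Object {
                if ($_.Execute) { "$($_.Execute) $($_.Arguments)".Trim() }
                else            { "COM:$($_.ClassId)" }
            }) -join ' | '

            [pscustomobject]@{
                Key       = "$($t.TaskPath)$($t.TaskName)"
                Author    = $t.Author
                Principal = $t.Principal.UserId
                RunLevel  = [string]$t.Principal.RunLevel
                Hidden    = [string]$t.Settings.Hidden
                Action    = $actions
                State     = [string]$t.State
            }
        }
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $scriptBlock |
        Select-Object PSComputerName, Key, Author, Principal, RunLevel, Hidden, Action, State
}

function Compare-TaskInventory {
    # Emits one record per difference between the stored baseline and the current inventory.
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [Parameter(Mandatory)][object[]]$Current
    )

    $old = @{}
    foreach ($b in (Import-Csv -Path $BaselinePath)) { $old["$($b.PSComputerName)|$($b.Key)"] = $b }
    $new = @{}
    foreach ($c in $Current) { $new["$($c.PSComputerName)|$($c.Key)"] = $c }

    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added'; Task = $k; Detail = $new[$k].Action }
            continue
        }
        $o = $old[$k]; $n = $new[$k]
        # State is deliberately excluded: tasks flip between Ready and Running all day.
        foreach ($field in 'Action', 'Principal', 'RunLevel', 'Hidden') {
            if ([string]$o.$field -ne [string]$n.$field) {
                [pscustomobject]@{
                    Change = "Modified ($field)"
                    Task   = $k
                    Detail = "$($o.$field) -> $($n.$field)"
                }
            }
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Task = $k; Detail = $old[$k].Action }
        }
    }
}

# Usage: first run writes the baseline, every later run diffs against it.
$hosts     = 'WS01', 'WS02'                                   # placeholder host names
$baseline  = 'C:\Audit\scheduled-tasks-baseline.csv'          # placeholder path
$inventory = Get-TaskInventory -ComputerName $hosts

if (-not (Test-Path -Path $baseline)) {
    New-Item -ItemType Directory -Path (Split-Path $baseline) -Force | Out-Null
    $inventory | Export-Csv -Path $baseline -NoTypeInformation
    Write-Output "Baseline written to $baseline ($($inventory.Count) tasks)"
} else {
    Compare-TaskInventory -BaselinePath $baseline -Current $inventory | Format-Table -AutoSize
}
```

Re-baseline only after you have reviewed and accepted the reported changes; otherwise a persistence task that slips in before the next run becomes part of "normal".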
4. Utilizing third-party security solutions that can scale detection, response and querying of suspicious scheduled tasks.
– Velociraptor
– LimaCharlie
Hopefully you learned something or found this useful.
Stay vigilant and happy hunting!