Scheduled Tasks [0.1]
h3xadismal edited this page Sep 15, 2020 · 4 revisions
This artefact searches for malicious use of scheduled tasks on Windows systems to gain persistence, particularly through the use of batch files.
A scheduled task allows users to set commands to be executed at a specified time, either on the local computer or across the network.
This artefact scans the task definition files within C:\Windows\System32\Tasks on a Windows system to identify scheduled tasks that execute batch files (.bat), and reports how and when they do so.
Packs.CyberCX.Windows.ScheduledTasks
- Examine the contents of the batch file to determine which commands are executed and when, and whether their execution is expected behaviour. Also determine whether the location of the task is expected. It is generally unusual for a scheduled task to execute batch files.
- Examine the metadata of the batch file, in particular the Accessed and Modified timestamps. These may indicate when the files were created on the web server and when their contents were last modified, respectively. More sophisticated attackers will modify file system metadata, including timestamps, to hide malicious files. Such files can still be found, but require deeper forensic analysis.
- Perform deeper forensic analysis to identify other activities which occurred around these timeframes.
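The following is an added example of the kind of check the artefact performs and the first two triage steps above; it is not the CyberCX pack's own VQL. Task definitions under C:\Windows\System32\Tasks are XML files using Microsoft's Task Scheduler schema (the namespace and element names below are that schema); the code parses each one, lists the triggers, the principal it runs as, and every `<Exec>` action, and reports those whose command or arguments reference a batch file. It extends the page's `.bat` check to `.cmd` as well. The "expected location" roots, the sample task XML and the task path used in the demo are constructed for this example.

```python
"""Triage C:\\Windows\\System32\\Tasks for scheduled tasks that launch batch files.

Added example, not the CyberCX artefact's own code. The XML namespace and
element names are Microsoft's Task Scheduler schema; EXPECTED_ROOTS and the
sample task below are assumptions constructed for the demonstration.
"""
import os
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# A quoted path ending in .bat/.cmd, or an unquoted whitespace-free one.
BAT_RE = re.compile(r'"([^"]*\.(?:bat|cmd))"|(\S+\.(?:bat|cmd))\b', re.IGNORECASE)
# Assumed "expected" roots; batch files anywhere else (Users, Temp, ProgramData)
# or given as a bare filename are flagged for closer inspection.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files")


@dataclass
class BatchTask:
    task_path: str          # task definition path under the Tasks folder
    command: str            # <Exec><Command>
    arguments: str          # <Exec><Arguments>
    batch_files: list       # .bat/.cmd paths found in command + arguments
    triggers: list          # trigger element names, e.g. CalendarTrigger, LogonTrigger
    start_boundary: str     # first <StartBoundary>: when the schedule begins
    run_as: str             # <Principal><UserId>, e.g. S-1-5-18 for SYSTEM
    unexpected_location: bool


def task_root(data: bytes) -> ET.Element:
    """Parse a task file as read from disk (normally UTF-16 with a BOM).

    ElementTree rejects multi-byte encoding declarations when given a str,
    so decode first and drop the XML prolog before parsing."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def batch_references(command: str, arguments: str) -> list:
    """Return every .bat/.cmd path mentioned in an action's command line."""
    return [quoted or bare for quoted, bare in BAT_RE.findall(f"{command} {arguments}")]


def analyse_task(task_path: str, data: bytes) -> list:
    """Return one BatchTask per <Exec> action that references a batch file."""
    root = task_root(data)
    triggers = [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", NS)]
    start = root.findtext("t:Triggers/*/t:StartBoundary", default="", namespaces=NS)
    run_as = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    results = []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS)
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        bats = batch_references(command, arguments)
        if not bats:
            continue
        unexpected = any(not b.lower().startswith(EXPECTED_ROOTS) for b in bats)
        results.append(BatchTask(task_path, command, arguments, bats,
                                 triggers, start, run_as, unexpected))
    return results


def batch_timestamps(path: str) -> dict:
    """Accessed/Modified/Created times (UTC) of a batch file for the metadata step.
    On Windows st_ctime is the creation time, not the inode change time."""
    st = os.stat(path)
    return {name: datetime.fromtimestamp(ts, timezone.utc).isoformat()
            for name, ts in (("accessed", st.st_atime), ("modified", st.st_mtime),
                             ("created", st.st_ctime))}


def scan_tasks_folder(folder: str = r"C:\Windows\System32\Tasks") -> list:
    """Walk the live Tasks folder and collect BatchTask findings (Windows only)."""
    findings = []
    for dirpath, _, files in os.walk(folder):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings.extend(analyse_task(path, fh.read()))
            except (OSError, ET.ParseError, UnicodeDecodeError):
                continue  # unreadable or not a task definition
    return findings


# Constructed sample task, encoded as Windows writes it (UTF-16 with BOM).
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2020-09-01T09:12:00</Date></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2020-09-01T09:15:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>cmd.exe</Command>
      <Arguments>/c "C:\\Users\\Public\\Libraries\\sync.bat" &gt; nul</Arguments>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")

if __name__ == "__main__":
    for finding in analyse_task(r"Microsoft\Windows\Sync\Update", SAMPLE_TASK):
        print(finding)
```

Running the demo flags the sample task: it runs as SYSTEM, fires daily from 2020-09-01T09:15:00 and at every logon, and launches a batch file from a user-writable path, which is exactly the combination the triage steps ask you to examine. On a live host, `scan_tasks_folder()` applies the same logic to every definition under the Tasks folder and `batch_timestamps()` gives the Accessed/Modified/Created times of each referenced file for the metadata step.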
- https://www.cyber.gov.au/acsc/view-all-content/threats/web-shell-malware
- https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-008-copy-paste-compromises-tactics-techniques-and-procedures-used-target-multiple-australian-networks
If you've followed the steps above, but still believe your system may have been compromised, please refer to our wiki for more information about how to contact the CyberCX DFIR team.
[v0.1]: