A Deep Dive Into Windows Scheduled Tasks and The Processes Running Them

[Image: Task Scheduler]

Tasks and The Task Scheduler Service

[Image: Task Scheduler components, https://docs.microsoft.com/en-us/windows/win32/taskschd/images/taskcomponents.png]

Creating Tasks Via Command Line

“AT.EXE”

Path: %SystemRoot%\System32\at.exe
Privilege: To use at, you must be a member of the local Administrators group.
What to look for while Hunting: Check the command line being passed when creating a task and see whether the executable, or the command as a whole, is benign.
Artifacts:
- Creation of At[x].job files in the “%SystemRoot%\Tasks” folder, where [x] is the ID of the job.
- Creation of XML files in the %SystemRoot%\System32\Tasks folder.
- If enabled, task creation and modification events in the “Microsoft-Windows-TaskScheduler/Operational” event log.

“SCHTASKS.EXE”

[Image: any.run Report]
Path: %SystemRoot%\System32\schtasks.exe
Privilege: Any user can create a task. To run a task as a privileged account you obviously need that account’s credentials (an administrator account / password).
What to look for while Hunting:
- Check the parent process calling the utility to determine whether it is expected to create tasks.
- Check the command line being passed to “/TR” when creating a task and see whether the executable, or the command as a whole, is benign.
- Look for any unusual task name via the “/TN” flag.
Artifacts:
- Creation of XML files in the %SystemRoot%\System32\Tasks folder.
- If enabled, task creation and modification events in the “Microsoft-Windows-TaskScheduler/Operational” event log.
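Added example (not code from the original article): a small Python parser for the task definition XML that schtasks.exe and at.exe leave in %SystemRoot%\System32\Tasks, pulling out the fields the hunting steps above call out (the account the task runs as, its run level, and the command and arguments behind /TR) and noting the usual tells. The task XML is a constructed sample; the account name, the command path and the review heuristics are assumptions for illustration, not anything taken from the article.

```python
import xml.etree.ElementTree as ET

# XML namespace used by Task Scheduler task definition files.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample in the shape of a file from %SystemRoot%\System32\Tasks;
# the account name and the command path are made up for this example.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>EXAMPLE\\jdoe</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Path fragments a standard user can write to (compared case-insensitively).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Script hosts: the command alone says little here, the arguments matter.
SCRIPT_HOSTS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript")


def parse_task(xml_text):
    # Who runs the task, at what privilege level, and what the action launches.
    root = ET.fromstring(xml_text)
    return {
        "user": root.findtext("t:Principals/t:Principal/t:UserId", "", NS).strip(),
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", "", NS).strip(),
        "command": root.findtext("t:Actions/t:Exec/t:Command", "", NS).strip(),
        "arguments": root.findtext("t:Actions/t:Exec/t:Arguments", "", NS).strip(),
    }


def review_task(task):
    # Review notes for one parsed task; an empty list means nothing stood out.
    notes = []
    cmd = task["command"].lower()
    if any(p in cmd for p in USER_WRITABLE):
        notes.append("command lives in a user-writable directory")
    if any(h in cmd for h in SCRIPT_HOSTS):
        notes.append("command is a script host; inspect the arguments")
    if task["run_level"] == "HighestAvailable":
        notes.append("task asks for the highest available privileges")
    return notes
```

On a live system, feed each file under %SystemRoot%\System32\Tasks (they are UTF-16 encoded, so open them with that encoding) through parse_task and review_task to triage the whole task store at once.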

Running Tasks (svchost.exe / taskeng.exe / taskhostw.exe)

“TASKENG.EXE”

[Image: “Interactive:Highest[1]”]

“SVCHOST.EXE –K NETSVCS –P –S SCHEDULE”


“TASKHOSTW.EXE” And Its Arguments


Conclusion

Resources
