Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc...

23
April 11, 2020 @ochsenmeier Marc Ochsenmeier www.winitor.com Windows Task Scheduler Monitor

Transcript of Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc...

Page 1: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

April 11, 2020

@ochsenmeier

Marc Ochsenmeier

www.winitor.com

Windows Task Scheduler Monitor

Page 2: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

2

April 11, 2020

• Malware creates scheduled Task > MITRE - T1053

https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/

https://attack.mitre.org/techniques/T1053/
Page 3: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

3

April 11, 2020

• Malware creates scheduled Task > MITRE - T1053

https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/

https://attack.mitre.org/techniques/T1053/
Page 4: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

4

April 11, 2020

• Malware creates scheduled Task > MITRE - T1053

https://blog.talosintelligence.com/2017/03/dnsmessenger.html

https://attack.mitre.org/techniques/T1053/
Page 5: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

5

April 11, 2020

• Malware often creates scheduled Task(s) to...• Achieve persistence

• Launch next step of infection

• Obfuscate Kill chain

• Bypass UAC

• Bypass File permissions

Page 6: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

6

April 11, 2020

• Windows uses Task Scheduler intensively

Page 7: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

7

April 11, 2020

• Enumerate scheduled Tasks

Page 8: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

8

April 11, 2020

• Enumerate scheduled Tasks

Page 9: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

9

April 11, 2020

• Monitor new entry in Windows Task Scheduler• Provide visible immediate Notification

• Ease malware early triage

• Trigger automation

• Accelerate remediation

Page 10: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

10

April 11, 2020

• Install a Task Scheduler Monitor• 1. Enable Audit Policy

• 2. Bind the appropriate Windows event(s)

• 3. Setup the appropriate Task(s) | Action(s)

• 4. Configure the appropriate condition(s)

Policy Event(s) Task(s) ...

Page 11: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

11

April 11, 2020

• Install a Task Scheduler Monitor• 1 - Enable Audit Policy

Page 12: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

12

April 11, 2020

• Install a Task Scheduler Monitor• 2- Bind a Task to the appropriate Windows event(s)

ID Description Windows 7 / Server 2008 R2 Windows 10 / Server 2016

106 Scheduled task registered x

140 Scheduled task updated x

141 Scheduled task deleted x

4698 Scheduled task created x

4699 Scheduled task deleted x

4700 Scheduled task enabled x

4701 Scheduled task disabled x

4702 Scheduled task updated x

Advanced Audit Policy – which GPO corresponds with which Event IDhttps://girl-germs.com/?p=363

Page 13: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

13

April 11, 2020

• Install a Task Scheduler Monitor• 2 - Bind a Task to the appropriate Windows event(s)

Page 14: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

14

April 11, 2020

• Install a Task Scheduler Monitor• 2 - Bind the appropriate Windows Event to a Task

Page 15: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

15

April 11, 2020

• Install a Task Scheduler Monitor• Setup the appropriate action(s)

Page 16: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

16

April 11, 2020

• Install a Task Scheduler Monitor• 3 - Configure the appropriate condition(s)

Page 17: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

17

April 11, 2020

• Events related to the Task Scheduler

Page 18: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

18

April 11, 2020

• Configuration of a scheduled Task

Page 19: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

19

April 11, 2020

• Architecture• The Task Scheduler is NOT the Windows Task Manager

• The Task Scheduler is NOT the Windows Task Scheduler Service

• The Task Scheduler is NOT the Windows Thread Scheduler

Task Scheduler(Windows Service)

Task Scheduler(Framework)

Event Log(Windows Service)

Page 20: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

20

April 11, 2020

• Repository• Legacy: \Windows\Tasks

• Preferred: \Windows\System32\Tasks

Page 21: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

21

April 11, 2020

• Repository• Computer related settings

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

Page 22: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

22

April 11, 2020

• Some more details• at.exe is obsolete

• eventtriggers.exe is replaced

Page 23: Windows Task Scheduler Monitor - winitor.com · Windows Task Scheduler Monitor @ochsenmeier | Marc Ochsenmeier | 9 April 11, 2020 •Monitor new entry in Windows Task Scheduler •Provide

Windows Task Scheduler Monitor

@ochsenmeier | Marc Ochsenmeier | www.winitor.com

23

April 11, 2020

• References• https://attack.mitre.org/techniques/T1053/

• https://support.microsoft.com/en-us/help/939039/description-of-the-scheduled-tasks-in-windows-vista

• https://docs.microsoft.com/de-de/archive/blogs/wincat/trigger-a-powershell-script-from-a-windows-event

• https://blog.malwarebytes.com/cybercrime/2015/03/scheduled-tasks/

• https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

• https://girl-germs.com/?p=363

• https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks

• https://docs.microsoft.com/en-us/windows/win32/api/_taskschd/index

https://support.microsoft.com/en-us/help/939039/description-of-the-scheduled-tasks-in-windows-vista
https://support.microsoft.com/en-us/help/939039/description-of-the-scheduled-tasks-in-windows-vista
https://docs.microsoft.com/de-de/archive/blogs/wincat/trigger-a-powershell-script-from-a-windows-event
https://blog.malwarebytes.com/cybercrime/2015/03/scheduled-tasks/
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
https://girl-germs.com/?p=363
https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks
https://docs.microsoft.com/en-us/windows/win32/api/_taskschd/index

Circuit Playground Class Scheduler - Adafruit …...Scheduler Code Class Scheduler Logic The sketch that runs on the Circuit Playground Class Scheduler is fairly simple. It really

Circuit Playground Class Scheduler - Adafruit …...Scheduler Code Class Scheduler Logic The sketch that runs on the Circuit Playground Class Scheduler is fairly simple. It really

Proactive Process-Level Live Migration in HPC Environmentsengelman/publications/... · zJob exec. resume nodes n0 n1 n2 n3 lamd scheduler lamd scheduler lamd scheduler lamd scheduler

Proactive Process-Level Live Migration in HPC Environmentsengelman/publications/... · zJob exec. resume nodes n0 n1 n2 n3 lamd scheduler lamd scheduler lamd scheduler lamd scheduler

Linux scheduler

Linux scheduler

MANUAL SCHEDULER

MANUAL SCHEDULER

TYPO3 Scheduler

TYPO3 Scheduler

Maximo Scheduler & Scheduler Plus

Maximo Scheduler & Scheduler Plus

Scheduler Activation

Scheduler Activation

Maximo Scheduler & Scheduler Plus Overview

Maximo Scheduler & Scheduler Plus Overview

WEB BASED MEETING SCHEDULER SYSTEMchung/SYSM6309/Presentations10S/c… · The Web based Meeting Scheduler is aimed at developing an application to schedule, monitor, plan and re-plan

WEB BASED MEETING SCHEDULER SYSTEMchung/SYSM6309/Presentations10S/c… · The Web based Meeting Scheduler is aimed at developing an application to schedule, monitor, plan and re-plan

Appointment scheduler

Appointment scheduler

Windows Alternate Data Streams (ADS) · May 8, 2020 @ochsenmeier Marc Ochsenmeier Windows Alternate Data Streams (ADS)

Windows Alternate Data Streams (ADS) · May 8, 2020 @ochsenmeier Marc Ochsenmeier Windows Alternate Data Streams (ADS)

Azure Scheduler

Azure Scheduler

Cluster Scheduler

Cluster Scheduler

Xen Virtual Machine Monitor Performance Isolation E0397 Lecture 17/8/2010 Many slides based verbatim on “Xen Credit Scheduler Wiki”

Xen Virtual Machine Monitor Performance Isolation E0397 Lecture 17/8/2010 Many slides based verbatim on “Xen Credit Scheduler Wiki”

Smart Scheduler

Smart Scheduler

Loading Scheduler

Loading Scheduler

IF75T633/6 75 Interactive Flat Panel Display - IFM Series · Display - IFM Series Key Features Scheduler Digital Signage Monitor Software allows many important features such as Scheduler.

IF75T633/6 75 Interactive Flat Panel Display - IFM Series · Display - IFM Series Key Features Scheduler Digital Signage Monitor Software allows many important features such as Scheduler.

Containers and Kubernetes · 2020-04-28 · Borg Architecture •Borgmaster •Main Borgmasterprocess & Scheduler •Five replicas •Borglet •Manage and monitor tasks and resource

Containers and Kubernetes · 2020-04-28 · Borg Architecture •Borgmaster •Main Borgmasterprocess & Scheduler •Five replicas •Borglet •Manage and monitor tasks and resource

Oracle DB Adapter Guide · To run and monitor an Oracle database job from Tida l Enterprise Scheduler (E nterprise Scheduler), you need to create a job definition in Enterprise Scheduler

Oracle DB Adapter Guide · To run and monitor an Oracle database job from Tida l Enterprise Scheduler (E nterprise Scheduler), you need to create a job definition in Enterprise Scheduler

* Requisition Processing Common Problems * Budget Checking Errors * Run Controls * Process Scheduler Request & Process Monitor * Questions.

* Requisition Processing Common Problems * Budget Checking Errors * Run Controls * Process Scheduler Request & Process Monitor * Questions.