1. Introduction

Scheduled tasks are used to schedule the launch of programs or scripts. But adversaries also use them to persist themselves after they initially access the target system. In this challenge, you will solve tasks to detect malicious scheduled tasks using Velociraptor.

In the previous challenge Lateral Movement we found that the adversary used PsExec and Mimikatz to become Domain Administrator. Before doing that the adversary persists himself, because he wants to regain access, when he loses the connection to the target. Now you are going to solve some tasks to check what persistence mechanism the adversary used.

2. Tasks

1. Write an Artifact that displays events containing Windows event ID 4698. Include the rows TaskName and LogonTime.
2. Do a temporal correlation with the results from task 1 and the result from task 1 in the challenge Lateral movement. Can you detect a relation between the two results? Which task could therefore be the malicious one?
3. Find more information about the malicious scheduled task you found in task 2 by using a built in Artifact from Velociraptor. Specifically, find out what is executed when the scheduled task is run.
4. Besides the one from tasks 1-3, the adversary used another technique for persistence. You might actually have spotted it already in a previous challenge. Find out which one it is.

3. Solution

1. Create Artifact for event ID 4698

2. Correlation

   We can see that a sheduled task was created on FS1 from user ladmin

If we compare the timestamps from the previous exercise the maliscious task is Taskshedulerupdate

3. Using Artifact Artifact Windows.System.TaskScheduler

   According to the result, the maliscious task is C:\Windows\System32\taskschd.exe

4. If an attacker want to gain persistence he often tries to install and hide somewhere a backdoor user. I can’t show you the evidence yet, it’s just a guess!