I always thought scheduled tasks fell into the category of low-level adversaries. Did you know that a standard build of Windows 10 or 11 contains about 150 scheduled tasks by default? Did you know over 40 of these tasks are hidden by default? Cue misery…
In this talk, I’ll explore the various details we can extract about scheduled tasks and why it’s so difficult to find anomalies: everything from Microsoft typos and inconsistent naming schemes to obfuscated execution details.
And don’t worry, it’s not all doom and gloom. You’ll leave this presentation with PowerShell scripts, Elasticsearch dashboards, and a better understanding of how to hunt for malicious persistence.
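As an added illustration of the kind of inventory the talk is about (this is not the speaker's script, and it is not from the original abstract), the following PowerShell uses only the built-in ScheduledTasks module (Get-ScheduledTask and Get-ScheduledTaskInfo) to enumerate every task, record whether it is marked hidden, and pull out the fields a hunter compares against a known-good baseline: author, run-as principal, and the executable plus arguments behind each action. The path patterns in the triage filter and the CSV file name are assumptions chosen for this example; it assumes an elevated session so that tasks in every folder are visible.

```powershell
# Added example: inventory scheduled tasks and surface the ones worth a second look.
# Assumption: run from an elevated PowerShell session so every task folder is readable.

$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue

$inventory = foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue

    # A task may carry several actions; flatten "exe arguments" into one string per task.
    $actions = ($t.Actions | ForEach-Object {
        if ($_.Execute) { ('{0} {1}' -f $_.Execute, $_.Arguments).Trim() }
    }) -join ' ; '

    [pscustomobject]@{
        Path       = $t.TaskPath + $t.TaskName
        Hidden     = [bool]$t.Settings.Hidden      # the "hidden" flag the abstract refers to
        Author     = $t.Author
        RunAs      = $t.Principal.UserId
        State      = $t.State
        Actions    = $actions
        LastRun    = $info.LastRunTime
        LastResult = $info.LastTaskResult
    }
}

# Headline numbers: total tasks and how many are flagged hidden on this build.
$hiddenCount = @($inventory | Where-Object { $_.Hidden -eq $true }).Count
'{0} tasks total, {1} hidden' -f @($inventory).Count, $hiddenCount

# Triage view (heuristics assumed for this example): hidden tasks, tasks with no Author,
# and tasks whose action runs from a user-writable directory.
$inventory | Where-Object {
    $_.Hidden -or
    [string]::IsNullOrWhiteSpace($_.Author) -or
    $_.Actions -match '(?i)\\(Users|ProgramData|Temp)\\'
} | Sort-Object Path | Format-Table Path, Hidden, Author, RunAs, Actions -AutoSize

# Keep the full inventory so it can be diffed against a baseline taken from a clean install.
$inventory | Export-Csv -Path .\scheduled-task-inventory.csv -NoTypeInformation
```

The value is in the diff, not the single run: capture the CSV on a freshly built machine, then compare later inventories against it so that a new task, a changed action string, or a task that has newly become hidden stands out regardless of how plausible its name looks.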