SlideShare a Scribd company logo

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Brandon DeVault
Brandon DeVault

I always thought scheduled tasks fell into the category of low-level adversaries. Did you know that a standard build of Windows 10 or 11 contains about 150 scheduled tasks by default? Did you know over 40 of these tasks are hidden by default? Cue misery… In this talk, I’ll explore the various details we can extract about scheduled tasks and why it’s so difficult to find anomalies. Everything from Microsoft typos, inconsistent naming schemes, and obfuscated execution details. And don’t worry, it’s not all doom and gloom. You’ll leave this presentation with PowerShell scripts, Elasticsearch dashboards, and a better understanding on how to hunt for malicious persistence.

Technology
1 of 26
Download to read offline
Les Misérables Persistence: Hunting Through Scheduled Tasks ShmooCon 2023 Brandon DeVault Principal Security Author, Pluralsight Defensive Cyber Operations, FL Air National Guard /in/brandon-devault @SolderSwag www.devaultsecurity.com
Agenda • Introduction & Detection • PowerShell Analysis • Dashboard Analysis with Elastic • Q&A
Persistence Techniques - MITRE Account Manipulation BITS Jobs Boot or Logon Autostart Execution Boot or Logon Initialization Scripts Browser Extensions Compromise Client Software Binary Create Account Create or Modify System Process Event Triggered Execution External Remote Services Hijack Execution Flow Implant Internal Image Modify Authentication Process Office Application Startup Pre-OS Boot Scheduled Task/Job Server Software Component Traffic Signaling Valid Accounts Boot or Logon Autostart Execution Boot or Logon Initialization Scripts Browser Extensions Compromise Client Software Binary Create Account Create or Modify System Process Event Triggered Execution External Remote Services Hijack Execution Flow Implant Internal Image Modify Authentication Process Office Application Startup Pre-OS Boot Scheduled Task/Job Server Software Component Traffic Signaling Valid Accounts
Persistence Techniques - MITRE Scheduled Task/Job T1053.002 – At T1053.003 – Cron T1053.005 – Scheduled Task T1053.006 – Systemd Timers T1053.007 – Container Orchestration Job *132 Named Threat Groups having used this persistence method
Detection Methods • Command Execution • WMI, PowerShell, cmd … • File Modification • %systemroot%Sytem32Tasks • Process Creation • Registry Key Creation • Log Detection! • Sysmon • Event ID: 4698-4702
PowerShell Analysis
Dashboard Analysis w/ Elastic
Export journey
Attempt #1
Step 1 – Export the Tasks (using PowerShell) $savefolder = "C:SomeFolder" Get-ScheduledTask | ForEach-Object { $_.TaskName Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath | Out-file (Join-Path $savefolder "$($_.TaskName).xml") }
Step 2 – Convert to JSON (using Python) import xmltodict, json, os directory = '/some/directory/’ for filename in os.listdir(directory): if filename.endswith(".xml"): with open(filename, 'rb') as f: XML_content = f.read() x = xmltodict.parse(XML_content) j = json.dumps(x) print (filename) filename = filename.replace('.xml', '') output_file = open(filename + '.json', 'w') output_file.write(j)
Step 3 – Import! • Fail… • Not a proper NDJSON format
Attempt #2
Convert JSON to NDJSON (using jq) cat test.json | jq -c '.[]' > testNDJSON.json
Import! • Fail… • Multi-nested complex JSON file
Attempt #3
Convert JSON to NDJSON (using Python) <Super Awesome Code>
Import! • Fail… • Still too complex
Attempt #4
Create a Logstash Pipeline • XML Parser • 30 minutes later… • Task Scheduler schema: 658 lines…
Attempt #5
Convert to CSV • Tool: SaveJson2CSV • Gunamoi Software
Import! Success! … ish
Questions? • www.devaultsecurity.com • linkedin. • twitter. devaultsecurity.com • github. • brandon-devault@pluralsight.com • https://app.pluralsight.com/profile/author/brandon-devault • https://github.com/Oofles/scheduled-tasks }

Recommended

grrcon-2023-scheduled-tasks.pdf
grrcon-2023-scheduled-tasks.pdfgrrcon-2023-scheduled-tasks.pdf
grrcon-2023-scheduled-tasks.pdfBrandon DeVault
 
Authentication with OAuth and Connected Apps
Authentication with OAuth and Connected AppsAuthentication with OAuth and Connected Apps
Authentication with OAuth and Connected AppsSalesforce Developers
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
AMB110: IT Asset Management – How to Start When You Don’t Know Where to Start
AMB110: IT Asset Management – How to Start When You Don’t Know Where to StartAMB110: IT Asset Management – How to Start When You Don’t Know Where to Start
AMB110: IT Asset Management – How to Start When You Don’t Know Where to StartIvanti
 
Public v1 real world example of azure functions serverless conf london 2016
Public v1 real world example of azure functions serverless conf london 2016 Public v1 real world example of azure functions serverless conf london 2016
Public v1 real world example of azure functions serverless conf london 2016 Yochay Kiriaty
 
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxChapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxilhamilyas5
 
Camunda Day Amsterdam 2019: Workflow Automation in Microservices Architecture...
Camunda Day Amsterdam 2019: Workflow Automation in Microservices Architecture...Camunda Day Amsterdam 2019: Workflow Automation in Microservices Architecture...
Camunda Day Amsterdam 2019: Workflow Automation in Microservices Architecture...camunda services GmbH
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Amazon Web Services
 

Recommended

grrcon-2023-scheduled-tasks.pdf
grrcon-2023-scheduled-tasks.pdfgrrcon-2023-scheduled-tasks.pdf
grrcon-2023-scheduled-tasks.pdfBrandon DeVault
 
Authentication with OAuth and Connected Apps
Authentication with OAuth and Connected AppsAuthentication with OAuth and Connected Apps
Authentication with OAuth and Connected AppsSalesforce Developers
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
AMB110: IT Asset Management – How to Start When You Don’t Know Where to Start
AMB110: IT Asset Management – How to Start When You Don’t Know Where to StartAMB110: IT Asset Management – How to Start When You Don’t Know Where to Start
AMB110: IT Asset Management – How to Start When You Don’t Know Where to StartIvanti
 
Public v1 real world example of azure functions serverless conf london 2016
Public v1 real world example of azure functions serverless conf london 2016 Public v1 real world example of azure functions serverless conf london 2016
Public v1 real world example of azure functions serverless conf london 2016 Yochay Kiriaty
 
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxChapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxilhamilyas5
 
Camunda Day Amsterdam 2019: Workflow Automation in Microservices Architecture...
Camunda Day Amsterdam 2019: Workflow Automation in Microservices Architecture...Camunda Day Amsterdam 2019: Workflow Automation in Microservices Architecture...
Camunda Day Amsterdam 2019: Workflow Automation in Microservices Architecture...camunda services GmbH
 
Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Using Security to Build with Confidence in AWS - Trend Micro
Using Security to Build with Confidence in AWS - Trend Micro Amazon Web Services
 
Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItJamieWilliams130
 
UiPath - IT Automation.pdf
UiPath - IT Automation.pdfUiPath - IT Automation.pdf
UiPath - IT Automation.pdfCristina Vidu
 
UiPath - IT Automation (1).pdf
UiPath - IT Automation (1).pdfUiPath - IT Automation (1).pdf
UiPath - IT Automation (1).pdfCristina Vidu
 
Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...serge luca
 
WhiteHat Security Presentation
WhiteHat Security PresentationWhiteHat Security Presentation
WhiteHat Security Presentationmarkgmeyer
 
Red Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and ComplianceRed Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and ComplianceMarc Boorshtein
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeThuan Ng
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Codit
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018MOnCloud
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Salesforce platform session 2
Salesforce platform session 2 Salesforce platform session 2
Salesforce platform session 2Salesforce - Sweden, Denmark, Norway
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshopPayampardaz
 
Prévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxPrévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxColloqueRISQ
 
CV_PurnimaBalla_WCS-Consultant_7Yrs
CV_PurnimaBalla_WCS-Consultant_7YrsCV_PurnimaBalla_WCS-Consultant_7Yrs
CV_PurnimaBalla_WCS-Consultant_7YrsPurnima Balla
 
Automate All The Things with Flow
Automate All The Things with FlowAutomate All The Things with Flow
Automate All The Things with FlowSalesforce Admins
 
End-to-End Identity Management
End-to-End Identity ManagementEnd-to-End Identity Management
End-to-End Identity ManagementWSO2
 
Access Control, Authentication, and Public Key Infrastructure .docx
Access Control, Authentication, and Public Key Infrastructure .docxAccess Control, Authentication, and Public Key Infrastructure .docx
Access Control, Authentication, and Public Key Infrastructure .docxdaniahendric
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesKai Wähner
 
Introduction to Heroku
Introduction to HerokuIntroduction to Heroku
Introduction to HerokuSalesforce Developers
 
BuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended EventsBuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended EventsJason Strate
 
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Brandon DeVault
 
Tracing Transactions - BSides Orlando.pdf
Tracing Transactions - BSides Orlando.pdfTracing Transactions - BSides Orlando.pdf
Tracing Transactions - BSides Orlando.pdfBrandon DeVault
 

More Related Content

Similar to Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItJamieWilliams130
 
UiPath - IT Automation.pdf
UiPath - IT Automation.pdfUiPath - IT Automation.pdf
UiPath - IT Automation.pdfCristina Vidu
 
UiPath - IT Automation (1).pdf
UiPath - IT Automation (1).pdfUiPath - IT Automation (1).pdf
UiPath - IT Automation (1).pdfCristina Vidu
 
Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...serge luca
 
WhiteHat Security Presentation
WhiteHat Security PresentationWhiteHat Security Presentation
WhiteHat Security Presentationmarkgmeyer
 
Red Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and ComplianceRed Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and ComplianceMarc Boorshtein
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeThuan Ng
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Codit
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018MOnCloud
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersSalesforce Developers
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshopPayampardaz
 
Prévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxPrévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxColloqueRISQ
 
CV_PurnimaBalla_WCS-Consultant_7Yrs
CV_PurnimaBalla_WCS-Consultant_7YrsCV_PurnimaBalla_WCS-Consultant_7Yrs
CV_PurnimaBalla_WCS-Consultant_7YrsPurnima Balla
 
Automate All The Things with Flow
Automate All The Things with FlowAutomate All The Things with Flow
Automate All The Things with FlowSalesforce Admins
 
End-to-End Identity Management
End-to-End Identity ManagementEnd-to-End Identity Management
End-to-End Identity ManagementWSO2
 
Access Control, Authentication, and Public Key Infrastructure .docx
Access Control, Authentication, and Public Key Infrastructure .docxAccess Control, Authentication, and Public Key Infrastructure .docx
Access Control, Authentication, and Public Key Infrastructure .docxdaniahendric
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesKai Wähner
 
BuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended EventsBuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended EventsJason Strate
 

Similar to Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf (20)

Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against It
 
UiPath - IT Automation.pdf
UiPath - IT Automation.pdfUiPath - IT Automation.pdf
UiPath - IT Automation.pdf
 
UiPath - IT Automation (1).pdf
UiPath - IT Automation (1).pdfUiPath - IT Automation (1).pdf
UiPath - IT Automation (1).pdf
 
Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...
 
WhiteHat Security Presentation
WhiteHat Security PresentationWhiteHat Security Presentation
WhiteHat Security Presentation
 
Red Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and ComplianceRed Hat Summit - OpenShift Identity Management and Compliance
Red Hat Summit - OpenShift Identity Management and Compliance
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
 
Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018Microservices security - jpmc tech fest 2018
Microservices security - jpmc tech fest 2018
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
Salesforce platform session 2
Salesforce platform session 2 Salesforce platform session 2
Salesforce platform session 2
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshop
 
Prévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxPrévention et détection des mouvements latéraux
Prévention et détection des mouvements latéraux
 
CV_PurnimaBalla_WCS-Consultant_7Yrs
CV_PurnimaBalla_WCS-Consultant_7YrsCV_PurnimaBalla_WCS-Consultant_7Yrs
CV_PurnimaBalla_WCS-Consultant_7Yrs
 
Automate All The Things with Flow
Automate All The Things with FlowAutomate All The Things with Flow
Automate All The Things with Flow
 
End-to-End Identity Management
End-to-End Identity ManagementEnd-to-End Identity Management
End-to-End Identity Management
 
Access Control, Authentication, and Public Key Infrastructure .docx
Access Control, Authentication, and Public Key Infrastructure .docxAccess Control, Authentication, and Public Key Infrastructure .docx
Access Control, Authentication, and Public Key Infrastructure .docx
 
Log Analytics for Distributed Microservices
Log Analytics for Distributed MicroservicesLog Analytics for Distributed Microservices
Log Analytics for Distributed Microservices
 
Introduction to Heroku
Introduction to HerokuIntroduction to Heroku
Introduction to Heroku
 
BuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended EventsBuildingSecurity Audits with Extended Events
BuildingSecurity Audits with Extended Events
 

More from Brandon DeVault

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Brandon DeVault
 
Tracing Transactions - BSides Orlando.pdf
Tracing Transactions - BSides Orlando.pdfTracing Transactions - BSides Orlando.pdf
Tracing Transactions - BSides Orlando.pdfBrandon DeVault
 
Log4Shell Case Study - Suricon2022.pdf
Log4Shell Case Study - Suricon2022.pdfLog4Shell Case Study - Suricon2022.pdf
Log4Shell Case Study - Suricon2022.pdfBrandon DeVault
 
Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf
Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdfTracing Transactions - Threat Hunting for Financially Motivated APTs.pdf
Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdfBrandon DeVault
 
Level up your SOC - Guide for a Resilient Education Program.pdf
Level up your SOC - Guide for a Resilient Education Program.pdfLevel up your SOC - Guide for a Resilient Education Program.pdf
Level up your SOC - Guide for a Resilient Education Program.pdfBrandon DeVault
 
Log4j vulnerability - CCC - Workshop.pdf
Log4j vulnerability - CCC - Workshop.pdfLog4j vulnerability - CCC - Workshop.pdf
Log4j vulnerability - CCC - Workshop.pdfBrandon DeVault
 
Log4j vulnerability - CCC - Talk.pdf
Log4j vulnerability - CCC - Talk.pdfLog4j vulnerability - CCC - Talk.pdf
Log4j vulnerability - CCC - Talk.pdfBrandon DeVault
 
Handling Open-Source Code - ISF 2022.pdf
Handling Open-Source Code - ISF 2022.pdfHandling Open-Source Code - ISF 2022.pdf
Handling Open-Source Code - ISF 2022.pdfBrandon DeVault
 
CircleCityCon - Threat Hunting with the Elastic Stack
CircleCityCon - Threat Hunting with the Elastic StackCircleCityCon - Threat Hunting with the Elastic Stack
CircleCityCon - Threat Hunting with the Elastic StackBrandon DeVault
 
Alamo ACE - Threat Hunting with CVAH
Alamo ACE - Threat Hunting with CVAHAlamo ACE - Threat Hunting with CVAH
Alamo ACE - Threat Hunting with CVAHBrandon DeVault
 
BSides JAX 2019 - Threat Hunting with the Elastic Stack
BSides JAX 2019 - Threat Hunting with the Elastic StackBSides JAX 2019 - Threat Hunting with the Elastic Stack
BSides JAX 2019 - Threat Hunting with the Elastic StackBrandon DeVault
 
How Microsoft will MiTM your network
How Microsoft will MiTM your networkHow Microsoft will MiTM your network
How Microsoft will MiTM your networkBrandon DeVault
 

More from Brandon DeVault (12)

Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
 
Tracing Transactions - BSides Orlando.pdf
Tracing Transactions - BSides Orlando.pdfTracing Transactions - BSides Orlando.pdf
Tracing Transactions - BSides Orlando.pdf
 
Log4Shell Case Study - Suricon2022.pdf
Log4Shell Case Study - Suricon2022.pdfLog4Shell Case Study - Suricon2022.pdf
Log4Shell Case Study - Suricon2022.pdf
 
Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf
Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdfTracing Transactions - Threat Hunting for Financially Motivated APTs.pdf
Tracing Transactions - Threat Hunting for Financially Motivated APTs.pdf
 
Level up your SOC - Guide for a Resilient Education Program.pdf
Level up your SOC - Guide for a Resilient Education Program.pdfLevel up your SOC - Guide for a Resilient Education Program.pdf
Level up your SOC - Guide for a Resilient Education Program.pdf
 
Log4j vulnerability - CCC - Workshop.pdf
Log4j vulnerability - CCC - Workshop.pdfLog4j vulnerability - CCC - Workshop.pdf
Log4j vulnerability - CCC - Workshop.pdf
 
Log4j vulnerability - CCC - Talk.pdf
Log4j vulnerability - CCC - Talk.pdfLog4j vulnerability - CCC - Talk.pdf
Log4j vulnerability - CCC - Talk.pdf
 
Handling Open-Source Code - ISF 2022.pdf
Handling Open-Source Code - ISF 2022.pdfHandling Open-Source Code - ISF 2022.pdf
Handling Open-Source Code - ISF 2022.pdf
 
CircleCityCon - Threat Hunting with the Elastic Stack
CircleCityCon - Threat Hunting with the Elastic StackCircleCityCon - Threat Hunting with the Elastic Stack
CircleCityCon - Threat Hunting with the Elastic Stack
 
Alamo ACE - Threat Hunting with CVAH
Alamo ACE - Threat Hunting with CVAHAlamo ACE - Threat Hunting with CVAH
Alamo ACE - Threat Hunting with CVAH
 
BSides JAX 2019 - Threat Hunting with the Elastic Stack
BSides JAX 2019 - Threat Hunting with the Elastic StackBSides JAX 2019 - Threat Hunting with the Elastic Stack
BSides JAX 2019 - Threat Hunting with the Elastic Stack
 
How Microsoft will MiTM your network
How Microsoft will MiTM your networkHow Microsoft will MiTM your network
How Microsoft will MiTM your network
 

Recently uploaded

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Recently uploaded (20)

What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Les Miserable Persistence - Hunting Through Scheduled Tasks - ShmooCon 2023.pdf

  • 1. Les Misérables Persistence: Hunting Through Scheduled Tasks ShmooCon 2023 Brandon DeVault Principal Security Author, Pluralsight Defensive Cyber Operations, FL Air National Guard /in/brandon-devault @SolderSwag www.devaultsecurity.com
  • 2. Agenda • Introduction & Detection • PowerShell Analysis • Dashboard Analysis with Elastic • Q&A
  • 3. Persistence Techniques - MITRE Account Manipulation BITS Jobs Boot or Logon Autostart Execution Boot or Logon Initialization Scripts Browser Extensions Compromise Client Software Binary Create Account Create or Modify System Process Event Triggered Execution External Remote Services Hijack Execution Flow Implant Internal Image Modify Authentication Process Office Application Startup Pre-OS Boot Scheduled Task/Job Server Software Component Traffic Signaling Valid Accounts Boot or Logon Autostart Execution Boot or Logon Initialization Scripts Browser Extensions Compromise Client Software Binary Create Account Create or Modify System Process Event Triggered Execution External Remote Services Hijack Execution Flow Implant Internal Image Modify Authentication Process Office Application Startup Pre-OS Boot Scheduled Task/Job Server Software Component Traffic Signaling Valid Accounts
  • 4. Persistence Techniques - MITRE Scheduled Task/Job T1053.002 – At T1053.003 – Cron T1053.005 – Scheduled Task T1053.006 – Systemd Timers T1053.007 – Container Orchestration Job *132 Named Threat Groups having used this persistence method
  • 5. Detection Methods • Command Execution • WMI, PowerShell, cmd … • File Modification • %systemroot%Sytem32Tasks • Process Creation • Registry Key Creation • Log Detection! • Sysmon • Event ID: 4698-4702
  • 7.
  • 11. Step 1 – Export the Tasks (using PowerShell) $savefolder = "C:SomeFolder" Get-ScheduledTask | ForEach-Object { $_.TaskName Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath | Out-file (Join-Path $savefolder "$($_.TaskName).xml") }
  • 12. Step 2 – Convert to JSON (using Python) import xmltodict, json, os directory = '/some/directory/’ for filename in os.listdir(directory): if filename.endswith(".xml"): with open(filename, 'rb') as f: XML_content = f.read() x = xmltodict.parse(XML_content) j = json.dumps(x) print (filename) filename = filename.replace('.xml', '') output_file = open(filename + '.json', 'w') output_file.write(j)
  • 13. Step 3 – Import! • Fail… • Not a proper NDJSON format
  • 15. Convert JSON to NDJSON (using jq) cat test.json | jq -c '.[]' > testNDJSON.json
  • 18. Convert JSON to NDJSON (using Python) <Super Awesome Code>
  • 21. Create a Logstash Pipeline • XML Parser • 30 minutes later… • Task Scheduler schema: 658 lines…
  • 23. Convert to CSV • Tool: SaveJson2CSV • Gunamoi Software
  • 25.
  • 26. Questions? • www.devaultsecurity.com • linkedin. • twitter. devaultsecurity.com • github. • brandon-devault@pluralsight.com • https://app.pluralsight.com/profile/author/brandon-devault • https://github.com/Oofles/scheduled-tasks }