I can't get enough of these kinds of videos, especially with this quality. Keep 'em coming!
Awesome videos as always! Cheers!
wild concept, love it
Great video as always. Just got a question for you. What if you delete everything in the opposite way, first the scheduled task.. does the task still run?
No, if you delete the task directly from the GUI or via schtasks, it will not continue to run.
Is this because the task is sitting in the registry (memory) on one of those transactional log files?
No, this particular sequence of events was unrelated to that. I'm not sure I understand your question?
Awesome work!
Thanks for another great video!
What a nice tutorial.. thank you for it
Awesome
But how do you delete this task if you can't see it?
via the Registry
Clearly the service just reads in the configs at start or when a new task is scheduled. Lots of programs work like this as they don't constantly monitor the registry.
More specifically, an svchost.exe process is spawned to run the recurring Scheduled Task. That process will continue to run in the background until the trigger condition expires, until the PID is killed, or until the system is rebooted/shut down. That's why killing the on-disk artifacts has no effect on it. That gives a Threat Actor a very stealthy way to run such a recurring task in the background that may go unnoticed.
@13Cubed yes. Microsoft would have to change the service to monitor for changes in that registry key to make it update dynamically. Nice catch. Haxors will be using this one
Restart the computer, but the malicious scheduled task continues to run; it seems that they injected some code into the svchost DLL.
If you delete both registry paths (Tasks and Tree), the task will continue to run until reboot. If you delete only the SD value, the task will continue to run, even on reboot, and will be effectively "hidden" from Task Scheduler and schtasks. Either way, logs will continue to be generated.
@13Cubed No task under \Schedule\TaskCache\Tree\ has an entry of type SD. The malware generated the \Microsoft\windows\Bluetool entry, which runs a PowerShell bypass with obfuscated parameters every 50 minutes. Is there a way to remove that persistent task?
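The two registry conditions described in the replies above (a Tree node with its SD value deleted, which hides the task from Task Scheduler and schtasks, and a Tasks\{GUID} entry left behind after the Tree node was deleted) can be checked directly from the TaskCache hive. The script below is an added example and is not code from the video or from any commenter. It assumes the standard layout (task nodes under TaskCache\Tree carry Id and SD values, Tasks\{GUID} carries a Path value, and the XML lives under System32\Tasks) and must run elevated to read TaskCache\Tasks. The GUID in the usage call is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not 13Cubed's code): audit TaskCache for hidden or orphaned tasks
# and optionally remove the registry/file artifacts of one task by GUID.

$TreeRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$TaskFiles = Join-Path $env:SystemRoot 'System32\Tasks'

function Get-TaskCacheAudit {
    [CmdletBinding()]
    param()

    $seenIds = @{}
    $marker  = '\TaskCache\Tree'

    # 1. Walk Tree: every key that carries an Id value is a task; folder keys have none.
    foreach ($key in Get-ChildItem -LiteralPath $TreeRoot -Recurse) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath
        if (-not $p.PSObject.Properties['Id']) { continue }
        $seenIds[$p.Id] = $true

        $taskPath = $key.Name.Substring($key.Name.IndexOf($marker) + $marker.Length)  # e.g. \Microsoft\Windows\Foo
        $taskKey  = Join-Path $TasksRoot $p.Id
        $hasSD    = [bool]$p.PSObject.Properties['SD']
        $hasTasks = Test-Path -LiteralPath $taskKey

        # Missing SD is the "hidden from Task Scheduler / schtasks" condition.
        $finding = if (-not $hasSD) { 'HIDDEN: Tree node has no SD value' }
                   elseif (-not $hasTasks) { 'Tree node without Tasks\{GUID} entry' }
                   else { 'OK' }

        [pscustomobject]@{
            TaskPath    = $taskPath
            Id          = $p.Id
            HasSD       = $hasSD
            HasTasksKey = $hasTasks
            HasXmlFile  = Test-Path -LiteralPath (Join-Path $TaskFiles $taskPath.TrimStart('\'))
            Finding     = $finding
        }
    }

    # 2. Walk Tasks: a {GUID} key with no Tree node means the Tree entry was deleted.
    #    Per the reply above, such a task keeps running in memory until reboot.
    foreach ($key in Get-ChildItem -LiteralPath $TasksRoot) {
        if ($seenIds.ContainsKey($key.PSChildName)) { continue }
        $t   = Get-ItemProperty -LiteralPath $key.PSPath
        $xml = if ($t.Path) { Join-Path $TaskFiles $t.Path.TrimStart('\') } else { $null }

        [pscustomobject]@{
            TaskPath    = $t.Path
            Id          = $key.PSChildName
            HasSD       = $false
            HasTasksKey = $true
            HasXmlFile  = [bool]($xml -and (Test-Path -LiteralPath $xml))
            Finding     = 'ORPHAN: Tasks\{GUID} entry without Tree node'
        }
    }
}

function Remove-TaskCacheEntry {
    # Removes the Tree node, the Tasks\{GUID} key and the XML file of one task.
    # The svchost.exe instance already running the task is unaffected until reboot.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Id)

    $targets = New-Object 'System.Collections.Generic.List[string]'

    # Tree nodes whose Id matches (folders have no Id, so they never match).
    Get-ChildItem -LiteralPath $TreeRoot -Recurse |
        Where-Object { (Get-ItemProperty -LiteralPath $_.PSPath).Id -eq $Id } |
        ForEach-Object { $targets.Add($_.PSPath) }

    $taskKey = Join-Path $TasksRoot $Id
    if (Test-Path -LiteralPath $taskKey) {
        $path = (Get-ItemProperty -LiteralPath $taskKey).Path
        if ($path) {
            $xml = Join-Path $TaskFiles $path.TrimStart('\')
            if (Test-Path -LiteralPath $xml) { $targets.Add($xml) }
        }
        $targets.Add($taskKey)
    }

    foreach ($target in $targets) {
        if ($PSCmdlet.ShouldProcess($target, 'Remove')) {
            Remove-Item -LiteralPath $target -Recurse -Force
        }
    }
}

# Usage: list everything that is not a normal, visible task, then dry-run a removal.
Get-TaskCacheAudit | Where-Object Finding -ne 'OK' | Format-Table -AutoSize
# Remove-TaskCacheEntry -Id '{00000000-0000-0000-0000-000000000000}' -WhatIf   # placeholder GUID
```

Run the audit first and keep its output (TaskPath, Id, which artifacts exist) as evidence before removing anything; the removal function supports -WhatIf and -Confirm so the exact keys and file it would delete can be reviewed. Because the running svchost.exe instance keeps executing the task until reboot, removing the registry entries is only part of the cleanup, and the Task Scheduler operational log will still show the executions in the meantime.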
Push.
𝓹𝓻𝓸𝓶𝓸𝓼𝓶 😢