You can examine old and new task files, but it isn't always easy. First, the files may be owned by the System account and inaccessible to Administrators. They are often located in %Windir%\System32\Tasks and made invisible using the Hidden attribute. Even if you are looking for them -- and most people aren't -- they can be difficult to find.
Windows Task Scheduler safety tips
So what can you do? There are a few steps you can take, and they're not hard -- you just have to be aware of them. First, you can look for unexpected, hidden job files. You can use Windows Explorer, Attrib.exe, or DIR /ah to search for hidden files, but an even easier way is to use Sysinternals Autoruns. Autoruns lets you zero straight in on all scheduled tasks, whether they're hidden or not.
Unfortunately, if you've never looked around to see what jobs normally run on your systems (and there can be dozens to hundreds of them, enabled by Microsoft or by legitimate software), figuring out what is nasty versus nice can take some time. Here's where it pays just to be aware of this attack vector, because you don't want to look at every job file all the time. Heck, that will drive you crazy. But you can be sure to look for suspicious job files whenever you're doing a malware investigation.
As I said before, this might involve decoding binary .job files. This Windows Incident Response article can help you with that.
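The inventory step described above, as an added example that is not code from the article or from Sysinternals: it walks %Windir%\System32\Tasks with the Hidden attribute included, reports what each XML task would execute (binary .job files are only flagged, since they need a separate decoder), and saves a baseline so that later runs only show what changed. The baseline path and the function names are my own; run it from an elevated prompt, because files owned by SYSTEM may otherwise be unreadable.

```powershell
# Added example, not code from the article. Inventories every task file under
# %Windir%\System32\Tasks (Hidden ones included), shows what each task would
# execute, and diffs the result against a saved baseline. Run from an elevated
# prompt; files that still cannot be read are reported as warnings.

$TaskRoot = Join-Path $env:windir 'System32\Tasks'

function Get-TaskFileInventory {
    param([string]$Root = $TaskRoot)

    # -Force makes Get-ChildItem return files carrying the Hidden/System attributes
    $files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force `
                 -ErrorAction SilentlyContinue -ErrorVariable accessErrors

    foreach ($f in $files) {
        $hidden  = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $author  = $null
        $actions = $null

        if ($f.Extension -eq '.job') {
            # Legacy binary format; only its presence is flagged here
            $actions = '<binary .job file: decode separately>'
        } else {
            try {
                # Vista and later store tasks as XML; PowerShell's XML adapter walks the
                # elements by name, so the Task namespace need not be declared
                [xml]$xml = Get-Content -LiteralPath $f.FullName -Raw -ErrorAction Stop
                $author  = $xml.Task.RegistrationInfo.Author
                $actions = @($xml.Task.Actions.Exec | ForEach-Object {
                    ('{0} {1}' -f $_.Command, $_.Arguments).Trim()
                }) -join ' | '
                if (-not $actions) { $actions = '<non-Exec action, e.g. COM handler>' }
            } catch {
                $actions = "<unreadable: $($_.Exception.Message)>"
            }
        }

        $hashInfo = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        $hash     = $null
        if ($hashInfo) { $hash = $hashInfo.Hash }

        [pscustomobject]@{
            Task     = $f.FullName.Substring($Root.Length)   # same \Folder\Name form schtasks shows
            Hidden   = $hidden
            Author   = $author
            Actions  = $actions
            Hash     = $hash
            Modified = $f.LastWriteTimeUtc
        }
    }

    foreach ($e in $accessErrors) {
        Write-Warning "Could not read $($e.TargetObject): $($e.Exception.Message)"
    }
}

function Save-TaskBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-TaskFileInventory | Export-Clixml -LiteralPath $Path
}

function Compare-TaskBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $baseline = Import-Clixml -LiteralPath $Path
    $current  = Get-TaskFileInventory
    # A task file is listed if its path is new or gone, or if its content hash changed
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Task, Hash |
        ForEach-Object {
            $diff = $_
            $now  = $current | Where-Object { $_.Task -eq $diff.Task } | Select-Object -First 1
            $state = 'in baseline only'
            if ($diff.SideIndicator -eq '=>') { $state = 'present now (new or changed)' }
            [pscustomobject]@{
                Change  = $state
                Task    = $diff.Task
                Hidden  = $now.Hidden
                Actions = $now.Actions
            }
        }
}

# Usage: list hidden task files first, then take a baseline and check later for drift.
Get-TaskFileInventory | Where-Object { $_.Hidden } | Format-Table Task, Author, Actions -AutoSize
# Save-TaskBaseline    -Path 'C:\Baselines\tasks-baseline.xml'   # placeholder path
# Compare-TaskBaseline -Path 'C:\Baselines\tasks-baseline.xml' | Format-Table -AutoSize
```

Take the baseline on a machine you have already vetted (Autoruns is a good way to do that vetting), and store it somewhere malware on the host cannot rewrite. The Actions column is what you read first: a task whose command points at a user-writable directory, or whose Author field is empty or unfamiliar, deserves a closer look.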
Windows Event Logging can be your friend as well. You can enable Object Access auditing on the task folders noted above and alert on unusual activity. This will take some fine-tuning, of course.
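One way to set up that auditing and read back the results, as an added example that is not from the article: the audit policy lines turn on the File System subcategory (which generates event 4663 when an object with a SACL is touched) and the Other Object Access Events subcategory (which makes the scheduler itself log 4698, 4699 and 4702 for task creation, deletion and modification). The function names, the rights list in the SACL and the assumption that no Group Policy already controls these subcategories are my own.

```powershell
# Added example, not code from the article. Turns on the auditing needed for the
# task folder and pulls the resulting Security-log events. Run elevated; the
# audit policy lines assume no Group Policy already overrides these subcategories.

$TaskRoot = Join-Path $env:windir 'System32\Tasks'

# "File System" yields 4663 when a SACL'd object is touched; "Other Object Access
# Events" yields 4698/4699/4702 (task created/deleted/updated) from the scheduler.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

function Add-TaskFolderAudit {
    param([string]$Path = $TaskRoot)
    $acl = Get-Acl -Path $Path -Audit
    # Audit creates, writes and deletes by anyone (S-1-1-0 = Everyone),
    # inherited by every subfolder and task file
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rights   = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, ChangePermissions, TakeOwnership'
    $inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop     = [System.Security.AccessControl.PropagationFlags]::None
    $flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
                -ArgumentList $everyone, $rights, $inherit, $prop, $flags
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-TaskAuditEvents {
    param(
        [int]$Hours = 24,
        [string[]]$IgnoreSubjects = @()   # accounts you have tuned out as normal
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4663, 4698, 4699, 4702
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData name/value pairs so fields can be addressed by name
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $object = $data.TaskName                      # 4698/4699/4702 carry the task name
        if ($_.Id -eq 4663) { $object = $data.ObjectName }   # 4663 carries the file path
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Object  = $object
            Process = $data.ProcessName               # only present on 4663
        }
    } | Where-Object {
        # Keep file events only for the task folder, and drop subjects already baselined
        ($_.Id -ne 4663 -or $_.Object -like "$TaskRoot*") -and ($IgnoreSubjects -notcontains $_.Subject)
    }
}

# Usage: set the SACL once, then review the last day of activity.
Add-TaskFolderAudit
Get-TaskAuditEvents -Hours 24 | Format-Table Time, Id, Subject, Object, Process -AutoSize
```

The fine-tuning the article mentions happens in the Subject and Process columns: Windows Update, installers and management agents legitimately create and rewrite tasks, so collect a few days of output, add the accounts and processes you recognise to the IgnoreSubjects list (or a process allowlist), and alert on what remains. A 4698 event whose TaskContent (also available in the flattened data) points at an odd command is the scheduler telling you directly that a job was registered, independent of whether the file on disk is hidden.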
Finally, you can use a network monitoring tool (Network Monitor, Wireshark, and so on) to look for instances of unexpected hosts that are creating unexpected remote jobs. Remote jobs are pretty common when malware or malicious hackers are involved.
What do I mean by unexpected hosts? Well, most client computers should not be creating remote jobs on other clients and servers. Most servers should not be creating remote jobs on other servers and clients. You can use network monitoring tools to figure out which remote jobs are normal and legitimate. Use the normal activity to create a baseline, then alert on deviations from the norm. The remote job activity can be identified and filtered fairly easily. By default, Microsoft's Network Monitor labels the application-layer protocol as TSCH.
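The baseline-then-deviate approach described above, as an added example that is not from the article: it reads a CSV export of captured traffic (the column names are my assumption; adapt them to whatever your capture tool writes), keeps only the rows labelled TSCH, learns which Source->Destination pairs were seen during a quiet period, and then flags any later remote job whose source is not a designated management host or whose pair never appeared in the baseline. All addresses and timestamps are constructed.

```powershell
# Added example, not code from the article. Builds a baseline of which hosts
# create remote scheduled jobs on which (from a CSV export of captured TSCH
# traffic) and flags deviations. Columns, addresses and times are constructed.

# Constructed sample: a quiet learning period, then a later day to check
$BaselineCsv = @'
Time,Source,Destination,Protocol
2010-06-01T02:00:11,10.0.1.5,10.0.2.10,TSCH
2010-06-01T02:00:12,10.0.1.5,10.0.2.11,TSCH
2010-06-02T02:00:10,10.0.1.5,10.0.2.10,TSCH
2010-06-02T02:00:13,10.0.1.5,10.0.2.11,TSCH
2010-06-02T09:15:00,10.0.3.40,10.0.2.10,SMB
'@

$TodayCsv = @'
Time,Source,Destination,Protocol
2010-06-08T02:00:09,10.0.1.5,10.0.2.10,TSCH
2010-06-08T02:00:12,10.0.1.5,10.0.2.11,TSCH
2010-06-08T14:22:31,10.0.3.40,10.0.3.41,TSCH
2010-06-08T14:23:05,10.0.3.40,10.0.2.10,TSCH
2010-06-08T14:25:47,10.0.2.10,10.0.2.12,TSCH
'@

function Import-TschRecords {
    # Parse the export and keep only scheduler traffic (Network Monitor labels it TSCH)
    param([Parameter(Mandatory)][string]$Csv)
    $Csv | ConvertFrom-Csv | Where-Object { $_.Protocol -eq 'TSCH' }
}

function New-TschBaseline {
    # Source->Destination pairs seen during the learning period, with how often each occurred
    param([Parameter(Mandatory)]$Records)
    $pairs = @{}
    foreach ($r in $Records) { $pairs["$($r.Source)->$($r.Destination)"] += 1 }
    $pairs
}

function Find-UnexpectedRemoteJobs {
    param(
        [Parameter(Mandatory)]$Records,
        [Parameter(Mandatory)][hashtable]$Baseline,
        [string[]]$ManagementHosts = @()   # hosts permitted to create remote jobs at all
    )
    foreach ($r in $Records) {
        $pair   = "$($r.Source)->$($r.Destination)"
        $reason = $null
        if ($ManagementHosts.Count -gt 0 -and $ManagementHosts -notcontains $r.Source) {
            $reason = 'source is not a designated management host'
        } elseif (-not $Baseline.ContainsKey($pair)) {
            $reason = 'pair never seen during the baseline period'
        }
        if ($reason) {
            [pscustomobject]@{
                Time        = $r.Time
                Source      = $r.Source
                Destination = $r.Destination
                Reason      = $reason
            }
        }
    }
}

# Usage: learn from the quiet period, then check the new day's capture.
$baseline = New-TschBaseline -Records (Import-TschRecords -Csv $BaselineCsv)
Find-UnexpectedRemoteJobs -Records (Import-TschRecords -Csv $TodayCsv) `
                          -Baseline $baseline -ManagementHosts '10.0.1.5' |
    Format-Table -AutoSize
```

With the constructed data, the two overnight rows from 10.0.1.5 pass (known management host, known pairs), while the afternoon rows are flagged: a client reaching a peer client, the same client reaching a server, and that server then creating a job on another server. That client-to-client, then server-to-server pattern is exactly the kind of deviation the article is talking about. In production, feed the baseline a long enough period to cover weekly and monthly jobs, and refresh it only after you have reviewed the new pairs.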
If you haven't included Windows Task Scheduler jobs in your malware investigation procedures, you should. If you have a network intrusion detection system or network anomaly system looking for dubious network activity, make suspicious remote jobs part of the sweep. Simply being aware of this rising attack vector and introducing it into your normal forensics activities is a great step forward.
This story, "Malware loves Windows Task Scheduler," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.