Tuesday, 15 November 2011

Investigating tasks in Windows

When investigating an incident in a Windows environment, one of the things you should check is the scheduled tasks. Many malware varieties use startup processes to reload and maintain themselves. By seeking out new and unusual tasks, you can quickly look for simple compromises and malicious processes.

Privileged tasks (those running as SYSTEM or an Administrator account, for instance) are of particular concern. It is also not unusual to discover malicious code running under a blank username.

To make a simple check of the running and scheduled tasks from the command line, type:

  • schtasks

image

You can see in the image above that we have a number of scheduled tasks on the system this was run from. The output is divided into groups as follows:

  • Folder
  • Task name
  • Next run time
  • Status (ready to run, or running now)

You can create tasks in Windows using these commands as well, but for now we are simply seeking out tasks that we did not expect. Diffing the results is a good way to look for system changes.

You can see the help for this command using the “schtasks /?” switch, as displayed below.

image
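The diffing idea above, carried out as an added example (not code from the original post): it parses two captures of “schtasks /query /fo CSV /v”, skips the header line that schtasks repeats once per task folder, reports tasks that are new, removed or now run a different command, and flags the blank or privileged “Run As User” values discussed earlier. The CSV samples are constructed and trimmed to the columns the script uses.

```python
import csv
import io
# Column names follow the verbose output of "schtasks /query /fo CSV /v".
PRIVILEGED_USERS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "ADMINISTRATOR"}

# Constructed baseline capture (known-good state of the host), trimmed to the columns used.
BASELINE_CSV = r'''"TaskName","Next Run Time","Status","Task To Run","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","%windir%\system32\defrag.exe -c","SYSTEM"
"\VendorUpdater","16/11/2011 10:00:00","Ready","C:\Program Files\Vendor\update.exe","Administrator"
'''
# Constructed later capture: header repeated per folder (as schtasks does), one binary moved, one new blank-user task.
CURRENT_CSV = r'''"TaskName","Next Run Time","Status","Task To Run","Run As User"
"\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","%windir%\system32\defrag.exe -c","SYSTEM"
"TaskName","Next Run Time","Status","Task To Run","Run As User"
"\VendorUpdater","16/11/2011 10:00:00","Ready","C:\Users\Public\update.exe","Administrator"
"\ExampleTask","16/11/2011 03:00:00","Ready","C:\Users\Public\example.exe",""
'''

def parse_schtasks_csv(text):
    """Map TaskName -> row, dropping the header rows that schtasks repeats per folder."""
    return {r["TaskName"]: r for r in csv.DictReader(io.StringIO(text))
            if r["TaskName"] != "TaskName"}

def review_task(row):
    """Reasons one task deserves a closer look: blank or privileged account."""
    user = (row.get("Run As User") or "").strip()
    if not user:
        return ["blank Run As User"]
    if user.upper() in PRIVILEGED_USERS or user.upper().endswith("\\ADMINISTRATOR"):
        return ["runs as privileged account " + user]
    return []

def diff_tasks(baseline, current):
    """Tasks added, removed, or whose command line changed between two captures."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(n for n in set(baseline) & set(current)
                     if baseline[n]["Task To Run"] != current[n]["Task To Run"])
    return added, removed, changed

def findings(baseline_text, current_text):
    baseline, current = parse_schtasks_csv(baseline_text), parse_schtasks_csv(current_text)
    added, removed, changed = diff_tasks(baseline, current)
    lines = ["NEW %s -> %s (%s)" % (n, current[n]["Task To Run"],
             "; ".join(review_task(current[n])) or "unprivileged") for n in added]
    lines += ["REMOVED %s" % n for n in removed]
    lines += ["CHANGED %s: %s -> %s" % (n, baseline[n]["Task To Run"],
              current[n]["Task To Run"]) for n in changed]
    return lines
```

Run `print("\n".join(findings(BASELINE_CSV, CURRENT_CSV)))` to see the two findings; on a live host, feed it the saved output of the schtasks command from a clean capture and the current one.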

Next is WMIC.

WMIC is great for malware analysis. It will display all of the files loaded at startup, and it also returns the Registry keys the system associates with “autostart”.

You can see the values returned in the figure below:

  • wmic startup list full

image

We can also use WMIC to select individual processes.

  • wmic process list full | find "cmd.exe"

image

Here we have restricted the process search to just cmd.exe.

This is useful for checking paths, and for seeing whether a process has inserted itself ahead of the “true” system file.
