A Story of Persistence – Windows Part 1


For a while I have wanted to do a series of blog posts discussing the different types of persistence mechanisms in Windows, Linux and macOS. Some procrastination has had the better of me.

This is the first part; hopefully more will follow. I am going to try to add the more pertinent details.

Malware uses persistence mechanisms to keep access to a system across restarts. MITRE ATT&CK treats Persistence as a tactic, and the individual persistence mechanisms are its techniques.

Each article will follow this structure:

  1. Name and some details of the persistence mechanism.
  2. How it works.
  3. Threat actors or malware who use this consistently.
  4. How to set it up.
  5. How to detect it from the event logs.
  6. How to get more details about it, using tools like PowerShell, Autoruns or any other tool.
  7. How to remove it.

First persistence mechanism:

Name: Scheduled Task

Scheduled tasks run an executable or command at a particular date and time, or on a recurring schedule. More details here.

Threat actors and malware known to use it consistently:

  1. Mummy Spider ( Emotet)
  2. Indrik Spider (Dridex)
  3. Wizard Spider (Trickbot)
  4. APT18, aka Dynamite Panda, a China-based threat actor, has also been known to use it.

Before setting up a scheduled task, a little about my environment: I am using Windows 10 and I will try to use the terminal for most of the work.

Let's first enable the audit logging that makes scheduled task creation visible in the Security event log.

Command to enable the required audit logging:

auditpol /set /category:"Object Access" /success:enable /failure:enable

Command to set up the scheduled task:

schtasks /create /tn "ASK Scheduled Task" /tr "c:\windows\system32\notepad.exe" /sc daily /st 04:23

Name of Task: ASK Scheduled Task

File to execute: c:\windows\system32\notepad.exe

Execution Period: Daily at 04:23.

Command to check the event log for scheduled task creation; the event ID for scheduled task creation is 4698:

Get-WinEvent -FilterHashtable @{LogName="Security";ID=4698;} | Select *

Command to check details of the created task:

schtasks /query /fo list /v /tn "ASK Scheduled Task"

Delete the scheduled task:

schtasks /delete /F /tn "ASK Scheduled Task"
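The Get-WinEvent query above dumps every property of each 4698 event. The PowerShell below is an added example (not from the original post) that pulls the task name, the creating account and the program the task runs out of the TaskContent XML carried in the event, and flags tasks that launch a script interpreter or point at a user-writable path. The interpreter list and path regex are assumptions I chose for triage, not anything defined by Windows.

```powershell
# Added example: triage Security event 4698 (scheduled task created).
# Each event carries the creator and the full task definition XML in
# TaskContent; the Exec action inside it holds the program and arguments.
# Note: 4698 belongs to the "Other Object Access Events" subcategory;
# enabling the whole Object Access category (as above) works but is noisy.

# Assumed triage lists (my choice, not Windows-defined): interpreters that
# deserve a look, and path fragments that usually mean a user-writable location.
$interpreters = 'powershell','pwsh','cmd','wscript','cscript','mshta','rundll32','regsvr32'
$userWritable = '(?i)\\(Users|Temp|AppData|ProgramData|Public)\\'

function Get-TaskCreationEvent {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4698 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }

        # TaskContent is the task definition XML; select the Exec action with its namespace.
        $task = [xml]$d['TaskContent']
        $ns = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
        $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
        $exec    = $task.SelectSingleNode('//t:Actions/t:Exec', $ns)
        $cmd     = if ($exec) { "$($exec.Command)" } else { '' }
        $argLine = if ($exec) { "$($exec.Arguments)" } else { '' }

        # Bare executable name without path, quotes or .exe, for the interpreter check.
        $exe = (($cmd.Trim('"') -split '[\\/]')[-1] -replace '\.exe$', '').ToLower()
        $suspicious = ($interpreters -contains $exe) -or
                      ($cmd -match $userWritable) -or ($argLine -match $userWritable)

        [pscustomobject]@{
            Time       = $_.TimeCreated
            Creator    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            TaskName   = $d['TaskName']
            Command    = $cmd
            Arguments  = $argLine
            Suspicious = $suspicious
        }
    }
}

# Flagged tasks first, newest first within each group.
Get-TaskCreationEvent | Sort-Object Suspicious, Time -Descending | Format-Table -AutoSize
```

Run from an elevated PowerShell after the auditpol command above; the "ASK Scheduled Task" created earlier shows up with notepad.exe and Suspicious = False.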

I think these details are concise enough. Screenshot of the commands executed below:

The next blog post will cover registry Run key persistence.


About the author

Ahmed Kasmani
