presence of common attack tools is highly concerning
but may be used by security personnel and administrators as part of their job
Unauthorized Scheduled Tasks
Task Scheduler is the Windows utility that runs programs or scripts at set times or on triggers (logon, startup, idle, a logged event), designed to allow routine maintenance processes to run in an organized and automated way
often used to run backups and maintenance scripts
often abused by attackers and malware
may use scheduled tasks for persistence, e.g., to
automate communication (beaconing) with a C&C server
or launch a reverse shell when the system restarts or a user logs on
Monitor scheduled tasks for changes and review new items to ensure they are authorized
Changes generate an event in the Security Event Log (only when "Audit Other Object Access Events" is enabled) and in the Task Scheduler Operational log (Microsoft-Windows-TaskScheduler/Operational, e.g., Event ID 106 = task registered)
contains:
task’s name
who made the change
timestamp
Event ID 4698 indicates a scheduled task was created; 4699 deleted; 4702 updated
Event ID 4700 indicates a scheduled task was enabled; 4701 disabled
can search events using keywords
e.g., "Task Scheduler"; filtering by Event ID and Security log is more reliable than keyword search, and the event's TaskContent field holds the task XML, including the command the task runs
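Added example, not part of the original notes: a PowerShell triage script that pulls the scheduled-task audit events described above from the Security log, extracts the task name, the account that made the change and the command the task runs from each event's XML, and flags items that warrant review. It assumes the relevant auditing is enabled, a seven-day review window and a heuristic list of script hosts (all assumptions, adjust to your environment).

```powershell
# Added example (not from the original notes): list who changed which scheduled task, and what it runs.
# Assumes "Audit Other Object Access Events" (success) is enabled; otherwise 4698-4702 are never logged.
# Event IDs: 4698 created, 4699 deleted, 4700 enabled, 4701 disabled, 4702 updated.
$taskEventIds = 4698, 4699, 4700, 4701, 4702
$since = (Get-Date).AddDays(-7)   # assumed review window

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $taskEventIds; StartTime = $since } `
    -ErrorAction SilentlyContinue

$findings = foreach ($ev in $events) {
    $xml = [xml]$ev.ToXml()
    # EventData is a list of <Data Name="..."> elements; index them by name
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TaskContent holds the task's own XML definition; pull the action it executes
    $command = ''
    if ($data['TaskContent']) {
        try {
            $task = [xml]$data['TaskContent']
            $exec = $task.Task.Actions.Exec
            $command = "$($exec.Command) $($exec.Arguments)".Trim()
        } catch { $command = '<unparsed>' }
    }

    [pscustomobject]@{
        Time    = $ev.TimeCreated
        EventId = $ev.Id
        Action  = switch ($ev.Id) { 4698 {'created'} 4699 {'deleted'} 4700 {'enabled'} 4701 {'disabled'} 4702 {'updated'} }
        Task    = $data['TaskName']
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Command = $command
    }
}

# Heuristic (assumed list, not a verdict): tasks outside the Microsoft\Windows tree whose action
# is a shell or script host, the usual shape of a C2 beacon or reverse-shell launcher.
$suspicious = $findings | Where-Object {
    $_.Task -notlike '\Microsoft\Windows\*' -and
    $_.Command -match 'powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'
}

$findings | Sort-Object Time | Format-Table Time, Action, User, Task, Command -AutoSize
"`nReview first:"
$suspicious | Format-Table Time, Action, User, Task, Command -AutoSize
```

Run it from an elevated PowerShell prompt (the Security log is not readable by standard users). Deletions (4699) carry no TaskContent, so the Command column is empty for them; compare against the matching 4698 to see what was removed.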
File System and Registry Changes
File system and registry changes can indicate a security breach or attack
attacker may change critical system configuration stored in system files or registry keys to alter or disable essential security settings (e.g., antivirus or logging), or use them to store and persist malware and scripts (e.g., Run/RunOnce keys)
Indicators:
creation of new files or folders in unexpected locations or with unusual names
Unexpected or unauthorized changes to files
Removing temp files, clearing temp folders, or deleting log entries (anti-forensics: covering tracks)
Changes to registry keys related to security settings
Unauthorized changes to user accounts or group membership
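Added example, not part of the original notes: a PowerShell baseline-and-diff check for the registry indicators above. It snapshots autorun keys and a couple of security-setting keys, saves a known-good baseline on first run, and on later runs reports added, removed and modified values. The key list and baseline path are assumptions; extend the list to whatever your own baseline covers.

```powershell
# Added example (not from the original notes): detect registry changes against a saved baseline.
# Paths below are common attacker targets; adjust to your environment.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',   # security settings (e.g. DisableAntiSpyware)
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'            # LSA hardening values (e.g. RunAsPPL)
)
$baselinePath = 'C:\Baselines\registry-baseline.json'   # assumed location

function Get-RegistrySnapshot {
    param([string[]]$Paths)
    $snap = @{}
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSParentPath/... noise
            $snap["$p!$name"] = [string]$props.$name
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $allKeys = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    $diff = foreach ($k in $allKeys) {
        $inBase = $Baseline.ContainsKey($k); $inCur = $Current.ContainsKey($k)
        if ($inBase -and -not $inCur) {
            [pscustomobject]@{ Change = 'removed';  Key = $k; Old = $Baseline[$k]; New = $null }
        } elseif ($inCur -and -not $inBase) {
            [pscustomobject]@{ Change = 'added';    Key = $k; Old = $null;         New = $Current[$k] }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            [pscustomobject]@{ Change = 'modified'; Key = $k; Old = $Baseline[$k]; New = $Current[$k] }
        }
    }
    return $diff
}

$current = Get-RegistrySnapshot -Paths $keys
if (-not (Test-Path $baselinePath)) {
    # First run: record the known-good state. Take this on a freshly built, trusted system.
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $baselinePath
    "Baseline written to $baselinePath ($($current.Count) values)."
} else {
    $baseline = @{}
    (Get-Content $baselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = [string]$_.Value }
    $changes = Compare-RegistrySnapshot -Baseline $baseline -Current $current
    if ($changes) { $changes | Format-Table Change, Key, Old, New -AutoSize -Wrap }
    else { 'No changes against baseline.' }
}
```

An "added" entry under a Run key or a "modified" value under the Defender policy key is exactly the kind of change the indicator list calls out; treat the script as a first filter and confirm each hit against change records before acting. Store the baseline file somewhere the monitored host cannot rewrite it, or an attacker who can edit the registry can also re-baseline their own changes.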