Windows Task scheduler artefacts  

pmurton
(@pmurton)
New Member

I am currently conducting an investigation on a host that is known to have been compromised. There is a string of .job files (i.e. AT1.job, AT2.job, etc.).

I believe that these have been run by a remote user using the "at" command. By looking at the command line commands issued chronologically, I can see pretty much what the user has done.

i.e. AT1.job shows ping.google.com (presumably to confirm Internet access), AT2.job shows the use of the netstat command piped to a temp file.

The sequence continues to a point where I can see "rogue" executables being launched.

I'd like to be able to identify the source of the device that issued the at commands, but I'm unsure how to go about this, or if it's possible.

Much of the content of the job files is in plain text (which is how I could see the commands), but there is also some "non plain text" content at the start of each file. I wondered whether this might contain some (encoded) information on the source of the file.

In each case the file owner is Administrator.

Posted : 06/09/2013 4:37 pm
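The "non plain text" at the start of a .job file is a fixed-length binary header. The following parser is an added example (not from either poster) that decodes it according to the layout published in Microsoft's MS-TSCH specification: a 68-byte FIXDLEN_DATA block (product/file version, job UUID, offsets, status, flags, last-run SYSTEMTIME) followed by a variable-length section of length-prefixed UTF-16LE strings (application name, parameters, working directory, author, comment), user/reserved data and the trigger list. The sample job it builds is constructed here for the demonstration; it is not one of the AT*.job files from the investigation. Note that none of the header fields records the remote machine that created the job; the author string is the account name, which for AT jobs is typically the account whose credentials were used.

```python
"""Parse the binary header of a Windows Task Scheduler .job file.

Added example. Field layout follows MS-TSCH section 2.4 (FIXDLEN_DATA +
variable-length section); the sample job below is constructed, not a real
artefact.
"""
import struct
import uuid

# FIXDLEN_DATA: 68 bytes, little-endian. The trailing 8 WORDs are a SYSTEMTIME.
FIXDLEN = struct.Struct("<HH16sHHHHHHIIIII8H")
# One TRIGGER record: 48 bytes.
TRIGGER = struct.Struct("<HHHHHHHHHHIIIIHHHHHH")

# Status HRESULTs as listed in MS-TSCH (SCHED_S_TASK_*).
STATUS = {
    0x00041300: "READY", 0x00041301: "RUNNING", 0x00041302: "DISABLED",
    0x00041303: "HAS_NOT_RUN", 0x00041304: "NO_MORE_RUNS",
    0x00041305: "NOT_SCHEDULED", 0x00041306: "TERMINATED",
}
TRIGGER_TYPES = {
    0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
    5: "EVENT_ON_IDLE", 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON",
}


def _read_ustr(buf, off):
    """Length-prefixed string: 2-byte char count (incl. NUL), then UTF-16LE chars."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    text = buf[off:off + 2 * n].decode("utf-16-le", errors="replace").rstrip("\x00")
    return text, off + 2 * n


def _skip_sized(buf, off):
    """2-byte size followed by that many bytes (User Data / Reserved Data)."""
    (n,) = struct.unpack_from("<H", buf, off)
    return off + 2 + n


def parse_job(buf):
    if len(buf) < FIXDLEN.size:
        raise ValueError("too short to be a .job file")
    (prod, filever, guid, app_off, trig_off, _retry, _retry_iv, _idle_dl, _idle_w,
     _prio, max_run, exit_code, status, flags, *lastrun) = FIXDLEN.unpack_from(buf, 0)
    off = FIXDLEN.size
    (instances,) = struct.unpack_from("<H", buf, off)   # running instance count
    off += 2
    app_name, off = _read_ustr(buf, off)
    params, off = _read_ustr(buf, off)
    workdir, off = _read_ustr(buf, off)
    author, off = _read_ustr(buf, off)
    comment, off = _read_ustr(buf, off)
    off = _skip_sized(buf, off)                          # user data
    off = _skip_sized(buf, off)                          # reserved data
    trig_base = off
    (ntrig,) = struct.unpack_from("<H", buf, off)
    off += 2
    triggers = []
    for _ in range(ntrig):
        t = TRIGGER.unpack_from(buf, off)
        triggers.append({
            "begin": f"{t[2]:04d}-{t[3]:02d}-{t[4]:02d} {t[8]:02d}:{t[9]:02d}",
            "type": TRIGGER_TYPES.get(t[13], f"UNKNOWN({t[13]})"),
        })
        off += t[0] or TRIGGER.size
    y, mo, _dow, d, h, mi, s, _ms = lastrun
    return {
        "uuid": str(uuid.UUID(bytes_le=guid)),
        "product_version": f"0x{prod:04x}", "file_version": filever,
        "app_name": app_name, "parameters": params, "working_dir": workdir,
        "author": author, "comment": comment, "running_instances": instances,
        "status": STATUS.get(status, f"0x{status:08x}"),
        "exit_code": exit_code, "max_run_ms": max_run, "flags": f"0x{flags:08x}",
        "last_run": None if y == 0 else f"{y:04d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d}",
        "triggers": triggers,
        # Header offsets must agree with the walk; a mismatch suggests a malformed file.
        "offsets_consistent": app_off == FIXDLEN.size + 2 and trig_off == trig_base,
    }


def _ustr(s):
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")


def build_sample_job():
    """Constructed AT-style job for the demo: cmd.exe running netstat into a temp file."""
    var = struct.pack("<H", 0)                                    # running instance count
    var += _ustr("cmd.exe")
    var += _ustr("/c netstat -an > C:\\Windows\\Temp\\net.txt")
    var += _ustr("")                                              # working directory
    var += _ustr("Administrator")                                 # author (account, not host)
    var += _ustr("Created by NetScheduleJobAdd.")
    var += struct.pack("<H", 0)                                   # user data
    var += struct.pack("<H", 8) + bytes(8)                        # reserved data
    trig_off = FIXDLEN.size + len(var)
    trigger = TRIGGER.pack(48, 0, 2013, 9, 5, 0, 0, 0, 14, 40, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    var += struct.pack("<H", 1) + trigger
    header = FIXDLEN.pack(
        0x0500, 0x0001, uuid.UUID("12345678-1234-5678-1234-56789abcdef0").bytes_le,
        FIXDLEN.size + 2, trig_off, 0, 0, 0, 0,
        0x20, 259200000, 0, 0x00041300, 0,
        2013, 9, 4, 5, 14, 37, 0, 0)                              # last run: Thu 2013-09-05 14:37
    return header + var


if __name__ == "__main__":
    for k, v in parse_job(build_sample_job()).items():
        print(f"{k:>20}: {v}")
```

Run it against a real file with `parse_job(open(path, "rb").read())`; the author, parameters and last-run fields are the parts worth putting on a timeline alongside the file-system timestamps of the .job files themselves.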
keydet89
(@keydet89)
Community Legend

You never mentioned the version of Windows you were analyzing, and that may have an effect on what you find, and what may be possible…

If you assume that these AT jobs were the result of someone using at.exe within your infrastructure and reaching to the system remotely, you should probably examine the Event Logs, looking for network-type logins. On Windows XP/2003, the event ID is 540, type 3. For Vista+, add 4096.

If the system you're analyzing is Vista or above, your chances of finding something of value are a bit better, simply because of the more verbose logging on those systems.

HTH

Posted : 13/09/2013 5:40 pm
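To make the event-log approach above concrete, here is an added example (not from either poster) that filters an XML export of the Security log for network logons and correlates them with the time a job file was written. It assumes a Vista+ system, where the successful-logon record is event ID 4624 and carries LogonType, WorkstationName and IpAddress as structured EventData fields; the three records below are constructed for the demo (RFC 5737 documentation addresses), wrapped in an `<Events>` root so they parse as one document.

```python
"""Find network (type 3) logons in a Security-log XML export around a job's creation time.

Added example. Assumes Vista+ event XML (event ID 4624 with structured
EventData); the sample records are constructed, not real log data.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two network logons and one interactive logon.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2013-09-05T14:35:12.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WS-EXAMPLE-01</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2013-09-05T14:36:02.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">HOST-A</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2013-09-05T09:10:44.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc_backup</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">BACKUP-SRV</Data>
    <Data Name="IpAddress">198.51.100.7</Data>
  </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict of System fields plus its EventData names."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": event_id,
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ"),
            **data,
        })
    return events


def network_logons(events, before=None, window=timedelta(hours=1)):
    """4624 records with LogonType 3; if `before` is given, only those in the window preceding it."""
    hits = []
    for e in events:
        if e["event_id"] != 4624 or e.get("LogonType") != "3":
            continue
        if before is not None and not (before - window <= e["time"] <= before):
            continue
        hits.append({
            "time": e["time"].isoformat(),
            "user": e.get("TargetUserName"),
            "workstation": e.get("WorkstationName"),
            "ip": e.get("IpAddress"),
        })
    return hits


if __name__ == "__main__":
    # Job file written at 14:37 (constructed): which network logons preceded it?
    job_written = datetime(2013, 9, 5, 14, 37)
    for hit in network_logons(parse_events(SAMPLE_EVENTS), before=job_written):
        print(hit)
```

The window should be set from the file-system timestamps of the .job files; the IpAddress and WorkstationName values are what the logging system recorded for the remote session and are the starting point for identifying the source device.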