Windows.Registry.ScheduledTasks :: Velociraptor

Windows.Registry.ScheduledTasks

This artefact will collect Scheduled task information from the registry without relying on the existance of an XML file in C:\Windows\System32\Tasks.

The artifact will attempt to find relevant XML data if exists. There is also an option to show only tasks missing a Security Descriptor.

TODO: cleanup, write test and add to main repo


name: Windows.Registry.ScheduledTasks
author: Matt Green - @mgreen27
description: |
  This artefact will collect Scheduled task information from the registry without 
  relying on the existance of an XML file in C:\\Windows\\System32\\Tasks.
  
  The artifact will attempt to find relevant XML data if exists.
  There is also an option to show only tasks  missing a Security Descriptor.
  
  TODO: cleanup, write test and add to main repo
  
reference:
  - https://www.youtube.com/watch?v=ZQeWgTP4PaY
  
type: CLIENT

parameters:
   - name: OnlyShowNullSD
     type: bool
     description: only show entries with null security descriptor

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: | 
      LET xml <= SELECT *, 
            regex_replace(source=OSPath,re='''^C:\\Windows\\System32\\Tasks''',replace='') as Path 
        FROM Artifact.Windows.System.TaskScheduler()
        
      LET tree <= SELECT Id,SD,Index
        FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Schedule/TaskCache/Tree/**", accessor="reg")
      
      LET find_xml(path) = SELECT OSPath, Command, Arguments, ComHandler, UserId, _XML
        FROM xml WHERE Path = path
        
      LET tree_sd(id) = SELECT Id,SD,Index
        FROM tree WHERE Id = id
      
      LET tasks = SELECT 
            basename(path=Key.FileInfo.FullPath) as TaskID,
            Key.FileInfo.ModTime as Mtime,
            Path,
            Hash,
            Version,
            SecurityDescriptor,
            Source,
            Author,
            Description,
            URI,
            Triggers,
            Actions,
            DynamicInfo,
            if(condition=Schema, 
                then=format(format='0x%x',args=Schema),
                else='') as Schema,
            Date,
            Key.FileInfo.FullPath as OSPath,
            find_xml(path=Path)[0] as XmlEntry
        FROM read_reg_key(globs="HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Schedule/TaskCache/Tasks/**", accessor="reg")
     
      SELECT 
        TaskID,Mtime,Path,Hash,Version,
            SecurityDescriptor,
            tree_sd(id=TaskID)[0].SD as TreeSD,
            Source, Author, Description,URI,Triggers, Actions, DynamicInfo,
            Schema,Date,
            OSPath,
            XmlEntry
        FROM tasks
        WHERE NOT if(condition= OnlyShowNullSD,
            then= TreeSD,
            else= False )
      
column_types:
  - name: Hash
    type: hex
  - name: Triggers
    type: hex
  - name: DynamicInfo
    type: hex
  - name: TreeSD
    type: hex