Persistence · beginner

Scheduled Task Persistence

Malware registers a Windows scheduled task that re-launches its payload on a trigger — logon, a fixed interval, or system idle — providing durable, often privileged, persistence.

The Windows Task Scheduler runs programs on triggers — at logon, at boot, on a timer, when the machine goes idle, or in response to an event-log entry. Malware abuses it to re-launch its payload reliably and, when running as SYSTEM, with high privilege. Scheduled tasks survive reboots, are easy to register, and blend in among the hundreds of legitimate tasks Windows ships with.

Tasks can be created with the built-in schtasks.exe utility, via PowerShell's ScheduledTasks module, or directly through the ITaskService COM interface. Each task is stored both as an XML file on disk and as registry entries describing the trigger and action.

How it works

A command-line registration that runs a payload every hour:

```text
schtasks /create /tn "OneDrive Reporting Task" /tr "C:\Users\Public\report.exe" ^
         /sc minute /mo 60 /ru SYSTEM /f
```

The resulting task is materialised in two places that an analyst should examine:

```text
XML:       C:\Windows\System32\Tasks\OneDrive Reporting Task
Registry:  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<taskname>
           HKLM\...\Schedule\TaskCache\Tasks\{GUID}   (Actions, Triggers as binary blobs)
```

The XML <Actions> element holds the executable path and arguments; <Triggers> defines when it runs. Attackers favour innocuous task names placed under existing folders (e.g., \Microsoft\Windows\) to hide among Microsoft's own tasks, and sometimes register a task whose action is a LOLBin (mshta, rundll32, powershell -enc ...).

Detection & analysis

Static analysis:

  • Examine the on-disk task XML under C:\Windows\System32\Tasks\. The <Command> and <Arguments> elements reveal the payload; the Author and registration Date fields in the XML's RegistrationInfo block, together with the file's own timestamps, help scope the intrusion.
  • Parse the TaskCache registry subtree offline with RegRipper or Registry Explorer; the Tasks\{GUID} Actions value is a binary blob containing the executable path. The Tree key's last-write time dates creation.
  • In a malware sample, look for schtasks.exe invocations, the strings Tasks / TaskCache, or imports/COM use of taskschd.dll and ITaskService.

Dynamic analysis:

  • Run the sample and watch for a child schtasks.exe process, or for a registration that goes straight to the Task Scheduler service (hosted in svchost.exe) when the sample uses the COM interface instead. Sysmon Event ID 1 (Process Create) captures the schtasks /create command line.
  • The Microsoft-Windows-TaskScheduler/Operational log records Event ID 106 (task registered) and 140 (task updated); Security log Event ID 4698 logs task creation when audit policy is enabled. Sysmon Event IDs 12/13 capture the TaskCache registry writes.

Detection rule hint:

Alert on task registration where the action points to a user-writable or temp directory, invokes a script interpreter or LOLBin, or where the task is created by a non-installer process. Correlate Event ID 4698/106 with the writing process and flag tasks whose names impersonate Microsoft tasks but whose binaries are unsigned.
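The task XML described under "How it works" is the same document that the static-analysis bullet tells you to pull from C:\Windows\System32\Tasks\, and that Security Event ID 4698 embeds in its TaskContent field. The following Python is an added example (not part of the original page or of any tool it names) that parses such a definition and applies the heuristics from the detection rule hint: payload in a user-writable or temp location, a script interpreter or LOLBin as the action, an encoded PowerShell command, and a Microsoft-style task path whose binary lives outside the Windows or Program Files directories. Offline triage cannot check Authenticode signatures, so "binary outside system directories" stands in for "unsigned"; the LOLBin list and the three sample task definitions are constructed for the example.

```python
"""Triage Windows Task Scheduler XML for scheduled-task persistence indicators.

Added example: parses the task definition stored under
C:\\Windows\\System32\\Tasks\\<name> (also carried in Security Event ID 4698's
TaskContent) and applies the heuristics from the detection rule hint.
"""
import re
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"  # real Task Scheduler schema namespace
SYSTEM_SID = "S-1-5-18"  # LocalSystem
# Interpreters / LOLBins named on the page plus common companions (assumed list, extend per environment).
LOLBINS = {"mshta.exe", "rundll32.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
USER_WRITABLE = re.compile(r"(\\users\\|\\temp\\|\\appdata\\|\\programdata\\|%temp%|%appdata%|%public%)")
SYSTEM_DIRS = re.compile(r"^(%systemroot%\\|%windir%\\|c:\\windows\\|c:\\program files)")
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)")


def _strip_namespaces(root):
    """Drop the default namespace so element paths can be written plainly."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.rsplit("}", 1)[1]
    return root


def parse_task(xml_source):
    """Extract the forensic fields from task XML (str, or the raw UTF-16 bytes read from disk)."""
    root = _strip_namespaces(ET.fromstring(xml_source))
    exec_el = root.find("Actions/Exec")
    triggers = root.find("Triggers")
    return {
        "uri": (root.findtext("RegistrationInfo/URI") or "").strip(),
        "author": (root.findtext("RegistrationInfo/Author") or "").strip(),
        "date": (root.findtext("RegistrationInfo/Date") or "").strip(),
        "command": ((exec_el.findtext("Command") if exec_el is not None else "") or "").strip(),
        "arguments": ((exec_el.findtext("Arguments") if exec_el is not None else "") or "").strip(),
        "user_id": (root.findtext("Principals/Principal/UserId") or "").strip(),
        "run_level": (root.findtext("Principals/Principal/RunLevel") or "").strip(),
        "triggers": [t.tag for t in triggers] if triggers is not None else [],
        "interval": next((i.text or "" for i in triggers.iter("Interval")), "") if triggers is not None else "",
    }


def load_task_file(path):
    """Read a task file from disk; on-disk files are UTF-16 with a BOM, which expat detects from bytes."""
    with open(path, "rb") as fh:
        return parse_task(fh.read())


def triage(task):
    """Return the list of detection-hint heuristics that fire for a parsed task."""
    findings = []
    cmd = task["command"].strip('"').lower()
    args = task["arguments"].lower()
    exe = cmd.rsplit("\\", 1)[-1]
    if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
        findings.append("action points to a user-writable or temp location")
    if exe in LOLBINS:
        findings.append(f"action is a script interpreter / LOLBin ({exe})")
    if ENCODED_PS.search(args):
        findings.append("encoded PowerShell command in arguments")
    if task["uri"].lower().startswith("\\microsoft\\") and cmd and not SYSTEM_DIRS.match(cmd):
        findings.append("Microsoft-style task path but binary outside Windows/Program Files (signature unverified offline)")
    return findings


def _sample(uri, command, arguments, user_id, trigger):
    """Constructed task XML in the real schema shape (sample data, not from a live host)."""
    return f"""<Task version="1.2" xmlns="{NS}">
  <RegistrationInfo><Date>2024-01-15T10:22:31</Date><Author>WORKSTATION\\jdoe</Author><URI>{uri}</URI></RegistrationInfo>
  <Triggers>{trigger}</Triggers>
  <Principals><Principal id="Author"><UserId>{user_id}</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""


SAMPLES = {
    # The page's own schtasks example: hourly, SYSTEM, payload in C:\Users\Public.
    "page_example": _sample(r"\OneDrive Reporting Task", r"C:\Users\Public\report.exe", "", SYSTEM_SID,
                            "<TimeTrigger><Repetition><Interval>PT60M</Interval></Repetition><Enabled>true</Enabled></TimeTrigger>"),
    # Constructed: hides under \Microsoft\Windows\, runs mshta against an HTA in ProgramData at logon.
    "lolbin_logon": _sample(r"\Microsoft\Windows\Maintenance\Cache Cleanup", r"%SystemRoot%\System32\mshta.exe",
                            r"C:\ProgramData\cache.hta", "S-1-5-21-1111-2222-3333-1001",
                            "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>"),
    # Constructed benign shape: Microsoft path, binary under %SystemRoot%, no interpreter.
    "benign_shape": _sample(r"\Microsoft\Windows\Example\Constructed Benign", r"%SystemRoot%\System32\example_task.exe",
                            "/run", SYSTEM_SID, "<BootTrigger><Enabled>true</Enabled></BootTrigger>"),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        task = parse_task(xml)
        runs_as = "SYSTEM" if task["user_id"] == SYSTEM_SID else task["user_id"]
        print(f"{name}: {task['uri']} -> {task['command']} {task['arguments']}".rstrip())
        print(f"  triggers={task['triggers']} interval={task['interval'] or '-'} runs_as={runs_as} author={task['author']}")
        for finding in triage(task) or ["no heuristic fired"]:
            print(f"  - {finding}")
```

Point load_task_file at a file under C:\Windows\System32\Tasks\ to triage a real definition; the same parse_task call works on the TaskContent string pulled from a 4698 event, which is how the Event ID 4698/106 correlation in the hint can be fed from a SIEM export.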
