While on the Cyber Team, one of the things we did to defend a system, besides the regular checks such as users, folders, etc., was to check scheduled tasks, and there are a lot of reasons to do this. As a network defender, it is important to know what tasks are scheduled on a system because they can provide insight into the activity and behavior of the system. For example, if you see a scheduled task that is set to run a program at a specific time, it could indicate that the program is being used for some legitimate purpose. On the other hand, if you see a scheduled task that is set to run a suspicious program or connect to an unknown network address, it could be a sign of malicious activity.
Attackers can abuse the scheduled task mechanism to perform malicious activities on a system. For example, an attacker could create a scheduled task to run a malicious program at a specific time, or to connect to a malicious network address. This can allow the attacker to gain access to the system, or to perform other malicious actions without the user’s knowledge. By knowing what tasks are scheduled on the system, you can identify and prevent this type of activity.
To view scheduled tasks on a Windows system using PowerShell, you can use the Get-ScheduledTask cmdlet. Here’s how to do it:
- Open PowerShell.
- Type the following command to view all the scheduled tasks on the system:
Get-ScheduledTask
This will show you a list of all the scheduled tasks on the system, along with their names, triggers, and actions.
You can also use the -TaskName parameter to view a specific scheduled task. For example:
Get-ScheduledTask -TaskName "My Task"
This will show you the details of the scheduled task with the name “My Task”.
To check scheduled jobs on a Linux system, you can use the crontab command. Here’s how to do it:
- Open a terminal window.
- Type the following command to view the scheduled jobs for the current user:
crontab -l
This will show you a list of all the scheduled jobs for the current user.
- To view the scheduled jobs for all users, you will need to use the sudo command. For example:
sudo crontab -l -u root
This will show you a list of all the scheduled jobs for the root user. Replace “root” with the username of the user whose scheduled jobs you want to view.
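One way to triage what crontab -l returns, as an added example that is not part of the original post: it flags jobs that call a network client or reference a world-writable directory. The patterns, the function names and the sample crontab are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag cron entries that deserve a closer look.
# The patterns are assumptions for illustration; tune them for your systems.

# Job calls a network client or names a URL.
NET_RE='(^|[[:space:]/;|&])(curl|wget|nc|ncat|socat)[[:space:]]|/dev/tcp/|https?://'
# Job references a world-writable directory.
TMP_RE='(^|[[:space:]>])(/tmp|/var/tmp|/dev/shm)/'

# Read crontab text on stdin; print "REASON<TAB>entry" for each flagged job.
flag_cron_lines() {
    sed 's/^[[:space:]]*//' | while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if printf '%s\n' "$line" | grep -Eq "$NET_RE"; then
            printf 'NETWORK\t%s\n' "$line"
        elif printf '%s\n' "$line" | grep -Eq "$TMP_RE"; then
            printf 'TEMP_PATH\t%s\n' "$line"
        fi
    done
}

# Run the check over every local account's crontab (needs root, e.g. via sudo).
audit_all_users() {
    cut -d: -f1 /etc/passwd | while IFS= read -r user; do
        crontab -l -u "$user" 2>/dev/null | flag_cron_lines |
            while IFS= read -r hit; do printf '%s\t%s\n' "$user" "$hit"; done
    done
}

# Constructed sample crontab (not real data; 203.0.113.10 is a documentation address).
sample_crontab() {
    cat <<'EOF'
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.cache/updater
@reboot curl -s http://203.0.113.10/checkin
30 3 * * 0 /usr/bin/rsync -a /srv/ /mnt/backup/
EOF
}

sample_crontab | flag_cron_lines
```

On a live host, audit_all_users run as root prefixes each hit with the owning account, and system-wide jobs in /etc/crontab and /etc/cron.d can be piped through flag_cron_lines the same way.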
Here are a few resources:
https://www.techtarget.com/searchwindowsserver/tutorial/Learn-how-to-create-a-scheduled-task-with-PowerShell
https://opensource.com/article/17/11/how-use-cron-linux
This is all for now!
PEACE!!!