Building uberAgent ESA: Scheduled Task Monitoring

This post is part of a series about the new uberAgent Endpoint Security Analytics (ESA) product. uberAgent ESA aims to provide deep security visibility. It is complemented by uberAgent UXM, our user experience monitoring solution, which adds rich context and metadata.

Scheduled tasks are fantastic for hiding malware. There are multiple reasons for that: every Windows PC has a huge number of tasks, all of which are completely undocumented, there is no authentication mechanism for “good” tasks, and essential information is not available in the UI. Let us explore those caveats in more detail.

Issues With Scheduled Tasks

Huge Number of Tasks, All Undocumented

The machine I am writing this on has a total number of 221 scheduled tasks spread across 127 folders. Most of these tasks came with the Windows operating system, but some were added by applications or drivers. Microsoft Office 365, for example, installs the following tasks:

• Office Automatic Updates 2.0
• Office ClickToRun Service Monitor
• Office Feature Updates
• Office Feature Updates Logon
• Office Subscription Maintenance
• OfficeBackgroundTaskHandlerLogon
• OfficeBackgroundTaskHandlerRegistration
• OfficeTelemetryAgentFallBack2016
• OfficeTelemetryAgentLogOn2016

We can deduce from the names of these tasks that most of them are related to application updates and telemetry. Each task’s description field contains rudimentary information, but apart from that, these tasks are undocumented. The same is true for basically all scheduled tasks.

No Authentication Mechanism for “Good” Tasks

Unlike executables, scheduled tasks cannot be digitally signed. As a consequence, there is no way to verify if a task is genuine. Tasks do have an author field, but its contents can be set to anything, making it worthless for security purposes.

Nothing demonstrates that better than the Office tasks mentioned earlier. As you can see in the screenshot below, some of those tasks do not even have an author configured at all!

Essential Information Is Not Available in the UI

Scheduled tasks are all about doing something: running a tool, starting a script, invoking a component. Without any such action, a task is useless. In other words, a task’s action is by far its most important property. All the more alarming that the Task Scheduler UI in many cases does not display this essential information:

More specifically, Task Scheduler neither shows details for COM actions nor does it list properties of custom triggers. The same is true for command-line tools like schtasks.exe. Essentially, Windows turns a blind eye to scheduled tasks.

uberAgent ESA Scheduled Task Monitoring

The only solution to dealing with the weaknesses of Windows scheduled tasks is careful monitoring. uberAgent Endpoint Security Analytics (ESA) puts you in control again.

Detecting Task Creation, Update and Delete

uberAgent ESA automatically detects the relevant events in a scheduled task’s lifecycle: task creation, task change/update, and task deletion.

Full Details on Scheduled Task Triggers

Scheduled tasks have a complex architecture: each task may have several, even different triggers. A task could be triggered at machine boot, user logon, according to a schedule, or any combination of the above. There is also a huge number of undocumented custom triggers. uberAgent ESA lists all of these triggers in full detail.

Scheduled Task Actions, Unraveled

As with triggers, tasks can be configured with more than one action. Some actions, like starting a process, or sending an email are straightforward. Instantiating a COM object is not. All the more important to clearly understand exactly what is being executed.

For each COM action, uberAgent ESA not only lists the component’s CLSID but also resolves it to the actual executable hosting the component.

More Information About uberAgent ESA

See our blog post announcing uberAgent Endpoint Security Analytics for more information about uberAgent ESA. Also, follow this blog – we have more to share soon!