Goal
Identify suspicious scheduled tasks used for persistence and remove them safely.
When to use
- Alerts indicating scheduled task creation/modification
Prereqs
- Endpoint telemetry (Windows) + investigation pivots
Procedure (high level)
- Triage the alert and identify the host/user/process context
- Enumerate scheduled tasks on the endpoint
- Identify suspicious task(s) and associated binaries/commands
- Contain/remediate and document
Validation
- Suspicious task removed/disabled
- Follow-on telemetry confirms no re-creation
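The enumerate/identify/contain steps of the procedure and the validation check above, as an added PowerShell example that is not part of the original runbook. The path list, argument indicators and the case-folder location are assumptions a practitioner would tune to their environment.

```powershell
# Added example, not from the original runbook. Assumes the built-in ScheduledTasks
# module (Get-ScheduledTask, Get-ScheduledTaskInfo, Export-ScheduledTask, Disable-ScheduledTask).
$UserWritable = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\', '\Downloads\')  # assumption
$SuspiciousArgs = @('-enc', '-e ', '-ec ', 'FromBase64String', 'IEX', 'Invoke-Expression',
                    'DownloadString', 'mshta', 'regsvr32', 'rundll32', 'wscript', 'cscript')  # assumption

function Get-SuspiciousScheduledTask {
    # Enumerate every task, score it against simple persistence heuristics,
    # and emit only the tasks that tripped at least one heuristic.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        $reasons = @()
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($UserWritable | Where-Object { $cmd -match [regex]::Escape($_) }) { $reasons += 'binary in user-writable path' }
            if ($SuspiciousArgs | Where-Object { $cmd -match [regex]::Escape($_) }) { $reasons += 'LOLBin or encoded argument' }
        }
        if ($task.Settings.Hidden) { $reasons += 'hidden task' }
        if ($task.Principal.RunLevel -eq 'Highest' -and $task.Principal.UserId -notmatch 'SYSTEM') {
            $reasons += 'highest run level with non-SYSTEM principal'
        }
        if ([string]::IsNullOrWhiteSpace($task.Author)) { $reasons += 'no author recorded' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Principal = $task.Principal.UserId
                LastRun   = $info.LastRunTime
                NextRun   = $info.NextRunTime
                Command   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
                Reasons   = ($reasons | Select-Object -Unique) -join '; '
            }
        }
    }
}

function Disable-TaskWithEvidence {
    # Preserve the task definition (XML) for the case record, then disable rather
    # than delete so the artifact remains available for follow-on analysis.
    param([string]$TaskName, [string]$TaskPath, [string]$CaseDir = 'C:\IR\tasks')  # $CaseDir is an assumption
    New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null
    $safeName = ($TaskPath + $TaskName) -replace '[\\/:*?"<>|]', '_'
    Export-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath |
        Out-File -FilePath (Join-Path $CaseDir "$safeName.xml") -Encoding unicode
    Disable-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath | Out-Null
}

Get-SuspiciousScheduledTask | Sort-Object Reasons -Descending | Format-Table -AutoSize
```

For the validation step, re-run Get-SuspiciousScheduledTask after containment and watch the Security log for task creation/update events (IDs 4698 and 4702) on the host to confirm the task is not re-created.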
