How to Threat Hunt for APT33/APT38/Lazarus/Dragonfly's Malicious Scheduled Tasks

APT33/APT38/Lazarus/Dragonfly and many other hacking groups have used scheduled tasks for both persistence and privilege escalation. In this edition of #techtalktuesday we review the fundamentals behind scheduled tasks and discuss how you can include looking for scheduled tasks in your threat hunting efforts. Please like and subscribe to support our channel!

Welcome to Insane Cyber! Formerly known as Insane Forensics, we've evolved into Insane Cyber—bringing cutting-edge cybersecurity solutions to the industrial world. Our mission remains the same: delivering full-spectrum visibility, rapid response, and expert-driven security to protect critical assets.

We’re the team behind:
🔹 Valkyrie – Security automation platform for fast, actionable insights
🔹 Cygnet – Rapid-response flyaway kit for field-ready cybersecurity
🔹 Corvus – Managed security services for continuous protection
🔹 Aesir – Professional services for expert-led cybersecurity solutions

Explore our latest innovations, insights, and tech talks right here.
🔗 Learn more at https://insanecyber.com/
🔗 Follow us on LinkedIn: / insane-cyber-inc

Chapters:
00:00 - Intro
00:13 - Overview of Scheduled Task/Job Technique (ATT&CK T1053)
02:55 - Scheduled Task Trigger Events
04:41 - Creating Scheduled Tasks with schtasks
06:42 - schtasks Real World Examples
08:28 - Enabling Advanced Scheduled Task Logging
10:15 - Threat Hunting for Scheduled Task Creation via Windows Event Code 4698
11:56 - Threat Hunting for Scheduled Task Deletion via Windows Event Code 4699
12:23 - Other Windows Event Codes Helpful for Scheduled Task Threat Hunting (Event Codes 4700/4701/4702)
13:18 - Wrapping Up