글 작성자: pental

[ CMD - Scheduled Task / Job Information ]

schtasks
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr "Task To Run:"
schtasks /query /fo LIST /v | findstr "appdata"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "exe"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "Task"
schtasks /query /fo LIST /v | Select-String "exe" -Context 2,27 
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "MALICIOUS"} | FL Line, Filename
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{"$_.Task To Run" -match "MALICIOUS"}| FL "Taskname","Task To Run"
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{$_.Taskname -ne "TaskName"} | FL "Taskname","Task To Run"
wmic job get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status

[ Powershell - Scheduled Task / Job Information ]

Get-ScheduledTask
gci -path C:\windows\system32\tasks -recurse | Select-String Command | FL Filename, Line
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "MALICIOUSNAME"} | FL Filename, Line

[ Powershell - Remediate Malicious Scheduled Tasks ]

schtasks /Delete /TN [taskname] /F

[ Powershell - Schedule Delete ]

Unregister-ScheduledTask -TaskName [taskname]
Unregister-ScheduledTask -TaskPath [taskname]
저작자표시 비영리 (새창열림)

'Forensics > Digital Forensics Information' 카테고리의 다른 글

[Forensics] Widows - 자동시작 프로그램 포렌식 (startup process forensics)  (0) 2020.03.28
[Forensics] Windows - Pagefile Information  (0) 2020.03.27
[Forensics] Windows - 방화벽 정보  (0) 2020.03.27
[Forensics] Windows - 유저와 관리자 정보 가져오기  (0) 2020.03.26
[Forensics] Windows - 시스템 정보 가져오기  (0) 2020.03.26

티스토리툴바