schedule task via ITaskService

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: schedule task via ITaskService
    namespace: persistence/scheduled-tasks
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires offset, bytes features
    att&ck:
      - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
  features:
    - and:
      - basic block:
        - and:
          - api: ole32.CoCreateInstance
          - bytes: 9F 36 87 0F E5 A4 FC 4C BD 3E 73 E6 15 45 72 DD = CLSID_TaskScheduler
          - bytes: C7 A4 AB 2F A9 4D 13 40 96 97 20 CC 3F D4 0F 85 = IID_ITaskService
      - offset: 0x24 = ppv->NewTask

last edited: 2023-11-24 10:34:28