logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Scheduled Tasks

Status: Approved Submitted by on ‎06-27-2019 01:24 PM

Description: looks for existing scheduled tasks that exist on a windows host

What The Data Shows: shows what tasks are running, scheduled tasks are often used as a method of persistence for an attacker. also could be used for compliance, to make sure no users are running automated tasks they should not be.

SQL: 

SELECT name,action,path,state,
    datetime(last_run_time,"unixepoch","localtime") AS last_run_time
FROM (`scheduled_tasks`) 
ORDER BY last_run_time DESC;

 

Tags (2)
Comment
3 Comments
jnelson
Carbon Black Employee
‎07-05-2019 02:46 PM
‎07-05-2019 02:46 PM
Status changed to: Under Review

@coreymaygard would you consider converting the last_run_time and then sorting by by the time? Here is an example:

SELECT name,action,path,state,
    datetime(last_run_time,"unixepoch","localtime") AS last_run_time
FROM (`scheduled_tasks`)
ORDER BY last_run_time DESC;

coreymaygard
New Contributor III
‎07-08-2019 08:03 AM
‎07-08-2019 08:03 AM

I added in your suggestion, thanks Jnelson

jnelson
Carbon Black Employee
‎07-09-2019 09:16 AM
‎07-09-2019 09:16 AM
Status changed to: Approved
 
logo