
Scheduled Tasks

Description: Looks for existing scheduled tasks that exist on a Windows host.

What The Data Shows: Shows what tasks are running. Scheduled tasks are often used as a method of persistence for an attacker. It could also be used for compliance, to make sure no users are running automated tasks they should not be.

SQL: 

SELECT name, action, path, state,
    datetime(last_run_time, 'unixepoch', 'localtime') AS last_run_time
FROM scheduled_tasks
ORDER BY last_run_time DESC;
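
A narrower review query that goes beyond the one above, as an added example that is not part of the original post: it keeps only enabled tasks that are hidden or whose action runs from a user-writable directory, and it runs against constructed rows in an in-memory SQLite table (the SQL dialect osquery uses) so it can be tested offline. The directory patterns and sample rows are assumptions to tune per environment; `enabled` and `hidden` are columns of osquery's `scheduled_tasks` table that the original query does not select.

```python
import sqlite3

# Subset of osquery's scheduled_tasks columns; the rows are constructed sample data.
SCHEMA = """CREATE TABLE scheduled_tasks (
    name TEXT, action TEXT, path TEXT, enabled INTEGER,
    state TEXT, hidden INTEGER, last_run_time INTEGER)"""
SAMPLE_ROWS = [
    ("VendorUpdater", r"C:\Program Files\Vendor\updater.exe /silent",
     r"\VendorUpdater", 1, "ready", 0, 1700000000),
    ("SyncHelper", r"C:\Users\alice\AppData\Roaming\sync\helper.exe",
     r"\SyncHelper", 1, "ready", 0, 1700086400),
    ("CacheClean", r"C:\Windows\Temp\clean.bat",
     r"\CacheClean", 1, "ready", 1, 1699900000),
    ("OldJob", r"C:\Users\Public\job.exe",
     r"\OldJob", 0, "disabled", 0, 1690000000),
]

# Review filter (illustrative assumption, tune per environment): enabled tasks
# that are hidden or whose action runs from a user-writable directory.
# Sorting uses the raw epoch column; the UTC string is for display and for
# comparing results across hosts in different time zones.
REVIEW_QUERY = r"""
SELECT name, action, path, state, hidden,
       datetime(last_run_time, 'unixepoch') AS last_run_utc
FROM scheduled_tasks
WHERE enabled = 1
  AND (hidden = 1
       OR action LIKE '%\AppData\%'
       OR action LIKE '%\Temp\%'
       OR action LIKE '%\Users\Public\%')
ORDER BY last_run_time DESC;
"""

def build_sample_db():
    """Return an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO scheduled_tasks VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def review_candidates(conn):
    """Run the review query and return the matching rows as tuples."""
    return conn.execute(REVIEW_QUERY).fetchall()

if __name__ == "__main__":
    for row in review_candidates(build_sample_db()):
        print(row)
```

The text of `REVIEW_QUERY` can be pasted into a live query as-is; only the Python wrapper and the table contents are scaffolding for the offline run.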

3 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@coreymaygard would you consider converting the last_run_time and then sorting by the time? Here is an example:

SELECT name, action, path, state,
    datetime(last_run_time, 'unixepoch', 'localtime') AS last_run_time
FROM scheduled_tasks
ORDER BY last_run_time DESC;

coreymaygard
New Contributor III

I added in your suggestion, thanks Jnelson

jnelson
Carbon Black Employee
Status changed to: Approved