Obsidian CTH: Hunting for Adversary's Schedule
2022-08-12, 13:00–14:00 (US/Pacific), Project Obsidian: Track 0x42 (In-person)

Once an adversary gained a foothold, they typically would like to keep their access and establish persistence. Scheduled tasks are one of the most commonly used persistence techniques in adversary intrusions and for a good reason. In this session we take a look at Scheduled Tasks. We start with the basics, and then learn how to create a hypothesis to conduct a threat hunt. In the end, we'll take a stab at detection engineering concepts surrounding the creation/revision of detections/analytics from telemetry we obtain from hunting this technique.

Project Obsidian is an immersive, defensive cybersecurity learning experience.


Once an adversary gained a foothold, they typically would like to keep their access. Here, I'm using the term ""access"" loosely where it could be many things like C2 beacon, script, binary, security source providers, shortcuts, and so on. This is called Persistence and in MITRE speak ""TA0003"" [3]. We take a look at one such persistence method, Scheduled Task. Scheduled tasks are one of the most commonly used persistence techniques in adversary intrusions and for a good reason. It provides flexibility to be created on local and remote machines and provides several ways to be created (from GUI to Net32API), along with the ability to combine/achieve tactics like Execution and Privilege Escalation. We start with the basics of scheduled tasks, and why and when an adversary would like to use them. Then we jump into the hell of threat hunting to see some ways to create a hypothesis and investigate the result set. In the end, we take a stab at detection engineering concepts surrounding the creation/revision of detections/analytics from queries/results we got from hunting this technique.

Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH).