An automatic approach
In scenarios in which we still have access to our EDR systems, we can easily build a timeline and see what has happened by analyzing all the data and events the EDR tools have collected.
In the following example, we will use Microsoft Defender for Endpoint to look for certain activities on our systems. The Microsoft Defender for Endpoint agent constantly collects process activity from onboarded endpoints and uploads it to the cloud service. So, if we again wanted to look for scheduled tasks that have been added for persistent access, there are multiple ways to detect this using the service.
Microsoft released a blog post in April 2022 that shows that some attackers are also able to hide scheduled tasks by deleting the security identifier within the task, which you can read more about here: https://www.microsoft.com/en-us/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/.
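The following two advanced hunting queries are an added example of what such a search looks like in Microsoft Defender for Endpoint; they are not taken from the book or from Microsoft's blog post. The first surfaces scheduled tasks created through schtasks.exe, and the second looks for the evasion described in the blog post, where the SD (security descriptor) value of a task is deleted from the Task Scheduler's TaskCache\Tree registry key so the task no longer shows up in the Task Scheduler UI or in schtasks /query. The table and column names are the standard Defender for Endpoint advanced hunting schema; the 7-day window and the assumption that the registry deletion is recorded as a RegistryValueDeleted event on the onboarded device are the author's choices for this example.

```kql
// Added example, not code from the book or from Microsoft.
// Run each query separately in the Defender for Endpoint advanced hunting editor.

// Query 1: scheduled tasks created with schtasks.exe in the last 7 days (assumed window).
// A new task from an unexpected parent process or account is a common persistence signal.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine
| order by Timestamp desc

// Query 2: deletion of a task's SD value under the TaskCache\Tree key in the last 7 days.
// Legitimate software has little reason to remove a task's security descriptor, so
// any hit deserves a look at the initiating process and the task name in RegistryKey.
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType == "RegistryValueDeleted"
| where RegistryKey has @"\Schedule\TaskCache\Tree\"
| where RegistryValueName =~ "SD"
| project Timestamp, DeviceName, RegistryKey,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

If the second query returns nothing but you suspect this technique, the blog post's advice still applies: enumerate the TaskCache\Tree key on the endpoint itself and compare its task names against what the Task Scheduler shows, since a task whose SD value is already missing produces no new registry event.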
Before...