28. ScheduledTasks
The ScheduledTasks module analyses the local user "at" jobs, just lists them in "Info" level messages, and applies the global string check to the command line.
28.1. Samples
Aug 2 14:37:48 server44/192.168.2.4
THOR: Notice: MODULE: ScheduledTasks
MESSAGE: Noticeable file name in command detected
ELEMENT: C:\start1.bat
PATTERN: \start1\.bat$
SCORE: 50
DESC: Indian Cyber Attack Task
NAME: kpistart1 sabato
COMMAND: C:\start1.bat
USER: Webload
LASTRUN: 15/05/2010 14:02:00
NEXTRUN: 30/11/1999 00:00:00
MD5: 666081523aeff8d40d53b4f6aeedd851
SHA1:
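The sample event above can be split into fields for triage as follows. This is an added example, not code from THOR or its documentation. It assumes the event arrives as a single line, that the field names are the ones visible in this sample, and that dates are day-first; `parse_event` and the constant names are hypothetical.

```python
import re

from datetime import datetime

# Constructed input: the sample event from this page joined onto one line
# (assumption: each event is written as a single syslog-style line).
SAMPLE = (
    r"Aug 2 14:37:48 server44/192.168.2.4 THOR: Notice: MODULE: ScheduledTasks "
    r"MESSAGE: Noticeable file name in command detected ELEMENT: C:\start1.bat "
    r"PATTERN: \start1\.bat$ SCORE: 50 DESC: Indian Cyber Attack Task "
    r"NAME: kpistart1 sabato COMMAND: C:\start1.bat USER: Webload "
    r"LASTRUN: 15/05/2010 14:02:00 NEXTRUN: 30/11/1999 00:00:00 "
    r"MD5: 666081523aeff8d40d53b4f6aeedd851 SHA1:"
)

# Field names seen in the sample; splitting only on these keeps "C:\..." and
# the colons inside timestamps from being mistaken for field separators.
KEYS = ("MODULE", "MESSAGE", "ELEMENT", "PATTERN", "SCORE", "DESC", "NAME",
        "COMMAND", "USER", "LASTRUN", "NEXTRUN", "MD5", "SHA1")
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(KEYS) + r"):(?=\s|$)")
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\sTHOR:\s(?P<level>\w+):\s(?P<body>.*)$"
)

def parse_event(line):
    """Split one ScheduledTasks event into a dict of header and body fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a THOR event line")
    event = {"timestamp": m["ts"], "host": m["host"], "level": m["level"]}
    body = m["body"]
    marks = list(KEY_RE.finditer(body))
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(body)
        event[cur.group(1)] = body[cur.end():end].strip()  # may be empty (SHA1)
    if "SCORE" in event:
        event["SCORE"] = int(event["SCORE"])
    # Day-first dates are an assumption taken from the sample (15/05/2010).
    for key in ("LASTRUN", "NEXTRUN"):
        if event.get(key):
            event[key] = datetime.strptime(event[key], "%d/%m/%Y %H:%M:%S")
    return event

if __name__ == "__main__":
    for field, value in parse_event(SAMPLE).items():
        print(f"{field:10} {value!r}")
```
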
28.2. Typical False Positives
Software updaters
Administrative jobs
28.3. Attribute Evaluation
Attribute | Question | Answer | Indication | Weight |
---|---|---|---|---|
NAME | Does the name look like a random value? (e.g. | Yes | Bad | High |
NAME | Does the name contain words in the local language? (e.g. | Yes | Good | High |
LOCATION | See chapter File Path Checks |