RE: Hiding scheduled tasks in 2K/XP

From: Dan Perez (danperezsan.rr.com)
Date: Tue Jun 03 2003 - 16:25:45 CDT


The folks at DiamondCS had released a while back a tool called AutoStart
Viewer that can detect/document tasks hidden in this way (it is still
ostensibly in beta but I have found no problems with it).

The tool can be obtained from
http://www.diamondcs.com.au/index.php?page=asguard

This is one of the third-party freeware tools that I use in my own free
Intrusion Audit system that I recently posted for public review at

http://sourceforge.net/projects.ntida/ (although this too is in beta :(

any comments on the latter would be most welcome!

-----Original Message-----
From: winter [mailto:shonky_sechotpop.com]
Sent: Monday, June 02, 2003 12:11 AM
To: pen-testsecurityfocus.com
Subject: Hiding scheduled tasks in 2K/XP

Hey all,

I've found that you can use attrib.exe on files in %windir%\tasks,
particularly with the +h attribute. "Attrib.exe +h *" will hide all
scheduled tasks from AT, Scheduled Tasks (both Control Panel + explorer) and
"dir %windir%\tasks" (unless you use dir /a or have it set as such in
%dircmd%). Browsing %windir%\tasks on the cmd line with "dir /a" is the
only way I've been able to detect jobs that have been hidden this way. They
run as scheduled. Tested on 2000 SP3 & XP SP1.

winter
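
The "dir /a" check described above, written as a repeatable audit. This is an added example, not part of the original thread or of any tool named in it. It assumes a host with PowerShell 3.0 or later, and it also flags the system attribute, which a default "dir" likewise omits; the function name Find-HiddenJobFile is hypothetical.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later.
function Find-HiddenJobFile {
    param(
        # Task folder named in the post; override to audit a mounted image.
        [string]$TaskDir = (Join-Path $env:windir 'Tasks')
    )

    # Win32 attribute bits: FILE_ATTRIBUTE_HIDDEN = 0x2, FILE_ATTRIBUTE_SYSTEM = 0x4.
    $hiddenOrSystem = 0x2 -bor 0x4

    # -Force is the equivalent of "dir /a": hidden and system entries are returned too.
    Get-ChildItem -LiteralPath $TaskDir -Filter '*.job' -File -Force |
        Where-Object { ([int]$_.Attributes -band $hiddenOrSystem) -ne 0 } |
        ForEach-Object {
            # Keep the timestamps so the finding can be placed on a timeline.
            [pscustomobject]@{
                Name          = $_.Name
                Attributes    = $_.Attributes.ToString()
                CreationTime  = $_.CreationTime
                LastWriteTime = $_.LastWriteTime
                SizeBytes     = $_.Length
            }
        }
}

$findings = @(Find-HiddenJobFile)
if ($findings.Count -eq 0) {
    Write-Output 'No hidden or system .job files found.'
} else {
    # A non-zero exit code lets a scheduled audit raise an alert.
    $findings | Sort-Object LastWriteTime | Format-Table -AutoSize
    exit 1
}
```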
