creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-15 23:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/hunting-for-scheduled-task-persistence/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

45 lines
1.5 KiB
Markdown
Raw Blame History

# API Reference — Hunting for Scheduled Task Persistence
## Libraries Used
- **subprocess**: Execute `schtasks /query` and `schtasks /query /xml` for task enumeration
- **csv**: Parse schtasks CSV output for structured task analysis
- **python-evtx** (Evtx): Parse Security EVTX for Event ID 4698 (Task Created)
## CLI Interface
```
python agent.py enumerate # List and risk-score all tasks
python agent.py events --evtx-file <path> # Scan EVTX for task creation events
python agent.py export --task-name <name> # Export task XML definition
```
## Core Functions
### `enumerate_tasks()`
Runs `schtasks /query /fo CSV /v` and classifies each task as high/medium/low risk.
**Returns:** dict with `total_tasks`, `high_risk`, `medium_risk`, `suspicious_tasks`, `non_vendor_tasks`.
### `scan_event_log_4698(evtx_file)`
Parses Windows Security EVTX for Event ID 4698 (Scheduled Task Created).
**Parameters:**
| Name | Type | Description |
|------|------|-------------|
| `evtx_file` | str | Path to Security .evtx log file |
### `export_task_xml(task_name)`
Exports a task's full XML definition using `schtasks /query /tn <name> /xml`.
## Risk Classification
| Risk | Criteria |
|------|---------|
| **High** | Action matches suspicious patterns (powershell -enc, certutil, temp paths) |
| **Medium** | Non-vendor task (not under \\Microsoft\\, \\Google\\, etc.) |
| **Low** | Known vendor task prefix |
## Dependencies
```
pip install python-evtx # Optional, for EVTX parsing
```
Reference in New Issue View Git Blame Copy Permalink