コード例 #1
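        /// <summary>
        /// Walks a Task Scheduler folder and all of its subfolders, prints the path of every
        /// task found, and records the state and last run time of each task whose name is on
        /// the watch list (one log line and one HTML table row per match).
        /// </summary>
        /// <param name="taskFolder">Folder to enumerate; its subfolders are visited recursively.</param>
        public void ProcessTaskFolder(ITaskFolder taskFolder)
        {
            // TASK_ENUM_HIDDEN includes hidden tasks in the listing; passing 0 would leave them out.
            IRegisteredTaskCollection taskCol = taskFolder.GetTasks((int)_TASK_ENUM_FLAGS.TASK_ENUM_HIDDEN);

            for (int idx = 1; idx <= taskCol.Count; idx++) // the collection is 1-based
            {
                IRegisteredTask runTask = taskCol[idx];

                string      name    = runTask.Name;
                string      path    = runTask.Path;
                _TASK_STATE state   = runTask.State;
                DateTime    lastRun = runTask.LastRunTime;

                Console.WriteLine(path);

                foreach (var wt in watchList.tasks)
                {
                    if (wt != name)
                    {
                        continue;
                    }

                    // Compare the enum value directly instead of its string form.
                    string stateHtml = (state != _TASK_STATE.TASK_STATE_DISABLED)
                        ? "<span style='color:green'>ENABLED</span>"
                        : "<span style='color:red'>DISABLED</span>";

                    WriteContent("DateTime: " + DateTime.Now + " name: " + name + " status: " + state + " last run time " + lastRun.ToString() + " \n");

                    // The task name is chosen by whoever registered the task, so it is HTML-encoded
                    // before being placed in the report markup; characters such as '<' or '&' then
                    // render as text instead of being interpreted as tags.
                    string safeName = System.Net.WebUtility.HtmlEncode(name);

                    htmlBody.Append("<tr>");
                    htmlBody.AppendFormat("<td><b>{0}</b></td> <td>{1}</td> <td><span style='font-size:9pt'> {2} </span></td>", safeName, stateHtml, lastRun);
                    htmlBody.Append("</tr>"); // close the row; the original emitted a second opening <tr> here
                }
            }

            // The argument to GetFolders is reserved for future use and must be 0.
            ITaskFolderCollection taskFolderCol = taskFolder.GetFolders(0);

            for (int idx = 1; idx <= taskFolderCol.Count; idx++) // 1-based, recurse into each subfolder
            {
                ProcessTaskFolder(taskFolderCol[idx]);
            }
        }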
コード例 #2
 /// <summary>
 /// Stores the supplied folder and folder collection in the instance fields.
 /// </summary>
 /// <param name="folder">Value assigned to <c>_parent</c>.</param>
 /// <param name="iCollection">Value assigned to <c>_v2FolderList</c>.</param>
 internal TaskFolderCollection(TaskFolder folder, ITaskFolderCollection iCollection)
 {
     this._parent = folder;
     this._v2FolderList = iCollection;
 }
コード例 #3
        /// //////////////////////////////////////////////////
        /// //////////////////////////////////////////////////
        /// ////   Scheduled Tasks   /////////////////////////
        /// //////////////////////////////////////////////////
        /// //////////////////////////////////////////////////

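        /// <summary>
        /// Walks a Task Scheduler folder tree and prints triage hints to the console for tasks
        /// whose XML definition mentions a watched binary name or powershell.exe, and for
        /// tasks registered outside the \Microsoft\ folder tree.
        /// </summary>
        /// <remarks>
        /// Matching is a case-insensitive substring search over the whole task XML, so a hit is
        /// a lead to review, not proof of misuse: short entries such as "reg.exe" or "print.exe"
        /// also match longer file names that merely contain them. A task located under
        /// \Microsoft\ is only exempt from the location check, not from the content checks.
        /// </remarks>
        /// <param name="taskFolder">Folder to enumerate; its subfolders are visited recursively.</param>
        public static void ProcessTaskFoler(ITaskFolder taskFolder)
        {
            // Some lolbins..remove common ones if a lot of noise is created.
            // Built once per call instead of once per task.
            string[] interestingTasks = new string[] {
                "certutil.exe", "cmstp.exe", "control.exe", "csc.exe", "cscript.exe", "bitsadmin", "installutil.exe", "jsc.exe", "makecab.exe", "msbuild.exe",
                "dfsvc.exe", "diskshadow.exe", "dnscmd.exe", "esentutl.exe", "eventvwr.exe", "expand.exe", "extexport.exe", "extrac32.exe",
                "findstr.exe", "forfiles.exe", "ftp.exe", "ie4uinit.exe", "ieexec.exe", "infdefaultinstall.exe",
                "msconfig.exe", "msdt.exe", "mshta.exe", "msiexec.exe", "odbcconf.exe", "pcalua.exe", "pcwrun.exe", "presentationhost.exe",
                "print.exe", "regasm.exe", "regedit.exe", "reg.exe", "runonce.exe", "runscripthelper.exe", "schtasks.exe", "scriptrunner.exe",
                "syncappvpublishingserver.exe", "verclsid.exe", "wab.exe", "wmic.exe", "wscript.exe"
            };

            const string msTaskPath = "\\Microsoft\\";
            const string ePs        = "powershell.exe"; // Windows PowerShell host only; pwsh.exe is not covered by this check

            // TASK_ENUM_HIDDEN includes hidden tasks in the listing.
            IRegisteredTaskCollection taskCol = taskFolder.GetTasks((int)_TASK_ENUM_FLAGS.TASK_ENUM_HIDDEN);

            for (int idx = 1; idx <= taskCol.Count; idx++) // the collection is 1-based
            {
                IRegisteredTask runTask = taskCol[idx];

                string      name  = runTask.Name;
                string      path  = runTask.Path;
                _TASK_STATE state = runTask.State;
                string      schXm = runTask.Xml ?? string.Empty; // tolerate a task that reports no XML

                string sched_out = "          Name: " + name + "\n" + "          Path: " + path + "\n" + "          State: " + state + "\n";

                // Anchor the check to the start of the path and ignore case: a Contains() test
                // also accepts any task whose path merely has a "Microsoft" folder further down,
                // and a case-sensitive test misreports "\microsoft\..." spellings.
                bool mspath = path.StartsWith(msTaskPath, StringComparison.OrdinalIgnoreCase);

                // Ordinal, case-insensitive search instead of ToLower(): culture-sensitive
                // lower-casing (for example under a Turkish locale) changes 'I' and would make
                // entries such as "installutil.exe" miss.
                bool bPs = schXm.IndexOf(ePs, StringComparison.OrdinalIgnoreCase) >= 0;

                /////////////////////
                // Based off array //
                /////////////////////
                foreach (string itasks in interestingTasks)
                {
                    if (schXm.IndexOf(itasks, StringComparison.OrdinalIgnoreCase) < 0)
                    {
                        continue;
                    }

                    Console.ForegroundColor = ConsoleColor.Red;
                    // Name the matched string so repeated hits on one task can be told apart.
                    Console.WriteLine("    [-] Detected interesting String in task: " + itasks);
                    Console.ForegroundColor = ConsoleColor.DarkRed;
                    Console.WriteLine(sched_out);
                    Console.WriteLine("-----------------------");
                    Console.ResetColor(); // do not leave the caller's console red
                }

                ////////////////
                // Powershell //
                ////////////////
                if (bPs)
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("    [-] PowerShell Detected - task info: ");
                    Console.WriteLine("-----------------------");
                    Console.WriteLine(sched_out);
                    Console.WriteLine("-----------------------");
                    Console.ResetColor();
                }

                ////////////////////////////
                // Outside Microsoft folder
                ////////////////////////////
                if (!mspath)
                {
                    Console.ForegroundColor = ConsoleColor.Red;
                    Console.WriteLine("      [-] Detected Task outside of Microsoft folder - task info: ");
                    Console.ForegroundColor = ConsoleColor.DarkRed;
                    Console.WriteLine(sched_out);
                    Console.ResetColor();
                }
            }

            // The argument to GetFolders is passed as 0, as in the original call.
            ITaskFolderCollection taskFolderCol = taskFolder.GetFolders(0);

            for (int idx = 1; idx <= taskFolderCol.Count; idx++) // 1-based, recurse into each subfolder
            {
                ProcessTaskFoler(taskFolderCol[idx]);
            }
        }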