NEW TOOL: Scheduled tasks parser

[EricZimmerman]

Hey Eric

We talked on Twitter about creating a new parser for both formats of Scheduled Tasks (job binary format, and the newer xml format). There's an implementation of this written in Python called winjob, and can be found here - https://github.com/yahoo/winjob/blob/master/winjob/winjob.py

Additionally, the structs can be found on Microsoft's documentations:

JOB - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/b6425baf-7eb1-46c9-be5f-b13649004d0c
XML - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/0d6383e4-de92-43e7-b0bb-a60cfa36379f

I hope that is what you were looking for. I think the winjob library is doing a good job documenting the necessary objects.

Hadar

[randomaccess3]

+1 for this. Potential names (clearly the hardest part) STECmd - Scheduled Task explorer cmd JBECmd - job explorer cmd

[AndrewRathbun]

One of my colleagues just put this together: https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/Windows/PowerShell_ParseScheduledTasks.mkape

Curious if this will help with this.

[EricZimmerman]

It's an xml file already. What is there to parse? Maybe for at style jobs ?