{"id":31079942,"url":"https://github.com/compcode1/ios9-scheduled-task","last_synced_at":"2026-07-01T00:31:49.184Z","repository":{"id":293069774,"uuid":"982842258","full_name":"Compcode1/ios9-scheduled-task","owner":"Compcode1","description":"This case study documents an advanced persistence technique involving a scheduled task launching base64-encoded PowerShell, used to execute malicious commands without dropping traditional malware to disk. ","archived":false,"fork":false,"pushed_at":"2025-05-13T13:55:50.000Z","size":21,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-16T11:25:17.915Z","etag":null,"topics":["edr-telemetry","fileless-persistence","ioc-analysis","powershell","scheduled-task"],"latest_commit_sha":null,"homepage":"","language":"Jupyter Notebook","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Compcode1.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-13T13:40:13.000Z","updated_at":"2025-05-13T13:57:49.000Z","dependencies_parsed_at":"2025-05-13T14:58:45.497Z","dependency_job_id":"7de286e8-23b8-4fbf-8f95-0125d746d9e9","html_url":"https://github.com/Compcode1/ios9-scheduled-task","commit_stats":null,"previous_names":["compcode1/ios9-scheduled-task"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Compcode1/ios9-scheduled-task","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fios9-scheduled-task","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fios9-scheduled-task/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fios9-scheduled-task/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fios9-scheduled-task/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Compcode1","download_url":"https://codeload.github.com/Compcode1/ios9-scheduled-task/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Compcode1%2Fios9-scheduled-task/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34988712,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-30T02:00:05.919Z","response_time":92,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["edr-telemetry","fileless-persistence","ioc-analysis","powershell","scheduled-task"],"created_at":"2025-09-16T11:01:31.651Z","updated_at":"2026-07-01T00:31:49.151Z","avatar_url":"https://github.com/Compcode1.png","language":"Jupyter Notebook","funding_links":[],"categories":[],"sub_categories":[],"readme":"IOC 9 – Scheduled Task Persistence with Encoded PowerShell\nOverview\nThis case study documents an attacker’s use of Windows-native binaries to establish persistent, fileless execution using Task Scheduler and obfuscated PowerShell. The operation was designed to silently launch a hidden beacon on schedule, relying entirely on legitimate system components to avoid detection.\n\nKey Objectives\nDemonstrate detection of fileless persistence using host-based triage.\n\nAnalyze attacker behavior across OS and OSI layers.\n\nReinforce technical interpretation with analogies and metaphorical clarity.\n\nCore Detection Flow\nTriggered by EDR alert: PowerShell process launched by schtasks.exe.\n\nVerified via Event ID 4698 (new scheduled task) and registry Run key.\n\nScript was base64-encoded and executed with hidden window.\n\nBeaconing observed through Invoke-WebRequest to external domain.\n\nNotable Techniques Used\nScheduled task configured to run powershell.exe silently.\n\nPayload passed via base64 encoding to avoid basic string detection.\n\nRedundant persistence using both Task Scheduler and Run key.\n\nFileless execution with no dropped malware binary.\n\nOutcome\nThe scheduled task and registry key were removed. Outbound domains were blocked. The host was isolated and memory-captured for runtime analysis. IOC was logged into central SIEM and a detection rule was created for base64 PowerShell launched from scheduled tasks.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fios9-scheduled-task","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcompcode1%2Fios9-scheduled-task","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcompcode1%2Fios9-scheduled-task/lists"}