Seminar Details
2025-11-27 (13:00) : Uncovering Malicious Persistence: Machine Learning-Based Detection of Windows Scheduled Tasks
At Shannon, Maxwell a.105
Organized by Computer Science and Engineering
Speaker: Khaled Rahal (ERM & ULB)
Abstract:
Advanced Persistent Threats (APT) represent a serious security concern because they carry out long-term and carefully planned attacks. While a lot of research has gone into finding ways to detect these threats, one crucial area often gets less attention, namely the persistence mechanisms that allow attackers to stay hidden and maintain access to systems over time. In this work, we investigate scheduled tasks, a widely used persistence technique in Windows environments, and analyze their role in APT operations. We conducted an in-depth study of how attackers leverage scheduled tasks to maintain stealthy access and execute malicious actions over time. We introduce Detecting APT Through Malicious Scheduled Tasks (DAPTASK), an approach that leverages Sysmon log data, Word2Vec-based feature representation, and Machine Learning (ML) classifiers to identify malicious scheduled tasks commonly used in APT persistence techniques. Our approach achieves a high detection performance, with an F1-score of 95.19%. Furthermore, we provide a labeled dataset, which can serve as a valuable resource for researchers developing APT detection methods; the dataset and the code used are publicly available at https://gitlab.cylab.be/cylab/daptask. Our approach enhances APT detection by addressing persistence techniques, a critical yet often neglected attack vector.
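To make the first two stages of the pipeline described in the abstract concrete, the following added example (written for this page, not code from DAPTASK or the speaker) filters constructed Sysmon process-creation records down to schtasks.exe task creations and turns each command line into the token sequence a Word2Vec model would be trained on. The event field names and the normalisation rules are assumptions chosen for illustration; the embedding and classifier stages are not reproduced.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields
# a scheduled-task feature extractor needs. Sample data, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\u.exe" /sc minute /mo 5 /ru SYSTEM /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "OneDrive Reporting" /tr "C:\Program Files\OneDrive\Updater.exe" /sc daily'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": ""},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted argument stays one token

def is_task_creation(event):
    """True for a process-creation event that runs schtasks.exe with /create."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    return (event.get("EventID") == 1 and image == "schtasks.exe"
            and "/create" in event.get("CommandLine", "").lower())

def normalize_path(value):
    """Keep only top-level directory and extension of a /tr target (assumed rule)."""
    parts = value.strip('"').split("\\")
    top = parts[1].lower() if len(parts) > 2 else "relative"
    name = parts[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else "noext"
    return [f"dir:{top}", f"ext:{ext}"]

def tokenize(command_line):
    """Turn a schtasks command line into the token sequence a Word2Vec model is
    trained on: switches are kept verbatim, values are generalised by switch."""
    tokens, switch = [], None
    for tok in TOKEN_RE.findall(command_line)[1:]:  # [1:] drops 'schtasks'
        if tok.startswith("/"):
            switch = tok.lower()
            tokens.append(switch)
        elif switch == "/tr":
            tokens.extend(normalize_path(tok))
        elif switch == "/tn":
            tokens.append("taskname")  # free-text task names are not features
        elif tok.isdigit():
            tokens.append("num")
        else:
            tokens.append(tok.strip('"').lower())  # e.g. minute, daily, system
    return tokens

def extract_corpus(events):
    """Token sequences for every scheduled-task creation in a batch of events."""
    return [tokenize(e["CommandLine"]) for e in events if is_task_creation(e)]
```

The resulting lists are what a gensim-style Word2Vec model would consume as sentences; the generalisation of paths and task names keeps the vocabulary stable across hosts.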
