CSY102 Week 07 - Practice scheduled execution and automation workflows before moving to reading resources.

Opening Framing: The Most Dangerous Instruction Is the One You Forgot You Gave

In Week 6, we studied background trust: services that run continuously and quietly enforce rules. But continuous execution is only half the story.

The other half is scheduled execution — actions that run at a particular time, on a particular condition, often with no user present to notice or interrupt them.

Systems don't just respond to users. They execute plans. They remember instructions you gave yesterday, last week, or years ago — and carry them out faithfully, whether or not you still want them to, whether or not the context still makes sense.

Automation is deferred authority. When you schedule something, you are granting the system permission to act later, potentially under conditions you won't be present to verify.

Mental Model: The Calendar of a Powerful Organisation

Imagine a large organisation where work is executed via a shared calendar:

Some meetings are harmless (routine tasks)
Some meetings have authority (system maintenance)
Some meetings unlock doors and change permissions (privileged automation)

If an attacker can add, edit, or impersonate entries in that calendar, they don't need to fight guards in real time. They simply arrange for the guards to open the doors later.

Security failures happen when systems execute future actions based on assumptions that no longer hold. The calendar doesn't know that the person who scheduled a meeting was fired last week. It simply executes what was planned.

Mental model: scheduled tasks are calendar entries with system authority. Control the calendar, control the future.

1) What Scheduling Means in an Operating System

At the OS level, scheduling is the ability to run tasks:

At a specific time (e.g., nightly at 2 AM)
At a repeating interval (e.g., every 5 minutes)
On an event (e.g., user logs in, network becomes available)
At boot (e.g., after startup completes)

The key security question is never "Can it run?" The question is: Under what identity, with what privileges, and based on what trust assumptions?

On Linux, the primary scheduling mechanisms are cron (time-based) and systemd timers. On Windows, the Task Scheduler provides equivalent functionality with additional triggers like idle time, workstation lock/unlock, and event log entries.

Each scheduled task is a stored instruction waiting to execute. The system doesn't re-verify whether you still want it to run. It doesn't check whether circumstances have changed. It simply executes what was planned.

Key insight: scheduled tasks are instructions frozen in time, executed in a future that may not match the assumptions under which they were created.

2) Automation and Identity: Who Does the Task Run As?

Scheduled tasks do not run "as the computer." They run as a specific identity:

Normal user identity: limited scope, can only access that user's resources
Service identity: system-wide scope, designed for background operations
Administrative identity: high-risk scope, can modify system configuration
SYSTEM/root: maximum privileges, can do anything on the machine

This is why automation is a privilege boundary. A task scheduled by a regular user but configured to run as SYSTEM is a privilege escalation waiting to happen. If an attacker can modify that task's definition, they inherit its authority.

Consider a backup script that runs nightly as root. The script itself may be simple, but its execution context grants full system access. If an attacker can modify the script file, or redirect where the script is loaded from, they gain root execution — without ever exploiting a vulnerability.

Key insight: the identity under which automation runs is often more important than what the automation does. Privilege determines impact.

3) Why Time Is a Security Surface

Time is not just when things happen — it's a control mechanism that affects security:

Logs and forensics: timestamps determine how investigations reconstruct events
Updates and patches: timing determines what version is running and when vulnerabilities are closed
Credential validity: tokens, certificates, and passwords expire based on time
Policy enforcement: lockouts, audits, and key rotations trigger on schedules

If an attacker can influence time, triggers, or scheduling rules, they gain powerful capabilities:

Hide in maintenance windows: schedule malicious activity when legitimate maintenance occurs
Delay detection: shift timestamps to confuse forensic analysis
Achieve persistence: re-run payloads automatically, surviving manual removal
Exploit predictability: know exactly when defenses are weakest

Time manipulation attacks (NTP poisoning, clock skew exploitation) are real techniques used by sophisticated attackers precisely because time underlies so many security mechanisms.

Key insight: time is infrastructure. Like network or filesystem, it can be attacked, manipulated, and exploited by those who understand its role in security.

4) Automation as Persistence (Connecting to Weeks 4–6)

In Week 4 we learned persistence beyond identity — how data and configurations outlive the users who created them. In Week 6 we learned about services as background authority. Scheduling is the bridge: persistence via repeated execution.

Traditional malware persistence means "staying resident" — keeping code in memory or installed on disk. But scheduled task persistence is different and often more resilient:

The malicious payload can be deleted, but if the schedule remains, it gets recreated
A task running every hour survives manual removal if the scheduling mechanism isn't cleaned
Scheduled tasks blend into legitimate system maintenance, avoiding detection
Even if the malware is discovered once, it returns automatically

This is why incident responders always check scheduled tasks during investigations. Removing a malicious file without removing its scheduled recreation is incomplete remediation.

Key insight: scheduling turns one-time access into recurring access. It's not about staying — it's about reliably returning.

5) Risk Patterns to Recognise

When auditing scheduled tasks, watch for these dangerous patterns:

Privileged automation: tasks that run with admin/system authority. Ask: does this task actually need these privileges?
Silent execution: tasks that run without visible output or prompts. Ask: how would anyone notice if this task misbehaved?
Weak ownership: tasks editable by accounts that should not control them. Ask: who can modify this task's definition or target script?
Overbroad scope: tasks that touch many files, users, or network paths. Ask: what's the blast radius if this task is compromised?
Predictable routine: tasks that run at known times on known triggers. Ask: could an attacker time their activity to coincide with this?

Legitimate scheduled tasks share many characteristics with malicious ones. The difference is intent and oversight — which is exactly why attackers prefer to hide in plain sight among legitimate automation.

Key insight: the most dangerous scheduled tasks are the ones nobody reviews because they've "always been there."

Real-World Context: Scheduled Task Attacks in Practice

Scheduled task abuse is a standard technique documented in the MITRE ATT&CK framework (T1053):

APT29 (Cozy Bear): Russian state-sponsored attackers extensively use Windows Task Scheduler for persistence. During the SolarWinds campaign, they created scheduled tasks that would execute malicious payloads, ensuring continued access even if individual components were discovered and removed.

Lazarus Group: North Korean attackers have used scheduled tasks to maintain persistence in financial institutions. Tasks were configured to run during business hours, blending with legitimate activity and making detection through behavioral analysis more difficult.

Ransomware Operations: Many ransomware families use scheduled tasks to ensure encryption completes even if the initial process is killed. Some schedule tasks to run at boot, before security software fully initializes, giving them a window to disable defenses.

Common thread: attackers use scheduling because it provides persistence that survives reboots, blends with legitimate operations, and executes reliably without interaction.

Guided Lab: Exploring Deferred Authority

This lab focuses on observation and analysis. You will examine scheduling mechanisms on your system and reason about their security implications.

Lab Objective

Identify scheduled tasks on your system, understand their execution context, and analyze the security implications of deferred authority.

Environment

A Linux virtual machine (any modern distribution), OR
A Windows system with access to Task Scheduler

Step 1: Enumerate Scheduled Tasks

On Linux:

crontab -l                     # User's scheduled tasks
sudo ls -la /etc/cron.d/       # System cron jobs
systemctl list-timers          # systemd timers

On Windows (PowerShell as Administrator):

Get-ScheduledTask | Where-Object {$_.State -eq "Ready"}

Observe: how many scheduled tasks exist? Which ones did you create vs. which came with the system?

Step 2: Analyze Task Authority

Pick two scheduled tasks and determine:

What user/account does the task run as?
What triggers cause it to execute?
What does the task actually do?
Who has permission to modify the task?

On Linux:

sudo cat /etc/cron.d/<taskname>
systemctl cat <timer-name>.timer

On Windows: Task Scheduler → Right-click task → Properties

Step 3: Identify Persistence Opportunities

Consider: if you were an attacker with user-level access, which scheduling mechanism would you target? What would you schedule, and why?

Think like an attacker: persistence, privilege, and stealth.

Reflection (mandatory)

Which scheduled tasks run with the highest privileges? Why?
How would you detect a malicious scheduled task on your system?
Why is "deferred authority" a useful mental model for understanding scheduled task risk?

Lab: Deferred Authority (Scheduling and Automation)

Goal: observe how systems execute tasks automatically in the future and reason about why scheduled execution is a security boundary.

Choose ONE path (Linux or Windows). Both are valid.

Linux Path (safe commands)

Run crontab -l to see your user's scheduled tasks (it is normal if none exist).

List system-wide cron directories:

ls -la /etc/cron.daily /etc/cron.weekly /etc/cron.d

Examine systemd timers: systemctl list-timers --all
Pick one scheduled task (e.g., logrotate, apt-daily) and determine:
- What does it do?
- What user does it run as?
- Why must it run automatically?
Concept question: Why is a task that runs "later" potentially more dangerous than a task you run manually?

Windows Path (built-in tools)

Open Task Scheduler (taskschd.msc) and expand Task Scheduler Library.
Browse to Microsoft → Windows and note the variety of system tasks.
Pick two scheduled tasks and record for each:
- Triggers: what causes it to run (time, event, boot)?
- Actions: what does it execute?
- Security context: which account runs it (check "Run as" in General tab)?
- Permissions: who can modify this task?
Concept question: Why do scheduled tasks often run with higher privileges than normal applications? What risk does this create?

Deliverable (submit):

1–2 pages: observations + explanations.
One paragraph explaining "automation as deferred authority."

Checkpoint Questions

Explain why scheduling is a form of trust delegation. What are you trusting the system to do?
Why does scheduled execution create persistence even if the malicious payload file is removed?
How does time itself become a security surface? Give two specific examples.
Why are scheduled tasks attractive to attackers seeking stealth? How do they blend in?
How does Week 7's concept of "deferred authority" connect to Week 6's "background trust" and Week 4's "persistence beyond identity"?

Week 07 Outcome Check

By the end of this week, you should be able to explain:

what scheduled execution is and how it differs from continuous services
why automation is "deferred authority" and what security risks that creates
how time influences security mechanisms like logging, credentials, and updates
why attackers use scheduled tasks for persistence and stealth
how to identify dangerous patterns in scheduled task configurations

Next week: Networked services and listening surfaces — what it means for a system to expose functionality to the outside world, and how boundaries fail.

🎯 Hands-On Labs (Free & Essential)

Practice scheduled execution and automation workflows before moving to reading resources.

🎮 TryHackMe: Linux Fundamentals Part 3

What you'll do: Work with system configuration and background behavior in Linux.
Why it matters: Scheduling depends on system services and file permissions.
Time estimate: 1.5-2 hours

Start TryHackMe Linux Fundamentals 3 →

📝 Lab Exercise: Cron or Task Scheduler Audit

Task: List scheduled tasks and identify which run with elevated privileges.
Deliverable: Task list + one potential risk per privileged task.
Why it matters: Scheduled tasks are a common persistence mechanism.
Time estimate: 45-60 minutes

🏁 PicoCTF Practice: General Skills (Automation)

What you'll do: Solve beginner challenges that involve scripting and task automation.
Why it matters: Automation is power — attackers and defenders both use it.
Time estimate: 1-2 hours

Start PicoCTF General Skills →

💡 Lab Tip: Any scheduled task that runs as root/SYSTEM should be treated as high risk.

🛡️ Secure Configuration & Scheduled Tasks

Scheduling is deferred authority. Secure configuration limits who can schedule tasks and what those tasks are allowed to do.

Scheduling hardening checklist:
- Restrict cron/task scheduler access
- Store scripts in root-owned directories
- Avoid world-writable task files
- Log scheduled task execution
- Rotate credentials used by automation

Common risks: writable cron scripts, overly privileged service accounts, and unmonitored scheduled tasks that attackers can hijack for persistence.

📚 Building on CSY101 Week-13: Threat model automation as an attacker persistence path. CSY201: OS hardening extends to secure scheduling and service orchestration.

Resources

Mark the required resources as complete to unlock the Week completion button.

man7 — cron(8) Manual Page · 20-30 min · 50 XP · Resource ID: csy102_w7_r1 (Required)
Microsoft Learn — Task Scheduler Overview · 30-45 min · 50 XP · Resource ID: csy102_w7_r2 (Required)
MITRE ATT&CK — Scheduled Task/Job (T1053) · 15-20 min · 25 XP · Resource ID: csy102_w7_r3 (Optional)

Verified Resources & Videos

Linux (cron fundamentals): man7 — cron(8) manual page
Linux (crontab format): man7 — crontab(5) manual page
Windows (task scheduling): Microsoft Learn — Task Scheduler
Windows (task security context): Microsoft Learn — Security Contexts for Running Tasks
Security perspective (MITRE ATT&CK): MITRE ATT&CK — Scheduled Task/Job
Linux (systemd timers): systemd.timer Manual Page

Scheduling is powerful because it removes humans from the execution loop. That same removal is what makes it dangerous. If Week 6 taught you to fear what runs continuously, Week 7 teaches you to fear what runs reliably.

Weekly Reflection

Reflection Prompt (200-300 words):

Think about a system you manage or use regularly. Identify at least two scheduled tasks or automated processes that run on that system. For each one, analyze:

What authority does the task have (what user/privileges)?
Who can modify the task definition or the scripts it executes?
How would you detect if the task had been tampered with?
What would an attacker gain by compromising this specific task?

Connect your analysis to this week's concept of "deferred authority." How does scheduling change the trust relationship between you and the system? What assumptions are you making about future conditions when you schedule something today?

A strong response will name specific tasks, analyze their privilege and modification controls, and demonstrate understanding of why scheduled execution creates unique security risks.