RedLotus Task Sentinel
To combat advanced persistence mechanisms and evasion techniques relying on the Windows Task Scheduler, RedLotus introduces the Task Sentinel. This advanced analyzer moves beyond simple enumeration, offering deep forensic inspection of every scheduled task to identify anomalies, arguments, and hidden execution vectors instantly.
Presentation & Showcase
Interface & Key Features
The Task Sentinel organizes complex system data into a streamlined dashboard designed for rapid assessment. The interface is centered around usability and depth:
Main Dashboard
Search Bar: Allows for instant filtering of tasks by name, enabling quick lookup of known system tasks or suspicious entries.
Task Details Panel: Double-clicking any row reveals a full forensic analysis, including digital signatures, specific YARA rule matches, IFEO hijacks, and USN Journal history.
Quick Filters
8 toggleable filters allow Staff to isolate threats immediately:
Suspicious: Isolates tasks executing high-risk binaries like cmd, powershell, rundll32, etc.
User Author: Filters tasks created specifically by local users, ignoring default system tasks.
Unsigned: Highlights binaries missing valid digital signatures.
LogOn: Shows tasks configured to auto-run immediately when a user logs in (persistence vector).
Yara: Displays tasks that have triggered internal YARA detection rules.
Args: Filters for tasks that utilize command-line arguments.
Registry: Identifies "Ghost Tasks", entries present in the Registry but missing from the Filesystem (or vice versa).
IFEO: Flags Image File Execution Options debugger hijacks.
Real-Time Journal Scanning
The tool integrates directly with the NTFS USN Journal to flag tasks that have been modified since boot. This highlights active evasion attempts where a cheater tries to alter a task before a check.
Detection Capabilities
Task Sentinel is built to detect not just known cheats, but suspicious behaviors and obfuscation techniques used to hide them.
YARA Rule Engine
The tool scans task targets against 19 custom rules specifically tuned for cheat detection:
Generic A-Series (3): Patterns associated with Autoclickers.
Generic B-Series (7): Detection of packers and file protection methods.
Generic F-Series (7): Identification of advanced packed executables.
Generic G-Series (4): Patterns common in DLL Injectors.
Specific A-B: Targeted detection for known cheat signatures.
Advanced Forensic Checks
Ghost Tasks: Detects discrepancies between the Windows Registry and XML task definitions, a common method used to hide persistence from standard tools.
IFEO Hijacking: Identifies debugger redirects (Image File Execution Options), a technique used to silently launch malware when a legitimate program is opened.
Signature Verification: Automatically classifies targets as SIGNED, FAKE, CHEAT, UNSIGNED, or NOT FOUND.
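As an added illustration (not RedLotus code), the following Python sketches two of the checks described above: it parses a Task Scheduler XML definition to derive the Suspicious, Args and LogOn labels, and diffs a filesystem task inventory against a registry one to find Ghost Tasks. The task XML namespace and the registry location named in the comments are the real Windows ones; the sample task definition and task names are constructed.

```python
# Added example, not part of the RedLotus project. Input is constructed inline.
# On a live host the XML definitions live under %SystemRoot%\System32\Tasks
# (stored as UTF-16, so read them as bytes) and the registry inventory is the
# subkey tree under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree.
import os
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Binaries the page's Suspicious filter names; compared by basename without extension.
HIGH_RISK = {"cmd", "powershell", "rundll32"}


def analyze_task(xml_text):
    """Return the set of filter labels a single task XML definition triggers."""
    root = ET.fromstring(xml_text)
    labels = set()
    exec_node = root.find("t:Actions/t:Exec", NS)
    if exec_node is not None:
        cmd = exec_node.findtext("t:Command", "", NS).strip().strip('"')
        base = os.path.basename(cmd.replace("\\", "/")).lower()
        if base.rsplit(".", 1)[0] in HIGH_RISK:
            labels.add("Suspicious")
        if exec_node.findtext("t:Arguments", "", NS).strip():
            labels.add("Args")
    # A LogonTrigger means the task runs as soon as a user signs in.
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        labels.add("LogOn")
    return labels


def ghost_tasks(fs_tasks, reg_tasks):
    """Cross-reference the two inventories (task paths such as '\\Updater').
    Returns (registry_only, filesystem_only); either side non-empty is a Ghost Task."""
    fs, reg = set(fs_tasks), set(reg_tasks)
    return sorted(reg - fs), sorted(fs - reg)


# Constructed sample: a user-authored logon task launching rundll32 with arguments.
SAMPLE_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DESKTOP\\user</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>C:\\Users\\Public\\lib.dll,Entry</Arguments>
  </Exec></Actions>
</Task>"""
CLEAN_XML = '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec><Command>C:\\Windows\\notepad.exe</Command></Exec></Actions></Task>'

# Constructed inventories: "\\OneDriveSync" exists only in the registry.
FS_TASKS = {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\Updater"}
REG_TASKS = {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\Updater", "\\OneDriveSync"}
```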
Technical Optimizations
The tool is engineered for forensic depth without sacrificing speed or stability.
Dual-Source Validation: Unlike standard tools that only check the folder structure, Sentinel cross-references the Filesystem against the Registry to catch hidden or desynchronized tasks.
NTFS Journal Integration: By correlating tasks with the USN Journal, it detects post-boot modifications, effectively countering timestamp spoofing attempts.
Multi-threaded Scanning: The engine utilizes multi-threading to perform enumeration, signature checks, and YARA scanning near-instantly, ensuring the check remains efficient.