🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Source System Artifacts:
  • Destination System Artifacts:
  • Overview
  • Analyzing The Artifact
  • Tools for Analysis

Was this helpful?

  1. Windows Artifacts
  2. Persistence

Scheduled Tasks

Scheduled tasks can be used for persistence by threat actors in various ways. Key artifacts associated with the creation, execution, and management of scheduled tasks in Windows include:

Source System Artifacts:

  • Event Log:

    • Event ID 4648: Logon specifying alternate credentials.

    • Scheduled Task Events Event IDs:

      • 4698 (creation)

      • 4702 (update)

      • 4699 (deletion)

      • 4700/4701 (enabled/disabled).

  • Registry:

    • ShimCache: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

    • BAM/DAM: SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

    • AmCache.hve: Lists programs executed, including schtasks.exe and at.exe.

  • Prefetch:

    • C:\Windows\Prefetch\at.exe-{hash}.pf

    • C:\Windows\Prefetch\schtasks.exe-{hash}.pf

Destination System Artifacts:

  • Event Log:

    • Event ID 4624: Successful account logon.

    • Event ID 4672: Special privileges assigned to new logon.

    • Event ID 4776: The computer attempted to validate the credentials for an account.

    • Scheduled Task Events Event IDs:

      • 4698 (creation)

      • 4702 (update)

      • 4699 (deletion)

      • 4700/4701 (enabled/disabled).

  • Registry:

    • Tasks and Tree:

      • Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks

      • Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

        • Store details of scheduled tasks.

  • File System:

    • Job Files: C:\Windows\Tasks

    • XML Task Files: C:\Windows\System32\Tasks

Overview

Scheduled tasks are integral to Windows operations, automation, and persistence mechanisms. These artifacts are pivotal:

  • Event IDs 4698, 4702, 4699, 4700 & 4701 provide forensic evidence of task manipulation.

  • Registry keys under TaskCache reveal task configurations and metadata.

  • Prefetch files for schtasks.exe and at.exe indicate execution and can help establish a timeline.

  • File paths like C:\Windows\System32\Tasks and C:\Windows\Tasks contain the actual task files, potentially including malicious tasks.

Analyzing The Artifact

  1. Examine Scheduled Tasks: Use the Task Scheduler GUI (taskschd.msc) or schtasks.exe to list and review tasks. Pay attention to tasks with unusual triggers or actions.

  2. Event Log Analysis: Investigate the Security and Microsoft-Windows-TaskScheduler operational logs for creation, modification, and execution of tasks. Correlate these events with other suspicious activities.

  3. Registry Examination: Navigate to Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache to analyze task definitions and metadata. Tools like Registry Explorer can be invaluable.

  4. Prefetch Analysis: Review prefetch files for execution patterns of schtasks.exe, at.exe, and potentially malicious executables like evil.exe.

  5. File System Scrutiny: Inspect C:\Windows\System32\Tasks and C:\Windows\Tasks for task files, especially those with recent timestamps or linked to other indicators of compromise.

Tools for Analysis

  • Task Scheduler and Command Line Utilities: For reviewing and managing scheduled tasks.

  • Windows Event Viewer: For detailed logs related to task creation, execution, and deletion.

  • Registry Tools (Registry Explorer, RECmd): For deep dives into the registry entries associated with tasks.

  • Forensic Analysis Tools (Autopsy, X-Ways Forensics): For comprehensive analysis of file systems, prefetch files, and registry keys.

  • PowerShell Scripts: Custom scripts can automate the extraction and analysis of scheduled task artifacts.

PreviousScheduled TasksNextScheduled Task Destination System Artifacts

Last updated 1 year ago

Was this helpful?