Scheduled Task Destination System Artifacts

Scheduled Task Destination System Artifacts Quick Reference

security.evtx:

Event ID 4624
- Logon Type 3
- Source IP/Logon Username
Event ID 4672
- Logon User Name
- Logon by user with administrative rights
- Requirement for accessing default shares such as C$ and ADMIN$
Event ID 4776
- NTLM if authenticating to Local System
- Source Host Name/Logon User Name
Event ID 4698
- Scheduled task created
Event ID 4702
- Scheduled task updated
Event ID 4699
- Scheduled task deleted
Event ID 4700/4701
- Scheduled task enabled/disabled

SOFTWARE

Overview

The source system artifacts provide crucial evidence about the use and management of scheduled tasks. These artifacts include:

Event ID 4648: Indicates logon with alternate credentials, which can be a sign of privilege escalation or lateral movement attempts.
Scheduled Task Events:
- Event ID 4698: Creation of a new scheduled task.
- Event ID 4702: Update to an existing scheduled task.
- Event ID 4699: Deletion of a scheduled task.
- Event IDs 4700/4701: A scheduled task was enabled or disabled.

ShimCache: Located at SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
- Provides a record of executed applications, including schtasks.exe and at.exe.
BAM/DAM: Found under SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}, it tracks applications executed by users, useful for identifying execution patterns of task scheduling tools.
AmCache.hve: Contains records of programs executed, offering timestamps and file paths, crucial for timeline analysis involving schtasks.exe and at.exe.

Prefetch files, specifically C:\Windows\Prefetch\at.exe-{hash}.pf and C:\Windows\Prefetch\schtasks.exe-{hash}.pf, record the execution of the AT command and Task Scheduler, providing insights into their usage frequency and last execution time.

Understanding the implications of these artifacts requires a comprehensive analysis approach:

Event Log Analysis: Event logs are foundational for timeline reconstruction and understanding task management actions. They reveal when and how scheduled tasks were manipulated, potentially highlighting unauthorized changes or the setup of malicious tasks.
Registry Examination: The ShimCache, BAM/DAM, and AmCache.hve provide a forensic trail of executable runs, which is invaluable for identifying the use of scheduling tools in potentially malicious contexts. Analyzing these registry entries can reveal execution patterns and timelines for critical forensic analysis.
Prefetch Files Analysis: Prefetch files for at.exe and schtasks.exe not only confirm the execution of these tools but also provide execution frequency and last execution date, aiding in the identification of suspicious task scheduling activities.

Event Log Review: Utilize tools like Event Viewer to scrutinize the Security logs for the specified Event IDs, understanding the context and timing of scheduled task manipulations.
Registry Analysis: Employ forensic tools to explore the mentioned registry paths for evidence of schtasks.exe and at.exe execution. This analysis can uncover usage patterns and potentially link to specific scheduled tasks or malicious activities.
Prefetch Investigation: Analyze the prefetch files for at.exe and schtasks.exe to determine how frequently these tools are used and their last known execution times. This information is critical for establishing a timeline of events and identifying abnormal use patterns.

Windows Event Viewer: For accessing and analyzing event logs related to scheduled tasks.
Registry Analysis Tools: Tools like Registry Explorer and RECmd can navigate and interpret ShimCache, BAM/DAM, and AmCache.hve entries.
Forensic Analysis Suites: Comprehensive forensic suites like Autopsy or X-Ways Forensics can analyze prefetch files, alongside other artifacts, providing a holistic view of system activities.

Last updated 1 year ago

Was this helpful?