Scheduled Task Destination System Artifacts
Last updated
Was this helpful?
Last updated
Was this helpful?
Scheduled Task Destination System Artifacts Quick Reference
security.evtx:
Logon Type 3
Source IP/Logon Username
Logon User Name
Logon by user with administrative rights
Requirement for accessing default shares such as C$ and ADMIN$
NTLM if authenticating to Local System
Source Host Name/Logon User Name
Scheduled task created
Scheduled task updated
Scheduled task deleted
Event ID /
Scheduled task enabled/disabled
The source system artifacts provide crucial evidence about the use and management of scheduled tasks. These artifacts include:
Event ID 4648: Indicates logon with alternate credentials, which can be a sign of privilege escalation or lateral movement attempts.
Scheduled Task Events:
Event ID 4698: Creation of a new scheduled task.
Event ID 4702: Update to an existing scheduled task.
Event ID 4699: Deletion of a scheduled task.
Event IDs 4700/4701: A scheduled task was enabled or disabled.
ShimCache: Located at SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Provides a record of executed applications, including schtasks.exe and at.exe.
BAM/DAM: Found under SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}, it tracks applications executed by users, useful for identifying execution patterns of task scheduling tools.
AmCache.hve: Contains records of programs executed, offering timestamps and file paths, crucial for timeline analysis involving schtasks.exe and at.exe.
Prefetch files, specifically C:\Windows\Prefetch\at.exe-{hash}.pf and C:\Windows\Prefetch\schtasks.exe-{hash}.pf, record the execution of the AT command and Task Scheduler, providing insights into their usage frequency and last execution time.
Understanding the implications of these artifacts requires a comprehensive analysis approach:
Event Log Analysis: Event logs are foundational for timeline reconstruction and understanding task management actions. They reveal when and how scheduled tasks were manipulated, potentially highlighting unauthorized changes or the setup of malicious tasks.
Registry Examination: The ShimCache, BAM/DAM, and AmCache.hve provide a forensic trail of executable runs, which is invaluable for identifying the use of scheduling tools in potentially malicious contexts. Analyzing these registry entries can reveal execution patterns and timelines for critical forensic analysis.
Prefetch Files Analysis: Prefetch files for at.exe and schtasks.exe not only confirm the execution of these tools but also provide execution frequency and last execution date, aiding in the identification of suspicious task scheduling activities.
Event Log Review: Utilize tools like Event Viewer to scrutinize the Security logs for the specified Event IDs, understanding the context and timing of scheduled task manipulations.
Registry Analysis: Employ forensic tools to explore the mentioned registry paths for evidence of schtasks.exe and at.exe execution. This analysis can uncover usage patterns and potentially link to specific scheduled tasks or malicious activities.
Prefetch Investigation: Analyze the prefetch files for at.exe and schtasks.exe to determine how frequently these tools are used and their last known execution times. This information is critical for establishing a timeline of events and identifying abnormal use patterns.
Windows Event Viewer: For accessing and analyzing event logs related to scheduled tasks.
Registry Analysis Tools: Tools like Registry Explorer and RECmd can navigate and interpret ShimCache, BAM/DAM, and AmCache.hve entries.
Forensic Analysis Suites: Comprehensive forensic suites like Autopsy or X-Ways Forensics can analyze prefetch files, alongside other artifacts, providing a holistic view of system activities.
– SYSTEM
– First Time Executed
– C:\Windows\Prefetch