Scheduled Task Source System Artifacts

Scheduled Task Source System Artifacts Quick Reference

Overview

Destination system artifacts related to scheduled tasks encompass a variety of data sources including event logs, registry entries, file system traces, and more. These artifacts are crucial for understanding how scheduled tasks are used within a system, potentially for malicious purposes.

Event Log:

• Event ID 4698: A scheduled task was created.

• Event ID 4702: A scheduled task was updated.

• Event ID 4699: A scheduled task was deleted.

• Scheduled Task Events Event IDs:

  • 4698 (creation)

  • 4702 (update)

  • 4699 (deletion)

  • 4700/4701 (enabled/disabled).

Registry:

• Task Scheduler Cache:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks

    • Stores individual task configurations.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

    • Maintains a hierarchical structure of all scheduled tasks, useful for understanding groupings and relationships between tasks.

File System:

• Job and XML Task Files:

  • C:\Windows\Tasks for older .job task files.

  • C:\Windows\System32\Tasks

    • For XML-based task files, which contain definitions and configurations for tasks. The Author tag within these files can provide the creator's username and system name.

Deeper Dive

Understanding the usage and implications of these artifacts requires careful analysis and correlation with other forensic evidence:

• Event Logs Analysis: Event logs are pivotal for timeline analysis, showing when tasks were created, modified, executed, or deleted. Correlation with other event IDs can help build a comprehensive view of an attacker's actions.

• Registry Analysis: The TaskCache registry keys provide detailed information about each scheduled task, including the task's last run time and configuration details. These entries can be examined to identify potentially malicious tasks, especially those that do not correlate with legitimate system or user activities.

• File System Examination: The files stored in C:\Windows\System32\Tasks and C:\Windows\Tasks are direct representations of the scheduled tasks. These files should be analyzed for anomalies such as unusual execution times, actions, or triggers. The presence of scripts or executables referenced by these tasks that are located in unusual directories or have suspicious names may also indicate malicious intent.

Analyzing The Artifact

1. Review Event Logs: Use the Event Viewer to analyze the Task Scheduler operational logs and security logs for relevant event IDs. This can reveal unauthorized creation, modification, or deletion of tasks.

2. Inspect Registry Entries: Tools like Registry Explorer can be used to navigate the TaskCache registry keys for insights into the tasks' configurations and metadata.

3. Examine Task Files: Investigate the contents of task files in C:\Windows\System32\Tasks and C:\Windows\Tasks for suspicious task definitions or actions. Pay attention to tasks that execute unknown or unexpected scripts and programs.

4. Correlate with Other Artifacts: Cross-reference scheduled task artifacts with other system artifacts such as Prefetch files, ShimCache entries, and AmCache.hve records to validate the execution of tasks and associated executables.

Tools for Analysis

• Windows Event Viewer: Essential for reviewing event logs related to scheduled tasks.

• Registry Analysis Tools (e.g., Registry Explorer): For deep dives into the TaskCache registry.

• File Analysis Tools (e.g., Autopsy, X-Ways Forensics): To examine the contents and metadata of task files in the file system.

• Command Line Utilities (schtasks.exe): For querying, creating, and modifying scheduled tasks directly from the command line.