Scheduled Tasks

File Location:

  • C:\Windows\System32\Tasks

  • C:\Windows\SysWOW64\Tasks

Parse Data

Considerations

  • Can be registered remotely; the registering account then shows up with a network (type 3) logon on the target host.

  • Tasks that run as a specific account use a batch logon (type 4), and the credential is saved on the host in LSA secrets.

Audit Logs:

  • Scheduled task activity is not logged by default.

    • Enable the Microsoft-Windows-TaskScheduler/Operational log (stored on disk as Microsoft-Windows-TaskScheduler%4Operational.evtx).

Task Scheduler

  • 106: Scheduled Task Created.

  • 140: Scheduled Task Updated.

    • The entry shows the user account that updated the task and the name of the task. The Logged date and time show when the task was updated. Look for the associated Event ID 200 and 201 for additional information.

  • 141: Scheduled Task Deleted.

    • The entry shows the user account that deleted the task and the name of the task.

  • 200: Scheduled Task Executed.

    • Shows the task name and the full path to the executable on disk that was run (listed as the Action). Correlate this with the associated Event ID 106 to determine the user account that scheduled the task.

  • 201: Scheduled Task Completed.

    • Shows the task name and the full path to the executable on disk that finished running (listed as the Action). As with Event ID 200, correlate with the associated Event ID 106 to determine the user account that scheduled the task.

Security.evtx (not enabled by default; these events require the Object Access > Audit Other Object Access Events subcategory)

  • 4698: A scheduled task was created.

    • The event description contains the user account that created the task in the Subject section. XML details of the scheduled task are also recorded in the event description under the Task Description section and includes the Task Name.

  • 4699: A scheduled task was deleted.

    • The Subject section of the event description contains the Account Name that deleted the task as well as the Task Name.

  • 4700: A scheduled task was enabled. See Event ID 4698 for additional details.

  • 4701: A scheduled task was disabled. See Event ID 4698 for additional details.

  • 4702: A scheduled task was updated.

    • The user who initiated the update appears in the Subject section of the event description. The details of the task after its modification are listed in the XML in the event description. Compare with previous Event ID 4702 or 4698 entries for this task to determine what changes were made. See Event ID 4698 for additional details.

Remote Usage:

XML Files:

Each task's XML file records:

  • When task was registered.

  • What account and system registered the task.

  • Task trigger conditions and frequency.

  • Account used to execute scheduled task (batch logon).
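The fields listed above can be pulled straight out of a task file with a small parser. The following is an added example, not code from the original page: it parses a constructed task XML (every name, date and path in it is made up) from the Task Scheduler namespace and returns the registration date, author, run-as principal and logon type, trigger kinds and actions. The `LogonType` value `Password` is the case where the account's credential is stored on the host for a batch logon.

```python
import xml.etree.ElementTree as ET

# Namespace Task Scheduler uses for every task file under System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task file for the example; not taken from a real host.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2024-03-11T02:17:43.1234567</Date>
    <Author>CORP\svc-backup</Author>
    <URI>\Updater</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-03-11T02:20:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>CORP\svc-backup</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\upd.exe</Command>
      <Arguments>-q</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}")[-1]


def parse_task_xml(xml_text):
    """Return the forensically useful fields of one task XML document."""
    root = ET.fromstring(xml_text)

    def text(path):
        return root.findtext(path, default=None, namespaces=NS)

    triggers_node = root.find("t:Triggers", NS)
    triggers = [] if triggers_node is None else [_local(c.tag) for c in triggers_node]

    actions = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd + " " + args).strip())

    return {
        "registered": text("t:RegistrationInfo/t:Date"),
        "author": text("t:RegistrationInfo/t:Author"),
        "uri": text("t:RegistrationInfo/t:URI"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "triggers": triggers,
        "actions": actions,
    }


def parse_task_file(path):
    """Read a task file from disk; Task Scheduler writes them as UTF-16 with a BOM."""
    raw = open(path, "rb").read()
    text = raw.decode("utf-16") if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else raw.decode("utf-8")
    return parse_task_xml(text)


def stored_credential(info):
    """True when the task runs under a saved password, i.e. a batch logon with the secret kept in LSA."""
    return info["logon_type"] == "Password"


if __name__ == "__main__":
    info = parse_task_xml(SAMPLE_TASK_XML)
    for key, value in info.items():
        print(f"{key:12} {value}")
    print("stored credential:", stored_credential(info))
```

Point `parse_task_file` at a collected copy of a task file (for example one under `C:\Windows\System32\Tasks`) to get the same dictionary; compare its `registered` and `author` values against the Event ID 106 / 4698 entry for the same task name.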

Anti-Forensics

  • Threat actors delete their scheduled tasks, so the XML file may be missing, but the event log records of the task (creation, execution, deletion) will still exist.

    • Hunt for task deletion events (141 in the Task Scheduler log, 4699 in Security) and for tasks that executed but have no XML file on disk. Legitimate tasks are rarely deleted, so these stand out.
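Two of the correlations described on this page, resolving the user behind an Event ID 200 execution via the matching Event ID 106 and hunting for tasks that were deleted or whose XML file is gone, are shown together in the following added example. It is not code from the original page: the event records and the set of on-disk task names are constructed for the example (every task name, account, time and path is made up), in the shape you would get after exporting fields from the Task Scheduler Operational log and Security.evtx.

```python
from collections import defaultdict

# Constructed sample records from the Task Scheduler Operational log (106, 141, 200, 201)
# and Security.evtx (4698). Times are ISO strings so they sort lexicographically.
EVENTS = [
    {"time": "2024-03-11T02:17:43", "id": 106, "task": r"\Updater", "user": r"CORP\svc-backup"},
    {"time": "2024-03-11T02:17:43", "id": 4698, "task": r"\Updater", "user": r"CORP\svc-backup"},
    {"time": "2024-03-11T02:20:01", "id": 200, "task": r"\Updater", "action": r"C:\Users\Public\upd.exe"},
    {"time": "2024-03-11T02:20:09", "id": 201, "task": r"\Updater", "action": r"C:\Users\Public\upd.exe"},
    {"time": "2024-03-11T02:21:30", "id": 141, "task": r"\Updater", "user": r"CORP\svc-backup"},
    {"time": "2024-03-10T09:00:00", "id": 106, "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "user": "SYSTEM"},
    {"time": "2024-03-10T10:00:00", "id": 200, "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe"},
    # A task that ran but has no creation event in the collected logs at all.
    {"time": "2024-03-11T03:00:00", "id": 200, "task": r"\Ghost", "action": r"C:\ProgramData\g.exe"},
]

# Constructed list of task XML files still present under System32\Tasks (relative task paths).
ON_DISK = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}

CREATE_IDS = {106, 4698}   # task registered (Task Scheduler log / Security log)
EXEC_IDS = {200}           # action started
DELETE_IDS = {141, 4699}   # task deleted (Task Scheduler log / Security log)


def _by_time(events):
    return sorted(events, key=lambda e: e["time"])


def registering_users(events):
    """Map task name -> account that first registered it, from 106 / 4698."""
    users = {}
    for ev in _by_time(events):
        if ev["id"] in CREATE_IDS and ev["task"] not in users:
            users[ev["task"]] = ev["user"]
    return users


def resolve_executions(events):
    """Each 200 execution with the registering account filled in; None when no 106/4698 was found."""
    users = registering_users(events)
    return [
        {"time": ev["time"], "task": ev["task"], "action": ev.get("action"), "user": users.get(ev["task"])}
        for ev in _by_time(events) if ev["id"] in EXEC_IDS
    ]


def hunt_deleted(events, on_disk):
    """Tasks that the logs know about but that no longer exist on disk, with the reason."""
    findings = defaultdict(list)
    seen = set()
    for ev in _by_time(events):
        seen.add(ev["task"])
        if ev["id"] in DELETE_IDS:
            findings[ev["task"]].append(f"{ev['time']} deleted by {ev['user']} (event {ev['id']})")
    for task in sorted(seen - set(on_disk)):
        if task not in findings:
            findings[task].append("no deletion event, but XML file is absent from the Tasks folder")
    return dict(findings)


if __name__ == "__main__":
    for run in resolve_executions(EVENTS):
        print(f"{run['time']} {run['task']} ran {run['action']} (registered by {run['user']})")
    for task, reasons in hunt_deleted(EVENTS, ON_DISK).items():
        print(task, "->", "; ".join(reasons))
```

Executions whose `user` resolves to `None` mean the creation event is not in the collected logs (log rolled, logging enabled late, or the task predates the export), which is itself worth noting in the timeline.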
