Windows
Tasks
Event logs
Two trails are of use: Microsoft-Windows-TaskScheduler/Operational 🍇 (disabled by default on newer systems) and Security 🛡️.
🍇 | 🛡️ | Info |
---|---|---|
106 | 4698 | Task created |
140 | 4702 | updated |
141 | 4699 | Deleted |
200/201 | - | executed and completed |
- | 4700/4701 | enabled and disabled |
✍🏻 On older Win 👴🏼 it’s a 602 event. Also, config files are in bin format with a .job extension and can be parsed by a jobparser.py script.
Also, scheduled tasks create XML (on newer) or bin (👴🏼) config files with helpful information like the account used, timestamps and the activities scheduled. Simply go to the Windows\System32\Tasks or Windows\SysWoW64\Tasks (for 32-bit) folders. Both at.exe and schtasks.exe produce this artefact. If you know that’s a malicious task, note the account used to create it, and you have a lead because it’s likely compromised. Bingo!