Windows
Tasks
Event logs
Two trails are of use: Microsoft-Windows-TaskScheduler/Operational 🍇 (disabled by default on newer systems) and Security 🛡️.
🍇 | 🛡️ | Info
---|---|---
106 | 4698 | Task created
140 | 4702 | Task updated
141 | 4699 | Task deleted
200/201 | - | Task executed and completed
- | 4700/4701 | Task enabled and disabled
✍🏻 On older Windows 👴🏼 it's event 602. Also, the config files are in binary format with a .job extension and can be parsed by a jobparser.py script.
Also, scheduled tasks create XML (on newer systems) or binary (👴🏼) config files with helpful information like the account used, timestamps and the activities scheduled. Simply go to the Windows\System32\Tasks or Windows\SysWoW64\Tasks (for 32-bit) folders. Both at.exe and schtasks.exe produce this artefact. If you know a task is malicious, note the account used to create it: you have a lead, because that account is likely compromised. Bingo!
Services
Even when the key at 🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce is cleared, 🔑 HKLM\SYSTEM\CurrentControlSet\Services can be leveraged to run processes at every boot without user interaction. If some helper file is specified here, or even the malware itself, it can monitor different folders and registry settings to remain persistent.