🤔 How Do I Check For Malicious Autostarts?

Created: 24.06.2023

Windows

Tasks

Event logs

Two useful trails are Microsoft-Windows-TaskScheduler/Operational 🍇 (disabled by default on newer systems) and Security 🛡️.

🍇       | 🛡️        | Info
106     | 4698      | Task created
140     | 4702      | Task updated
141     | 4699      | Task deleted
200/201 | -         | Task executed and completed
-       | 4700/4701 | Task enabled and disabled

✍🏻 On older Windows 👴🏼 it is event 602. Also, the config files are in binary format with a .job extension and can be parsed with the jobparser.py script.

Also, scheduled tasks create XML (on newer systems) or binary (👴🏼) config files with helpful information such as the account used, timestamps and the activities scheduled. Simply go to the Windows\System32\Tasks or Windows\SysWoW64\Tasks (for 32-bit) folders. Both at.exe and schtasks.exe produce this artefact. If you know that a task is malicious, note the account used to create it: you have a lead, because that account is likely compromised. Bingo!
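As an added example (not code from the original post), a small Python parser for the task XML files described above: given a task file from Windows\System32\Tasks it pulls out the registering account, timestamp, run-as account, actions and triggers. The sample task it parses is constructed, and scan_tasks_dir is a helper name chosen here for walking a Tasks folder copied off a live system or an image.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace of the Task Scheduler XML format used by the files under Windows\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def _text(node, tag):  # child text, or "" when the element is absent
    return "" if node is None else node.findtext(f"t:{tag}", default="", namespaces=NS)

def parse_task_xml(xml_text: str) -> dict:
    """Triage view of one task: who registered it and when, which account it runs as,
    what it executes and which triggers fire it."""
    # ElementTree refuses a str that still carries a UTF-16 declaration, so strip it.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    reg = root.find("t:RegistrationInfo", NS)
    principal = root.find("t:Principals/t:Principal", NS)
    triggers = root.find("t:Triggers", NS)
    return {
        "author": _text(reg, "Author"),
        "date": _text(reg, "Date"),
        "run_as": _text(principal, "UserId"),
        "run_level": _text(principal, "RunLevel"),
        "actions": [f'{_text(e, "Command")} {_text(e, "Arguments")}'.strip()
                    for e in root.findall("t:Actions/t:Exec", NS)],
        # trigger element names (LogonTrigger, BootTrigger, ...) without the namespace
        "triggers": [] if triggers is None else [t.tag.split("}")[-1] for t in triggers],
    }

def scan_tasks_dir(tasks_dir: str) -> list:
    """Parse every task file below a Tasks folder (live system or a copy from an image)."""
    found = []
    for path in (p for p in Path(tasks_dir).rglob("*") if p.is_file()):
        raw = path.read_bytes()
        # on-disk task files are UTF-16 with a BOM; tolerate UTF-8 exports as well
        enc = "utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8-sig"
        info = parse_task_xml(raw.decode(enc))
        info["task"] = str(path.relative_to(tasks_dir))
        found.append(info)
    return found

# Constructed sample (not from any real system): registered by a user account, runs a
# binary from a user-writable folder as SYSTEM at every logon.
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2023-06-20T03:14:07</Date><Author>CORP\\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\updater.exe</Command><Arguments>-q</Arguments></Exec></Actions>
</Task>"""
```

Running `parse_task_xml(SAMPLE_TASK)` surfaces the lead the text mentions: the registering account (Author) differs from the account the task runs as, and the action points at a user-writable path.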

Services

Even when the key at 🔑 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce is cleared, 🔑 HKLM\SYSTEM\CurrentControlSet\Services can still be leveraged to run processes at every startup without user interaction. If a helper file, or even the malware itself, is specified here, it can monitor different folders and registry settings to remain persistent.
