Two trails of use are Microsoft-Windows-TaskScheduler/Operational 🍇 (disabled by default on newer systems) and
- executed and completed
- enabled and disabled
✍🏻 On older Win 👴🏼 it’s the 602 event. Also, config files are in bin format with the .job extension and can be parsed by a
Also, scheduled tasks create XML (on newer) or bin (👴🏼) config files with helpful information like the account used, timestamps and the activities scheduled. Simply go to
Windows\SysWoW64\Tasks (for 32-bit) folders. Both
schtasks.exe produce this artefact. If you know it’s a malicious task, note the account used to create it, and you have a lead because it’s likely compromised. Bingo!
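As an added example (not from the original notes), here is a small Python parser for the newer XML task definitions that pulls out exactly the fields mentioned above: the registering account, the registration timestamp, the run-as principal, the triggers and the actions. The sample task is constructed; the XML namespace is the one Task Scheduler 2.0 definitions actually use, and `parse_task_dir` walks a Tasks folder or an offline copy of it.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace of Task Scheduler 2.0 XML task definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample, shaped like a file under %SystemRoot%\System32\Tasks
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2023-05-01T03:14:07</Date><Author>CORP\\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger><BootTrigger/></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\update.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""

def _text(node, path):
    """Text of the first element at `path` under `node`, or '' if absent."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else ""

def extract_fields(root):
    """Pull the responder-relevant fields out of a parsed <Task> element."""
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),        # who registered it
        "registered": _text(root, "t:RegistrationInfo/t:Date"),      # when
        "run_as": _text(root, "t:Principals/t:Principal/t:UserId"),  # account it runs as
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        # Trigger element names without the namespace, e.g. LogonTrigger, BootTrigger
        "triggers": [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", NS)],
        "actions": [(_text(a, "t:Command"), _text(a, "t:Arguments"))
                    for a in root.findall("t:Actions/t:Exec", NS)],
    }

def parse_task(xml_text):
    """Parse one task definition given as a string."""
    return extract_fields(ET.fromstring(xml_text))

def parse_task_dir(task_dir):
    """Walk a Tasks folder (or an offline copy of it) and parse every task file.
    ET.parse reads bytes, so the UTF-16 BOM that real task files carry is handled."""
    results = {}
    for path in Path(task_dir).rglob("*"):
        if path.is_file():
            try:
                results[str(path)] = extract_fields(ET.parse(path).getroot())
            except ET.ParseError:
                pass  # not a task definition (or damaged); skip it
    return results
```

A task whose Author is an ordinary user account but whose UserId is S-1-5-18 (SYSTEM) and whose Command points into a user-writable folder, as in the sample, is the kind of entry worth pulling the creating account for.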
Even when the key at 🔑
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce is cleared, 🔑
HKLM\SYSTEM\CurrentControlSet\Services can be leveraged to run processes at every boot without user interaction. If some helper file is specified here, or even the malware itself, it can monitor different folders and registry settings to remain persistent.