Objective

For the restless, please jump directly to The Solution


Background

Scheduled Tasks have long been a hot favorite for maintaining persistence on a compromised host, among advanced adversaries and low-grade pesky malware alike.

For more details on this mechanism, see Scheduled Task/Job, Technique T1053 - Enterprise | MITRE ATT&CK®.

Microsoft Windows stores information about Scheduled Tasks in %WINDIR%\System32\Tasks (i.e. C:\Windows\System32\Tasks). Each task has a unique, extensionless XML file associated with it.

With the creation of every scheduled task, two registry subkeys containing the task information get created: one under the Tree path and the other under the Tasks path.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

On Live Machine - Easy to List/Export!

To fetch a list of Scheduled Tasks on a machine, the simplest way is to use the built-in schtasks command:

schtasks /query /fo CSV /v >> Scheduled_Tasks.csv


From a Disk/Triage Image - A Challenge!

To investigate Scheduled Task activity, we generally resort to Windows Event IDs, particularly the Security Event Log, which is often rendered useless because the relevant events have already rotated out. The other log, Microsoft-Windows-TaskScheduler/Operational, only provides superficial information about task execution status.

Seasoned Incident Responders/Digital Forensic Examiners can back me on this. Suppose all you have is a targeted triage image containing all your favorite artifacts. You unleash your open-source tools to parse each one of them individually, or all at once using KAPE or a commercial product.

But what about the whopping number of Scheduled Task XML files? If you don't know what you're looking for, it's a time-consuming process to check every Task XML file for suspicious content. Log2Timeline has a winjob parser, but it only handles Windows Scheduled Task job (or at-job) files.
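As an added example (not the author's solution or any tool's code), a Python script that walks a Tasks folder exported from a triage image and flattens each extensionless task XML file into the fields worth reviewing: author, principal, run level, trigger types and the actual command lines. The namespace URI is the standard Task Scheduler one; the sample task file, its path and the interpreter watch-list are constructed assumptions.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Every Task Scheduler 2.0 file under %WINDIR%\System32\Tasks uses this namespace
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Script interpreters / LOLBins whose presence in an action deserves a closer look (assumed list)
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample (not from a real host) in the same schema as the on-disk task files
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\jdoe</Author><Date>2023-05-01T10:00:00</Date></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command><Arguments>-w hidden -File C:\\Users\\Public\\u.ps1</Arguments></Exec></Actions>
</Task>"""

def _text(node, xpath):
    found = node.find(xpath, NS)
    return (found.text or "").strip() if found is not None else ""

def parse_task_file(path: Path, tasks_root: Path) -> dict:
    """Flatten one extensionless task XML file into the fields a triage review needs."""
    root = ET.parse(path).getroot()  # expat honours the UTF-16 BOM the real files carry
    execs = root.findall("t:Actions/t:Exec", NS)
    cmds = [_text(e, "t:Command") for e in execs]
    return {
        "task": "\\" + str(path.relative_to(tasks_root)).replace("/", "\\"),  # schtasks-style task name
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": _text(root, "t:RegistrationInfo/t:Date"),
        "run_as": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        # trigger element names without the namespace, e.g. LogonTrigger, CalendarTrigger, BootTrigger
        "triggers": ";".join(t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", NS)),
        "actions": " | ".join(f"{c} {_text(e, 't:Arguments')}".strip() for c, e in zip(cmds, execs)),
        "interpreter": any(Path(c).name.lower() in INTERPRETERS for c in cmds),
    }

def parse_tasks_tree(tasks_root: Path) -> list:
    """Walk a Tasks folder exported from a triage image; the task files carry no extension."""
    return [parse_task_file(p, tasks_root) for p in sorted(tasks_root.rglob("*")) if p.is_file()]

def write_sample_tree(folder: Path = None) -> Path:
    """Write the constructed sample as UTF-16 with BOM, the way Windows stores task files."""
    folder = folder or Path(tempfile.mkdtemp())
    (folder / "Microsoft" / "Windows").mkdir(parents=True, exist_ok=True)
    (folder / "Microsoft" / "Windows" / "ExampleTask").write_text(SAMPLE_TASK_XML, encoding="utf-16")
    return folder
```

Point parse_tasks_tree at the exported Tasks folder and feed the rows to csv.DictWriter to get a sheet that can be sorted by author, run level or the interpreter flag.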

We need the good stuff,
