Windows Scheduled Tasks Event Logs: Forensic Analysis and Detection
Scheduled tasks are a core feature of Windows that automate repetitive jobs. However, attackers frequently abuse this feature to establish persistence, execute malicious code, or maintain control over compromised systems. This lesson provides a detailed guide to analyzing the event logs related to scheduled tasks and explains their forensic significance.
Key Event IDs for Scheduled Tasks Analysis
1. Security Logs
These logs provide insights into the creation, modification, and deletion of scheduled tasks.
Event ID 4698: Task Created
Details: Logs the creation of a new scheduled task, including:
Task Name
Author
Trigger Time
Commands to be Executed
Use Case:
Detect malicious task creation as a persistence mechanism.
Example: Tasks that execute PowerShell scripts or unusual binaries.
Event ID 4699: Task Deleted
Details: Logs when a task is deleted, including the task name and deletion time.
Use Case:
Identify task cleanup activities by attackers to hide traces.
Event ID 4702: Task Updated
Details: Captures modifications to existing tasks, such as:
New Schedules
Updated Commands
Task Name
Use Case:
Detect tampering with legitimate tasks to introduce malicious behavior.
2. Application and Services Logs (Task Scheduler)
These logs supplement the security logs, providing additional visibility into task operations.
Event ID 106: Task Registered
Details: Logs the registration of a new task, capturing only the task name.
Use Case:
Useful when Security Logs (4698) are unavailable or incomplete.
Event ID 140: Task Updated
Details: Logs updates to an existing task, including the task name.
Use Case:
Complementary to Event ID 4702 for tracking task modifications.
Event ID 141: Task Deleted
Details: Logs the deletion of a task, recording the task name and deletion time.
Use Case:
Helpful when Security Logs (4699) are unavailable.
Event ID 201: Task Action Completed
Details: Logs the exact command executed by a scheduled task.
Use Case:
Investigate the payload executed, even if the task was subsequently deleted.
Attack Scenarios Involving Scheduled Tasks
1. Persistence via Scheduled Tasks
Scenario: An attacker creates a task with a legitimate-sounding name (e.g., "Windows Update") to execute a malicious script.
Indicators:
Event ID 4698: Task creation with suspicious commands (e.g., PowerShell scripts, unusual executables).
2. Task Modification
Scenario: An attacker modifies an existing task to execute a malicious payload while keeping it under the guise of legitimate operations.
Indicators:
Event ID 4702: Logs the modified commands or schedules.
Event ID 140: Records task updates.
3. Cleanup Operations
Scenario: After achieving their objective, the attacker deletes the task to cover their tracks.
Indicators:
Event IDs 4699 and 141: Task deletion logs.
Event ID 201: Logs the executed command, preserving evidence even after deletion.
Recommendations for Effective Monitoring
Enable Advanced Security Logging
Ensure task-related events (4698, 4699, 4702) are enabled via Group Policy (GPO) for comprehensive visibility.
Regular Log Review
Focus on tasks created/modified by unauthorized users or containing suspicious commands.
Correlate Logs Across Categories
Use both Security Logs and Task Scheduler Logs to gain a holistic view of task-related activities.
Implement Alerting and Automation
Set up alerts for suspicious task creation or modification using a SIEM solution.
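As an added example that is not part of this lesson, the Python script below parses a Security event 4698 (the same layout applies to 4702) exported as XML, pulls the task name, registering user, author, triggers and action out of the nested TaskContent XML, and flags the interpreter and argument patterns described in the attack scenarios above. The event, user, task name and encoded argument are constructed values, and the suspect-pattern lists are assumptions to be tuned per environment.

```python
"""Parse a Security 4698/4702 event and triage the scheduled task it describes."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SEC_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed task definition as Task Scheduler embeds it in TaskContent; all values are made up.
TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<RegistrationInfo><Author>CORP\\alice</Author></RegistrationInfo>"
    "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
    '<Actions Context="Author"><Exec><Command>powershell.exe</Command>'
    "<Arguments>-nop -w hidden -enc SQBFAFgA</Arguments></Exec></Actions></Task>"
)
SAMPLE_4698 = (  # constructed Security event in the XML shape wevtutil /f:xml exports
    f'<Event xmlns="{SEC_NS}"><System><EventID>4698</EventID></System><EventData>'
    '<Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">CORP</Data>'
    '<Data Name="TaskName">\\Windows Update</Data>'
    f'<Data Name="TaskContent">{escape(TASK_XML)}</Data></EventData></Event>'
)

# Assumed starting lists: interpreters/LOLBins and argument fragments worth an analyst's attention.
SUSPECT_COMMANDS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
SUSPECT_ARGS = ("-enc", "hidden", "bypass", "downloadstring", "iex", "\\temp\\", "\\appdata\\")

def _text(root, name):
    """Text of the first element whose namespace-stripped tag is `name`, else ''."""
    return next((el.text or "" for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name), "")

def parse_task_event(event_xml):
    """Extract the fields an investigator wants from a 4698 (created) or 4702 (updated) event."""
    ev = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{{{SEC_NS}}}Data")}
    task = ET.fromstring(data["TaskContent"])  # nested task XML; the outer parser already unescaped it
    return {"event_id": int(_text(ev, "EventID")), "task_name": data["TaskName"],
            "subject": f'{data["SubjectDomainName"]}\\{data["SubjectUserName"]}',
            "author": _text(task, "Author"),
            "triggers": [t.tag.rsplit("}", 1)[-1] for t in task.iter() if t.tag.endswith("Trigger")],
            "command": _text(task, "Command"), "arguments": _text(task, "Arguments")}

def suspicious_reasons(rec):
    """Why a parsed task record deserves a closer look; an empty list means nothing matched."""
    cmd, args = rec["command"].lower(), rec["arguments"].lower()
    reasons = [f"command {rec['command']!r}"] if any(c in cmd for c in SUSPECT_COMMANDS) else []
    reasons += [f"argument contains {a!r}" for a in SUSPECT_ARGS if a in args]
    return reasons

if __name__ == "__main__":
    record = parse_task_event(SAMPLE_4698)
    print(record, suspicious_reasons(record), sep="\n")
```

The same parser applies to 4702 records, whose TaskContent holds the task definition after modification, so the reasons it returns can feed the SIEM alert described above.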
Key points
Scheduled task logs are a goldmine for detecting attacker persistence and malicious operations. By focusing on key event IDs such as 4698, 4699, 4702, and their counterparts in Task Scheduler logs, forensic analysts can effectively uncover and investigate suspicious activities.