Task Scheduler

Scheduled Task Analysis in Incident Response

Scheduled tasks are a commonly abused persistence mechanism. Attackers use them to automate the execution of malicious scripts or commands at regular intervals, ensuring long-term access to a compromised system.

Detection Tools and Methods

1. Autoruns (Sysinternals Tool)

Purpose: Identify all auto-starting locations, including scheduled tasks, for persistence mechanisms.

Steps:

  1. Run Autoruns as Administrator.

  2. Navigate to the "Scheduled Tasks" tab:

    • Lists all tasks configured to run automatically.

  3. Filter Suspicious Tasks:

    • Focus on tasks without a publisher or those running from unusual locations.

  4. Analyze the Actions:

    • Example: A task named Update-Daily runs important.bat.

      • Inspection of important.bat reveals commands to create a new user (User123) and enable RDP, a clear indication of malicious activity.

2. Task Scheduler (GUI)

Purpose: Review scheduled tasks using the built-in Windows Task Scheduler.

Steps:

  1. Open Task Scheduler from the Start menu.

  2. Browse the Task Scheduler Library for all configured tasks.

  3. For each task:

    • Check the Action tab for the executable or script being triggered.

    • Look for suspicious file paths or unexpected scripts.

3. Command Line Interface (CLI)

Purpose: Analyze scheduled tasks in non-GUI environments or for quick queries.

Command:

schtasks /query /fo LIST /v

Output:

  • Task Name: Name of the scheduled task.

  • Task To Run: Path to the file or command being executed.

  • Next Run Time: When the task is scheduled to run next.

  • Status: Whether the task is enabled or disabled.

Manual Analysis:

  • Look for tasks with unusual names, commands, or locations.

  • Tasks executing from temporary or writable directories (e.g., C:\Users\Public, C:\Temp) warrant further investigation.

Analyzing Deleted or Hidden Tasks

Attackers often delete scheduled tasks after execution to avoid detection. However, these actions are logged, allowing forensic analysis even if the task no longer exists.

Log Sources:

  1. Task Scheduler Logs:

    • Path: Applications and Services Logs -> Microsoft -> Windows -> TaskScheduler -> Operational.evtx

  2. Security Logs:

    • Event ID 4698: A scheduled task was created.

    • Event ID 4702: A scheduled task was updated.

Steps for Log Analysis:

  1. Open Event Viewer.

  2. Navigate to TaskScheduler Operational Logs.

  3. Look for relevant Event IDs:

    • 4698: Creation of a scheduled task.

    • 4702: Modification of a scheduled task.

Example Analysis:

  • On 10/23/2021, a task was created that no longer exists in Task Scheduler.

  • Reviewing logs reveals the task executed malicious.exe, which was set to delete itself after execution.

Key Takeaways

  1. Scheduled Tasks as Persistence:

    • Used by attackers to maintain control, run malicious payloads, or gather system information periodically.

  2. Detection Tools:

    • Autoruns: Comprehensive visibility into auto-start mechanisms.

    • Task Scheduler GUI: Easy navigation and review.

    • schtasks: Quick CLI-based task enumeration.

  3. Deleted Tasks:

    • Even if attackers delete tasks, logs provide a historical view of task creation, updates, and execution.

What to Do:

  • Regular Analysis: Periodically review scheduled tasks.

  • Monitor Logs: Use Event Viewer to track task creation and modification.

  • Automate Checks: Integrate tools like Autoruns and centralized log monitoring (e.g., SIEM) to detect anomalies in scheduled tasks.

  • Investigate Suspicious Tasks: Focus on tasks executing from unusual directories or running unexpected commands.

By proactively identifying and analyzing scheduled tasks, incident responders can uncover hidden persistence mechanisms and remediate threats effectively.

PreviousLive Memory AnalysisNextServices

Last updated