Scheduled Tasks and Event Logs - nurit-cyber/OperatingSystemForensics GitHub Wiki
Scheduled Tasks
Location: Windows\System32\Tasks\ as XML files.
Each file records the command the task runs, its trigger (e.g. a LogonTrigger), when the task was created, and other metadata.
The files are controlled by the Task Scheduler, so only accounts with system privileges can access them; however, users with such privileges can modify them easily. There is currently no easy way to verify the integrity of these files.
Just as users legitimately schedule many automated tasks, malware often registers itself as a scheduled task in order to autostart.
For example, if a malicious actor wants a backdoor on a system, the malware may be set to execute at every user logon.
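The XML layout described above can be parsed offline from a copied Tasks\ directory. The following is an added example (not code from the wiki or from Windows) that reads one task file and pulls out the fields an examiner looks at first: author, registration date, trigger types, the account the task runs as, and the command it executes. The task name, author, path and command in the sample are constructed, and the triage rules in triage_flags are this example's own heuristics.

```python
"""Parse a Windows Task Scheduler XML file (Windows\\System32\\Tasks\\<name>)
and summarise the forensically relevant fields."""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definition files.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample in the shape of a real task file; task files on disk are
# UTF-16 encoded, which is why parse_task() takes bytes.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2023-05-04T09:12:33</Date>
    <Author>EXAMPLE\\alice</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2023-05-04T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\updater.exe</Command>
      <Arguments>--silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def parse_task(data: bytes) -> dict:
    """Return the key fields of one task file as a dict."""
    root = ET.fromstring(data)
    reg = root.find("t:RegistrationInfo", NS)
    triggers = root.find("t:Triggers", NS)
    principal = root.find("t:Principals/t:Principal", NS)
    exec_action = root.find("t:Actions/t:Exec", NS)

    def text(parent, path):
        el = parent.find(path, NS) if parent is not None else None
        return el.text.strip() if el is not None and el.text else None

    # Trigger element names (LogonTrigger, BootTrigger, CalendarTrigger, ...)
    # without the namespace prefix.
    trigger_names = [child.tag.split("}", 1)[1] for child in triggers] if triggers is not None else []

    return {
        "author": text(reg, "t:Author"),
        "created": text(reg, "t:Date"),
        "triggers": trigger_names,
        "run_as": text(principal, "t:UserId"),
        "run_level": text(principal, "t:RunLevel"),
        "command": text(exec_action, "t:Command"),
        "arguments": text(exec_action, "t:Arguments"),
    }


def triage_flags(task: dict) -> list:
    """Example heuristics for a first-pass review of a parsed task (this
    example's own rules, not an official list)."""
    flags = []
    cmd = (task["command"] or "").lower()
    if "LogonTrigger" in task["triggers"] or "BootTrigger" in task["triggers"]:
        flags.append("autostart trigger")
    if task["run_as"] == "S-1-5-18":  # well-known SID of LocalSystem
        flags.append("runs as SYSTEM")
    if cmd and not (cmd.startswith("c:\\windows\\") or cmd.startswith("c:\\program files")):
        flags.append("command outside Windows/Program Files")
    return flags


if __name__ == "__main__":
    task = parse_task(SAMPLE_TASK_XML.encode("utf-16"))
    for key, value in task.items():
        print(f"{key:10} {value}")
    print("flags:", triage_flags(task))
```

To run this against a real image, replace the sample with `open(path, "rb").read()` for each file under the copied Tasks\ directory; the parser is encoding-agnostic because the XML declaration and byte-order mark tell the parser how to decode the file.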
Commands
schtasks can list, create, edit, and delete tasks. Run without arguments, schtasks lists all of the scheduled tasks:
schtasks
schtasks /Create
Before Windows 10, the at command could schedule commands and programs to run on a computer at a specified time and date. These tasks are also stored in System32\Tasks\. Tasks created with at are scheduled for one-time use.
at 15:57 notepad.exe
at
Task Scheduler
GUI that can create, edit, and delete scheduled tasks. To test a created task, right-click it and select "Run".
Windows Event Logs
Location:
- Windows NT, 2K, XP: Windows\System32\config as .EVT files (the format was changed because there was no easy way to verify the integrity of these files)
- Vista+: Windows\System32\winevt\Logs as .EVTX files
The default types for Windows Event Logs are System, Security, and Application.
- Source: The component that generated the logged event
- Event ID: Every event has a unique identifier per system
- Level: Information (SQL Server starts), Error (SQL Server couldn't start because X), Warning (SQL Server started, but only 10% of room is left on the drive)
- User: who was behind the event (user and/or system)
- Created Time: When the event was created (UTC)
- Logged Time: When the event was logged (UTC); there may be a difference between the created and logged times, and the created time should come first. Real-time logging is rare on client systems.
- Computer Name: Host of the event
- Description: Details of the event and why it matters
Commands
Exporting from a live machine
wevtutil epl [LOGNAME] [EXPORT-FILENAME]
To list all logs available on a live machine
wevtutil el
Logon Types
When analyzing a system it is important to establish who logged on and how (the logon type).
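The event fields listed above, and the logon type mentioned here, can both be read from records exported with `wevtutil qe <log> /f:xml`, which writes a bare sequence of `<Event>` elements. The following is an added example (not code from the wiki or from Microsoft) that parses such output, maps each record to the listed fields, and summarises Security event 4624 logons by account and logon type. The two sample records, the host name, user, IP address and record IDs are constructed; the Level and LogonType code tables are the documented Windows values.

```python
"""Parse `wevtutil qe <log> /f:xml` output and summarise the records."""
import xml.etree.ElementTree as ET

# Namespace of Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# <Level> values as recorded in EVTX.
LEVELS = {0: "Information", 1: "Critical", 2: "Error", 3: "Warning",
          4: "Information", 5: "Verbose"}

# LogonType codes in Security event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample: one Security logon and one System error, in the shape
# wevtutil emits (no enclosing root element).
SAMPLE_EVENTS_XML = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Level>0</Level>
    <TimeCreated SystemTime="2023-05-04T09:12:33.123456700Z"/>
    <EventRecordID>12345</EventRecordID>
    <Channel>Security</Channel>
    <Computer>WS01.example.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>7000</EventID>
    <Level>2</Level>
    <TimeCreated SystemTime="2023-05-04T09:15:01.000000000Z"/>
    <EventRecordID>98</EventRecordID>
    <Channel>System</Channel>
    <Computer>WS01.example.local</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <EventData>
    <Data Name="param1">ExampleSvc</Data>
  </EventData>
</Event>
"""


def parse_events(xml_text: str) -> list:
    """Return one dict per <Event> with the fields listed in the wiki."""
    # Wrap the bare sequence of events in a root so it is well-formed XML.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    records = []
    for ev in root.findall("e:Event", NS):
        sysel = ev.find("e:System", NS)
        security = sysel.find("e:Security", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        records.append({
            "source": sysel.find("e:Provider", NS).get("Name"),
            "event_id": int(sysel.findtext("e:EventID", namespaces=NS)),
            "level": LEVELS.get(int(sysel.findtext("e:Level", namespaces=NS)), "Unknown"),
            "user": security.get("UserID") if security is not None else None,
            "time_created": sysel.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": sysel.findtext("e:Computer", namespaces=NS),
            "record_id": int(sysel.findtext("e:EventRecordID", namespaces=NS)),
            "channel": sysel.findtext("e:Channel", namespaces=NS),
            "data": data,
        })
    return records


def summarize_logons(records: list) -> list:
    """Return (account, logon type name, source address) for each 4624 record."""
    out = []
    for r in records:
        if r["channel"] == "Security" and r["event_id"] == 4624:
            d = r["data"]
            account = f"{d.get('TargetDomainName', '')}\\{d.get('TargetUserName', '')}"
            logon_type = LOGON_TYPES.get(int(d.get("LogonType", -1)), "Unknown")
            out.append((account, logon_type, d.get("IpAddress", "-")))
    return out


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS_XML)
    for r in events:
        print(r["time_created"], r["computer"], r["source"], r["event_id"], r["level"])
    print("logons:", summarize_logons(events))
```

On a real export, pass the file contents (decoded from the encoding wevtutil used) to parse_events; the logon summary is what the "who and how" question above needs, since the LogonType field distinguishes, for example, a console logon from a remote desktop or network logon.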
Important Security Event IDs
Refer to Microsoft Security Event IDs
Forensic Relevance
These files are important because almost every action in Windows is logged, from crash messages and errors to start and stop times.
Logon and logoff times are especially important, along with security token assignments.