Scheduled Tasks
Scheduled Tasks are one of the most commonly abused persistence mechanisms in modern intrusions. Attackers use them to ensure their malware survives reboots, re-executes at regular intervals and runs under privileged accounts. From a forensic perspective, the Task Scheduler infrastructure leaves multiple layered artifacts on disk and in the registry that can survive even after the task itself has been deleted.
Imagine setting a recurring alarm on your phone that automatically calls a specific number every 30 minutes. Scheduled Tasks work exactly like that alarm. Attackers use them to tell the computer to automatically run malware every time it starts up or every ten minutes. Even after deleting the alarm, digital traces of its existence are left behind in hidden system files.
General
The Windows Task Scheduler (the Schedule service, hosted in svchost.exe) stores each task definition as an XML file under C:\Windows\System32\Tasks\ and mirrors its registration data in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\. Each task XML file defines the task's triggers, actions and execution context in a human-readable format. The registry keys additionally hold binary task metadata that persists even when the XML file has been manually deleted. The Task Scheduler operational event log (Microsoft-Windows-TaskScheduler/Operational.evtx), when enabled (it is off by default on many Windows builds), records every task creation, modification, trigger and execution event, providing a comprehensive audit trail.
Traces
Parsing Scheduled Task artifacts across all three data sources reveals:
- Task Name and Path: The configured name and the folder hierarchy it was registered under.
- Action Command: The exact executable path and arguments the task runs.
- Trigger Definition: When the task fires — at startup, at logon, on a recurring schedule or on a specific system event.
- Run-As Account: The user or SYSTEM account context the task executes under.
- Last Run Time and Result: The timestamp of the most recent execution and its exit code.
- and more.
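To show how the fields above are pulled out of an on-disk task definition, here is an added example (not code from the original page or from any product it describes) that parses a task XML with Python's standard library and applies a few triage heuristics a defender would run over every recovered task. The XML below is constructed to resemble an attacker task disguised as a Windows component; the path prefixes treated as "user-writable" and the author heuristic are assumptions for illustration.

```python
"""Parse a Task Scheduler task XML (the format stored under
C:\\Windows\\System32\\Tasks\\) into analyst-relevant fields and
flag common persistence red flags.  Added example with constructed data."""
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler 2.0 task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: name mimics a Windows component, fires at logon and
# every 10 minutes, runs as SYSTEM (S-1-5-18) from a user-writable folder.
SAMPLE_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>CORP\\jdoe</Author>
    <URI>\\Microsoft\\Windows\\WindowsUpdateSvc</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <StartBoundary>2024-01-15T08:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\update.exe</Command>
      <Arguments>-s</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Assumed set of locations an unprivileged user can write to (heuristic).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\",
                          "c:\\windows\\temp\\", "c:\\temp\\")


def parse_task(xml_text: str) -> dict:
    """Return task name/path, run-as account, triggers and action commands."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    # Each child of <Triggers> is one trigger type; include the repeat
    # interval when the trigger re-fires on a schedule.
    triggers = []
    trig = root.find("t:Triggers", NS)
    if trig is not None:
        for child in trig:
            kind = child.tag.split("}")[-1]          # strip namespace
            interval = child.find("t:Repetition/t:Interval", NS)
            triggers.append(kind + (f" every {interval.text}" if interval is not None else ""))

    # <Exec> actions carry the command line the task actually runs.
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd + " " + args).strip())

    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "author": text("t:RegistrationInfo/t:Author"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden") == "true",
        "triggers": triggers,
        "actions": actions,
    }


def triage(task: dict) -> list:
    """Heuristic red flags an analyst would review first (assumed rules)."""
    findings = []
    if task["run_as"] == "S-1-5-18" and any(
            a.lower().startswith(USER_WRITABLE_PREFIXES) for a in task["actions"]):
        findings.append("runs as SYSTEM from a user-writable path")
    if task["hidden"]:
        findings.append("task is hidden from the Task Scheduler UI")
    # Microsoft's own tasks are not authored by a DOMAIN\user account.
    if (task["uri"] or "").lower().startswith("\\microsoft\\windows\\") \
            and "\\" in (task["author"] or ""):
        findings.append("registered under \\Microsoft\\Windows\\ by a user account")
    return findings


def load_task_file(path: str) -> dict:
    """Real task files on disk are UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_task(fh.read())


if __name__ == "__main__":
    parsed = parse_task(SAMPLE_TASK_XML)
    for key, value in parsed.items():
        print(f"{key:10}: {value}")
    print("findings  :", triage(parsed))
```

Run it against a directory of recovered task files by pointing `load_task_file` at each one; the triage rules are a starting point, not a verdict, and every flagged task still needs the registry and event-log sides checked against the XML.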
Forensic Use Cases
We investigate Scheduled Tasks to establish how persistence was achieved and to uncover long-running attacker dwell time:
- Persistence Detection: Identifying attacker-created tasks disguised as legitimate Windows services that re-execute malware on every boot.
- Command Execution: Recovering deleted task XML to reconstruct the exact command line an attacker ran on a compromised host.
- Privilege Escalation: Finding tasks configured to run as SYSTEM that execute attacker-controlled binaries.
- Lateral Movement: Tracking tasks registered remotely on a victim machine, surfaced by Security Event ID 4698 (a scheduled task was created) when the creating logon came from a different source host.
- and more.
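The persistence and dwell-time use cases above rely on the operational event log outliving the task itself. The following added example (not from the original page) reconstructs each task's lifecycle from exported Microsoft-Windows-TaskScheduler/Operational records: registration (106), updates (140), action start and completion (200/201) and deletion (141). The records are constructed for illustration and assumed to have been exported to simple dictionaries whose keys mirror the log's EventData names; a real export would come from an EVTX parser.

```python
"""Rebuild task lifecycles and dwell time from Task Scheduler operational
log events.  Added example; event records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs in Microsoft-Windows-TaskScheduler/Operational.
TASK_REGISTERED = 106
TASK_UPDATED = 140
TASK_DELETED = 141
ACTION_STARTED = 200
ACTION_COMPLETED = 201

EVIL = "\\Microsoft\\Windows\\WindowsUpdateSvc"      # constructed attacker task
GOOD = "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"  # constructed benign task

# Constructed export: the attacker task is registered, runs twice and is
# deleted two days later; the benign task is registered and runs once.
SAMPLE_EVENTS = [
    {"time": "2024-01-15T08:02:11", "id": 106, "task": EVIL, "user": "CORP\\jdoe"},
    {"time": "2024-01-15T08:10:00", "id": 200, "task": EVIL, "action": "C:\\Users\\Public\\update.exe"},
    {"time": "2024-01-15T08:10:03", "id": 201, "task": EVIL, "result": "0"},
    {"time": "2024-01-14T03:00:00", "id": 106, "task": GOOD, "user": "SYSTEM"},
    {"time": "2024-01-16T03:00:00", "id": 200, "task": GOOD, "action": "%windir%\\system32\\defrag.exe"},
    {"time": "2024-01-16T03:04:12", "id": 201, "task": GOOD, "result": "0"},
    {"time": "2024-01-17T09:00:00", "id": 200, "task": EVIL, "action": "C:\\Users\\Public\\update.exe"},
    {"time": "2024-01-17T09:00:02", "id": 201, "task": EVIL, "result": "0"},
    {"time": "2024-01-17T17:45:30", "id": 141, "task": EVIL, "user": "CORP\\jdoe"},
]


def _new_record():
    return {"registered": None, "registered_by": None, "updates": 0,
            "runs": 0, "last_run": None, "last_result": None,
            "action": None, "deleted": None}


def reconstruct_lifecycles(events: list) -> dict:
    """Fold the event stream into one record per task name."""
    by_task = defaultdict(_new_record)
    for ev in sorted(events, key=lambda e: e["time"]):   # logs are not always ordered
        rec = by_task[ev["task"]]
        if ev["id"] == TASK_REGISTERED:
            rec["registered"] = ev["time"]
            rec["registered_by"] = ev.get("user")
        elif ev["id"] == TASK_UPDATED:
            rec["updates"] += 1
        elif ev["id"] == ACTION_STARTED:
            rec["runs"] += 1
            rec["last_run"] = ev["time"]
            rec["action"] = ev.get("action")
        elif ev["id"] == ACTION_COMPLETED:
            rec["last_result"] = ev.get("result")
        elif ev["id"] == TASK_DELETED:
            rec["deleted"] = ev["time"]
    return dict(by_task)


def dwell_time(rec: dict):
    """Time from registration to deletion (or to the last run if never deleted)."""
    if not rec["registered"]:
        return None
    start = datetime.fromisoformat(rec["registered"])
    end = datetime.fromisoformat(rec["deleted"] or rec["last_run"] or rec["registered"])
    return end - start


def deleted_tasks(lifecycles: dict) -> list:
    """Tasks that no longer exist on disk but are still proven by the log."""
    return [name for name, rec in lifecycles.items() if rec["deleted"]]


if __name__ == "__main__":
    life = reconstruct_lifecycles(SAMPLE_EVENTS)
    for name, rec in life.items():
        print(f"{name}: registered {rec['registered']} by {rec['registered_by']}, "
              f"{rec['runs']} run(s), action={rec['action']}, deleted={rec['deleted']}, "
              f"dwell={dwell_time(rec)}")
    print("deleted tasks:", deleted_tasks(life))
```

Cross-check any task this reports as deleted against the TaskCache registry keys: a Tasks\{GUID} entry whose XML file is missing corroborates the 141 event, and the recovered action command from the 200 events gives the command line even when the XML itself is gone.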