Scheduled Tasks

Scheduled tasks allow programs to be executed once or on a regular schedule. This is very helpful for administrators, and attackers take advantage of it just as readily; for example, the trigger created by the attacker can be seen in the image below. An incident responder who stops an existing scheduled program or service may not realize that the attackers continue to leak data through a newly created scheduled task. Once the investigation is closed, the attackers may remain in the system until a new investigation is opened or the leak is noticed.

Screenshot 1: Scheduled Task Activated

In this context, scheduled tasks are among the first places where cybercriminals leave their traces. Sometimes it is not enough for the examiner to detect and terminate a piece of malware: a malicious trigger registered as a scheduled task can bring the intruder back.

Windows systems offer a great deal of functionality, including executing tasks on a user-specified schedule. These are called scheduled tasks. They can be managed from the command line with the Schtasks.exe tool or through the Scheduled Task Wizard.

Screenshot 2: Detection of Scheduled Task from Command Line

In Windows 10, .job files are stored in XML format in the \Windows\System32\Tasks folder and its subfolders (these are the files exposed through the Windows 10 API), and they can be read in a text editor such as Notepad. For example, if you install iTunes or another Apple product, you will most likely see the file "AppleSoftwareUpdate.job" in the "C:\Windows\Tasks" directory on your system.

However, the existence of a scheduled task cannot always be directly attributed to the user who created it, because tasks can also be created programmatically through the appropriate API calls (and remotely, given suitable credentials). The presence of a scheduled task may therefore stem from a software installation or, in some cases, from a malware infection or compromise.

Windows requires the user context to have administrator-level access in order to create a scheduled task. When the task runs, however, it does so with system-level privileges. This is very useful for an administrator who temporarily needs system-level privileges: the administrator can create a scheduled task that launches the command prompt (e.g. cmd.exe), and when the prompt appears, the commands entered in it run with the privileges the task was given. The same feature is valuable to an analyst, because scheduled tasks are used as a persistence mechanism for malware: a scheduled task can start Trojans, backdoors, or legitimate remote access services that let intruders back into the system.

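As an added example (not part of the original article), the following Python parses a task definition file of the kind stored under \Windows\System32\Tasks and pulls out the fields discussed above: who registered the task, which principal and run level it executes under, its triggers, and the command it launches. The sample task XML is constructed for illustration, and the triage heuristics (SYSTEM principal, hidden flag, user-writable paths, missing Author) are assumptions added here, not anything the article prescribes.

```python
import re
import xml.etree.ElementTree as ET
# Namespace of the task XML files stored under \Windows\System32\Tasks
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic list of user-writable locations (an assumption for triage, not a Windows constant)
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")

def load_task_xml(data: bytes) -> str:
    # Task files are UTF-16 with a BOM on disk; ET rejects a str that still carries a UTF-16 declaration
    text = data.decode("utf-16") if data.startswith((b"\xff\xfe", b"\xfe\xff")) else data.decode("utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text)

def parse_task_xml(xml_text: str) -> dict:
    """Pull the fields an examiner wants out of one task definition."""
    root = ET.fromstring(xml_text)
    get = lambda path: (root.findtext(path, default="", namespaces=NS) or "").strip()
    trig = root.find("t:Triggers", NS)  # children are e.g. CalendarTrigger, LogonTrigger, BootTrigger
    return {
        "author": get("t:RegistrationInfo/t:Author"),
        "date": get("t:RegistrationInfo/t:Date"),
        "uri": get("t:RegistrationInfo/t:URI"),
        "user_id": get("t:Principals/t:Principal/t:UserId"),
        "run_level": get("t:Principals/t:Principal/t:RunLevel"),
        "hidden": get("t:Settings/t:Hidden").lower() == "true",
        "triggers": [] if trig is None else [c.tag.split("}")[-1] for c in trig],
        "command": get("t:Actions/t:Exec/t:Command"),
        "arguments": get("t:Actions/t:Exec/t:Arguments"),
    }

def triage_flags(task: dict) -> list:
    """Heuristics that mark a task for closer review; none proves malice by itself."""
    flags = []
    cmd = (task["command"] + " " + task["arguments"]).lower()
    if task["user_id"] == "S-1-5-18" or task["run_level"] == "HighestAvailable":  # S-1-5-18 is LocalSystem
        flags.append("runs as SYSTEM or with highest available privileges")
    if task["hidden"]:
        flags.append("hidden from the Task Scheduler UI")
    if any(p in cmd for p in USER_WRITABLE):
        flags.append("executes from a user-writable location")
    if not task["author"]:
        flags.append("no Author recorded, cannot be tied to an interactive user")
    return flags

# Constructed sample (not from a real system), encoded as Windows writes task files to disk
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2021-03-04T10:15:00</Date><Author>LAB\\admin</Author><URI>\\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals><Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\svc.exe</Command><Arguments>/quiet</Arguments></Exec></Actions>
</Task>""".encode("utf-16")
```

Running `triage_flags(parse_task_xml(load_task_xml(SAMPLE_TASK)))` on the constructed sample returns three flags; on a real image, feed the function the bytes of each file under a copied Tasks tree and review the flagged ones against the SchedLgU.txt entries.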
Windows 10 comes with a number of scheduled tasks pre-installed; for example, the RegIdleBackup task backs up the Registry (to the \Windows\System32\config\RegBack folder) every 10 days, and limited defragmentation is scheduled once a week. These tasks can be viewed on a live Windows 10 system through the Task Scheduler control panel applet (available under Administrative Tools).

Another useful piece of information for the analyst is the scheduled tasks log file named "SchedLgU.txt". This file is 32 kilobytes (KB) in size by default and is located in the \Windows\Tasks directory on Windows. It simply records that the Task Scheduler service was started or exited at a specific date and time. You can also perform these checks using the graphical interface of the Task Scheduler program.

This log also records the various tasks that were executed, along with their exit codes. In some cases there are indications of tasks associated with the intrusion that are confirmed by an external data source (e.g. network traffic). In such cases the task was created from a remote system using the compromised domain administrator credentials, and the examiner can find signs that the task was deleted once it had completed.
