-
Notifications
You must be signed in to change notification settings - Fork 201
/
Copy pathScheduledTasks.tkape
81 lines (80 loc) · 2.93 KB
/
ScheduledTasks.tkape
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
Description: Scheduled tasks (*.job and XML)
Author: Eric Zimmerman, Reece394
Version: 1.2
Id: e5dc4367-2e6b-49bf-a90a-d4c1598bbe28
RecreateDirectories: true
Targets:
-
Name: at .job
Category: Persistence
Path: C:\Windows\Tasks\
FileMask: '*.job'
-
Name: at .job
Category: Persistence
Path: C:\Windows.old\Windows\Tasks\
FileMask: '*.job'
-
Name: at SchedLgU.txt
Category: Persistence
Path: C:\Windows\
FileMask: SchedLgU.txt
-
Name: at SchedLgU.txt
Category: Persistence
Path: C:\Windows.old\Windows\
FileMask: SchedLgU.txt
-
Name: XML
Category: Persistence
Path: C:\Windows\System32\Tasks\
Recursive: true
-
Name: XML
Category: Persistence
Path: C:\Windows\syswow64\Tasks\
Recursive: true
-
Name: XML
Category: Persistence
Path: C:\Windows.old\Windows\System32\Tasks\
Recursive: true
-
Name: PowerShell Scheduled_Jobs
Category: Persistence
Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\
Recursive: true
-
Name: PowerShell Scheduled_Jobs Output
Category: Persistence
Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\
Recursive: true
-
Name: PowerShell Scheduled_Jobs Systemprofile
Category: Persistence
Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\
Recursive: true
-
Name: PowerShell Scheduled_Jobs Output Systemprofile
Category: Persistence
Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\
Recursive: true
-
Name: PowerShell Scheduled_Jobs WOW64 Systemprofile
Category: Persistence
Path: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\
Recursive: true
-
Name: PowerShell Scheduled_Jobs Output WOW64 Systemprofile
Category: Persistence
Path: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\
Recursive: true
# Documentation
# http://windowsir.blogspot.com/2009/09/parsing-job-files.html
# https://www.sans.org/blog/windows-scheduler-at-job-forensics
# https://forensicswiki.xyz/wiki/index.php?title=Windows_Job_File_Format
# https://www.forensafe.com/blogs/taskschd.html
# https://stmxcsr.com/persistence/scheduled-tasks.html
# https://www.cybertriage.com/blog/windows-scheduled-tasks-for-dfir-investigations/
# https://learn.microsoft.com/en-us/powershell/module/psscheduledjob/about/about_scheduled_jobs
# https://learn.microsoft.com/en-us/powershell/module/psscheduledjob/about/about_scheduled_jobs_troubleshooting