Skip to content

Commit

Permalink
Merge pull request #976 from reece394/master
Browse files Browse the repository at this point in the history
Add PowerShell Scheduled_Jobs
  • Loading branch information
AndrewRathbun authored Oct 8, 2024
2 parents 8a49470 + 2e47a3b commit ad2180c
Showing 1 changed file with 35 additions and 2 deletions.
37 changes: 35 additions & 2 deletions Targets/Windows/ScheduledTasks.tkape
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
Description: Scheduled tasks (*.job and XML)
Author: Eric Zimmerman
Version: 1.1
Author: Eric Zimmerman, Reece394
Version: 1.2
Id: e5dc4367-2e6b-49bf-a90a-d4c1598bbe28
RecreateDirectories: true
Targets:
Expand Down Expand Up @@ -39,10 +39,43 @@ Targets:
Category: Persistence
Path: C:\Windows.old\Windows\System32\Tasks\
Recursive: true
-
Name: PowerShell Scheduled_Jobs
Category: Persistence
Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\
Recursive: true
-
Name: PowerShell Scheduled_Jobs Output
Category: Persistence
Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\
Recursive: true
-
Name: PowerShell Scheduled_Jobs Systemprofile
Category: Persistence
Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\
Recursive: true
-
Name: PowerShell Scheduled_Jobs Output Systemprofile
Category: Persistence
Path: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\
Recursive: true
-
Name: PowerShell Scheduled_Jobs WOW64 Systemprofile
Category: Persistence
Path: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\
Recursive: true
-
Name: PowerShell Scheduled_Jobs Output WOW64 Systemprofile
Category: Persistence
Path: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\Output\*\
Recursive: true

# Documentation
# http://windowsir.blogspot.com/2009/09/parsing-job-files.html
# https://www.sans.org/blog/windows-scheduler-at-job-forensics
# https://forensicswiki.xyz/wiki/index.php?title=Windows_Job_File_Format
# https://www.forensafe.com/blogs/taskschd.html
# https://stmxcsr.com/persistence/scheduled-tasks.html
# https://www.cybertriage.com/blog/windows-scheduled-tasks-for-dfir-investigations/
# https://learn.microsoft.com/en-us/powershell/module/psscheduledjob/about/about_scheduled_jobs
# https://learn.microsoft.com/en-us/powershell/module/psscheduledjob/about/about_scheduled_jobs_troubleshooting

0 comments on commit ad2180c

Please sign in to comment.