`schedlgu`#

$ target-query <path/to/target> -f schedlgu

Details#
Module	`os.windows.log.schedlgu.SchedLgUPlugin`
Output	`records`

Module documentation

Plugin for parsing the Task Scheduler Service transaction log file (SchedLgU.txt).

Function documentation

Return all events in the Task Scheduler Service transaction log file (SchedLgU.txt).

Older Windows systems may log .job tasks that get started remotely in the SchedLgU.txt file. In addition, this log file records when the Task Scheduler service starts and stops.

Adversaries may use malicious .job files to gain persistence on a system.

Yield:: ts (datetime): The timestamp of the event. job (str): The name of the .job file. command (str): The command executed. status (str): The status of the event (finished, completed, exited, stopped). exit_code (int): The exit code of the event. version (str): The version of the Task Scheduler service.

schedlgu#

`schedlgu`#