schedlgu
$ target-query <path/to/target> -f schedlgu
Module documentation
Plugin for parsing the Task Scheduler Service transaction log file (SchedLgU.txt).
Function documentation
Return all events in the Task Scheduler Service transaction log file (SchedLgU.txt).
Older Windows systems may log .job tasks that get started remotely in the SchedLgU.txt file.
In addition, this log file records when the Task Scheduler service starts and stops.
Adversaries may use malicious .job files to gain persistence on a system.
Yields SchedLgURecord with fields:
ts (datetime): The timestamp of the event.
job (str): The name of the .job file.
command (str): The command executed.
status (str): The status of the event (finished, completed, exited, stopped).
exit_code (int): The exit code of the event.
version (str): The version of the Task Scheduler service.
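As an added example (not the plugin's own code), a minimal stand-alone parser for the SchedLgU.txt layout run on a constructed sample: a quoted header line naming either the service or a .job file (with the command in parentheses), an indented Started/Finished/Exited line carrying the timestamp, and a Result: line carrying the exit code. The sample values and the field names of the returned dicts mirror the record fields listed above; the version string and timestamps are made up.

```python
import re
from datetime import datetime

# Constructed sample in the SchedLgU.txt layout (not a real log). On disk the
# file is commonly UTF-16 encoded and wraps around; decode it before parsing.
SAMPLE = '''"Task Scheduler Service"
     Started at 1/13/2010 2:35:50 PM
"Task Scheduler Service"
5.1.2600.5512 (xpsp.080413-2111)
"At1.job" (cmd.exe)
\tStarted 1/13/2010 2:36:00 PM
"At1.job" (cmd.exe)
\tFinished 1/13/2010 2:36:01 PM
\tResult: The task completed with an exit code of (0).
"Task Scheduler Service"
     Exited at 1/13/2010 3:00:00 PM
[ ***** Most recent entry is above this line ***** ]
'''

SERVICE_RE = re.compile(r'^"Task Scheduler Service"$')
JOB_RE = re.compile(r'^"(?P<job>[^"]+\.job)" \((?P<command>[^)]*)\)$')
VERSION_RE = re.compile(r'^\d+(\.\d+)+ \(.*\)$')
EVENT_RE = re.compile(r'^(?P<status>Started|Finished|Exited)(?: at)? (?P<ts>.+)$')
RESULT_RE = re.compile(r'exit code of \((?P<code>-?\d+)\)')

def parse_schedlgu(text):
    """Return one dict per event with the same field names the plugin yields."""
    records = []
    job = command = version = None
    for raw in text.splitlines():
        line = raw.strip()
        if SERVICE_RE.match(line):
            job = command = None  # following events describe the service itself
            continue
        if m := JOB_RE.match(line):
            job, command = m["job"], m["command"]
            continue
        if job is None and VERSION_RE.match(line):
            version = line  # the service version line follows a service header
            continue
        if m := EVENT_RE.match(line):
            records.append({"ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                            "job": job, "command": command, "status": m["status"].lower(),
                            "exit_code": None, "version": version})
            continue
        if (m := RESULT_RE.search(line)) and records:
            records[-1]["exit_code"] = int(m["code"])  # result line follows its Finished event
    return records
```

Service start/stop events come out with job and command set to None, so a gap between an "exited" and the next "started" record shows when the scheduler was not running.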