schtasks

- Tool Overview

Category
Command Execution
Description
Executes a task at the specified time.
Example of Presumed Tool Use During an Attack
This tool is used to run an executable file or script at a chosen time without the user noticing it.

- Tool Operation Overview

Item                   | Source Host   | Destination Host
OS                     | Windows       | Windows
Belonging to Domain    | Not required  | Not required
Communication Protocol | 445/tcp       |
Rights                 | Standard user | Administrator
Service                | -             | Task Scheduler

- Information Acquired from Log

Standard Settings
  • Source host
    • Execution history (Prefetch)
  • Destination Host
    • Creation of a task, execution history (task scheduler log)
Additional Settings
  • Source host
    • Execution history (audit policy, Sysmon)

- Evidence That Can Be Confirmed When Execution is Successful

- Main Information Recorded at Execution

- Source Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command (C:\Windows\System32\schtasks.exe /Create /S [Target] /U [User] /P [Password] /SC [Execution Timing] /TN [Task Name] /TR [Execution Command])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\schtasks.exe)
  • User: Execute as user
2 Security 4648 Logon A logon was attempted using explicit credentials.
  • Subject > Account Name: Name of the account that executed the tool
  • Account for which Credentials were Used > Account Name: Specified account name (user specified by the schtasks.exe command line)
  • Subject > Account Domain: Domain to which the account belongs
  • Process Information > Process Name: Name of the process that attempted the logon (C:\Windows\System32\schtasks.exe)
  • Target Server > Target Server Name: Logon destination host name (target host)
  • Subject > Security ID: SID of the user who executed the tool
  • Target Server > Additional Information: Additional information on the logon destination host (target host)
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs (domain of the user specified by the schtasks.exe command line)
3 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file
  • ProcessGuid/ProcessId: Process ID (process ID of schtasks.exe)
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination ports: 135, high port)
4 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command (C:\Windows\System32\schtasks.exe /Run /S [Target] /U [User] /P [Password] /TN [Task Name])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\schtasks.exe)
  • User: Execute as user
5 Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Exit Status: Process return value (0x0)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\schtasks.exe)
6 Security 4648 Logon A logon was attempted using explicit credentials.
  • Subject > Account Name: Name of the account that executed the tool
  • Account for which Credentials were Used > Account Name: Specified account name (user specified by the schtasks.exe command line)
  • Subject > Account Domain: Domain to which the account belongs
  • Process Information > Process Name: Name of the process that attempted the logon (C:\Windows\System32\schtasks.exe)
  • Target Server > Target Server Name: Logon destination host name (destination host)
  • Subject > Security ID: SID of the user who executed the tool
  • Target Server > Additional Information: Additional information on the logon destination host (destination host)
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs (domain of the user specified by the schtasks.exe command line)
7 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • Image: Path to the executable file
  • ProcessGuid/ProcessId: Process ID (process ID of schtasks.exe)
  • User: Execute as user
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (source host)
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (destination ports: 135, high port)
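As an added illustration (not part of the original sheet), the following Python takes constructed Sysmon Event ID 1 and Security 4648 records with the fields listed above, flags schtasks /Create and /Run aimed at a remote host (/S), and attaches the explicit-credential logon by process ID, target server and time. Hostnames, users, process IDs and the five-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample records (not real logs) with the Sysmon Event ID 1 and
# Security 4648 fields listed in the table above. Hostnames, users and
# process IDs are made up; the /P value is replaced by a placeholder.
SYSMON_EVENT1 = [
    {"UtcTime": "2024-01-10 09:00:01.000", "ProcessId": 4120, "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'C:\Windows\System32\schtasks.exe /Create /S FILESRV01 '
                    r'/U CORP\svc_backup /P [REDACTED] /SC ONCE /ST 09:05 '
                    r'/TN "Update" /TR "C:\Windows\Temp\run.exe"'},
    {"UtcTime": "2024-01-10 09:00:03.000", "ProcessId": 4130, "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Update"'},      # local query, not flagged
    {"UtcTime": "2024-01-10 09:00:05.000", "ProcessId": 4141, "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'C:\Windows\System32\schtasks.exe /Run /S FILESRV01 '
                    r'/U CORP\svc_backup /P [REDACTED] /TN "Update"'},
]

# Security 4648 on the source host. The table notes its timestamp is local
# time; here it is assumed to have been normalised to UTC before correlation.
SECURITY_4648 = [
    {"LogTime": "2024-01-10 09:00:01.250", "ProcessId": 4120,
     "ProcessName": r"C:\Windows\System32\schtasks.exe",
     "SubjectUserName": "alice", "TargetUserName": "svc_backup",
     "TargetServerName": "FILESRV01"},
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
VERBS = {"/create", "/run", "/delete", "/query", "/change", "/end"}
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_schtasks(cmdline):
    """Split a schtasks command line into its verb and a {switch: value} map.
    Quoted values (task names, /TR commands) are kept as single tokens."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    verb, switches = None, {}
    i = 1                                   # tokens[0] is the image path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok.lower()
            if key in VERBS:
                verb = key
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[key] = tokens[i + 1]
                i += 1                      # consume the value token
            else:
                switches[key] = True        # bare flag such as /F
        i += 1
    return verb, switches


def flag_remote_task_ops(sysmon1, logons, window_s=5):
    """Return a finding for every schtasks /Create or /Run aimed at a remote
    host (/S), with the matching 4648 explicit-credential logon if present."""
    findings = []
    for ev in sysmon1:
        if not ev["Image"].lower().endswith("schtasks.exe"):
            continue
        verb, sw = parse_schtasks(ev["CommandLine"])
        if verb not in ("/create", "/run") or not isinstance(sw.get("/s"), str):
            continue
        target = sw["/s"].lstrip("\\").upper()
        t0 = datetime.strptime(ev["UtcTime"], TS_FMT)
        logon = next(
            (lg for lg in logons
             if lg["ProcessId"] == ev["ProcessId"]
             and lg["TargetServerName"].upper() == target
             and abs((datetime.strptime(lg["LogTime"], TS_FMT) - t0).total_seconds()) <= window_s),
            None)
        findings.append({
            "verb": verb, "target": target, "executing_user": ev["User"],
            "run_as": sw.get("/u"), "task_name": sw.get("/tn"), "command": sw.get("/tr"),
            "password_on_cmdline": "/p" in sw,          # credentials end up in Sysmon 1 / 4688
            "explicit_logon_seen": logon is not None,   # False may also mean logon auditing is off
        })
    return findings


if __name__ == "__main__":
    for finding in flag_remote_task_ops(SYSMON_EVENT1, SECURITY_4648):
        print(finding)
```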

Prefetch

- Destination Host

Event log

# Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • DestinationIp/DestinationHostname/DestinationPort: Destination IP address/Host name/Port number (source host)
  • Protocol: Protocol (tcp)
  • ProcessGuid/ProcessId: Process ID
  • SourceIp/SourceHostname/SourcePort: Source IP address/Host name/Port number (ports on the destination host: 135, high port)
2 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\taskeng.exe)
  • CommandLine: Command line of the execution command (command line specified by a task)
  • ParentCommandLine: Command line of the parent process (taskeng.exe {[Task GUID]} [User SID]:[Domain]\[User Name]:Interactive:[1])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the executable file specified by a task)
3 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • CommandLine: Command line of the execution command (taskeng.exe {[Task GUID]} [User SID]:[Domain]\[User Name]:Interactive:[1])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\taskeng.exe)
  • User: Execute as user (user specified on the executing host)
4 Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Process type (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • Details: Setting value written to the registry (Binary Data)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{[Task GUID]}\DynamicInfo)
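As an added illustration (not part of the original sheet), the following Python picks out destination-host Sysmon Event ID 1 records whose parent is taskeng.exe, parses the ParentCommandLine shape given above into task GUID and run-as account, and derives the TaskCache\Tasks\{GUID} registry key from the Registry entry table to pivot to. The sample records, GUID, SID, account names and paths are constructed.

```python
import re

# Constructed destination-host Sysmon Event ID 1 records (not real logs) in
# the ParentImage/ParentCommandLine shape given in the table above. The GUID,
# SID, domain, user and paths are made up.
DEST_SYSMON_EVENT1 = [
    {"UtcTime": "2024-01-10 09:05:00.000", "ProcessId": 3388,
     "Image": r"C:\Windows\Temp\run.exe", "CommandLine": r"C:\Windows\Temp\run.exe",
     "ParentImage": r"C:\Windows\System32\taskeng.exe",
     "ParentCommandLine": r"taskeng.exe {8E4F1C2A-1B3D-4E5F-9A7B-0C1D2E3F4A5B} "
                          r"S-1-5-21-1111111111-2222222222-3333333333-1105:CORP\svc_backup:Interactive:1"},
    {"UtcTime": "2024-01-10 09:05:02.000", "ProcessId": 3402,            # not task-launched
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\explorer.exe"},
]

# taskeng.exe {[Task GUID]} [User SID]:[Domain]\[User Name]:Interactive:[1]
TASKENG_RE = re.compile(
    r"^taskeng\.exe\s+\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\s+"
    r"(?P<sid>S-1-\d+(?:-\d+)+):(?P<domain>[^\\:]+)\\(?P<user>[^:]+):(?P<logon_type>[^:]+):(?P<flag>\d+)$"
)
TASK_CACHE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"


def parse_taskeng_cmdline(cmdline):
    """Parse a taskeng.exe command line into GUID, SID, domain, user and logon
    type, or return None when the line does not have the expected shape."""
    m = TASKENG_RE.match(cmdline.strip())
    if not m:
        return None
    parts = m.groupdict()
    parts["guid"] = parts["guid"].upper()
    # Key under which the Task Scheduler caches this task (see Registry entry table).
    parts["task_cache_key"] = TASK_CACHE + r"\Tasks\{" + parts["guid"] + "}"
    return parts


def processes_started_by_tasks(sysmon1):
    """Return the processes launched by taskeng.exe together with the task GUID,
    run-as account and the TaskCache key an analyst would examine next."""
    results = []
    for ev in sysmon1:
        if not ev["ParentImage"].lower().endswith(r"\taskeng.exe"):
            continue
        parsed = parse_taskeng_cmdline(ev["ParentCommandLine"])
        if parsed is None:
            continue                        # unexpected shape; worth a manual look
        results.append({
            "utc_time": ev["UtcTime"], "image": ev["Image"], "command_line": ev["CommandLine"],
            "task_guid": parsed["guid"], "run_as": parsed["domain"] + "\\" + parsed["user"],
            "run_as_sid": parsed["sid"], "task_cache_key": parsed["task_cache_key"],
        })
    return results


if __name__ == "__main__":
    for hit in processes_started_by_tasks(DEST_SYSMON_EVENT1):
        print(hit)
```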

Prefetch

Registry entry

# Path Value
1 Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{[GUID]} (multiple registry entries)
2 Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\[Task Name] (multiple registry entries)

- Details: Source Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (C:\Windows\System32\schtasks.exe /Create /S [Target] /U [User] /P [Password] /SC [Execution Timing] /TN [Task Name] /TR [Execution Command])
  • IntegrityLevel: Privilege level
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\schtasks.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\Medium Mandatory Level)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\schtasks.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
2 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\schtasks.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
3 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID (process ID of schtasks.exe)
  • User: Execute as user
  • DestinationPort: Destination port number (135)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\schtasks.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (135)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\schtasks.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
4 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID (process ID of schtasks.exe)
  • User: Execute as user
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\schtasks.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\schtasks.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
6 Security 4648 Logon A logon was attempted using explicit credentials.
  • Process Information > Process ID: Process ID that attempted the logon
  • Account for which Credentials were Used > Account Name: Specified account name (user specified by the schtasks.exe command line)
  • Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
  • Subject > Account Domain: Domain to which the account belongs
  • Target Server > Target Server Name: Logon destination host name (target host)
  • Process Information > Process Name: Name of the process that attempted the logon (C:\Windows\System32\schtasks.exe)
  • Subject > Account Name: Name of the account that executed the tool
  • Subject > Security ID: SID of the user who executed the tool
  • Target Server > Additional Information: Additional information on the logon destination host (target host)
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs (domain of the user specified by the schtasks.exe command line)
7 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\schtasks.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\schtasks.exe)
  • Subject > Logon ID: Session ID of the user who executed the process
8 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\SCHTASKS.EXE-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\SCHTASKS.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: File type
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\SCHTASKS.EXE-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
9 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (C:\Windows\System32\schtasks.exe /Run /S [Target] /U [User] /P [Password] /TN [Task Name])
  • IntegrityLevel: Privilege level
  • ParentCommandLine: Command line of the parent process
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\schtasks.exe)
Security 4688 Process Create A new process has been created.
  • Process Information > Required Label: Necessity of privilege escalation (Mandatory Label\Medium Mandatory Level)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Source Process Name: Path to parent process that created the new process
  • Log Date and Time: Process execution date and time (local time)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\schtasks.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
10 Microsoft-Windows-Sysmon/Operational 12 Registry object added or deleted (rule: RegistryEvent) Registry object added or deleted.
  • EventType: Process type (CreateKey)
  • Image: Path to the executable file (C:\Windows\System32\schtasks.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetObject: Created/deleted registry key/value (\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters)
11 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID (process ID of schtasks.exe)
  • User: Execute as user
  • DestinationPort: Destination port number (135)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\schtasks.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (135)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\schtasks.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
12 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (destination host IP address)
  • Image: Path to the executable file
  • DestinationHostname: Destination host name (destination host name)
  • ProcessGuid/ProcessId: Process ID (process ID of schtasks.exe)
  • User: Execute as user
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (source host name)
  • SourceIp: Source IP address (source host IP address)
Security 5158 Filtering Platform Connection The Windows Filtering Platform has permitted a bind to a local port.
  • Network Information > Protocol: Protocol used (6=TCP)
  • Network Information > Source Port: Bind local port (high port)
  • Application Information > Process ID: Process ID
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\schtasks.exe)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (destination host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\schtasks.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (source host)
  • Application Information > Process ID: Process ID
13 Security 4648 Logon A logon was attempted using explicit credentials.
  • Process Information > Process ID: Process ID that attempted the logon
  • Account for which Credentials were Used > Account Name: Specified account name (user specified by the schtasks.exe command line)
  • Subject > Logon ID/Logon GUID: Session ID of the user who executed the authentication
  • Subject > Account Domain: Domain to which the account belongs
  • Target Server > Target Server Name: Logon destination host name (destination host)
  • Process Information > Process Name: Name of the process that attempted the logon (C:\Windows\System32\schtasks.exe)
  • Subject > Account Name: Name of the account that executed the tool
  • Subject > Security ID: SID of the user who executed the tool
  • Target Server > Additional Information: Additional information on the logon destination host (destination host)
  • Account for which Credentials were Used > Account Domain: Domain to which the specified account belongs (domain of the user specified by the schtasks.exe command line)
14 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (C:\Windows\System32\schtasks.exe)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value (0x0)
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (C:\Windows\System32\schtasks.exe)
  • Subject > Logon ID: Session ID of the user who executed the process

- USN Journal

# File Name Process Attribute
1 SCHTASKS.EXE-[RANDOM].pf FILE_CREATE archive+not_indexed
SCHTASKS.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
SCHTASKS.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed
SCHTASKS.EXE-[RANDOM].pf DATA_TRUNCATION archive+not_indexed
SCHTASKS.EXE-[RANDOM].pf DATA_EXTEND+DATA_TRUNCATION archive+not_indexed
SCHTASKS.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+DATA_TRUNCATION archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\SCHTASKS.EXE-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\SCHTASKS.EXE-[RANDOM].pf SCHTASKS.EXE C:\WINDOWS\SYSTEM32\SCHTASKS.EXE Last Run Time (last execution date and time)

- Details: Destination Host

- Event Log

# Event Log Event ID Task Category Event Details
1 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • DestinationHostname: Destination host name (source host)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (135)
  • SourceHostname: Source host name (destination host)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (135)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
2 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (source host IP address)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • DestinationHostname: Destination host name (source host)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\NETWORK SERVICE)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (destination host)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (source host)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\svchost.exe)
  • Network Information > Direction: Communication direction (inbound)
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
3 Microsoft-Windows-Sysmon/Operational 3 Network connection detected (rule: NetworkConnect) Network connection detected.
  • Protocol: Protocol (tcp)
  • DestinationIp: Destination IP address (Domain Controller IP address)
  • Image: Path to the executable file (C:\Windows\System32\lsass.exe)
  • DestinationHostname: Destination host name (Domain Controller host name)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (NT AUTHORITY\SYSTEM)
  • DestinationPort: Destination port number (high port)
  • SourcePort: Source port number (high port)
  • SourceHostname: Source host name (destination host)
  • SourceIp: Source IP address (destination host IP address)
Security 5156 Filtering Platform Connection The Windows Filtering Platform has allowed a connection.
  • Network Information > Destination Port: Destination port number (high port)
  • Network Information > Source Port: Source port number (high port)
  • Network Information > Destination Address: Destination IP address (Domain Controller)
  • Network Information > Protocol: Protocol used (6=TCP)
  • Application Information > Application Name: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)
  • Network Information > Direction: Communication direction (outbound)
  • Network Information > Source Address: Source IP address (destination host)
  • Application Information > Process ID: Process ID
4 Security 4672 Special Logon Privileges assigned to a new logon.
  • Privileges: Assigned special privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
Security 4624 Logon An account was successfully logged on.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • New Logon > Logon ID/Logon GUID: Session ID of the user who was logged on
  • Detailed Authentication Information > Package Name (NTLM only): NTLM version (NTLM V2)
  • Detailed Authentication Information > Logon Process: Process used for logon (NtLmSsp)
  • Network Information > Source Port: Source port number (high port)
  • New Logon > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who was logged on
  • Logon Type: Logon path, method, etc. (3=Network)
  • Network Information > Workstation Name: Name of the host that requested the logon (source host name)
  • Detailed Authentication Information > Key Length: Length of the key used for the authentication (128)
  • Process Information > Process Name: Path to the executable file
  • Detailed Authentication Information > Authentication Package: Authentication package used (NTLM)
  • Network Information > Source Network Address: IP address that requested the logon (source host IP address)
  • Subject > Logon ID: Session ID of the user who executed the authentication
Security 4634 Logoff An account was logged off.
  • Logon Type: Logon path, method, etc. (3=Network)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the authentication
5 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\svchost.exe)
  • CurrentDirectory: Work directory (C:\Windows\system32\)
  • CommandLine: Command line of the execution command (taskeng.exe {[Task GUID]} [User SID]:[Domain]\[User Name]:Interactive:[1])
  • IntegrityLevel: Privilege level (High)
  • ParentCommandLine: Command line of the parent process (C:\Windows\system32\svchost.exe -k netsvcs)
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user (user specified on the executing host)
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (C:\Windows\System32\taskeng.exe)
Security 4688 Process Create A new process has been created.
  • Subject > Account Name: Name of the account that executed the tool ([Host Name]$)
  • Log Date and Time: Process execution date and time (local time)
  • Subject > Account Domain: Domain to which the executed account belongs (domain to which the machine belongs)
  • Process Information > New Process Name: Path to the executable file (C:\Windows\System32\taskeng.exe)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Subject > Security ID: SID of the user who executed the tool (SYSTEM)
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
6 Microsoft-Windows-Sysmon/Operational 1 Process Create (rule: ProcessCreate) Process Create.
  • LogonGuid/LogonId: ID of the logon session
  • ParentProcessGuid/ParentProcessId: Process ID of the parent process
  • ParentImage: Executable file of the parent process (C:\Windows\System32\taskeng.exe)
  • CurrentDirectory: Work directory
  • CommandLine: Command line of the execution command (command line specified by a task)
  • IntegrityLevel: Privilege level
  • ParentCommandLine: Command line of the parent process (taskeng.exe {[Task GUID]} [User SID]:[Domain]\[User Name]:Interactive:[1])
  • UtcTime: Process execution date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • User: Execute as user
  • Hashes: Hash value of the executable file
  • Image: Path to the executable file (path to the executable file specified by a task)
Security 4688 Process Create A new process has been created.
  • Subject > Account Name: Name of the account that executed the tool
  • Log Date and Time: Process execution date and time (local time)
  • Subject > Account Domain: Domain to which the account belongs
  • Process Information > New Process Name: Path to the executable file (path to the executable file specified by a task)
  • Process Information > Token Escalation Type: Presence of privilege escalation (1)
  • Process Information > New Process ID: Process ID (hexadecimal)
  • Subject > Security ID: SID of the user who executed the tool
  • Process Information > Source Process ID: Process ID of the parent process that created the new process. "Creator Process ID" in Windows 7
  • Subject > Logon ID: Session ID of the user who executed the process
7 Microsoft-Windows-Sysmon/Operational 10 Process accessed (rule: ProcessAccess) Process accessed.
  • SourceProcessGUID/SourceProcessId/SourceThreadId: Process ID/Thread ID of the access source process
  • TargetProcessGUID/TargetProcessId: Process ID of the access destination process
  • GrantedAccess: Details of the granted access (0x1FFFFF)
  • SourceImage: Path to the access source process (C:\Windows\system32\taskeng.exe)
  • TargetImage: Path to the access destination process (path to the executable file specified by a task)
8 Microsoft-Windows-Sysmon/Operational 5 Process terminated (rule: ProcessTerminate) Process terminated.
  • UtcTime: Process terminated date and time (UTC)
  • ProcessGuid/ProcessId: Process ID
  • Image: Path to the executable file (path to the executable file specified by a task)
Security 4689 Process Termination A process has exited.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Process Information > Exit Status: Process return value
  • Log Date and Time: Process terminated date and time (local time)
  • Process Information > Process Name: Path to the executable file (path to the executable file specified by a task)
  • Subject > Logon ID: Session ID of the user who executed the process
9 Microsoft-Windows-Sysmon/Operational 13 Registry value set (rule: RegistryEvent) Registry value set.
  • EventType: Type of registry operation (SetValue)
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • Details: Setting value written to the registry (Binary Data)
  • TargetObject: Registry value at the write destination (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{[Task GUID]}\DynamicInfo)
10 Microsoft-Windows-Sysmon/Operational 11 File created (rule: FileCreate) File created.
  • Image: Path to the executable file (C:\Windows\System32\svchost.exe)
  • ProcessGuid/ProcessId: Process ID
  • TargetFilename: Created file (C:\Windows\Prefetch\TASKENG.EXE-[RANDOM].pf)
  • CreationUtcTime: File creation date and time (UTC)
Security 4656 File System/Other Object Access Events A handle to an object was requested.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\TASKENG.EXE-[RANDOM].pf)
  • Process Information > Process Name: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)
  • Object > Object Type: File type
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle
Security 4663 File System An attempt was made to access an object.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Access Request Information > Access/Reason for Access/Access Mask: Requested privileges (including WriteData or AddFile, and AppendData)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Object > Object Name: Target file name (C:\Windows\Prefetch\TASKENG.EXE-[RANDOM].pf)
  • Audit Success: Success or failure (access successful)
  • Process Information > Process Name: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)
  • Object > Object Type: Category of the target (File)
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
Security 4658 File System The handle to an object was closed.
  • Process Information > Process ID: Process ID (hexadecimal)
  • Process Information > Process Name: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)
  • Subject > Security ID/Account Name/Account Domain: SID/Account name/Domain of the user who executed the tool
  • Subject > Logon ID: Session ID of the user who executed the process
  • Object > Handle ID: ID of the relevant handle (handle obtained with Event ID 4656)
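The destination-host rows #5, #6 and #9 above describe one chain: svchost.exe (-k netsvcs) starts taskeng.exe with the task GUID and the run-as user on its command line, taskeng.exe starts the command registered in the task, and svchost.exe updates the task's DynamicInfo value under TaskCache. The script below is an added example, not part of the original sheet, that correlates these three Sysmon records (Event ID 1 and Event ID 13) so that each scheduled-task execution is reported with its GUID, its run-as account and the command it actually launched. The event dicts, GUIDs, SID and the agent.exe path are constructed sample data; the regular expressions follow the command-line and registry-path shapes given in the table. Note that the taskeng.exe intermediary reflects the Windows version the sheet was produced on; on newer Windows versions the task's command is created directly by the Task Scheduler svchost.exe, so the first pass would need to key on that parent instead.

```python
import re
from typing import Dict, List

# Shape of the taskeng.exe command line documented in row #5 (Sysmon Event ID 1):
#   taskeng.exe {<Task GUID>} <User SID>:<Domain>\<User Name>:Interactive:[1]
TASKENG_CMD = re.compile(
    r"taskeng\.exe\s+\{(?P<guid>[0-9a-f-]{36})\}\s+"
    r"(?P<sid>S-1-[0-9-]+):(?P<domain>[^\\:]+)\\(?P<user>[^:]+):",
    re.IGNORECASE,
)
# TaskCache value written by svchost.exe when the task runs (row #9, Sysmon Event ID 13)
TASKCACHE_DYNINFO = re.compile(
    r"\\Schedule\\TaskCache\\Tasks\\\{(?P<guid>[0-9a-f-]{36})\}\\DynamicInfo$",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' when the field is absent)."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate_task_executions(events: List[dict]) -> List[dict]:
    """Link each taskeng.exe launch to the command it ran and to the registry write.

    `events` are Sysmon EventData fields flattened into dicts plus an integer
    'EventID'. Returns one record per scheduled-task execution found.
    """
    runs: Dict[str, dict] = {}  # ProcessGuid of taskeng.exe -> execution record

    # Pass 1: taskeng.exe started by the Task Scheduler service host (row #5)
    for ev in events:
        if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "taskeng.exe":
            continue
        if _basename(ev.get("ParentImage", "")) != "svchost.exe":
            continue
        m = TASKENG_CMD.search(ev.get("CommandLine", ""))
        if not m:
            continue
        runs[ev["ProcessGuid"]] = {
            "task_guid": m["guid"].upper(),
            "run_as": f"{m['domain']}\\{m['user']}",
            "sid": m["sid"],
            "taskeng_time": ev.get("UtcTime"),
            "commands": [],                 # filled from the child processes (row #6)
            "dynamicinfo_updated": False,   # filled from the registry write (row #9)
        }
    by_guid = {r["task_guid"]: r for r in runs.values()}

    # Pass 2: children of taskeng.exe are the task's real command; Event ID 13 on
    # ...\TaskCache\Tasks\{GUID}\DynamicInfo ties the run back to the same task.
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and ev.get("ParentProcessGuid") in runs:
            runs[ev["ParentProcessGuid"]]["commands"].append({
                "image": ev.get("Image"), "cmdline": ev.get("CommandLine"),
                "user": ev.get("User"), "time": ev.get("UtcTime"),
            })
        elif eid == 13:
            m = TASKCACHE_DYNINFO.search(ev.get("TargetObject", ""))
            if m and m["guid"].upper() in by_guid:
                by_guid[m["guid"].upper()]["dynamicinfo_updated"] = True
    return list(runs.values())


# Constructed sample events (not captured from a real host); GUIDs, SID and
# paths are placeholders chosen to match the shapes in the table above.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-15 09:58:01.000",
     "ProcessGuid": "{00000000-0000-0000-0000-000000000001}",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "ParentProcessGuid": "{00000000-0000-0000-0000-0000000000FF}",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "EXAMPLE\\alice"},  # unrelated, ignored
    {"EventID": 1, "UtcTime": "2024-01-15 10:00:00.000",
     "ProcessGuid": "{00000000-0000-0000-0000-000000000002}",
     "Image": "C:\\Windows\\System32\\taskeng.exe",
     "CommandLine": "taskeng.exe {11111111-2222-3333-4444-555555555555} "
                    "S-1-5-21-1000-2000-3000-1001:EXAMPLE\\alice:Interactive:[1]",
     "ParentProcessGuid": "{00000000-0000-0000-0000-0000000000AA}",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
     "User": "EXAMPLE\\alice"},                                               # row #5
    {"EventID": 1, "UtcTime": "2024-01-15 10:00:00.500",
     "ProcessGuid": "{00000000-0000-0000-0000-000000000003}",
     "Image": "C:\\ProgramData\\example\\agent.exe",
     "CommandLine": "\"C:\\ProgramData\\example\\agent.exe\" --sync",
     "ParentProcessGuid": "{00000000-0000-0000-0000-000000000002}",
     "ParentImage": "C:\\Windows\\System32\\taskeng.exe", "User": "EXAMPLE\\alice"},  # row #6
    {"EventID": 13, "UtcTime": "2024-01-15 10:00:00.600",
     "ProcessGuid": "{00000000-0000-0000-0000-0000000000AA}",
     "Image": "C:\\Windows\\System32\\svchost.exe", "EventType": "SetValue",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                     "\\Schedule\\TaskCache\\Tasks\\{11111111-2222-3333-4444-555555555555}\\DynamicInfo"},  # row #9
]

if __name__ == "__main__":
    for run in correlate_task_executions(SAMPLE_EVENTS):
        print(run["task_guid"], run["run_as"], run["taskeng_time"], run["dynamicinfo_updated"])
        for cmd in run["commands"]:
            print("   ->", cmd["cmdline"])
```

The GUID recovered from the taskeng.exe command line is the same {GUID} that names the TaskCache\Tasks and TaskCache\Plain keys and that the Tree\[Task Name]\Id value points to (Registry Entry table below), so the record can be joined to the task name and trigger from a registry export of the destination host. Requiring the svchost.exe parent in pass 1 keeps the match to the documented chain; a taskeng.exe with any other parent is worth a separate review rather than silent inclusion.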

- USN Journal

# File Name Process Attribute
1 TASKENG.EXE-[RANDOM].pf FILE_CREATE archive+not_indexed
TASKENG.EXE-[RANDOM].pf DATA_EXTEND+FILE_CREATE archive+not_indexed
TASKENG.EXE-[RANDOM].pf CLOSE+DATA_EXTEND+FILE_CREATE archive+not_indexed

- MFT

# Path Header Flag Validity
1 [Drive Name]:\Windows\Prefetch\TASKENG.EXE-[RANDOM].pf FILE ALLOCATED

- Prefetch

# Prefetch File Process Name Process Path Information That Can Be Confirmed
1 C:\Windows\Prefetch\TASKENG.EXE-[RANDOM].pf TASKENG.EXE C:\WINDOWS\SYSTEM32\TASKENG.EXE Last Run Time (last execution date and time)

- Registry Entry

# Path Type Value
1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{[GUID]} Key (No value to be set)
2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{[GUID]}\Path String \[Task Name]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{[GUID]}\Hash String [Hash Value]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{[GUID]}\Triggers String [Task Start Timing (Trigger)]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{[GUID]}\DynamicInfo String [Data]
3 Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\[Task Name]\Id String {[GUID]}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\[Task Name]\Index DWORD [Index Number]

- Packet Capture

# Process Source Host Source Port Number Destination Host Destination Port Number Protocol/Application
1 Bind: call_id: 2, Fragment: Single, 3 context items: 86d35949-83c9-4044-b424-db363231fd0c V1.0 (32bit NDR), 86d35949-83c9-4044-b424-db363231fd0c V1.0 (64bit NDR), 86d35949-83c9-4044-b424-db363231fd0c V1.0 (6cb71c2c-9812-4540-0300-000000000000), NTLMSSP_NEGOTIATE [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Bind_ack: call_id: 2, Fragment: Single, max_xmit: 5840 max_recv: 5840, 3 results: Provider rejection, Acceptance, Negotiate ACK, NTLMSSP_CHALLENGE [Destination Host] [High Port] [Source Host] [High Port] DCERPC
2 AUTH3: call_id: 2, Fragment: Single, NTLMSSP_AUTH, User: [User Name] [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Request: call_id: 2, Fragment: Single, opnum: 0, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Destination Host] [High Port] [Source Host] [High Port] DCERPC
Response: call_id: 2, Fragment: Single, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Destination Host] [High Port] [Source Host] [High Port] DCERPC
3 Request: call_id: 3, Fragment: Single, opnum: 7, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Response: call_id: 3, Fragment: Single, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Destination Host] [High Port] [Source Host] [High Port] DCERPC
4 Request: call_id: 4, Fragment: Single, opnum: 1, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Response: call_id: 4, Fragment: Single, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Destination Host] [High Port] [Source Host] [High Port] DCERPC
5 Bind: call_id: 2, Fragment: Single, 3 context items: 86d35949-83c9-4044-b424-db363231fd0c V1.0 (32bit NDR), 86d35949-83c9-4044-b424-db363231fd0c V1.0 (64bit NDR), 86d35949-83c9-4044-b424-db363231fd0c V1.0 (6cb71c2c-9812-4540-0300-000000000000), NTLMSSP_NEGOTIATE [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Bind_ack: call_id: 2, Fragment: Single, max_xmit: 5840 max_recv: 5840, 3 results: Provider rejection, Acceptance, Negotiate ACK, NTLMSSP_CHALLENGE [Destination Host] [High Port] [Source Host] [High Port] DCERPC
6 AUTH3: call_id: 2, Fragment: Single, NTLMSSP_AUTH, User: [User Name] [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Request: call_id: 2, Fragment: Single, opnum: 0, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Response: call_id: 2, Fragment: Single, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Destination Host] [High Port] [Source Host] [High Port] DCERPC
7 Request: call_id: 3, Fragment: Single, opnum: 7, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Response: call_id: 3, Fragment: Single, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Destination Host] [High Port] [Source Host] [High Port] DCERPC
8 Request: call_id: 4, Fragment: Single, opnum: 2, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Response: call_id: 4, Fragment: Single, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Destination Host] [High Port] [Source Host] [High Port] DCERPC
9 Request: call_id: 5, Fragment: Single, opnum: 17, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Response: call_id: 5, Fragment: Single, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Destination Host] [High Port] [Source Host] [High Port] DCERPC
10 Request: call_id: 6, Fragment: Single, opnum: 12, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Source Host] [High Port] [Destination Host] [High Port] DCERPC
Response: call_id: 6, Fragment: Single, Ctx: 1 86d35949-83c9-4044-b424-db363231fd0c V1 [Destination Host] [High Port] [Source Host] [High Port] DCERPC

- Remarks