Detection

• Manual Inspection (Task Scheduler GUI): Open Task Scheduler (taskschd.msc) and carefully review tasks listed in the main library and under Microsoft\Windows. Look for recently created or modified tasks, tasks with suspicious names or descriptions, tasks triggering at logon/startup, and tasks executing unusual programs or scripts (especially from user directories like Temp or Downloads). Check the "Actions" and "Triggers" tabs for details.

• Command Line Query (schtasks.exe): schtasks /query /fo LIST /v provides a detailed list of all tasks in the command prompt.

• Task Files (C:\Windows\System32\Tasks): Scheduled tasks are stored as XML files in this directory (and its subdirectories). Analyze the "Date Modified" timestamps of these files in Search Everything. Examine the XML content directly (using Notepad or specialized viewers) to see the commands, arguments, triggers, and user context. Look for recently modified XML files.

• PowerShell Scripts: Use specialized PowerShell scripts (like those from N0LW or Rio mentioned previously) designed to parse task XML files, extract commands/arguments, and flag potentially suspicious entries based on keywords (cmd, powershell, rundll32, etc.).

• Event Logs: The Task Scheduler Operational log (Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational) records task creation (Event ID 106), deletion (ID 141), execution (ID 200/201), and completion events. Correlate timestamps with suspicious tasks found elsewhere.

• Registry Explorer: Can be used to examine Task Cache keys (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks and Tree) for task metadata, including potentially deleted task information or tasks using Unicode names.

• System Informer: Dump the memory of the Scheduler service (svchost.exe or taskeng.exe) and search for <Command> or <Arguments> tags, or specific paths/scripts found via other methods.