Forensic Scripts and tasks

 pimp
(@pimp)
New Member

Hello,

Sorry if my question is very basic but I need to know the following

Scripts

How is it possible to know if a script was executed on a Windows machine using WMI, wscript or cscript? I mean, where do you have to search to know exactly that a script was executed, from where (local or remote), what processes and what kind of logs were generated? Is there any place in the Windows registry that can help with this search?

Tasks

Is there any method to execute hidden tasks using the Windows Scheduler? How can you know if someone is using this method? Are there more locations, apart from autostart points in the registry, that can be used to execute scheduled tasks?

Best Regards and thanks in advance.

Topic starter Posted : 22/09/2014 1:49 am
keydet89
(@keydet89)
Community Legend

How is it possible to know if a script was executed on a Windows machine using WMI, wscript or cscript? I mean, where do you have to search to know exactly that a script was executed, from where (local or remote), what processes and what kind of logs were generated? Is there any place in the Windows registry that can help with this search?

Generally speaking, no, on all counts. It is possible to know if a script has executed if you know what the script does and what artifacts it creates. If the system is Windows XP, the executed script would have its last accessed date updated.

In general, logs are not created when scripts are executed, unless the script is written to generate a log entry. There may be other possibilities, however…some AV products monitor behaviors, such as programs executing from Temp folders, so there might be some possibilities there…I'd do testing to be sure.

Is there any method to execute hidden tasks using the Windows Scheduler?

What is a "hidden" task?

How can you know if someone is using this method? Are there more locations, apart from autostart points in the registry, that can be used to execute scheduled tasks?

Different Windows systems have different ways of logging scheduled task activity, with Vista+ systems being the more prolific. Scheduled tasks are not generally "run" from autostart locations, per se, although they could easily be _created_ by a program or script run from an autostart location.

HTH

Posted : 22/09/2014 5:26 am
jaclaz
(@jaclaz)
Community Legend

Is there any method to execute hidden tasks using the Windows Scheduler?

If by "hidden task" you mean something that runs without showing on the user desktop, then yes; actually that is the default. See the "interactive" switch for AT or the IT one for SCHTASKS:
http://ss64.com/nt/at.html
http://ss64.com/nt/schtasks.html

jaclaz

Posted : 22/09/2014 2:47 pm
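As an added example that is not part of this thread or either reply: a small Python triage script that reads a scheduled task's stored XML definition (the format Task Scheduler keeps under %SystemRoot%\System32\Tasks on Vista and later) and reports whether the task launches a script host such as cscript or wscript, whether it carries the Hidden setting, and whether it runs with an interactive token (what the SCHTASKS /IT switch jaclaz mentions sets). The task XML below is constructed for the example; the set of script hosts is an assumption to extend.

```python
import ntpath
import xml.etree.ElementTree as ET

# Task Scheduler stores one XML file per task under %SystemRoot%\System32\Tasks
# (UTF-16 encoded on disk; open real files with encoding="utf-16").
# This sample is constructed to imitate a task that silently runs a VBScript.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>WORKSTATION\\alice</Author></RegistrationInfo>
  <Principals><Principal id="Author"><LogonType>Password</LogonType></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\cscript.exe</Command>
      <Arguments>//B C:\\Users\\Public\\update.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed list of interpreters worth a second look when launched by a task.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "wmic.exe"}


def triage_task(xml_text):
    """Summarise the review-worthy properties of one task definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    command = text("t:Actions/t:Exec/t:Command")
    logon_type = text("t:Principals/t:Principal/t:LogonType")
    result = {
        "author": text("t:RegistrationInfo/t:Author"),
        "command": command,
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        # <Hidden>true</Hidden> keeps the task out of the console's default view.
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        # InteractiveToken is what schtasks /IT produces: the task runs on the
        # logged-on user's desktop. Any other logon type runs with no window.
        "interactive": logon_type == "InteractiveToken",
        # ntpath handles the Windows path even when this runs on Linux.
        "script_host": ntpath.basename(command).lower() in SCRIPT_HOSTS,
    }
    result["review"] = result["script_host"] and (result["hidden"] or not result["interactive"])
    return result


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK_XML).items():
        print(f"{key:12}: {value}")
```

Point it at every file below the Tasks directory to get a first pass over which tasks quietly run a script host and deserve a closer look at their triggers and the script they reference.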