dissect.target.plugins.os.windows.log.schedlgu

Module Contents

Classes

SchedLgU

SchedLgUPlugin

Plugin for parsing the Task Scheduler Service transaction log file (SchedLgU.txt).

Attributes

dissect.target.plugins.os.windows.log.schedlgu.log
dissect.target.plugins.os.windows.log.schedlgu.SchedLgURecord
dissect.target.plugins.os.windows.log.schedlgu.JOB_REGEX_PATTERN
dissect.target.plugins.os.windows.log.schedlgu.SCHEDLGU_REGEX_PATTERN
class dissect.target.plugins.os.windows.log.schedlgu.SchedLgU
ts: datetime.datetime
job: str
status: str
command: str
exit_code: int
version: str
classmethod from_line(line: str) -> SchedLgU

Parse one SchedLgU.txt entry, i.e. the group of consecutive lines that together describe a single event, into a SchedLgU record.

class dissect.target.plugins.os.windows.log.schedlgu.SchedLgUPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin for parsing the Task Scheduler Service transaction log file (SchedLgU.txt).

PATHS
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target), for example because a certain file exists. Otherwise it should raise an UnsupportedPluginError. For this plugin the check is whether a SchedLgU.txt file is present at one of the locations listed in PATHS.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

schedlgu() -> Iterator[SchedLgURecord]

Return all events in the Task Scheduler Service transaction log file (SchedLgU.txt).

Older Windows versions (Windows XP and Server 2003 and earlier) record .job task runs in SchedLgU.txt, including tasks that were scheduled remotely, for example with the at command, which makes the file a useful lateral-movement artifact. In addition, this log file records when the Task Scheduler service starts and stops, together with the service version.

Adversaries may use malicious .job files to gain persistence on a system, so a .job entry that is not expected on the host, or one that launches a command shell, is worth following up.

Yields:

ts (datetime) – The timestamp of the event.
job (str) – The name of the .job file.
command (str) – The command executed.
status (str) – The status of the event (finished, completed, exited, stopped).
exit_code (int) – The exit code of the event.
version (str) – The version of the Task Scheduler service.
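The following is an added example, not code from dissect.target: a stand-alone parser for the legacy SchedLgU.txt layout that shows both what SchedLgU.from_line has to deal with (an event is a group of lines, not a single line) and the record fields that schedlgu() yields. The regular expressions, the record class, the function names (parse_schedlgu, iter_groups, decode_schedlgu, shell_jobs) and the sample log are my own; the sample is constructed from the documented entry layout rather than taken from a real image, and the timestamp format is assumed to be the US short date/time format, since the real file is written in the machine's locale format.

```python
# Added example: a stand-alone parser for the legacy SchedLgU.txt layout, not
# dissect.target's implementation. Regexes, record layout and sample are mine,
# modelled on the fields the plugin documents (ts, job, command, status,
# exit_code, version).
from __future__ import annotations

import codecs
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterator, Optional

# Constructed sample, not a real capture: a quoted subject line, one indented
# event line, and a "Result:" line after each Finished event.
SAMPLE_LOG = (
    '"Task Scheduler Service"\n'
    "\tStarted at 1/24/2012 7:08:43 AM\n"
    '"At1.job" (cmd.exe)\n'
    "\tStarted 1/24/2012 8:06:00 AM\n"
    '"At1.job" (cmd.exe)\n'
    "\tFinished 1/24/2012 8:06:34 AM\n"
    "\tResult: The task completed with an exit code of (0).\n"
    '"Backup.job" (backup.bat)\n'
    "\tFinished 1/24/2012 8:10:05 AM\n"
    "\tResult: The task completed with an exit code of (1).\n"
    '"Task Scheduler Service" 5.1.2600.5512\n'
    "\tExited at 1/24/2012 8:12:14 AM\n"
    "[ ***** Most recent entry is above this line ***** ]\n"
)

# Assumption: US short date/time format. The real file uses the machine's
# locale format, so this may need adjusting per image.
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"

# A .job entry: '"name.job" (command)' then 'Started|Finished <ts>', optionally
# followed by a Result line carrying the exit code.
JOB_RE = re.compile(
    r'^"(?P<job>[^"]+)" \((?P<command>[^)]*)\)\n'
    r"\s*(?P<status>Started|Finished) (?P<ts>[^\n]+)"
    r"(?:\n\s*Result: .*?exit code of \((?P<exit_code>-?\d+)\))?"
)
# A service entry: the service name, an optional version, then 'Started|Exited|Stopped at <ts>'.
SERVICE_RE = re.compile(
    r'^"Task Scheduler Service"(?: (?P<version>[\d.]+))?\n'
    r"\s*(?P<status>Started|Exited|Stopped) at (?P<ts>[^\n]+)"
)


@dataclass
class SchedLgUEvent:
    ts: datetime
    job: str
    status: str
    command: Optional[str] = None
    exit_code: Optional[int] = None
    version: Optional[str] = None

    @classmethod
    def from_group(cls, group: str) -> Optional[SchedLgUEvent]:
        """Parse one entry (subject line plus its indented lines); None if unrecognised."""
        if m := JOB_RE.match(group):
            code = m["exit_code"]
            return cls(datetime.strptime(m["ts"].strip(), TS_FORMAT), m["job"], m["status"].lower(),
                       command=m["command"], exit_code=int(code) if code is not None else None)
        if m := SERVICE_RE.match(group):
            return cls(datetime.strptime(m["ts"].strip(), TS_FORMAT), "Task Scheduler Service",
                       m["status"].lower(), version=m["version"])
        return None


def decode_schedlgu(raw: bytes) -> str:
    """Decode the raw file: legacy logs are usually UTF-16 with a BOM; otherwise cp1252 is assumed."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("cp1252")


def iter_groups(text: str) -> Iterator[str]:
    """Group lines into entries: a line starting with '"' plus the indented lines after it."""
    group: list[str] = []
    for line in text.splitlines():
        if line.startswith('"'):
            if group:
                yield "\n".join(group)
            group = [line]
        elif group and line[:1].isspace():
            group.append(line)
        # Blank lines and the "Most recent entry" marker are not part of any entry.
    if group:
        yield "\n".join(group)


def parse_schedlgu(text: str) -> list[SchedLgUEvent]:
    """Return every recognised event in the log, in file order."""
    return [ev for ev in map(SchedLgUEvent.from_group, iter_groups(text)) if ev is not None]


def shell_jobs(events: list[SchedLgUEvent], shells=("cmd.exe", "powershell.exe")) -> list[str]:
    """Names of .job files whose command is a shell: 'at \\\\host <time> cmd.exe' creates AtN.job
    entries like this, a classic remote-execution pattern worth reviewing during triage."""
    return sorted({ev.job for ev in events if ev.command and ev.command.lower() in shells})
```

Two edge cases the block handles that a line-at-a-time parser misses: the exit code lives on a third line that only follows Finished events, so a job's Started event has no exit code, and the service version is only present on some service lines, so both fields are optional in the record. The cp1252 fallback in decode_schedlgu is an assumption for files without a UTF-16 byte-order mark.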