dissect.target.plugins.os.windows.log.schedlgu

Module Contents

Classes

SchedLgU

SchedLgUPlugin

Plugin for parsing the Task Scheduler Service transaction log file (SchedLgU.txt).

Attributes

dissect.target.plugins.os.windows.log.schedlgu.log
dissect.target.plugins.os.windows.log.schedlgu.SchedLgURecord
dissect.target.plugins.os.windows.log.schedlgu.JOB_REGEX_PATTERN
dissect.target.plugins.os.windows.log.schedlgu.SCHEDLGU_REGEX_PATTERN
class dissect.target.plugins.os.windows.log.schedlgu.SchedLgU
ts: datetime.datetime
job: str
status: str
command: str
exit_code: int
version: str
classmethod from_line(line: str) -> SchedLgU

Parse a group of SchedLgU.txt lines.

class dissect.target.plugins.os.windows.log.schedlgu.SchedLgUPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin for parsing the Task Scheduler Service transaction log file (SchedLgU.txt).

PATHS
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target), for example after checking that a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

schedlgu() -> Iterator[SchedLgURecord]

Return all events in the Task Scheduler Service transaction log file (SchedLgU.txt).

Older Windows systems may log .job tasks that get started remotely in the SchedLgU.txt file. In addition, this log file records when the Task Scheduler service starts and stops.

Adversaries may use malicious .job files to gain persistence on a system.

Yields:

ts (datetime) – The timestamp of the event.
job (str) – The name of the .job file.
command (str) – The command executed.
status (str) – The status of the event (finished, completed, exited, stopped).
exit_code (int) – The exit code of the event.
version (str) – The version of the Task Scheduler service.
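The following is an added, stand-alone example (not the dissect.target plugin's own code, and not its JOB_REGEX_PATTERN or SCHEDLGU_REGEX_PATTERN) showing how SchedLgU.txt-style lines are grouped into events and mapped onto the record fields listed above. The sample log, the regular expressions, the US-style timestamp format and the helper names (parse_schedlgu, nonzero_exit) are all assumptions made for this illustration; the real file layout may differ by Windows version and locale.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterator, List, Optional

# Constructed sample, modelled on the SchedLgU.txt layout (service header
# lines, job header lines with the executed command, indented event lines and
# a result line carrying the exit code). This is not a real capture.
SAMPLE_LOG = '''"Task Scheduler Service" 5.1.2600.5512
Started at 3/14/2012 8:03:37 AM
"At1.job" (cmd.exe)
\tStarted 3/14/2012 8:05:00 AM
"At1.job" (cmd.exe)
\tFinished 3/14/2012 8:05:02 AM
\tResult: The task completed with an exit code of (0).
"Backup.job" (backup.exe)
\tStarted 3/14/2012 9:00:00 AM
"Backup.job" (backup.exe)
\tFinished 3/14/2012 9:00:01 AM
\tResult: The task completed with an exit code of (1).
"Task Scheduler Service"
Exited at 3/14/2012 10:00:00 AM
'''

# Assumed patterns for this example (not the plugin's own regexes).
SERVICE_RE = re.compile(r'^"Task Scheduler Service"(?:\s+(?P<version>.+?))?\s*$')
SERVICE_EVENT_RE = re.compile(r'^\s*(?P<status>Started|Exited) at (?P<ts>.+?)\s*$')
JOB_RE = re.compile(r'^"(?P<job>[^"]+)"\s+\((?P<command>[^)]*)\)\s*$')
JOB_EVENT_RE = re.compile(
    r'^\s*(?P<status>Started|Finished|Completed|Exited|Stopped)\s+(?P<ts>.+?)\s*$'
)
RESULT_RE = re.compile(r'exit code of \((?P<code>-?\d+)\)')

# Assumption: timestamps are written in US "m/d/yyyy h:mm:ss AM/PM" form.
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"


@dataclass
class SchedLgU:
    """One event, with the same field names as the plugin's record."""
    ts: datetime
    job: str
    status: str
    command: Optional[str]
    exit_code: Optional[int]
    version: Optional[str]


def _groups(text: str) -> Iterator[List[str]]:
    """Split the log into groups: a quoted header line plus its continuation lines."""
    group: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('"') and group:
            yield group
            group = []
        group.append(line)
    if group:
        yield group


def parse_schedlgu(text: str) -> Iterator[SchedLgU]:
    """Yield one SchedLgU record per service or job event found in the text."""
    version: Optional[str] = None  # last service version seen, attached to later records
    for group in _groups(text):
        header, body = group[0], group[1:]
        svc = SERVICE_RE.match(header)
        if svc:
            if svc.group("version"):
                version = svc.group("version")
            for line in body:
                ev = SERVICE_EVENT_RE.match(line)
                if ev:
                    yield SchedLgU(datetime.strptime(ev["ts"], TS_FORMAT),
                                   "Task Scheduler Service", ev["status"].lower(),
                                   None, None, version)
            continue
        job = JOB_RE.match(header)
        if not job:
            continue  # unrecognised block: skip it rather than abort the whole file
        status, ts, exit_code = None, None, None
        for line in body:
            ev = JOB_EVENT_RE.match(line)
            if ev:
                status, ts = ev["status"].lower(), datetime.strptime(ev["ts"], TS_FORMAT)
                continue
            res = RESULT_RE.search(line)
            if res:
                exit_code = int(res["code"])
        if ts is not None and status is not None:
            yield SchedLgU(ts, job["job"], status, job["command"], exit_code, version)


def nonzero_exit(records: List[SchedLgU]) -> List[SchedLgU]:
    """Triage helper: job events that reported a non-zero exit code."""
    return [r for r in records if r.exit_code not in (None, 0)]


if __name__ == "__main__":
    for rec in parse_schedlgu(SAMPLE_LOG):
        print(rec)
```

Records are grouped by header line rather than parsed line-by-line because a job's status, timestamp and exit code are spread over two or three lines; feeding the output into a timeline alongside the service start/stop events is what makes remotely created .job executions stand out during a review.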