Loading date…
LinkedIn Twitter Instagram YouTube WhatsApp

Windows Event IDs 106, 140, and 141 Could Reveal Hidden Malware Persistence

byShubham Chaudhary
0
Read full article on Windows Event IDs 106, 140, and 141 Could Reveal Hidden Malware Persistence

Task Scheduler Logs Detection Guide: How SOC Teams Detect Persistence Using Event IDs 106, 140, and 141

One of the most dangerous things about modern cyberattacks is not the initial compromise — it’s what happens after the attacker gets inside.

In multiple ransomware investigations across enterprise Windows environments, attackers were found creating hidden scheduled tasks to maintain persistence. Even after passwords were reset and malware was removed, the attackers kept returning because of one overlooked Windows feature: Task Scheduler.

In one real-world SOC investigation, an attacker deployed a malicious PowerShell payload through a scheduled task that executed every 30 minutes under SYSTEM privileges. Traditional antivirus missed it completely. The only clue? A small but critical Windows log entry: Event ID 106.

This is why Task Scheduler logs are extremely important for threat hunting, persistence detection, ransomware investigations, and Windows forensic analysis.

In this article, we’ll break down how cybersecurity professionals use Task Scheduler logs to detect persistence mechanisms, investigate malicious scheduled tasks, and improve enterprise monitoring using Event IDs 106, 140, and 141.

Table of Contents

What Is Task Scheduler?

Read full article on What Is Task Scheduler?

Windows Task Scheduler is a built-in Microsoft utility that automates tasks based on triggers such as:

  • User logon
  • System startup
  • Specific time intervals
  • Idle system states
  • Application events

System administrators use it for backups, maintenance scripts, software updates, and monitoring tasks.

Attackers, however, use the exact same functionality for:

  • Persistence
  • Malware execution
  • Privilege escalation
  • Payload delivery
  • Lateral movement automation

Since Task Scheduler is a legitimate Windows component, malicious activity often blends into normal enterprise operations.

Why Attackers Abuse Scheduled Tasks?

Read full article on Why Attackers Abuse Scheduled Tasks?

Scheduled tasks are popular among threat actors because they are:

  • Native to Windows
  • Stealthy and trusted
  • Easy to automate
  • Capable of running with elevated privileges
  • Persistent across reboots

Threat groups including ransomware operators, banking trojans, and advanced persistent threat (APT) actors commonly abuse scheduled tasks.

Common malicious examples include:

  • Running encoded PowerShell commands every few minutes
  • Launching malware after user logon
  • Downloading payloads from remote servers
  • Re-establishing persistence after cleanup
  • Executing scripts under SYSTEM accounts

Many EDR and SOC teams now prioritize Task Scheduler monitoring because attackers continue using it successfully in modern attacks.

Understanding Task Scheduler Logs

Read full article on Understanding Task Scheduler Logs

Windows records Task Scheduler activity inside the following event log:

Applications and Services Logs
→ Microsoft
→ Windows
→ TaskScheduler
→ Operational

This log contains critical forensic evidence related to task creation, modification, execution, and deletion.

Among the most important Event IDs for detection engineering are:

Event ID Description Security Importance
106 Scheduled task created Persistence detection
140 Scheduled task updated Task hijacking detection
141 Scheduled task deleted Anti-forensics detection

Event ID 106 – Scheduled Task Created

Read full article on Event ID 106 – Scheduled Task Created

Event ID 106 is one of the most valuable logs for persistence detection.

It appears whenever a new scheduled task is created on the system.

Why It Matters?

Attackers frequently create scheduled tasks immediately after gaining access to a machine.

SOC analysts often correlate Event ID 106 with:

  • PowerShell execution
  • Suspicious parent-child processes
  • Encoded commands
  • Remote access tools
  • C2 callbacks

Suspicious Indicators

  • Tasks created in unusual directories
  • Randomized task names
  • Tasks created by non-admin users
  • PowerShell or CMD execution inside task actions
  • Tasks executing from Temp or AppData folders

Example Malicious Task

Task Name: WindowsUpdateCheck

Action:
powershell.exe -EncodedCommand SQBtACcAbQBhAGwAaQBjAGkAbwB1AHMAJwA=

This is commonly seen in malware persistence operations.

Event ID 140 – Task Updated

Read full article on Event ID 140 – Task Updated

Event ID 140 logs modifications to existing scheduled tasks.

This is extremely useful because attackers often avoid creating new tasks and instead modify legitimate ones.

Why Attackers Modify Existing Tasks?

  • Blends into normal system activity
  • Avoids detection rules focused on creation
  • Hijacks trusted scheduled tasks
  • Uses existing administrator-created jobs

Real SOC Detection Example

During a compromise investigation in a financial environment, analysts discovered that attackers modified an existing backup task.

The original backup executable was replaced with:

cmd.exe /c powershell -nop -w hidden -enc <base64_payload>

The task still appeared legitimate because the task name remained unchanged.

High-Risk Indicators

  • Changes to trusted scheduled tasks
  • PowerShell added to existing tasks
  • Task triggers changed unexpectedly
  • Tasks modified outside maintenance windows
  • Unauthorized users modifying tasks

Event ID 141 – Task Deleted

Read full article on Event ID 141 – Task Deleted

Event ID 141 records scheduled task deletions.

While deletion may appear harmless, it can actually signal attacker cleanup activity or anti-forensic behavior.

Why This Matters?

Threat actors frequently delete malicious scheduled tasks after:

  • Payload execution
  • Privilege escalation
  • Data exfiltration
  • Ransomware deployment
  • Persistence migration

This helps attackers reduce forensic evidence.

SOC Investigation Clue

If analysts observe:

  • Event ID 106 → Task Created
  • Malware execution
  • Event ID 141 → Task Deleted

…within a short time window, it strongly suggests malicious automation.

Real-World Persistence Attack Scenario

Read full article on SOC Real-World Persistence Attack Scenario

Imagine a ransomware operator gains access through a phishing email containing a malicious attachment.

After establishing initial access, the attacker executes:

schtasks /create /sc minute /mo 30 /tn "Windows Defender Update" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1"

This creates a scheduled task that runs every 30 minutes.

Windows generates:

  • Event ID 106 – Task created

The PowerShell script downloads additional malware from a remote server.

Later, the attacker updates the task:

  • Event ID 140 – Task updated

Finally, after deploying ransomware:

  • Event ID 141 – Task deleted

Without proper Task Scheduler monitoring, this entire persistence chain may go unnoticed.

SOC Investigation Guide

Read full article on SOC Investigation Guide

Step 1: Review Task Scheduler Operational Logs

Open Event Viewer:

Event Viewer
→ Applications and Services Logs
→ Microsoft
→ Windows
→ TaskScheduler
→ Operational

Filter logs using:

  • 106
  • 140
  • 141

Step 2: Identify Suspicious Task Names

Attackers commonly use names like:

  • WindowsUpdate
  • AdobeUpdater
  • ChromeUpdate
  • SecurityHealth
  • SystemMaintenance

These names are designed to appear legitimate.

Step 3: Inspect Task Actions

Look for:

  • PowerShell
  • CMD execution
  • Encoded commands
  • Network downloads
  • Execution from Temp/AppData

Step 4: Correlate With Other Logs

Combine Task Scheduler logs with:

  • PowerShell logs
  • Sysmon events
  • EDR telemetry
  • Windows Security logs
  • Network connections

This creates a stronger attack timeline.

Detection Techniques Used by SOC Teams

Read full article on Detection Techniques Used by SOC Teams

Monitor Task Creation Frequency

Sudden spikes in task creation may indicate malware automation.

Alert on PowerShell Usage

Tasks launching PowerShell are high-value detections.

Especially monitor:

  • -EncodedCommand
  • -ExecutionPolicy Bypass
  • -nop
  • -w hidden

Detect Tasks Running From User Directories

Legitimate enterprise tasks rarely execute from:

  • AppData
  • Temp
  • Downloads
  • Public folders

Hunt for SYSTEM-Level Persistence

Tasks running under SYSTEM accounts deserve immediate attention.

Baseline Normal Scheduled Tasks

Large organizations often maintain allowlists of approved scheduled tasks.

Anything outside the baseline becomes easier to investigate.

Prevention Strategies

Read full article on SOC Prevention Strategies

Enable Comprehensive Logging

Ensure Task Scheduler Operational logs are enabled across endpoints.

Use Sysmon

Sysmon provides enhanced visibility into process execution and persistence activity.

Implement EDR Rules

Create detections for:

  • PowerShell-based scheduled tasks
  • Encoded commands
  • Suspicious task names
  • Unauthorized task modifications

Restrict Administrative Privileges

Many malicious scheduled tasks require elevated access.

Applying least privilege principles reduces risk.

Monitor Remote Task Creation

Attackers often create tasks remotely using:

  • PsExec
  • WMI
  • PowerShell Remoting
  • RPC-based administration

Useful Commands for Analysts

Read full article on SOC Investigation Useful Commands for Analysts

List Scheduled Tasks

schtasks /query /fo LIST /v

What it does:
Displays all scheduled tasks with detailed information.

When to use:
During forensic investigations or persistence hunting.

Expected output:
Task names, triggers, execution paths, users, and scheduling details.

Create a Scheduled Task

schtasks /create /tn "Updater" /tr "powershell.exe -File C:\update.ps1" /sc hourly

What it does:
Creates a task that runs every hour.

Security relevance:
Attackers frequently abuse this method for persistence.

Delete a Scheduled Task

schtasks /delete /tn "Updater" /f

What it does:
Deletes a scheduled task forcefully.

Security relevance:
Can indicate attacker cleanup or anti-forensic activity.

Expert Tips From SOC Teams

Read full article on Expert Tips From SOC Teams
  • Always investigate scheduled tasks executing PowerShell silently.
  • Correlate Event ID 106 with suspicious outbound traffic.
  • Watch for task names imitating Microsoft software.
  • Attackers often schedule tasks shortly after phishing execution.
  • Scheduled tasks running every few minutes are highly suspicious.
  • Tasks deleted quickly after creation often indicate malware automation.
  • Use Sigma rules to standardize scheduled task detections across SIEM platforms.

FAQ

What are Task Scheduler logs used for in cybersecurity?

They help detect persistence mechanisms, malicious automation, malware execution, and attacker activity on Windows systems.

Where are Task Scheduler logs stored?

They are located under:

Applications and Services Logs
→ Microsoft
→ Windows
→ TaskScheduler
→ Operational

Why is Event ID 106 important?

It records newly created scheduled tasks, which attackers commonly use for persistence.

What does Event ID 140 indicate?

It shows an existing task was modified, which may indicate task hijacking.

Is Event ID 141 always malicious?

No. Administrators also delete tasks legitimately. However, rapid task deletion after suspicious activity is a strong indicator of attacker cleanup.

Do ransomware groups use scheduled tasks?

Yes. Many ransomware operators use scheduled tasks for payload execution, persistence, and automated attacks.

Can antivirus detect malicious scheduled tasks?

Sometimes, but many attacks evade traditional antivirus because Task Scheduler is a legitimate Windows component.

Conclusion

Task Scheduler logs are one of the most underrated sources of forensic evidence in Windows security monitoring.

While many defenders focus heavily on malware files and antivirus alerts, experienced attackers quietly rely on scheduled tasks to survive reboots, maintain persistence, and automate malicious operations.

Event IDs 106, 140, and 141 provide critical visibility into those activities.

For SOC analysts, DFIR teams, and threat hunters, monitoring Task Scheduler logs is no longer optional. It’s an essential layer of modern Windows detection engineering.

The organizations that successfully detect persistence early are usually the ones already watching these small but powerful log events before attackers move deeper into the environment.

Tags:
Shubham Chaudhary

Welcome to Xpert4Cyber! I’m a passionate Cyber Security Expert and Ethical Hacker dedicated to empowering individuals, students, and professionals through practical knowledge in cybersecurity, ethical hacking, and digital forensics. With years of hands-on experience in penetration testing, malware analysis, threat hunting, and incident response, I created this platform to simplify complex cyber concepts and make security education accessible. Xpert4Cyber is built on the belief that cyber awareness and technical skills are key to protecting today’s digital world. Whether you’re exploring vulnerability assessments, learning mobile or computer forensics, working on bug bounty challenges, or just starting your cyber journey, this blog provides insights, tools, projects, and guidance. From secure coding to cyber law, from Linux hardening to cloud and IoT security, we cover everything real, relevant, and research-backed. Join the mission to defend, educate, and inspire in cyberspace.

Post a Comment

Previous Post Next Post

WhatsApp Live Chat
Name
Email
Select Subject
MessageXpert4Cyber
Send WhatsApp
Talk to us?
×

🤖 Welcome to Xpert4Cyber

Xpert4Cyber shares cybersecurity tutorials, ethical hacking guides, tools, and projects for learners and professionals to explore and grow in the field of cyber defense.

🔒 Join Our Cybersecurity Community on WhatsApp

Get exclusive alerts, tools, and guides from Xpert4Cyber.

Join Now