Unusual Scheduled Task Discovery: UpdateCheck

Upon inspection of a Windows system, you stumble upon a peculiarly named scheduled task dubbed "UpdateCheck." This task is set to execute a PowerShell script housed at C:\Windows\Temp\update.ps1.

What key indicators do you examine to investigate the occurrence of an incident?

You're unable to swiftly access the file system for immediate file retrieval. However, you can presume access to other essential digital evidence sources like system logs and network data.

Possible Solution

• Discover the creation time of the scheduled task by examining security event logs.
• Make a note of its scheduled runtime.
• Utilize this information to investigate PowerShell logs around that timeframe.

-- Team ZeroDayNinjas --