The Job object is used by Scheduled Job Activity and Job Query. I'm afraid it is a long way from being able to adequately describe Windows scheduled jobs.
The biggest issue is that the current definition misses the fact that on Windows a scheduled job can have a sequence of multiple independent actions associated with it. The Job object however has just a singular cmd_line attribute so it is not possible to represent these actions.
Moreover, an individual action doesn't necessarily involve executing a command line. Windows supports three other action types (COM action, email action, message action) whose information needs to be represented differently.
Next up, and I appreciate that this may blow minds, a Windows scheduled job doesn't even have to be executed on a schedule! Zero or more triggers can be associated with a job to control when it runs. A time-based schedule is certainly one trigger but multiple system events can also be used, and these are very important from a security perspective.
Lastly, Job has an ambiguously described file attribute ("The file that pertains to the job.") which is required. If this refers to the on-disk representation of the scheduled job then I would say that this should not be required. Yes, such a file exists on Windows but it is an internal implementation detail of the Scheduler and not documented by MS. If on the other hand the file attribute refers to a binary image or script file that gets executed by the scheduled job, then we fall into the same issue as the cmd_line attribute, i.e. unable to represent multiple actions.
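To make the shape of the problem concrete, here is an added example (not part of the issue above and not code from the schema project) that parses a Windows Task Scheduler task definition, the XML format the Scheduler itself uses and exports, into a record with a list of actions and a list of triggers. The namespace `http://schemas.microsoft.com/windows/2004/02/mit/task` and the element names (`Exec`, `ComHandler`, `SendEmail`, `ShowMessage`, `CalendarTrigger`, `EventTrigger`, `LogonTrigger`, ...) are Microsoft's; the sample task, the field names of the output record and the `event_driven_triggers` helper are this example's own choices, not an existing schema.

```python
"""Normalize a Windows Task Scheduler task definition into a record that keeps
every action and every trigger, instead of a single cmd_line/file attribute.

The sample task below is constructed for this example; it is not a real task.
"""
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: three triggers (daily calendar, System-log event, a
# disabled logon trigger) and three independent actions of different kinds.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\Example\Maintenance</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
    <EventTrigger>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[EventID=7036]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
    <LogonTrigger><Enabled>false</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c cleanup.bat</Arguments>
    </Exec>
    <ComHandler>
      <ClassId>{00000000-0000-0000-0000-000000000000}</ClassId>
    </ComHandler>
    <ShowMessage>
      <Title>Maintenance</Title>
      <Body>Cleanup finished</Body>
    </ShowMessage>
  </Actions>
</Task>
"""

# Trigger kinds that are genuinely time-based; everything else fires on an event.
TIME_TRIGGERS = {"CalendarTrigger", "TimeTrigger"}


def _text(elem, path):
    """Return stripped text of a namespaced child, or None if absent."""
    node = elem.find(path, NS) if elem is not None else None
    return (node.text or "").strip() if node is not None else None


def _local(tag):
    """Strip the {namespace} prefix from an element tag."""
    return tag.split("}")[-1]


def parse_actions(task):
    """Map each <Actions> child to a typed action record (hypothetical shape)."""
    actions_elem = task.find("t:Actions", NS)
    if actions_elem is None:
        return []
    actions = []
    for elem in actions_elem:
        kind = _local(elem.tag)
        if kind == "Exec":
            actions.append({"type": "exec", "command": _text(elem, "t:Command"),
                            "arguments": _text(elem, "t:Arguments")})
        elif kind == "ComHandler":
            actions.append({"type": "com", "class_id": _text(elem, "t:ClassId"),
                            "data": _text(elem, "t:Data")})
        elif kind == "SendEmail":
            actions.append({"type": "email", "to": _text(elem, "t:To"),
                            "subject": _text(elem, "t:Subject")})
        elif kind == "ShowMessage":
            actions.append({"type": "message", "title": _text(elem, "t:Title"),
                            "body": _text(elem, "t:Body")})
        else:
            actions.append({"type": "unknown", "tag": kind})
    return actions


def parse_triggers(task):
    """Map each <Triggers> child to a trigger record, keeping the enabled flag."""
    triggers_elem = task.find("t:Triggers", NS)
    if triggers_elem is None:
        return []
    triggers = []
    for elem in triggers_elem:
        kind = _local(elem.tag)
        trig = {"type": kind, "enabled": _text(elem, "t:Enabled") != "false"}
        if kind == "EventTrigger":
            trig["subscription"] = _text(elem, "t:Subscription")
        elif kind in TIME_TRIGGERS:
            trig["start"] = _text(elem, "t:StartBoundary")
        triggers.append(trig)
    return triggers


def parse_task(xml_text):
    """Parse a task definition into a record with action and trigger lists."""
    task = ET.fromstring(xml_text)
    return {"uri": _text(task, "t:RegistrationInfo/t:URI"),
            "triggers": parse_triggers(task),
            "actions": parse_actions(task)}


def event_driven_triggers(record):
    """Enabled triggers that are not time schedules: the ones worth reviewing."""
    return [t for t in record["triggers"]
            if t["enabled"] and t["type"] not in TIME_TRIGGERS]


if __name__ == "__main__":
    rec = parse_task(SAMPLE_TASK_XML)
    print(rec["uri"], "actions:", [a["type"] for a in rec["actions"]])
    print("event-driven:", [t["type"] for t in event_driven_triggers(rec)])
```

Run against the constructed sample, `parse_task` yields three actions (exec, com, message) and three triggers, of which only the `EventTrigger` is both enabled and event-driven; a single `cmd_line` or `file` field could carry at most the first `Exec` action and would lose the COM handler, the message and every trigger. The XML for a real task comes from `schtasks /Query /XML` or `Export-ScheduledTask`, both of which emit this format.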