How to audit Windows Task Scheduler for cyber-attack activity

Two recently discovered Windows zero-day attacks underscore the importance of monitoring for unauthorized tasks.

security audit - risk assessment - network analysis

Recently Google announced two zero-days that impacted both the Chrome browser and Windows 7 operating system. Google released an update to Chrome to protect users from the issue, and Microsoft patched the Windows 7 zero-day with the March 12 updates. At this time the attack is only seen on Windows 7, and Google believes that Windows 10 is not vulnerable to the attack due to its sandbox technologies.

To exploit the zero-days, an attacker would deliver an exploit to targeted Windows 7 32-bit platforms using a malicious Javascript. That Javascript would then install a back-door payload and run a task to add a scheduled task in the operating system and perceive persistence. I’ve seen many attacks use Windows Task Scheduler to hide and setup various tasks to further infiltrate the system. The two zero-days are a reminder to monitor Task Scheduler and any new tasks added for possible attacks. In particular, you want to look for event 4698.

Enable event logging

Before you start looking for events, first ensure that logging is fully enabled and you are considering an extended logging process that will capture and save the logging events. The security log in particular is very active and events are overwritten quickly. You might not have logging enabled on Windows 7, and even Windows 10 might not have object logging enabled to see if new tasks are set.

To review if logging is enabled, first run eventvwr.msc then click on “Windows Logs”. Then right-click "Security log”, and then on “Properties”. Make sure the "Enable logging" check box is selected and increase the log size to at least 1 gigabyte to ensure you have the space needed to capture the events.

Windows task auditing setup

Next, enable "Other Object Access Events" auditing (in the "Object Access" category). It’s a two-step process. First, set the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled". This enables “auditol” for the detailed auditing subcategories. You can set it in Group Policy or in the local security policy of the machine. Launch an administrator command prompt at this point to review what default settings you have. Type auditpol /get /category:* to list what is currently in place for auditing.

bradley audit task 1 Susan Bradley

Review audit settings

Then, configure the Group Policy value by going to “Computer Configuration”, then to “Windows Settings”, then to “Security Settings”, then to “Advanced Audit Policy Configuration”, then to “System Audit Policies”, then to “Object Access,” then to "Audit Other Object Access Events" with “Success” and "Failure" selected. Now that you have the necessary logging in place, you can start the process of monitoring and ideally alerting yourself to when a task is added to our machines under our control.

bradley audit task 2 Susan Bradley

Enable object access

Now comes the fun part of filtering out what is normal and what is not. If you haven’t turned on object access auditing before, you’ll need to monitor the activities to identify the normal “noise” of a security log. For example, once you turn on auditing, you’ll notice that many normal processes create tasks on your machines. Thus monitoring your systems to see what is normal is key to identifying abnormal conditions so you can run queries in your log management systems.

For example, the normal windows updating process sets up temporary tasks:

bradley audit task 3 Susan Bradley

Normal scheduled task created

Once you scroll down the event window you can see that the Microsoft updating process created the task. Instead, you want to focus on events that could be created by malicious software.

bradley audit task 4 Susan Bradley

Examine log file for abnormal events

You’ll also find numerous resources on the web and on GitHub for recommended auditing levels as well as recommendations for setting up Windows event forwarding. You can even use Event Forwarding along with PowerBI to build an intrusion console.

Bottom line: Ensure that you are auditing, logging and monitoring abnormalities in your organization. Task scheduling is just one of many key auditing values that should be monitored. I’ll be covering more key audit events to monitor in upcoming tips.

Copyright © 2019 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)