How to audit Windows Task Scheduler for cyber-attack activity

Two recently discovered Windows zero-day attacks underscore the importance of monitoring for unauthorized tasks.

Google recently announced two zero-days that together affected the Chrome browser and the Windows 7 operating system. Google shipped a Chrome update for the browser bug, and Microsoft patched the Windows 7 flaw in its March 12 updates. So far the attack has been observed only on Windows 7; Google believes Windows 10 is not vulnerable to it because of its sandbox technologies.

To exploit the zero-days, an attacker delivers malicious JavaScript to a targeted 32-bit Windows 7 system. That JavaScript installs a back-door payload and then creates a scheduled task so the back door is launched again after a reboot, which is how the attacker achieves persistence. I've seen many attacks use Windows Task Scheduler to hide and set up tasks that further infiltrate a system. These two zero-days are a reminder to monitor Task Scheduler and to treat any newly added task as a possible sign of attack. In particular, look for Security event ID 4698, "A scheduled task was created"; the neighbouring IDs 4699 (deleted), 4700 (enabled), 4701 (disabled) and 4702 (updated) are worth collecting alongside it, because an attacker who modifies an existing task instead of creating a new one will not generate a 4698.

Enable event logging

Before you start looking for events, make sure auditing is actually enabled and decide how you will retain what it produces. The Security log is very busy and old events are overwritten quickly, so forward it to a central collector or at least raise its maximum size. Event 4698 is written only when the "Other Object Access Events" subcategory (under Object Access in Advanced Audit Policy) is enabled, and it is not enabled by default. A Windows 7 host may have no auditing configured at all, and even a Windows 10 host will not record new tasks until that subcategory is switched on.
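The following PowerShell is an added example (it is not from the original article) that carries the procedure above through end to end: it enables the audit subcategory that produces 4698, enlarges the Security log so the events survive long enough to be reviewed, and then pulls recent task-creation events apart so you can see who created each task, what it runs and as which account. The function name, the seven-day window, the 256 MB log size and the "suspicious path" pattern at the bottom are my own choices, not settings the article prescribes. It assumes an elevated session on a Windows 7 or later host.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the host you want to audit (Windows 7 or later).

# 1. Make sure the audit subcategory that produces event 4698 is on.
#    Task creation (4698), deletion (4699), enable (4700), disable (4701)
#    and update (4702) are all logged under "Other Object Access Events"
#    in the Object Access category. Note that a domain Group Policy that
#    defines advanced audit settings will overwrite this local change.
auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

# 2. Give the Security log room so 4698 events are not overwritten before
#    you look at them (256 MB here, an assumed value; adjust to your
#    retention policy, and forward the log to a collector for the long term).
wevtutil.exe sl Security /ms:268435456

# 3. Pull every task-creation event from the last N days and extract the
#    fields an analyst cares about from the task XML embedded in the event.
function Get-ScheduledTaskCreationEvents {
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Event data fields (SubjectUserName, TaskName, TaskContent, ...) come
        # back as <Data Name="..."> elements in the event XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TaskContent is the full task definition XML that Task Scheduler stored.
        $task = [xml]$data['TaskContent']
        $ns   = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
        $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Computer  = $evt.MachineName
            Subject   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            TaskName  = $data['TaskName']
            Command   = $task.SelectSingleNode('//t:Exec/t:Command', $ns).InnerText
            Arguments = $task.SelectSingleNode('//t:Exec/t:Arguments', $ns).InnerText
            RunAs     = $task.SelectSingleNode('//t:Principal/t:UserId', $ns).InnerText
            RunLevel  = $task.SelectSingleNode('//t:Principal/t:RunLevel', $ns).InnerText
            Triggers  = ($task.SelectNodes('//t:Triggers/*', $ns) | ForEach-Object { $_.LocalName }) -join ','
        }
    }
}

# 4. Review the results. As a first cut, flag tasks whose action runs from a
#    user-writable or temporary location, a common home for dropped payloads.
#    The pattern is an assumption for illustration; tune it to your estate.
$suspiciousPath = '\\(Users|Temp|AppData|ProgramData|Public)\\'
Get-ScheduledTaskCreationEvents -Days 7 |
    Where-Object { $_.Command -match $suspiciousPath -or $_.Arguments -match $suspiciousPath } |
    Format-Table Time, Subject, TaskName, RunAs, RunLevel, Command, Arguments -AutoSize
```

Run `auditpol.exe /get /subcategory:"Other Object Access Events"` afterwards to confirm the setting took effect; if it reverts at the next policy refresh, the subcategory has to be enabled in Group Policy instead. Drop the `Where-Object` filter to see every task created in the window, and compare the `Subject` and `RunAs` columns: a task created by an ordinary user that runs as SYSTEM with `HighestAvailable` run level deserves a closer look regardless of where its binary lives.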
