Two recently discovered Windows zero-day attacks underscore the importance of monitoring for unauthorized scheduled tasks.

Google recently announced two zero-days that, used together, affected the Chrome browser and the Windows 7 operating system. Google released a Chrome update to protect users from the browser bug, and Microsoft patched the Windows 7 zero-day with the March 12 updates. So far the attack has only been seen on Windows 7; Google believes that Windows 10 is not vulnerable to the attack because of its sandbox technologies.

To exploit the zero-days, an attacker delivers the exploit to a targeted 32-bit Windows 7 machine through malicious JavaScript. That JavaScript installs a backdoor payload and then creates a scheduled task in the operating system to achieve persistence. I've seen many attacks use Windows Task Scheduler to hide and set up tasks that further infiltrate the system. The two zero-days are a reminder to monitor Task Scheduler and any newly added tasks for signs of attack. In particular, look for event ID 4698 ("A scheduled task was created").

Enable event logging

Before you start looking for events, first ensure that logging is fully enabled, and consider an extended logging process (such as forwarding to a central collector) that captures and retains the events. The Security log in particular is very active, and at its default size events are overwritten quickly. Logging might not be enabled on Windows 7, and even Windows 10 might not have object access auditing enabled, so new tasks would never appear in the log. To check whether logging is enabled, run eventvwr.msc, expand "Windows Logs", right-click "Security", and choose "Properties". Make sure the "Enable logging" check box is selected and increase the maximum log size to at least 1 gigabyte so that you have the space needed to retain the events.

Windows task auditing setup

Next, enable "Audit Other Object Access Events" auditing (in the "Object Access" category). It's a two-step process.
First, set the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled". This makes the detailed auditing subcategories (the ones auditpol manages) take precedence over the legacy category-level settings. You can set it in Group Policy or in the local security policy of the machine. At this point, launch an administrator command prompt to review your current settings: type auditpol /get /category:* to list what is currently in place for auditing.

Screenshot: Review audit settings

Then, configure the Group Policy value: go to "Computer Configuration", then "Windows Settings", then "Security Settings", then "Advanced Audit Policy Configuration", then "System Audit Policies", then "Object Access", then "Audit Other Object Access Events", and select both "Success" and "Failure". With the necessary logging in place, you can start monitoring, and ideally alerting yourself, whenever a task is added to a machine under your control.

Screenshot: Enable object access

Now comes the fun part: filtering out what is normal and what is not. If you haven't turned on object access auditing before, you'll need to watch the activity for a while to learn the normal "noise" of the security log. For example, once you turn on auditing, you'll notice that many legitimate processes create tasks on your machines. Learning what is normal is key to identifying abnormal conditions so that you can write queries in your log management system. For example, the normal Windows Update process sets up temporary tasks:

Screenshot: Normal scheduled task created

Scroll down in the event window and you can see that the Microsoft update process created the task. Events like that are expected; what you want to focus on are task-creation events that could come from malicious software.
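The setup above and the first pass at separating noise from signal, as an added example that is not part of the original article. The script runs in an elevated Windows PowerShell (3.0 or later) session on the monitored host. The wevtutil and auditpol switches and the SCENoApplyLegacyAuditPolicy registry value are the standard ways to set what the GUI steps set; the known-good task prefixes and the suspicious-command patterns are illustrative assumptions that you would tune against your own baseline, and the helper function names are mine.

```powershell
# Added example, not from the original article. Run elevated on the host.
# Assumes Windows PowerShell 3.0+ and the Security log's 4698 event schema
# (SubjectUserName, SubjectDomainName, SubjectLogonId, TaskName, TaskContent).
#Requires -RunAsAdministrator

# --- Step 1: Security log on, 1 GiB maximum, overwrite oldest as needed ---
wevtutil sl Security /e:true /ms:1073741824 /rt:false

# --- Step 2: subcategory auditing for "Other Object Access Events" --------
# This registry value is the "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings" option.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsaKey -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Event 4698 (task created) is logged under Object Access > Other Object Access Events.
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Other Object Access Events"

# --- Step 3: pull 4698 events and triage them ----------------------------
# Assumption: task paths you have already baselined as benign on your estate.
$knownGoodPrefixes = @(
    '\Microsoft\Windows\UpdateOrchestrator\',
    '\Microsoft\Windows\WindowsUpdate\'
)
# Assumption: script hosts and LOLBins that rarely belong in a new task's action.
$suspiciousHosts = 'powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe'
# Assumption: locations a non-admin user (or a dropped payload) can write to.
$userWritable    = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'

function ConvertFrom-TaskEvent {
    # Flatten one 4698 record into the fields an analyst wants to see.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # TaskContent is the full task definition, itself an XML document.
    $task = [xml]$d['TaskContent']
    $exec = @($task.Task.Actions.Exec)
    [pscustomobject]@{
        Time     = $Event.TimeCreated
        Creator  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        LogonId  = $d['SubjectLogonId']
        TaskName = $d['TaskName']
        Command  = ($exec | ForEach-Object { "$($_.Command) $($_.Arguments)".Trim() }) -join '; '
        RunAs    = $task.Task.Principals.Principal.UserId
        Hidden   = ($task.Task.Settings.Hidden -eq 'true')
    }
}

function Get-TaskCreationEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-TaskEvent -Event $_ }
}

function Test-SuspiciousTask {
    # Returns the task with a Reasons column when something looks off, else nothing.
    param([pscustomobject]$Task)
    foreach ($p in $knownGoodPrefixes) { if ($Task.TaskName -like "$p*") { return } }
    $reasons = @()
    if ($Task.Command -match $suspiciousHosts) { $reasons += 'script host or LOLBin' }
    if ($Task.Command -match $userWritable)    { $reasons += 'runs from user-writable path' }
    if ($Task.Hidden)                          { $reasons += 'task is hidden' }
    if ($reasons.Count -gt 0) {
        $Task | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join ', ') -PassThru
    }
}

# Review the last week of task creations that survived the noise filter.
Get-TaskCreationEvents -Since (Get-Date).AddDays(-7) |
    ForEach-Object { Test-SuspiciousTask -Task $_ } |
    Format-Table Time, Creator, TaskName, Command, RunAs, Reasons -AutoSize
```

Run Step 3 on its own for a few days before trusting the prefix list; every legitimate product that registers a task will show up until you baseline it. The same TaskContent parsing applies to event 4702 ("A scheduled task was updated"), which is worth pulling too, because an attacker can repoint an existing benign task instead of creating a new one.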
Screenshot: Examine log file for abnormal events

You'll also find numerous resources on the web and on GitHub with recommended auditing levels and guidance on setting up Windows Event Forwarding. You can even combine Event Forwarding with Power BI to build an intrusion console.

Bottom line: Ensure that you are auditing, logging and monitoring for abnormalities in your organization. Task scheduling is just one of many key audit values that should be monitored. I'll be covering more key audit events to monitor in upcoming tips.