

Windows Server: How to Detect Who Created a Scheduled Task in Real Time

Why It Is Important

A scheduled task created on a Windows Server by someone who does not belong to your IT department can be a sign of compromise: scheduled tasks are a common way for malware and intruders to persist on a host and run their payload, which can end in sensitive data leakage. To reduce this risk, monitor scheduled task creation in real time rather than discovering it during a later review of the Security log.

Native Auditing

1. Run eventvwr.msc → Windows Logs → right-click the "Security" log → Properties:

  • Make sure the "Enable logging" check box is selected.
  • Increase the maximum log size to at least 4 GB. Event 4698 itself is rare, but the Security log fills quickly with logon and object-access events, and a small log overwrites the creation event before anyone looks at it.

2. Set the retention method to "Overwrite events as needed".

3. Event 4698 (a scheduled task was created) is written only when the "Audit Other Object Access Events" subcategory is enabled for Success. Run secpol.msc → Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit Other Object Access Events → check "Success". On domain-joined servers set this in a GPO, because the domain policy overrides the local setting. Then open Event Viewer and filter the Security log (not the Application log) for event ID 4698 to see the most recently created scheduled tasks; the event lists the creator under "Subject" and the task name and full task XML under "Task Information".


4. To get an instant alert after every scheduled task creation, edit the following PowerShell script with your own parameters (follow the comments) and save it, for example as detectst.ps1:

$Subject = "New Scheduled Task Has Been Created"   # Message subject
$Server  = "smtp.server"                            # SMTP server
$From    = "From@domain.com"                        # Sender address (grant anonymous relay on the SMTP server if needed)
$To      = "To@domain.com"                          # Recipient
$Pwd     = ConvertTo-SecureString "enterpassword" -AsPlainText -Force   # Sender account password
# Warning: the password is stored in clear text in this file. Use a dedicated, minimally privileged
# mailbox for the sender and restrict the script's NTFS permissions to administrators only.
$Cred     = New-Object System.Management.Automation.PSCredential($From, $Pwd)   # Sender account credentials
$encoding = [System.Text.Encoding]::UTF8   # UTF-8 so the message body displays correctly

# Pull the most recent 4698 (scheduled task created) event from the Security log and extract the
# creator and the task name from the event's XML payload.
$Event = Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4698} -MaxEvents 1
$Body  = $Event | Select-Object TimeCreated, MachineName,
    @{n="Task Creator";        e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | % {$_.'#text'}}},
    @{n="Scheduled Task Name"; e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "TaskName"}        | % {$_.'#text'}}} |
    Format-List | Out-String   # Out-String: without it "$Body" would be sent as an unreadable @{...} object dump

# Send the e-mail.
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body $Body -Subject $Subject -Credential $Cred -Encoding $encoding

5. Run Task Scheduler → Create Task → enter a name → Triggers tab → New → set the following options:

  • Begin the task: On an event
  • Log: Security
  • Source: leave blank
  • Event ID: 4698

6. Go to the Actions tab → New → set the following parameters:

  • Action: Start a program
  • Program/script: powershell.exe
  • Add arguments: -NoProfile -ExecutionPolicy Bypass -File "C:\path\to\detectst.ps1"

  On the General tab choose "Run whether user is logged on or not" and an account that can read the Security log (SYSTEM, a local administrator, or a member of the Event Log Readers group); otherwise Get-WinEvent in the script fails silently and no mail is sent.

7. You will now receive an e-mail for every scheduled task created on the server, containing the creation time, the computer name, the task name and the account that created it. Registering the alert task itself writes a 4698 event, so the first e-mail you receive is a test of the whole chain. One caveat: the script reports the single most recent 4698 event, so if two tasks are created within a few seconds both alerts may describe the same task; check the Security log directly when that happens.
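The procedure above depends on the audit subcategory being enabled, on the creator and task name being pulled out of the event XML, and on an event-triggered task being registered by hand. The following is an added example, not code from the original article or from Netwrix, that does the same three things from PowerShell and goes one step further on the detection side: it also parses the TaskContent field of the event, which carries the full task definition, so the alert can report the command line the new task will execute and the account it runs as. The sample event is constructed for offline testing, and the script path, task name and host names are assumed placeholders.

```powershell
# Added example (not from the original article). Names marked "assumed" are placeholders.

# (1) Event 4698 is logged only when "Other Object Access Events" is audited for Success.
#     auditpol /r prints CSV; the "Inclusion Setting" column holds Success / Failure / No Auditing.
function Test-TaskAuditEnabled {
    $row = auditpol /get /subcategory:"Other Object Access Events" /r | ConvertFrom-Csv
    return [bool]($row.'Inclusion Setting' -match 'Success')
}

# (2) Flatten a 4698 event into one record. TaskContent is the task's XML definition, so the
#     command the task runs and the principal it runs as can be reported, not just its name.
function ConvertFrom-TaskCreatedEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $task = [xml]$data['TaskContent']
    $ns = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    $exec = $task.SelectSingleNode('//t:Actions/t:Exec', $ns)
    [pscustomobject]@{
        TimeCreated = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Computer    = $EventXml.Event.System.Computer
        Creator     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        TaskName    = $data['TaskName']
        RunAs       = $task.SelectSingleNode('//t:Principals/t:Principal/t:UserId', $ns).InnerText
        Command     = $(if ($exec) { $exec.SelectSingleNode('t:Command', $ns).InnerText })
        Arguments   = $(if ($exec) { $exec.SelectSingleNode('t:Arguments', $ns).InnerText })
    }
}

# Constructed sample 4698 event (not a real capture): CORP\jdoe creates a task named \Updater that
# runs a hidden, encoded PowerShell command as SYSTEM, a common persistence pattern.
$sampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><TimeCreated SystemTime="2024-05-01T10:15:30Z"/><Computer>SRV01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TaskName">\Updater</Data>
    <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;&lt;Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Principals&gt;&lt;Principal id="Author"&gt;&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;&lt;/Principal&gt;&lt;/Principals&gt;&lt;Actions Context="Author"&gt;&lt;Exec&gt;&lt;Command&gt;powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-nop -w hidden -enc SQBFAFgA&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>
'@
ConvertFrom-TaskCreatedEvent $sampleEvent | Format-List   # offline check of the parser

# Live use: recent creations, minus creators you expect (assumed list). Needs rights to read the Security log.
$expectedCreators = @('NT AUTHORITY\SYSTEM', 'CORP\svc_backup')
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4698} -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-TaskCreatedEvent ([xml]$_.ToXml()) } |
    Where-Object { $expectedCreators -notcontains $_.Creator }

# (3) Register the alert task of steps 5 and 6 from the shell. New-ScheduledTaskTrigger has no
#     "on an event" option, so the trigger is built from the MSFT_TaskEventTrigger CIM class.
function Register-TaskCreatedAlert {
    param([string]$ScriptPath = 'C:\Scripts\detectst.ps1',          # assumed path to the mail script
          [string]$TaskName   = 'Alert-ScheduledTaskCreated')       # assumed task name
    $trigger = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger |
               New-CimInstance -ClientOnly
    $trigger.Enabled      = $true
    $trigger.Subscription = '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[(EventID=4698)]]</Select></Query></QueryList>'
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    # SYSTEM can read the Security log; an ordinary user account cannot unless it is in Event Log Readers.
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force
}
```

Run Test-TaskAuditEnabled first; if it returns False the trigger will never fire, whatever the task looks like. Registering the alert task with Register-TaskCreatedAlert produces a 4698 event of its own, which is a convenient end-to-end test of the mail pipeline. Reporting Command and Arguments matters in practice: a task named "Updater" created by a help-desk account is unremarkable until you see that it runs an encoded, hidden PowerShell command as SYSTEM, and that detail is in the event already, so there is no reason to leave it out of the alert.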


Credits

Originally posted - https://www.netwrix.com/how_to_detect_scheduled_task_creation.html