How to audit Windows Task Scheduler to detect attacks

Susan Bradley here for CSO Online, with a reminder that perhaps you need to adjust how you are doing your auditing on your systems. Recently a Windows 7 zero-day was identified by Google and used in targeted attacks against Windows 7 machines. The good news is that it has since been patched and protected against in the March updates, but it showcases how often attackers use back doors, and use tasks to hide from us. In this particular instance they used a scheduled task to set up and achieve persistence on the system. Now, if you didn't have auditing turned on and weren't specifically looking for new scheduled tasks, you might miss that your machines had been attacked.

The specific auditing we have to turn on is something called Audit object access. But as you can see, it's normally not enabled, and in order to enable it you have to do a couple of steps. The first thing you need to do is go into the Security Options and force a policy subcategory setting, called "Audit: Force audit policy subcategory settings to override audit policy category settings". I know, it sounds a bit of a mouthful, doesn't it, but it turns on additional auditing techniques. Once you've set up that setting for additional auditing, I want you to go to the command line and do a quick auditpol /get /category:*. This will show you what is already enabled on your systems. Now I recommend that you go up and turn on object auditing, and you want it for success and failure. You can also have it for just success; it's your call. You'll need to examine your systems and see if you've got the necessary space on your system. It is a very chatty setting, but if you're concerned about targeted attacks, especially attackers coming after you and setting up tasks specifically to go after you again, this is something you may want to look at. So if you haven't reviewed your auditing, this is the time to do it. Until next time.
This is Susan Bradley for CSO Online.
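The procedure described above, turned into a script. This is an added example, not code from the CSO Online piece or from its author. It assumes an elevated PowerShell session on a Windows host. One practitioner's detail the video does not spell out: within the Object Access category, scheduled-task registration is recorded by the "Other Object Access Events" subcategory as Security event ID 4698 (deletion, enable, disable and update are 4699 to 4702), so the script enables that subcategory rather than the whole category to keep the log volume down, then pulls recent 4698 events and extracts the task name, the account that registered it, the account it runs as, and the command it executes from the TaskContent XML carried in the event. The registry value, command-line flags and event fields used are the documented ones; the function name Get-NewScheduledTask and the seven-day look-back are this example's own choices.

```powershell
# Added example: enable the auditing the video describes and review newly registered
# scheduled tasks. Run from an elevated PowerShell prompt. Settings made with auditpol.exe
# are local; on a domain member, Group Policy (Advanced Audit Policy Configuration) will
# reapply whatever the GPO says at the next refresh, so put them in the GPO for a fleet.

# 1. Security option "Audit: Force audit policy subcategory settings (Windows Vista or later)
#    to override audit policy category settings" = Enabled. It is backed by this registry value.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Show what is already enabled (the "auditpol /get /category:*" check from the video).
auditpol.exe /get /category:*

# 3. Task creation/deletion/update are logged by the "Other Object Access Events"
#    subcategory of Object Access (event IDs 4698-4702). Enabling only this subcategory is
#    far less chatty than every Object Access subcategory (file shares, filtering platform,
#    registry, ...). Success and Failure, as the video recommends.
auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

# Optional: the whole Object Access category, if you have the Security log space for it.
# auditpol.exe /set /category:"Object Access" /success:enable /failure:enable

# 4. List scheduled tasks registered since a given time and summarise what they run.
function Get-NewScheduledTask {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = $Since }
    # -ErrorAction SilentlyContinue: Get-WinEvent raises a non-terminating error when no
    # events match, which is the normal case on a quiet host.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TaskContent is the task's own XML definition (the same XML schtasks /xml exports);
        # the Exec action(s) inside it tell you what actually gets launched.
        $task = [xml]$data['TaskContent']
        $exec = $task.Task.Actions.Exec

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            TaskName    = $data['TaskName']
            CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            RunAs       = $task.Task.Principals.Principal.UserId
            Command     = $exec.Command
            Arguments   = $exec.Arguments
        }
    }
}

# Review the last week of task registrations, newest first.
Get-NewScheduledTask -Since (Get-Date).AddDays(-7) |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

When triaging the output, the interesting rows are tasks whose Command points at a user-writable location (a profile, Temp, ProgramData) or at a script host such as powershell.exe, cmd.exe, wscript.exe or rundll32.exe with encoded or downloaded arguments, and tasks registered by an interactive user but running as SYSTEM or a service account. The Microsoft-Windows-TaskScheduler/Operational log also records registrations (event 106) when it is enabled, but it does not carry the task XML, so the Security-log 4698 event is the one to build detections on.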