How to Detect Who Created a Scheduled Task on Windows Server


Native Auditing vs. Netwrix Auditor for Windows Server

Native Auditing

Steps
  1. Run eventvwr.msc → Windows Logs → right-click the "Security" log → Properties:
    • Make sure the "Enable logging" check box is selected.
    • Increase the maximum log size to at least 1 GB.
  2. Set the retention method to "Overwrite events as needed".
  3. Open Event Viewer and filter the Security log for event ID 4698 to find the most recently created scheduled tasks.
  4. To get an instant alert after every scheduled task creation, edit the following PowerShell script by setting your own parameters (follow the comments) and save it as, for example, detectst.ps1:

    $Subject = "New Scheduled Task Has Been Created" # Message subject
    $Server = "smtp.server" # SMTP server
    $From = "From@domain.com" # Sender address (add anonymous logon permission on the SMTP server if needed)
    $To = "To@domain.com" # Recipient address
    $Pwd = ConvertTo-SecureString "enterpassword" -AsPlainText -Force # Sender account password
    # (Warning! Use a very restricted account for the sender, because the password stored in the script is not encrypted)
    $Cred = New-Object System.Management.Automation.PSCredential("From@domain.com", $Pwd) # Sender account credentials
    $encoding = [System.Text.Encoding]::UTF8 # UTF-8 encoding so the message displays correctly
    # Read the newest 4698 (scheduled task created) event from the Security log and pull out the creator and task name
    $Body = Get-WinEvent -FilterHashtable @{LogName="Security";ID=4698} |
        Select-Object TimeCreated, MachineName,
            @{n="Task Creator";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | % {$_.'#text'}}},
            @{n="Scheduled Task Name";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "TaskName"} | % {$_.'#text'}}} |
        Select-Object -First 1 | Out-String
    # Send the e-mail
    Send-MailMessage -From $From -To $To -SmtpServer $Server -Body $Body -Subject $Subject -Credential $Cred -Encoding $encoding

  5. Run "Task Scheduler" → Create a new scheduled task → Enter its name → Triggers tab → New trigger → Set up the following options:
    • Begin the task: On an event
    • Log – Security
    • Source – blank
    • Event ID – 4698
  6. Go to the "Actions" tab → New action with the following parameters:
    • Action – Start a program
    • Program/script: powershell
    • Add arguments (optional): -File "filepath to our script"
    • Click "OK".
  7. Now you will be notified by e-mail about every scheduled task created on your Windows Server; the message contains the task creation time, the task name, the computer on which the task was created and the name of the creator.
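The XML parsing the script above does inline, as an added example that is not part of the original article: a PowerShell function that extracts the creator and task name from a 4698 event and goes one step further by reading the event's TaskContent field to show which command the new task runs and as whom; the sample event and all its values are constructed for illustration.

```powershell
# Added example, not part of the original article: parse a Security 4698 event into a summary
# that also shows what the task runs (its TaskContent), which the article's script does not extract.
# Field names follow the 4698 event schema. 4698 is logged only when the "Audit Other Object
# Access Events" subcategory (Object Access) is enabled for Success.
function ConvertFrom-TaskCreationEvent {
    param(
        [Parameter(Mandatory)][string]$EventXml,  # output of $event.ToXml()
        [datetime]$TimeCreated,
        [string]$Computer
    )
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # TaskContent holds the full task definition XML; pull out the first Exec action and the run-as principal
    $cmd = $argList = $runAs = $null
    if ($data['TaskContent']) {
        $task    = [xml]$data['TaskContent']
        $exec    = @($task.Task.Actions.Exec)[0]
        $cmd     = $exec.Command
        $argList = $exec.Arguments
        $runAs   = $task.Task.Principals.Principal.UserId
    }
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        Computer    = $Computer
        Creator     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        TaskName    = $data['TaskName']
        Command     = $cmd
        Arguments   = $argList
        RunAs       = $runAs
    }
}

# Live use on a server: summarize the ten most recent task creations
function Get-ScheduledTaskCreationSummary {
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4698} -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-TaskCreationEvent -EventXml $_.ToXml() -TimeCreated $_.TimeCreated -Computer $_.MachineName }
}

# Constructed sample 4698 event (all values invented) so the parser can be tried offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4698</EventID></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CONTOSO</Data><Data Name="TaskName">\Maintenance\Cleanup</Data>
<Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Principals&gt;&lt;Principal&gt;&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;&lt;/Principal&gt;&lt;/Principals&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;cmd.exe&lt;/Command&gt;&lt;Arguments&gt;/c del C:\Temp\*.log&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
</EventData></Event>
'@
ConvertFrom-TaskCreationEvent -EventXml $sample -TimeCreated (Get-Date) -Computer 'SRV01' | Format-List
```

The Command, Arguments and RunAs fields are what a reviewer needs to judge whether a newly created task is legitimate; the article's script reports only who created it and the task name.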

 

Netwrix Auditor for Windows Server

  1. Run Netwrix Auditor → Reports → Windows Server → Windows Server Changes → select the "Scheduled Task Changes" report → click "View".
  2. To create an instant alert after any scheduled task creation, navigate to Netwrix Auditor Administration Console → Managed Objects → Windows Server → Event Log → right-click "Real-time alerts" → New Real-time alert → Set the alert's name and click "Next" → Click Add Event Filter → Set the filter's name → Select the Security event log → Go to the Event Filters tab → Set Event ID = 4698 → click "OK" and "Finish".
  3. Now you will receive an e-mail with full log details after each scheduled task creation on your Windows Server.

Keeping an Eye on Newly Created Scheduled Tasks Minimizes the Risk of a Data Breach

New scheduled tasks created on Windows Server by someone outside your IT department may indicate a virus attack, which could result in the leakage of sensitive data. To reduce this risk, scheduled task creation must be monitored in real time.
