- Run eventvwr.msc → Windows Logs → Right-click "Security" log → Properties:
- Make sure the "Enable logging" check box is selected
- Increase the log size for at least 1gb.
- Set retention method to "Overwrite events as needed".
- Open Event viewer and search the Security log for the 4698 event ID with to find latest created scheduled tasks.
- In order to create instant alert after every scheduled tasks creation you need to edit the following powershell script by setting your parameters up and save it as detectst.ps1 for example (follow comments):
$Subject = "New Scheduled Task Has Been Created" # Message Subject
$Server = "smtp.server" # SMTP Server
$From = "From@domain.com" # From whom we are sending an e-mail(add anonymous logon permission if needed)
$To = "To@domain.com" # To whom we are sending
$Pwd = ConvertTo-SecureString "enterpassword" -AsPlainText –Force #Sender account password
#(Warning! Use a very restricted account for the sender, because the password stored in the script will be not encrypted)
$Cred = New-Object System.Management.Automation.PSCredential("From@domain.com" , $Pwd) #Sender account credentials
$encoding = [System.Text.Encoding]::UTF8 #Setting encoding to UTF8 for message correct display
#Powershell command for filtering the security log about created scheduled task event
$Body=Get-WinEvent -FilterHashtable @{LogName="Security";ID=4698;} | Select TimeCreated, machinename, @{n="Task Creator";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} |%{$_.’#text’}}},@{n="Scheduled Task Name";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "TaskName"}| %{$_.’#text’}}} | select-object -first 1
#Sending an e-mail.
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body "$Body" -Subject $Subject -Credential $Cred -Encoding $encoding,/p>
- Run "Task Scheduler" → Create new schedule task → Enter its name → Triggers tab → New trigger → Set up the following options:
- Begin the task on an event
- Log – Security
- Source – Blank
- EventID – 4698.
- Go to the "Actions" tab → New action with following parameters:
- Action – Start a program
- Program script: powershell
- Add arguments (optional): -File "filepath to our script"
- Click "OK".
- Now you will be notified about every scheduled task created on your windows server via e-mail that will contain scheduled task creation time, name, computer name on which this task was created and the name of the creator.
- Run Netwrix Auditor → Navigate to “Reports” → “Windows Server” → “Windows Server Changes” → Select "Scheduled Task Changes" report → Click "View".
To receive the report regularly by email, click the “Subscribe” button and choose the schedule you prefer.
In order to create an instant alert on scheduled task creation:
- From the Netwrix Auditor home page navigate to “Alerts” → Click “Add” → Specify alert’s name.
- Navigate to “Recipients” → Click “Add Recipient” → Specify an email address for the alert.
- Navigate to “Filters” → Adjust the following filters:
- Filter = “What”
Operator = “Contains”
Value = “Scheduled Tasks” - Filter = “Action”
Operator = “Equals”
Value = “Added”
- Filter = “What”
- Click “Add” to save the alert.
Whenever someone creates a scheduled task, you will receive a similar alert: