• State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 22 subscribers
  • Views 606 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Is it possible to create scheduled task creation alert on LEM?

evileyes07

Hi,

Is there a way on LEM to create a rule that will generate an alert whenever a windows scheduled task is created? I've tried searching the forums but can't seem to find the right guide. I would like to monitor every scheduled task created on our servers and make sure that it is not created by malware/spyware (mostly named at#.job eg. At1.job etc).

Any help would be very much appreciated.

Regards,

Neil

Parents
  • 0

    Yes, yes it is!

    I had to do some digging.  The first part of this is to make sure that you have the right audit policies in place on your machine or in your domain.  The category in Windows 7/8/2008 is "Other Object Access Events."  I was able to enable this on my local machine with the command:


    auditpol /set /subcategory:"Other Object Access Events" /failure:enable /success:enable

    Once that was done, I launched Task Scheduler and was able to get the following events in my LEM:

    ProcessInfoScheduled Task "\My Tasks\Sample" DeletedVista SecurityMicrosoft-Windows-Security-Auditing 4699
    ProcessInfoScheduled Task "\My Tasks\Sample" EnabledVista SecurityMicrosoft-Windows-Security-Auditing 4700
    ProcessInfoScheduled Task "\My Tasks\Sample" DisabledVista SecurityMicrosoft-Windows-Security-Auditing 4701
    ProcessInfoScheduled Task "\My Tasks\Sample" Created by "DOMAIN\UserName"Vista SecurityMicrosoft-Windows-Security-Auditing 4698

    As you can see, events were generated for the event being created, disabled, enabled, and deleted.  That should just about cover what you're looking for, right?  Obviously, the LEM would add the source account and machine, but I trimmed this to make it fit the post, and I didn't think that information was relevant to the answer.

  • 0 in reply to curtisi

    Thanks curtisi! Works like a charm! emoticons_cool.png  The command also works in Windows Server 2012. emoticons_wink.png

Reply Children
No Data

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.