Scheduled Task - Anomaly Detection with Event ID 4698 Detection with Rules

Scheduled tasks play a pivotal role in system automation, allowing users to execute processes at specific times or intervals. However, these tasks are not only utilized for legitimate purposes but also exploited by attackers for persistence and unauthorized activities. This article explores Event IDs 4698, 4699, 4700, 4701, and 4702, focusing on anomaly detection and safeguarding systems against potential threats.

Understanding Key Scheduled Task Event IDs:

1. Event ID 4698 – Task Creation:

• Monitors the creation of scheduled tasks.

1. Event ID 4699 – Task Deletion:

• Flags when a scheduled task is deleted.

1. Event ID 4700 – Task Enabled:

• Indicates the enabling of a scheduled task.

1. Event ID 4701 – Task Disabled:

• Signals the disabling of a scheduled task.

1. Event ID 4702 – Task Updated:

• Tracks updates or modifications to a scheduled task.

Best Practices for Continuous Monitoring:

• Regular monitoring of Events 4698, 4699, 4700, 4701, and 4702 is crucial.

• Any operation not aligned with documented processes should be scrutinized.

Exploitation of Scheduled Tasks:

• Attackers may leverage scheduled tasks for persistence, executing malicious scripts during system startup or at regular intervals.

• Event ID 5145 can be used to check whether the desired access is granted to a network share object, a technique often exploited by attackers.

Anomaly Detection Criteria

1. Event ID 4624 and LogonType 3 followed by Event ID 4698 within 1 minute:

• Detects task creation after a successful network logon.

1. Event ID 4702 and NOT Subject Account Name ≠ System:

• Identifies updates to scheduled tasks excluding those initiated by the 'System' account.

1. Event ID 4688 and command line contains /create or /change or /run:

• Monitors processes initiated with specific command line parameters.

1. Event ID 4688 or 4698 or 4702 and path "c:\users* or c:\programdata* or c:\windows\temp*":

• Flags events related to specific paths, often associated with suspicious activities.

IMPORTANT! Enable cmdline logging for Event ID 4688: Ensures detailed command-line information is logged for further analysis.

Conclusion:

As automation continues to rise, scheduled tasks remain a potential exploitation vector. By comprehensively monitoring the specified Event IDs and implementing anomaly detection criteria, organizations can bolster their cybersecurity defenses. Proactive measures, including the enablement of detailed logging, contribute to the early detection of suspicious activities and enhance overall system security.