Schedule Task Added - 4698 vs 106
Posted 7/19/2017 10:31:57 AM
Forum Newbie
Group: Forum Members
Last Login: 7/19/2017 10:27:37 AM
Posts: 1, Visits: 0
Can someone help me understand the difference between Event ID 106 vs 4698? According to Randy's DB, 4698 applies to Windows 7 and 2012, but I don't think that is accurate for a schedule task added, and I only see 106 events being created when a scheduled task is created. Can someone confirm this?

Also, does anyone have any pointers or references to rule out any false positives? In other words, I am trying to alert on any potential indicators of malicious tasks created.

Thank you for the help.
Post #7388
Posted 8/14/2017 4:56:49 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 212, Visits: 0
I'm not familiar with event ID 106. You can follow a few options for monitoring scheduled tasks. The first is to alert the first time a task is seen, and the second is to filter out known good task names. This should reduce the quantity of alerts to a manageable number.
Post #7400
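
The two options from the reply above (alert the first time a task name is seen, and filter out known good task names), combined in one triage pass. This is an added example, not code from the thread or its posters; the event dict keys, the allowlist patterns and the sample events are assumptions constructed for illustration, and both 4698 and 106 are treated as task-creation records as in the question.

```python
import fnmatch

# Event IDs the thread associates with scheduled-task creation.
TASK_CREATED_IDS = {4698, 106}

# Assumed allowlist of known-good task name patterns (hypothetical; tune per site).
KNOWN_GOOD = [r"\Microsoft\Windows\*", r"\CorpIT\*"]

# Constructed sample events. The keys are assumptions standing in for
# whatever fields your log collector extracts from each record.
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "WS01", "user": "CORP\\alice",
     "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"event_id": 106, "host": "WS02", "user": "CORP\\bob",
     "task_name": r"\Updater_7f3a"},
    {"event_id": 4698, "host": "WS03", "user": "CORP\\bob",
     "task_name": r"\updater_7f3a"},          # same name, different case
    {"event_id": 4624, "host": "WS03", "user": "CORP\\bob",
     "task_name": None},                      # unrelated event, ignored
    {"event_id": 4698, "host": "WS01", "user": "CORP\\carol",
     "task_name": r"\NightlyBackup"},
]

def normalize(task_name):
    """Compare task names case-insensitively and without stray whitespace."""
    return task_name.strip().lower()

def is_known_good(task_name, patterns=KNOWN_GOOD):
    """True if the task name matches any allowlist glob pattern."""
    name = normalize(task_name)
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)

def triage(events, seen, patterns=KNOWN_GOOD):
    """Return one alert per task name that is neither allowlisted nor already
    in `seen`. `seen` is updated in place so it can be persisted between runs."""
    alerts = []
    for ev in events:
        name = ev.get("task_name")
        if ev.get("event_id") not in TASK_CREATED_IDS or not name:
            continue
        key = normalize(name)
        if is_known_good(name, patterns) or key in seen:
            continue
        seen.add(key)
        alerts.append({"host": ev.get("host"), "user": ev.get("user"),
                       "task_name": name, "event_id": ev["event_id"]})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, set()):
        print(alert)
```

Persisting `seen` between runs is what keeps the alert volume down: each new task name alerts once, and repeats on other hosts are suppressed.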
All times are GMT -5:00.