How to audit the Windows Task Scheduler to detect attacks

Social network | March 20, 2019

Learn how to prevent attackers from using the Task Scheduler to hide and set up tasks that give them access to Windows systems.

Copyright © 2019 Raybet2

Susan Bradley here. Just a reminder that you may need to adjust how you perform auditing on your systems. Recently, a Windows 7 zero-day was identified by Google that was being used in targeted attacks against Windows 7 machines. The good news is that it was patched and protected in the March updates, but it shows how often attackers use backdoors, and how they use tasks to evade us. In this particular instance, they used a scheduled task to set up and achieve persistence on the system. Now, if you don't have auditing turned on and aren't specifically looking for new scheduled tasks, you may miss the fact that your machine has been attacked.

The specific audit we must enable is Audit Object Access. But as you can see, it is usually not enabled. To go further, you need to do a few steps. The first thing you need to do is go into the Security Options and actually force a policy subcategory. It's called "Audit: Force audit policy subcategory settings to override audit policy category settings". I know, it sounds a bit of a mouthful, doesn't it, but it turns on additional auditing techniques.

Once you've set up that setting for additional auditing, I want you to go to the command line and do a quick auditpol /get /category:*. This will show you what is already enabled on your systems. Now I'll recommend that you go up and turn on object auditing, and you want it for success and failure. You can also have it for just success; it's your call. You'll need to examine your systems and see if you've got the necessary space on your system. It is a very chatty setting, but if you're concerned about targeted attacks, especially attackers coming after you and setting up tasks specifically to go after you again, this is something you may want to look at. So if you haven't reviewed your auditing, this is the time to do it. Until next time, this is Susan Bradley for CSO Online.
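The procedure described above, written out as an added PowerShell example that is not part of the original video: it sets the "force subcategory" security option (stored under the Lsa registry key as SCENoApplyLegacyAuditPolicy), shows the current audit policy with auditpol, enables the "Other Object Access Events" subcategory of Object Access (the subcategory that carries the scheduled-task events 4698 created, 4699 deleted, 4700 enabled, 4701 disabled and 4702 updated), and then hunts the Security log for new or modified tasks, pulling out who created each task and what command it runs. The seven-day window and the 4698/4702 filter are choices made for this example; run it in an elevated PowerShell on a supported Windows build.

```powershell
# Added example, not from the original video. Assumes an elevated PowerShell on
# Windows 10 / Server 2016 or later; the seven-day look-back and the choice of
# event IDs to hunt (4698 created, 4702 updated) are this example's assumptions.
#Requires -RunAsAdministrator

# 1. Security option "Audit: Force audit policy subcategory settings (Windows Vista
#    or later) to override audit policy category settings" = Enabled.
#    Without it, the legacy category settings can silently win over subcategories.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Show what is already enabled, exactly as in the video.
auditpol /get /category:*

# 3. Scheduled-task events are logged under Object Access -> Other Object Access
#    Events. Enable success and failure (drop /failure:enable for success only).
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

# 4. Hunt: tasks created or changed recently, with the actor and the command run.
function Get-RecentTaskEvents {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4698, 4702; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData carries SubjectUserName, SubjectDomainName, TaskName and TaskContent
        # (the task's own XML definition).
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Pull the Exec action (Command + Arguments) out of the embedded task XML.
        $action = $null
        if ($d.TaskContent) {
            $t = [xml]$d.TaskContent
            $exec = $t.Task.Actions.Exec
            if ($exec) { $action = "$($exec.Command) $($exec.Arguments)".Trim() }
        }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Task    = $d.TaskName
            Action  = $action
        }
    }
}

Get-RecentTaskEvents -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Review the Action column first: tasks whose command points at a user-writable path, a scripting host, or an encoded command line are the ones worth pulling the full TaskContent for. Because this subcategory also records file, registry and handle events once Object Access SACLs exist, confirm the Security log is sized for the extra volume before rolling the setting out widely.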
