Attackers often use scheduled tasks as a means to hide their tracks. They might also use the ability to run tasks with different user rights to gain more access. Earlier, I recommended that you set up auditing to track when tasks are created. Now I recommend you harden a setting on your workstations to prevent task scheduling in the first place.
Below are the Microsoft Defender Advanced Threat Protection (ATP) recommended actions:
The “Domain controller: Allow server operators to schedule tasks” setting determines whether scheduled tasks are forced to run under the context of the authenticated account instead of allowing them to run as SYSTEM.
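One way to audit this setting from PowerShell, as an added example that is not part of the original article. It assumes the policy is backed by the `SubmitControl` DWORD under the Lsa registry key and that Disabled is the hardened target; the function names are hypothetical.

```powershell
# Added example, not from the original article.
# Assumption: the policy is stored as the REG_DWORD value SubmitControl under
# the Lsa key (0 = Disabled, 1 = Enabled); an absent value means "Not Defined".
$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'SubmitControl'

# Hypothetical helper: report the current state of the setting on this machine.
function Get-ServerOperatorTaskPolicy {
    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $raw = $null; $state = 'NotDefined'
    } elseif ($item.$ValueName -eq 0) {
        $raw = 0; $state = 'Disabled'
    } elseif ($item.$ValueName -eq 1) {
        $raw = 1; $state = 'Enabled'
    } else {
        $raw = $item.$ValueName; $state = 'Unexpected'
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        RawValue  = $raw
        State     = $state
        # Assumption: only an explicit Disabled counts as hardened here.
        Compliant = ($state -eq 'Disabled')
    }
}

# Hypothetical helper: set the value to Disabled. Supports -WhatIf for a dry run.
function Set-ServerOperatorTaskPolicyDisabled {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$LsaPath\$ValueName", 'Set to 0 (Disabled)')) {
        Set-ItemProperty -Path $LsaPath -Name $ValueName -Value 0 -Type DWord
    }
    Get-ServerOperatorTaskPolicy
}

# Audit only; run Set-ServerOperatorTaskPolicyDisabled from an elevated session to remediate.
Get-ServerOperatorTaskPolicy
```

If a domain Group Policy Object defines this setting, it overwrites the local registry value at the next policy refresh, so make the lasting change in the GPO.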