
Event 4698: A scheduled task was created.

Quick Answer

Event 4698 logs the creation of new scheduled tasks on Windows systems. Attackers frequently use scheduled tasks for persistence, privilege escalation, and executing malicious code at specific times. This event is critical for detecting post-exploitation activity.

Technical Details

Source: Windows Security

Event ID: 4698

Category: Windows Security - Process Execution

Event Description

A scheduled task was created.

Key Log Fields

  • SubjectUserName - Account that created the task
  • SubjectDomainName - Domain of the account
  • SubjectLogonId - Logon ID for correlation
  • TaskName - Name of the scheduled task
  • TaskContent - XML content defining the task (includes action, trigger, principal)

MITRE ATT&CK® Mapping (1)

T1053.005 - Scheduled Task
Tactics: execution, persistence, privilege-escalation

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team) An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent) Adversaries may also create "hidden" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments)

Event Comparison

Monitor 4698 alongside 4688 (process creation) and 4624 (logon) to understand who created the task and when it executes. Event 4699 logs task deletion, which attackers use to clean up traces.

What This Event Means

Event 4698 is generated whenever a new scheduled task is registered on a Windows system, providing defenders with visibility into one of the most common persistence mechanisms used by adversaries. This event captures the task name, the user account that created it, and the complete XML definition of the task including the executable path, arguments, triggers, and privileges under which it will run. Threat actors favor scheduled tasks because they survive reboots, can execute with SYSTEM privileges, run without user interaction, and integrate seamlessly with legitimate Windows administrative activity. The event's XML content reveals critical indicators of malicious activity such as tasks configured to run with highest privileges, executables launched from temporary directories, tasks with names that mimic legitimate Windows task names to blend in, or tasks with immediate or very frequent triggers designed to ensure rapid re-infection. Security analysts should examine the task's action parameters for suspicious command lines, especially PowerShell with encoded commands, scripts from user-writable directories, or network-based file paths. The combination of Event 4698 with process creation (4688) when the task executes provides a complete picture of scheduled task abuse.

Security Implications

  • Scheduled tasks running from temporary directories, user profiles, or C:\ProgramData are highly suspicious
  • Tasks configured with SYSTEM privileges but created by non-administrative accounts indicate privilege escalation
  • Task names that mimic legitimate Windows tasks (e.g., 'MicrosoftUpdate') but have different executables are malicious
  • Tasks with immediate triggers or very short intervals (every few minutes) suggest aggressive persistence
  • Remote task creation via AT or SCHTASKS commands often indicates lateral movement or remote execution

Detection Strategies

Establish a baseline of legitimate scheduled tasks in your environment and alert on new task creation outside change windows. Monitor for tasks that execute from unusual locations, especially user-writable directories such as Downloads, AppData, or Temp folders. Flag tasks created with administrative privileges by non-admin accounts. Examine the task XML for suspicious command patterns, including PowerShell with an encoded command, rundll32 loading unusual DLLs, or network UNC paths. Alert on tasks whose names closely match legitimate Windows tasks but whose executables or parameters differ. Correlate task creation with the creating user's recent activity (via SubjectLogonId) to verify legitimacy. Track tasks that execute during off-hours or immediately after creation.
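As an added illustration that is not part of this page or of any vendor's ruleset, the following Python parses the TaskContent XML carried by a 4698 event and tags the indicators listed under Security Implications and described in the Detection Strategies above: highest-privilege run level, a SYSTEM principal, launch paths in user-writable or network locations, an encoded PowerShell command, a trigger that fires on registration, and a short repetition interval. The sample XML, the regexes and the 600-second threshold are this example's own constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Launch locations the page flags: AppData/Temp, ProgramData, Downloads, Public profile, UNC paths
RISKY_PATH = re.compile(r"\\(appdata|temp|tmp|programdata|downloads|users\\public)\\|^\\\\", re.I)
# powershell.exe encoded-command switch (-e, -ec, -enc, -encodedcommand) followed by base64 text
ENCODED_PS = re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)

def iso_duration_seconds(value):
    """Convert an ISO 8601 duration such as PT5M or P1DT2H to seconds (None if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyze_task_content(task_xml, short_interval=600):
    """Return sorted indicator tags found in the TaskContent XML of a 4698 event."""
    root = ET.fromstring(task_xml)
    tags = set()
    if root.findtext("t:Principals/t:Principal/t:RunLevel", "", NS) == "HighestAvailable":
        tags.add("run_level_highest")  # asks for the highest privilege the account holds
    if root.findtext("t:Principals/t:Principal/t:UserId", "", NS).upper() in ("S-1-5-18", "SYSTEM"):
        tags.add("principal_system")  # task will run as LocalSystem
    for exe in root.findall("t:Actions/t:Exec", NS):  # a task may carry several actions
        cmd, args = (exe.findtext(f"t:{e}", "", NS) for e in ("Command", "Arguments"))
        if RISKY_PATH.search(cmd) or RISKY_PATH.search(args):
            tags.add("risky_path")
        if "powershell" in cmd.lower() and ENCODED_PS.search(args):
            tags.add("powershell_encoded")
    if root.find("t:Triggers/t:RegistrationTrigger", NS) is not None:
        tags.add("runs_on_registration")  # fires as soon as the task is created
    for interval in root.iter("{%s}Interval" % NS["t"]):  # Repetition/Interval under any trigger
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= short_interval:
            tags.add("short_repetition")
    return sorted(tags)

# Constructed TaskContent of a hypothetical malicious task (not a real capture)
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><RegistrationTrigger><Repetition><Interval>PT5M</Interval></Repetition>
  </RegistrationTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
  <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
  <Arguments>-nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4A</Arguments></Exec>
  <Exec><Command>cmd.exe</Command><Arguments>/c C:\\ProgramData\\svc.bat</Arguments></Exec></Actions>
</Task>"""
```

Feed the TaskContent field of each 4698 event to analyze_task_content and alert when the returned tag list is non-empty, raising severity with the number of tags.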

Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.

Real-World Attack Examples

  • Emotet malware creates scheduled tasks named after system services to execute DLLs from %AppData% directories, all captured in 4698 events
  • Ryuk ransomware creates tasks like 'AppMgmt' running cmd.exe to execute batch scripts that deploy the encryption payload
  • FIN7 group uses scheduled tasks to execute PowerShell Empire stagers that beacon to command-and-control servers
