
4698 A scheduled task was created

Written when a new scheduled task is created. Tasks survive reboots and auto-run at set times or conditions, so they are heavily used for persistence, execution, and privilege escalation, making this a cornerstone detection event.

Overview

The event belongs to the Audit Other Object Access Events subcategory (Object Access) and is generated when a new scheduled task is registered. That subcategory is not enabled by default, so confirm success auditing is on (auditpol /get /subcategory:"Other Object Access Events") before relying on 4698 for detection. The key to reading the event is that, besides the task name and the creating account, it carries the task’s full XML definition in the Task Content field: executable path, arguments, triggers, and the principal and run level it executes under.

How it is triggered

  • Task registration via schtasks.exe, the Task Scheduler GUI, Register-ScheduledTask (PowerShell), or APIs.
  • Remote task creation (for example schtasks /S <host>, or Register-ScheduledTask against a remote CIM session) writes the 4698 on the target host, with the Subject being the account that authenticated over the network. Pairing the Subject\Logon ID with a preceding 4624 network logon (type 3) from another host is a common lateral-movement pattern.

Security review points

  • It maps to MITRE ATT&CK T1053.005 (Scheduled Task: abusing the task scheduler to run code recurringly or at a set time) and is used for Execution, Persistence, and Privilege Escalation alike.
  • Scrutinize the XML definition. Danger signs include an Actions/Exec Command pointing to powershell or cmd, to a temp folder, or to another user-writable or otherwise suspicious path; encoded arguments such as -enc (PowerShell also accepts -e and -ec); a Principal running as SYSTEM (UserId S-1-5-18) or with RunLevel HighestAvailable; and a LogonTrigger or BootTrigger, or a Repetition interval of minutes.
  • Read 4698 together with 4699 (task deleted), 4700 (enabled), 4701 (disabled), and 4702 (updated) to follow the task’s full lifecycle; an attacker who modifies an existing benign task produces a 4702 rather than a 4698.

Notes for log review

  • Legitimate software and the OS create many tasks. Baseline the normal patterns of task name, executable path, and creating subject, and watch for deviations.
  • A hidden-task technique that manipulates the registry directly under ...\Schedule\TaskCache\Tree (for instance deleting the task’s SD value so it no longer appears in schtasks or the GUI) may not produce a 4698. Layer in registry auditing on the TaskCache keys and the Task Scheduler operational log (Microsoft-Windows-TaskScheduler/Operational, Event ID 106 “Task registered”, and related events); that operational log is disabled by default and must be enabled before it records anything.

Key fields

Field                     Meaning
Task Name                 The name (and folder path) of the created task
Task Content              The task definition as XML: executable, arguments, triggers, principal and run level
Subject\Account Name      The account that created the task
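The review points above, turned into triage code. This is an added example, not code from the original page or its author: it assumes a 4698 in the XML shape that Event Viewer’s XML view shows (EventData/Data elements, with the task definition escaped inside TaskContent), parses the task XML, and flags the danger signs listed under Security review points, with a small allowlist standing in for the baseline described in the log-review notes. The event, the two task definitions and the baseline entry are constructed samples.

```python
"""Triage Security event 4698: pull the task XML out of TaskContent and flag review points.
Added example; the event/task XML and the baseline entry below are constructed samples."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")
# powershell.exe accepts -e / -ec / -enc as prefixes of -EncodedCommand
ENCODED_ARG = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)(?!\S)", re.I)
SHORT_INTERVAL_SECONDS = 3600
# Baseline of known-good (task name, command file name) pairs: constructed for this example.
BASELINE = {("\\Corp\\BackupAgent", "backupagent.exe")}

SUSPICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary></TimeTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-nop -w hidden -enc QQBCAEMA</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>EXAMPLE\\svc_backup</UserId>
    <RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Corp\\BackupAgent.exe</Command>
    <Arguments>/nightly</Arguments></Exec></Actions>
</Task>"""


def build_4698(subject, task_name, task_xml):
    """Constructed 4698 in Event Viewer's XML shape; TaskContent holds the task XML escaped."""
    return f"""<Event xmlns="{EVT[1:-1]}">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">{escape(subject)}</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TaskName">{escape(task_name)}</Data>
    <Data Name="TaskContent">{escape(task_xml)}</Data>
  </EventData>
</Event>"""


def iso_duration_seconds(value):
    """Task XML intervals are ISO 8601 durations such as PT5M or P1D; None if unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def triage_4698(event_xml, baseline=BASELINE):
    """Return the task's key fields plus a list of danger-sign flags (empty if baselined)."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVT + "Data")}
    # TaskContent opens with a declaration claiming UTF-16, but the text is already decoded
    # once extracted from the event, so drop the declaration before parsing.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data["TaskContent"]).strip())

    actions = [(e.findtext(TASK + "Command") or "", e.findtext(TASK + "Arguments") or "")
               for e in task.iter(TASK + "Exec")]
    exes = [cmd.strip('"').rsplit("\\", 1)[-1].lower() for cmd, _ in actions]
    result = {"task": data["TaskName"], "subject": data["SubjectUserName"], "actions": actions}
    if exes and all((data["TaskName"], exe) in baseline for exe in exes):
        return {**result, "baselined": True, "flags": []}

    principal = task.find(f"{TASK}Principals/{TASK}Principal")
    user_id = (principal.findtext(TASK + "UserId") if principal is not None else "") or ""
    run_level = (principal.findtext(TASK + "RunLevel") if principal is not None else "") or ""
    triggers = task.find(TASK + "Triggers")
    trigger_tags = [t.tag[len(TASK):] for t in triggers] if triggers is not None else []
    intervals = [iso_duration_seconds(i.text) for i in task.iter(TASK + "Interval")]

    flags = []
    for (cmd, args), exe in zip(actions, exes):
        if exe in SCRIPT_HOSTS:
            flags.append("script_host")
        if any(w in (cmd + " " + args).lower() for w in WRITABLE_DIRS):
            flags.append("user_writable_path")
        if ENCODED_ARG.search(args):
            flags.append("encoded_command")
    if user_id.upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        flags.append("runs_as_system")
    if run_level == "HighestAvailable":
        flags.append("highest_available")
    if any(t in ("LogonTrigger", "BootTrigger") for t in trigger_tags):
        flags.append("logon_or_boot_trigger")
    if any(s is not None and s <= SHORT_INTERVAL_SECONDS for s in intervals):
        flags.append("short_interval")
    return {**result, "user_id": user_id, "run_level": run_level,
            "triggers": trigger_tags, "baselined": False, "flags": flags}


if __name__ == "__main__":
    for subj, name, xml in (("jdoe", "\\Microsoft\\Windows\\Updater", SUSPICIOUS_TASK),
                            ("svc_backup", "\\Corp\\BackupAgent", BENIGN_TASK)):
        print(triage_4698(build_4698(subj, name, xml)))
```

The baseline check is deliberately keyed on task name plus command file name, not on task name alone: a task that keeps a familiar name under \Microsoft\Windows but swaps its executable is exactly the deviation the baseline is meant to catch. The SYSTEM check accepts both the SID and the display name because the XML records whichever form the creator supplied.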

Glossary

  • Scheduled task — a Windows mechanism that automatically runs a program at set times or conditions. It is a frequent foothold for attackers.
