4699 A scheduled task was deleted
Written when a scheduled task is deleted. It captures an attacker removing a task they are done with to hide traces, or the removal of a defensive task.
Overview
This event belongs to the Audit Other Object Access Events subcategory and is generated when an existing scheduled task is deleted. Together with creation (4698) and update (4702) events, it lets you track a task's lifecycle.
How it is triggered
- Task deletion via `schtasks /delete`, the Task Scheduler, `Unregister-ScheduledTask`, or APIs.
Security review points
- An attacker may delete a task used for persistence after achieving their goal, to erase traces (defense evasion). A short sequence of creation (4698), execution, then deletion (4699) suggests a coherent attack.
- Deletion of a legitimate task set up for monitoring or defense can mean defenses are being disabled.
Notes for log review
- The event also occurs during legitimate uninstalls and configuration changes. Compare the deleted task name and the deleting subject against normal patterns.
- Read deletion events together with the creation context. Compare against the creation-time XML (what it ran) to evaluate what was removed.
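
The following added example (not part of the original page) pairs each 4699 with the most recent 4698 for the same task name, reports how long the task lived, and pulls the executed command from the creation-time XML. It assumes events were exported as flat dicts using the EventData names `TaskName`, `SubjectUserName` and `TaskContent`; the sample records and the 10-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Constructed sample records (not real log data). Assumed shape: events 4698/4699
# exported as dicts holding EventID, TimeCreated and the EventData fields.
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions><Exec><Command>C:\\Users\\Public\\example.exe</Command>'
            '</Exec></Actions></Task>')
SAMPLE_EVENTS = [
    {"EventID": 4698, "TimeCreated": "2024-05-01T10:00:00", "TaskName": "\\ExampleUpdater",
     "SubjectUserName": "alice", "TaskContent": TASK_XML},
    {"EventID": 4699, "TimeCreated": "2024-05-01T10:04:30", "TaskName": "\\ExampleUpdater",
     "SubjectUserName": "alice"},
    {"EventID": 4699, "TimeCreated": "2024-05-01T11:00:00",
     "TaskName": "\\ExampleMonitoringAgent", "SubjectUserName": "bob"},
]

def exec_commands(task_xml):
    """Return the Command text of each Exec action in a task definition."""
    try:
        root = ET.fromstring(task_xml)
    except ET.ParseError:
        return []  # missing or malformed creation XML: nothing to report
    # Strip the namespace prefix so the match works with or without xmlns.
    return [el.text for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Command" and el.text]

def review_deletions(events, window=timedelta(minutes=10)):
    """Pair each 4699 with the latest earlier 4698 for the same task name."""
    created = {}   # lower-cased task name -> (creation time, creation event)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        name = ev["TaskName"].lower()
        if ev["EventID"] == 4698:
            created[name] = (when, ev)
        elif ev["EventID"] == 4699:
            # Default verdict: task predates the log, so check it against a baseline.
            finding = {"task": ev["TaskName"], "deleted_by": ev["SubjectUserName"],
                       "commands": [], "lifetime": None, "verdict": "no-creation-in-log"}
            if name in created:
                born, creation = created.pop(name)
                finding["lifetime"] = when - born
                finding["created_by"] = creation["SubjectUserName"]
                finding["commands"] = exec_commands(creation.get("TaskContent", ""))
                finding["verdict"] = "short-lived" if when - born <= window else "long-lived"
            findings.append(finding)
    return findings
```

A `short-lived` verdict corresponds to the create, run, delete sequence described under the security review points; `no-creation-in-log` marks a pre-existing task whose removal should be checked against the list of expected monitoring or defensive tasks.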
Key fields
| Field | Meaning |
|---|---|
| Task Name | The deleted task name |
| Subject\Account Name | The account that performed the deletion |