
4702 A scheduled task was updated

Written when an existing scheduled task is updated or changed. It can catch “hijacking,” where a legitimate task’s action is rewritten to something malicious.

Overview

The subcategory is Audit Other Object Access Events. The event is generated when an existing task’s definition is changed, and it includes the updated task XML. As with task creation (4698), the XML content (executable, arguments, triggers, run privileges) is central to reading it.

How it is triggered

  • Editing an existing task (GUI / schtasks /change / Set-ScheduledTask / API).

Security review points

  • An attacker may rewrite the Actions of an existing legitimate task to malicious content, achieving persistence more quietly than by creating a new task. Confirm that the updated XML’s executable and arguments are as expected.
  • Watch for elevation and auto-run introduced by the update, such as run privileges raised to SYSTEM, or a trigger changed to logon or a short interval.

Notes for log review

  • Legitimate software updates also change tasks. Know the “original definition” per task and evaluate by the difference (what changed).
  • Read it as a task history together with creation 4698, enabling 4700, disabling 4701, and deletion 4699.
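The difference-based review described above can be scripted. The following is an added example, not part of the original page: it compares a stored baseline definition with the updated XML from a 4702 event and reports changed actions, a move to SYSTEM or highest run level, and new triggers. The baseline store, function names, task paths and account are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}

def summarize(task_xml):
    """Pull the security-relevant parts out of a task definition XML string."""
    root = ET.fromstring(task_xml)
    principals = root.findall("t:Principals/t:Principal", NS)
    def text(el, path):
        return (el.findtext(path, default="", namespaces=NS) or "").strip()
    return {
        "actions": {(text(e, "t:Command"), text(e, "t:Arguments"))
                    for e in root.findall("t:Actions/t:Exec", NS)},
        "users": {text(p, "t:UserId").lower() for p in principals},
        "highest": any(text(p, "t:RunLevel") == "HighestAvailable" for p in principals),
        "triggers": {(t.tag.split("}")[-1], text(t, "t:Repetition/t:Interval"))
                     for t in root.findall("t:Triggers/*", NS)},
    }

def diff_task(baseline_xml, updated_xml):
    """Return findings for what the updated XML changed against the baseline."""
    old, new = summarize(baseline_xml), summarize(updated_xml)
    findings = []
    for cmd, args in sorted(new["actions"] - old["actions"]):
        findings.append(f"new action: {cmd} {args}".rstrip())
    if (new["users"] & SYSTEM_IDS) and not (old["users"] & SYSTEM_IDS):
        findings.append("principal changed to SYSTEM")
    if new["highest"] and not old["highest"]:
        findings.append("RunLevel raised to HighestAvailable")
    for kind, interval in sorted(new["triggers"] - old["triggers"]):
        findings.append(f"new trigger: {kind}" + (f" every {interval}" if interval else ""))
    return findings

# Constructed sample definitions (not from a real host); paths and account are placeholders.
TEMPLATE = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Triggers>{trig}</Triggers><Principals><Principal id="Author">'
            '<UserId>{user}</UserId><RunLevel>{level}</RunLevel></Principal></Principals>'
            '<Actions Context="Author"><Exec><Command>{cmd}</Command>'
            '<Arguments>{args}</Arguments></Exec></Actions></Task>')
BASELINE = TEMPLATE.format(trig="<CalendarTrigger/>", user="EXAMPLE\\svc-update",
    level="LeastPrivilege", cmd=r"C:\Program Files\ExampleVendor\updater.exe", args="/check")
UPDATED = TEMPLATE.format(
    trig="<CalendarTrigger/><LogonTrigger/><TimeTrigger><Repetition>"
         "<Interval>PT5M</Interval></Repetition></TimeTrigger>",
    user="S-1-5-18", level="HighestAvailable", cmd=r"C:\Users\Public\example.exe", args="")

if __name__ == "__main__":
    print("\n".join(diff_task(BASELINE, UPDATED)))
```

An empty result means the update left the action, principal and triggers as they were in the baseline, which is the usual outcome for a routine software update of the same task.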

Key fields

| Field | Meaning |
|---|---|
| Task Name | The updated task name |
| Task Content (XML) | The updated task definition |
| Subject\Account Name | The account that performed the update |
