EventPeeker

Event ID 4698 — Scheduled Task Created

Event ID 4698 is logged when a new scheduled task is created on a Windows system. Scheduled tasks are a common persistence mechanism used by attackers to ensure their malicious code runs automatically after reboots or at specific times.

MITRE ATT&CK

Technique: T1053 · Scheduled Task
Tactic:    Persistence


Security Relevance

Attackers create scheduled tasks to maintain persistence after gaining access. The task may execute a reverse shell, download additional malware, or run a script that re-establishes the attacker's foothold if their other access is removed. This technique is used widely across ransomware, APT groups, and commodity malware.

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4698
Level:     Information

A scheduled task was created.

Subject:
  Security ID:   CORP\j.smith
  Account Name:  j.smith

Task Information:
  Task Name:    \Microsoft\Windows\UpdateCheck
  Task Content: <?xml version="1.0"?>
    <Task>
      <Actions>
        <Exec>
          <Command>powershell.exe</Command>
          <Arguments>-enc SGVsbG8gV29ybGQ=</Arguments>
        </Exec>
      </Actions>
    </Task>

Investigation Steps

  1. Review the task name — attackers often use names that blend in with Windows (e.g. 'WindowsUpdate', 'MicrosoftEdge').
  2. Examine the task command — PowerShell with -enc (encoded command) or unusual executables are red flags.
  3. Check who created the task and from what session — cross-reference with recent logon events.
  4. Look at the task schedule — tasks running at boot, every few minutes, or at odd hours are suspicious.
  5. Check whether the task binary or script exists on disk and review its contents.
  6. Compare against a known-good baseline of scheduled tasks for this system.
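As an added example (not EventPeeker's own tooling), the Python below applies investigation steps 1, 2 and 4 to the Task Name and Task Content fields of a single 4698 event. The look-alike watch-list, the PowerShell switch aliases and the sample task XML are assumptions constructed for the demonstration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed watch-list of names that blend in with Windows components (investigation step 1).
LOOKALIKE_NAMES = {"windowsupdate", "microsoftedge", "updatecheck"}
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
ENC_RE = re.compile(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(args: str):
    """Decode a PowerShell -enc payload (base64 of UTF-16LE text); None if absent or malformed."""
    m = ENC_RE.search(args)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not UTF-16LE (e.g. the page's ASCII sample): undecodable but still a flag


def triage_4698(task_name: str, task_xml: str) -> list:
    """Run the investigation checks over one 4698 event's Task Name and Task Content."""
    findings = []
    if task_name.rsplit("\\", 1)[-1].lower() in LOOKALIKE_NAMES:      # step 1
        findings.append(f"lookalike task name: {task_name}")
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).strip())
    ns = TASK_NS if root.tag.startswith(TASK_NS) else ""              # real events are namespaced
    for ex in root.iter(f"{ns}Exec"):                                  # step 2
        cmd = (ex.findtext(f"{ns}Command") or "").lower()
        args = ex.findtext(f"{ns}Arguments") or ""
        if "powershell" in cmd and ENC_RE.search(args):
            findings.append(f"encoded PowerShell: {decode_encoded_command(args)!r}")
    if root.find(f".//{ns}BootTrigger") is not None:                   # step 4
        findings.append("runs at boot")
    for iv in root.iter(f"{ns}Interval"):
        m = re.fullmatch(r"PT(\d+)M", iv.text or "")
        if m and int(m.group(1)) < 10:
            findings.append(f"repeats every {m.group(1)} minutes")
    return findings


# Constructed sample: the page's example task with the namespace and triggers a real event
# carries, and a benign Get-Date encoded the way -EncodedCommand actually expects.
ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_XML = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/><TimeTrigger><Repetition><Interval>PT5M</Interval>
  </Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
  <Arguments>-enc {ENCODED}</Arguments></Exec></Actions>
</Task>"""
```

Feed it the Task Name and Task Content strings pulled from each 4698 event (for example via Get-WinEvent on the Security log) and review any event that returns findings.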


Remediation

  • Delete any unauthorized scheduled tasks immediately.
  • Audit all scheduled tasks on affected systems using: schtasks /query /fo LIST /v
  • Restrict scheduled task creation to administrators only via Group Policy.
  • Enable monitoring and alerting on Event ID 4698 in your SIEM.
  • Investigate the account that created the task for signs of compromise.
  • Scan the system for additional persistence mechanisms (services, registry autoruns, startup folders).

Related Event IDs

  4702  Scheduled task updated — modification of existing tasks
  4699  Scheduled task deleted — attacker may be cleaning up
  4688  Process created — look for schtasks.exe or at.exe
  7045  New service installed — often used alongside scheduled tasks for persistence
