EventPeeker
Event ID 4698 · Audit Success · Security · T1053.005

Windows Event ID 4698: Scheduled Task Created

Logged when a new scheduled task is registered on the system via schtasks.exe, PowerShell, COM API, or Group Policy. One event fires per task creation, on the host where the task is registered.

MITRE ATT&CK

Technique: T1053.005 · Scheduled Task

Tactic: Persistence

Why It Matters

Scheduled tasks are the most common persistence mechanism in Windows-targeted attacks — they survive reboots, run under SYSTEM or high-privilege accounts, and blend into the hundreds of legitimate tasks already present. Ransomware, APTs, and commodity malware all use them. Attackers name tasks to mimic legitimate Windows components (MicrosoftEdgeUpdateTaskMachine, WindowsDefenderScheduledScan, GoogleUpdateTask) to avoid scrutiny. Remote task creation — where a task is registered on a target host from an attacker-controlled system — requires valid admin credentials and generates 4698 on the target, making it a strong lateral movement indicator alongside 4624 Type 3.

Key Fields

Task Name: The registered task name — camouflage names mimicking Microsoft or antivirus products are the primary red flag. Legitimate enterprise tasks follow naming conventions from known software; random strings or plausible-sounding Microsoft names created outside patch cycles are suspicious.
Task Content: The full XML definition — the critical sections: <Actions><Exec><Command> (what runs), <Arguments> (flags and payloads — look for -EncodedCommand, URLs, base64), <Triggers> (when it runs — <LogonTrigger> or <BootTrigger> = persistent), <Principal><RunLevel> (HighestAvailable or RequireAdministrator = elevated execution).
Subject Account Name: Who created the task — SYSTEM or a known deployment account is expected. A standard user, service account, or domain account not involved in software deployment is a strong signal. Remote task creation (another system registering a task here) typically shows the remote admin account.
Subject Logon ID: Correlate with Event 4624 to find the source IP and logon type — Type 3 (network) logon = remote task creation, which indicates lateral movement.

Investigation Tips

  1. Task XML is the investigation core: parse the <Actions><Exec> block. Red flags in <Command>: powershell.exe, cmd.exe, wscript.exe, mshta.exe, certutil.exe. Red flags in <Arguments>: -EncodedCommand / -enc (encoded payload), -WindowStyle Hidden (execution without UI), http:// / https:// (download and execute). Any of these from a non-deployment account = malicious.
  2. Run-as account matters: check <Principal> for the execution context. <RunLevel>HighestAvailable</RunLevel> or <UserId>S-1-5-18</UserId> (SYSTEM) means the payload runs with maximum privilege. A task that runs as SYSTEM with a command pointing to AppData, Temp, or a UNC path = critical.
  3. Camouflage detection: compare the Task Name against Windows built-in task paths. Legitimate Windows tasks are under \Microsoft\Windows\, \Microsoft\Office\, or vendor-specific paths — all well-documented. An unknown name in those paths, or a name that's one character off from a real task, is a naming spoof. Check the creation timestamp: built-in tasks are created at OS install or software update, not during business hours from a user session.
  4. Remote task creation = lateral movement: if Subject Logon ID maps to a 4624 Type 3 (network) logon on this host, the task was registered remotely. Identify the source IP — this is the host the attacker is pivoting from. Remote task registration is a core technique in Impacket's atexec.py.
  5. Correlate with 4688: schtasks.exe with /create in its command line, or PowerShell invoking Register-ScheduledTask or New-ScheduledTaskAction, should appear in process creation events just before 4698. If no corresponding 4688 exists, the task was created via the COM API directly — a less common but stealthier path used by advanced malware.
  6. Audit policy: 4698 requires 'Audit Other Object Access Events' under Advanced Audit Policy → Object Access. Without this, all scheduled task creation is invisible. Verify via GPO — many environments have this disabled by default.
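The Task Content checks from the Key Fields table and tips 1, 2 and 4 above, as an added triage script (not EventPeeker's own code). It assumes the Task Content XML has already been pulled out of the 4698 event and, optionally, that the 4624 logon type matched on Subject Logon ID is known; the sample task XML is constructed for the demonstration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample of a 4698 "Task Content" field (not a captured event).
SAMPLE_TASK_XML = """<Task version="1.2"
  xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-WindowStyle Hidden -EncodedCommand ZQBjAGgAbwAgAGgAaQA=</Arguments>
  </Exec></Actions>
</Task>"""

LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "certutil.exe"}
ARG_FLAGS = [(r"-enc(odedcommand)?\b", "encoded payload"),
             (r"-windowstyle\s+hidden", "hidden window"),
             (r"https?://", "download URL")]
SUSPICIOUS_PATHS = (r"\\appdata\\", r"\\temp\\", r"^\\\\")   # user-writable / UNC
PERSISTENT_TRIGGERS = {"LogonTrigger", "BootTrigger"}

def _local(tag): return tag.rsplit("}", 1)[-1]   # drop the task-schema namespace

def triage_task(task_xml, logon_type=None):
    """Return (findings, decoded_script); logon_type is the 4624 Type for Subject Logon ID."""
    root = ET.fromstring(task_xml)
    tags = {_local(e.tag): (e.text or "").strip() for e in root.iter()}
    cmd, args, findings = tags.get("Command", ""), tags.get("Arguments", ""), []
    if cmd.lower().rsplit("\\", 1)[-1] in LOLBINS:
        findings.append(f"command is a living-off-the-land binary: {cmd}")
    if any(re.search(p, cmd, re.I) for p in SUSPICIOUS_PATHS):
        findings.append(f"command runs from a user-writable or UNC path: {cmd}")
    for pattern, label in ARG_FLAGS:
        if re.search(pattern, args, re.I):
            findings.append(f"arguments contain {label}")
    persistent = PERSISTENT_TRIGGERS & {_local(e.tag) for e in root.iter()}
    if persistent:
        findings.append(f"persistent trigger: {', '.join(sorted(persistent))}")
    if tags.get("RunLevel") == "HighestAvailable" or tags.get("UserId") == "S-1-5-18":
        findings.append("elevated execution (HighestAvailable or SYSTEM)")
    if logon_type == 3:
        findings.append("registered over a network logon (4624 Type 3): remote creation")
    # -EncodedCommand is base64 of UTF-16LE; decode it now rather than waiting for 4104.
    decoded = None
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", args, re.I)
    if m:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    return findings, decoded
```

Run `triage_task(SAMPLE_TASK_XML, logon_type=3)` to see every check on the page fire against the sample; the decoded script comes back as the second return value.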

Related Event IDs

4702: Scheduled task modified — follow-on event if the attacker creates then modifies to evade creation monitoring
4699: Scheduled task deleted — cleanup after use; 4698 followed later by 4699 = one-time execution task for lateral movement
4700: Scheduled task enabled — task may be created in disabled state then enabled
4688: Process creation — schtasks.exe or PowerShell Register-ScheduledTask immediately before 4698 shows the creation method
4624: Successful logon — correlate Subject Logon ID to determine if task was created locally or remotely (Type 3 = remote = lateral movement)
4104: PowerShell script block — if the task runs encoded PowerShell, 4104 captures the decoded script on first execution
