Windows Event ID 4699 — Scheduled Task Deleted
Logged when a scheduled task is removed from the system — via schtasks.exe /delete, PowerShell Unregister-ScheduledTask, or the Task Scheduler COM API. Fires on the host where the task was registered.
MITRE ATT&CK
T1053.005 · Scheduled Task
Defense Evasion
Why It Matters
Task deletion is the cleanup step. Attackers who used a scheduled task for one-time lateral movement execution — running a beacon, establishing a foothold, or staging a payload — will delete it immediately after use to eliminate the forensic artifact. A 4698 (creation) followed by 4699 (deletion) within minutes or hours, especially outside business hours or from a non-deployment account, is the signature of a one-time execution task. 4699 can also indicate a defender removing a malicious task, but in that case there will be no preceding 4698 in the same account context. Critically, the deletion that 4699 records removes the task XML — after deletion, the task content (what it executed, its run-as account, its triggers) is gone from the live system. If the XML wasn't captured at creation (4698) or modification (4702), recovering it requires memory forensics or offline disk imaging.
Key Fields
Investigation Tips
1. Lifecycle correlation is the primary analysis: search for a 4698 (task created) or 4702 (task modified) event matching the same Task Name in the hours or days before this 4699. The time gap between creation and deletion tells the story — minutes = one-time execution cleanup; days = durable persistence removed after mission completion.
2. Account consistency check: did the same account create and delete the task? If not — different accounts at creation and deletion — this suggests privilege escalation occurred between steps, or two actors are involved (attacker created, defender deleted). Both are investigation leads.
3. Did a security tool delete this? Defenders removing a malicious task generate 4699 from a security account or AV process. These are expected but should be documented. Unexpected 4699 events on tasks that were not previously flagged may indicate an attacker proactively cleaning up before analysts notice.
4. Task XML is gone: after 4699, the task content is unrecoverable from the live system. If you didn't capture the XML at 4698 or 4702, look for: (a) Windows Prefetch for schtasks.exe or the task's binary at the execution timestamp, (b) the Windows Task Scheduler operational log (Microsoft-Windows-TaskScheduler/Operational, Event 201 = task completed), (c) process creation events (4688) showing what the task actually spawned.
5. Remote deletion pattern: if Subject Logon ID traces to a Type 3 (network) 4624 logon, the task was deleted remotely. The source IP is the attacker's pivot host. Pair with the remote task creation pattern from 4698 to build the full lateral movement timeline.
6. Audit policy: 4699 requires 'Audit Other Object Access Events' under Advanced Audit Policy → Object Access. The same policy gate as 4698 — if task creation logging is enabled, deletion logging should be as well. Verify coverage via GPO.
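Tips 1, 2 and 5 above describe one correlation: for each 4699, find the prior 4698/4702 for the same task on the same host, compare creator and deleter, and resolve the deleter's Subject Logon ID to a Type 3 4624 to learn whether the deletion came over the network. The following Python is an added example (not EventPeeker's code and not from the original page) that carries that correlation out over a small set of constructed events, including the "unexpected deleter" filter from the KQL section (no computer account, no SYSTEM) and the 1-day one-time-execution threshold. The event dicts, hostnames, account names, logon IDs and IP address are all constructed for the example; the field names follow the Security log's EventData names, and the 4624 field that 4698/4699 later carry as SubjectLogonId is TargetLogonId.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data), trimmed to the fields this
# correlation needs. Three deletions are included: a 3-minute create/delete
# from a network logon, a 9-day-old deployment task removed by SYSTEM, and a
# deletion with no creation event in the window at all.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-10T02:10:00", "Computer": "FS01",
     "TargetUserName": "jdoe", "TargetLogonId": "0x5a3c1", "LogonType": 3,
     "IpAddress": "10.0.0.25"},
    {"EventID": 4698, "TimeCreated": "2024-03-10T02:11:00", "Computer": "FS01",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x5a3c1", "TaskName": "\\Updater"},
    {"EventID": 4699, "TimeCreated": "2024-03-10T02:14:00", "Computer": "FS01",
     "SubjectUserName": "jdoe", "SubjectLogonId": "0x5a3c1", "TaskName": "\\Updater"},
    {"EventID": 4698, "TimeCreated": "2024-03-01T09:00:00", "Computer": "FS01",
     "SubjectUserName": "DEPLOY01$", "SubjectLogonId": "0x3e7", "TaskName": "\\Backup"},
    {"EventID": 4699, "TimeCreated": "2024-03-10T09:00:00", "Computer": "FS01",
     "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3e7", "TaskName": "\\Backup"},
    {"EventID": 4699, "TimeCreated": "2024-03-10T11:30:00", "Computer": "FS01",
     "SubjectUserName": "admin", "SubjectLogonId": "0x7b2f0", "TaskName": "\\Orphan"},
]

SERVICE_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def is_unexpected_deleter(account):
    """Same filter as the second KQL query: not a computer account
    (trailing $) and not SYSTEM."""
    return not account.endswith("$") and account not in SERVICE_ACCOUNTS


def find_network_logon(events, computer, logon_id):
    """Return the Type 3 (network) 4624 whose new-logon ID matches, or None."""
    for e in events:
        if (e["EventID"] == 4624 and e["Computer"] == computer
                and e.get("TargetLogonId") == logon_id and e.get("LogonType") == 3):
            return e
    return None


def correlate_task_lifecycle(events, max_age=timedelta(days=30),
                             one_time_window=timedelta(days=1)):
    """For every 4699, find the latest prior 4698/4702 for the same task on the
    same host within max_age and enrich the deletion with lifetime, account
    consistency, remote origin and the unexpected-deleter flag."""
    ordered = sorted(events, key=_ts)
    findings = []
    for d in ordered:
        if d["EventID"] != 4699:
            continue
        creation = None
        for c in ordered:  # ascending order, so the last match is the latest
            if (c["EventID"] in (4698, 4702) and c["Computer"] == d["Computer"]
                    and c["TaskName"] == d["TaskName"] and _ts(c) < _ts(d)
                    and _ts(d) - _ts(c) <= max_age):
                creation = c
        logon = find_network_logon(events, d["Computer"], d["SubjectLogonId"])
        lifetime = (_ts(d) - _ts(creation)) if creation else None
        findings.append({
            "Computer": d["Computer"],
            "TaskName": d["TaskName"],
            "Deleter": d["SubjectUserName"],
            "DeletedTime": d["TimeCreated"],
            "Creator": creation["SubjectUserName"] if creation else None,
            "CreatedTime": creation["TimeCreated"] if creation else None,
            "LifetimeMinutes": int(lifetime.total_seconds() // 60) if lifetime else None,
            "OneTimeExecution": lifetime is not None and lifetime < one_time_window,
            "SameAccount": creation is not None
                           and creation["SubjectUserName"] == d["SubjectUserName"],
            "RemoteDeletion": logon is not None,
            "SourceIp": logon["IpAddress"] if logon else None,
            "UnexpectedDeleter": is_unexpected_deleter(d["SubjectUserName"]),
        })
    return findings


if __name__ == "__main__":
    for f in correlate_task_lifecycle(SAMPLE_EVENTS):
        print(f)
```

Run against events exported from a host (for example parsed out of an .evtx), the \Updater row is the one tip 1 describes: three minutes of lifetime, same account at both ends, deleted over a Type 3 logon from 10.0.0.25, by a non-service account. The \Backup row shows the other shape: nine days of lifetime, a computer account creating and SYSTEM deleting, nothing remote. The \Orphan row has no creation within the window, which is the "defender removed it" or "creation logging was off" lead from tips 3 and 6.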
Detection Logic (KQL)
Microsoft Sentinel (KQL) — detect the create-then-delete lifecycle pattern indicating one-time execution tasks used for lateral movement and persistence.
// Scheduled task created then deleted within 24 hours — one-time execution pattern
let creations = SecurityEvent
| where EventID == 4698
| project CreatedTime = TimeGenerated, TaskName, Creator = SubjectAccount, Computer;
let deletions = SecurityEvent
| where EventID == 4699
| project DeletedTime = TimeGenerated, TaskName, Deleter = SubjectAccount, Computer;
deletions
| join kind=inner creations on TaskName, Computer
| where DeletedTime > CreatedTime
| where DeletedTime - CreatedTime < 1d
| extend LifetimeMinutes = datetime_diff('minute', DeletedTime, CreatedTime)
| project Computer, TaskName, Creator, Deleter, CreatedTime, DeletedTime, LifetimeMinutes
| sort by LifetimeMinutes asc
// Unexpected task deletion — non-SYSTEM, non-deployment account
SecurityEvent
| where EventID == 4699
| where SubjectAccount !endswith "$"
| where SubjectAccount !in ("SYSTEM", "NT AUTHORITY\\SYSTEM")
| project TimeGenerated, SubjectAccount, TaskName, Computer
| sort by TimeGenerated desc
Related Event IDs