EventPeeker
Event ID 4702 · Audit Success · Security · T1053.005

Windows Event ID 4702: Scheduled Task Modified

Logged when an existing scheduled task is updated — its name, trigger, action, or run-as account is changed. Fires on the host where the task is registered.

MITRE ATT&CK

Technique

T1053.005 · Scheduled Task

Tactic

Persistence

View on attack.mitre.org →

Why It Matters

Task hijacking is stealthier than new task creation (Event 4698) because the task name is already trusted — attackers leave the name intact and only change what the task executes. Windows ships with hundreds of built-in tasks (Windows Defender, Windows Update, MicrosoftEdgeUpdate, OneDriveRemediation) that run as SYSTEM on a schedule; modifying one of these turns a trusted OS mechanism into a persistent payload launcher. 4702 is also less monitored than 4698 — many detection stacks alert on task creation but miss modification. Post-exploitation frameworks (Cobalt Strike, Metasploit, Empire) routinely use task modification for durable persistence after establishing an initial foothold.

Key Fields

Task Name: The registered task name. If it matches a Windows built-in task (any path under \Microsoft\Windows\, \Microsoft\Edge\, or \Microsoft\Office\), the modification is high-priority; legitimate updates come exclusively from SYSTEM or known software deployment accounts.
Task New Content: The full updated XML definition. The critical section is <Actions>: look for new <Exec> entries, changed <Command> values, or <Arguments> containing -EncodedCommand, -enc, base64 strings, or URLs. Also check <Triggers> for new <LogonTrigger> or <BootTrigger> additions (persistence upgrade).
Subject Account Name: Who made the modification. SYSTEM or a known deployment account (SCCM, Intune, patch management) is expected. A standard user account, a service account not involved in software deployment, or an unexpected privileged account is suspicious.
Subject Logon ID: Correlate with Event 4624 to establish which session made the change; this reveals the source IP and logon type, which places the modification in the broader attack timeline.
Task Run As (in XML): The account the task executes as, found in <Principal> inside the XML. SYSTEM or NT AUTHORITY\SYSTEM context means the payload runs with maximum privilege. A newly added privileged run-as account is itself a persistence escalation.

Investigation Tips

  1. XML diff is the core investigation: open Task New Content and focus on the <Actions><Exec> block. Any new <Command> or <Arguments> entry not matching the task's historical baseline is the modification. Compare against a known-good snapshot from SCCM, Intune, or a previously captured 4702 event.
  2. Built-in task hijacking: any 4702 for a task under \Microsoft\Windows\, \Microsoft\Edge\, or \Microsoft\Office\ where Subject Account Name is not SYSTEM or a known deployment account is a critical incident. Legitimate Windows task updates come from Windows Update or SYSTEM, never from a user account or interactive session.
  3. Encoded payload detection: search the Task New Content XML for -EncodedCommand, -enc, -w hidden, FromBase64String, or any http:// / https:// URL inside <Arguments>. These strings in task XML are unambiguous malicious modification indicators.
  4. Persistence upgrade via triggers: if the <Triggers> section now includes <LogonTrigger> or <BootTrigger> that wasn't there before, the attacker has ensured their payload executes on every user logon or system boot. Treat this as a high-confidence persistence IOC.
  5. Correlate with 4688: look for schtasks.exe, PowerShell, or cmd.exe executing immediately before the 4702 timestamp on the same host. This shows the attack chain: what process made the modification and what command it ran.
  6. Audit policy verification: 4702 requires 'Audit Other Object Access Events' in Advanced Audit Policy Configuration → Object Access to be enabled. Without it, task modifications are completely invisible. Verify this is deployed via GPO on endpoints and servers; gaps in coverage are attacker opportunities.
  7. Mass modification pattern: multiple 4702 events across different task names from a single account within seconds indicates a script or framework (Cobalt Strike's schtasks module, Impacket's atexec) performing batch task hijacking. Corroborate with network logon events on the target hosts.
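The following Python script is an added example (not EventPeeker's code) that applies tips 1 to 4 and the Key Fields table to the Task New Content XML of a single 4702 record. It assumes Task Name, Subject Account Name and Task New Content have already been extracted from the event (for instance from an EVTX export), optionally alongside a known-good baseline XML for the same task; the two XML documents, the task name, the `jdoe` subject and the `svc-sccm` deployment account are constructed sample values, and `BASE64_PLACEHOLDER` stands in for an encoded payload.

```python
"""Triage the 'Task New Content' XML of a Windows Event ID 4702 record.

Added example, not EventPeeker's code. Assumes the caller already pulled
Task Name, Subject Account Name and Task New Content out of the event and
optionally holds a known-good baseline XML for the same task. The sample
XML documents and account names below are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"  # Task Scheduler schema namespace
T = {"t": NS}
BUILTIN_PREFIXES = ("\\Microsoft\\Windows\\", "\\Microsoft\\Edge\\", "\\Microsoft\\Office\\")
TRUSTED_SUBJECTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}
DEPLOYMENT_ACCOUNTS = {"svc-sccm"}  # hypothetical; replace with your deployment accounts
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}  # run-as values meaning SYSTEM
PERSISTENCE_TRIGGERS = ("LogonTrigger", "BootTrigger")
ARG_PATTERNS = [  # tip 3: indicators inside <Arguments>
    (r"-encodedcommand|-enc\b", "encoded PowerShell"),
    (r"frombase64string", "base64 decode"),
    (r"https?://", "URL in arguments"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
]
PATH_PATTERNS = [  # user-writable locations inside <Command>
    (r"\\appdata\\", "AppData path"),
    (r"\\temp\\", "Temp path"),
]


def parse_task(xml_text):
    """Pull out the pieces the Key Fields table points at: Exec actions, trigger types, run-as, author."""
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)  # drop the UTF-16 declaration; we hold a str
    root = ET.fromstring(xml_text)
    actions = [(ex.findtext("t:Command", default="", namespaces=T).strip(),
                ex.findtext("t:Arguments", default="", namespaces=T).strip())
               for ex in root.iter(f"{{{NS}}}Exec")]
    trig_el = root.find("t:Triggers", T)
    triggers = [el.tag.split("}", 1)[1] for el in trig_el] if trig_el is not None else []
    return {
        "actions": actions,
        "triggers": triggers,
        "user_id": root.findtext(".//t:Principal/t:UserId", default="", namespaces=T).strip(),
        "author": root.findtext(".//t:RegistrationInfo/t:Author", default="", namespaces=T).strip(),
    }


def triage(task_name, subject, new_xml, baseline_xml=None):
    """Return a list of finding strings for one 4702 record; an empty list means nothing stood out."""
    findings = []
    new = parse_task(new_xml)
    # tip 2: built-in task path touched by an account that is neither SYSTEM nor a deployment account
    if task_name.startswith(BUILTIN_PREFIXES) and subject not in TRUSTED_SUBJECTS | DEPLOYMENT_ACCOUNTS:
        findings.append(f"built-in task modified by {subject}")
    # tip 3: encoded / hidden / download indicators and user-writable command paths
    for cmd, args in new["actions"]:
        findings += [label for pat, label in ARG_PATTERNS if re.search(pat, args, re.I)]
        findings += [label for pat, label in PATH_PATTERNS if re.search(pat, cmd, re.I)]
    # tip 1 and tip 4: diff the Actions block and the trigger set against the baseline
    if baseline_xml is not None:
        old = parse_task(baseline_xml)
        if new["actions"] != old["actions"]:
            findings.append("Actions block changed from baseline")
        findings += [f"{t} added" for t in PERSISTENCE_TRIGGERS
                     if t in new["triggers"] and t not in old["triggers"]]
    else:
        findings += [f"{t} present (no baseline to compare)" for t in PERSISTENCE_TRIGGERS
                     if t in new["triggers"]]
    # Task Run As: SYSTEM context raises the severity of anything already found
    if findings and new["user_id"] in SYSTEM_IDS:
        findings.append("payload runs as SYSTEM")
    return findings


TASK_NAME = r"\Microsoft\Windows\Defrag\ScheduledDefrag"  # constructed sample task name

# constructed known-good baseline for the task
BASELINE_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>"""

# constructed Task New Content as it would appear after a hijack: new Exec, added LogonTrigger
MODIFIED_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary></CalendarTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-w hidden -EncodedCommand BASE64_PLACEHOLDER</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for line in triage(TASK_NAME, "jdoe", MODIFIED_XML, BASELINE_XML):
        print(line)
```

Run as-is, the script reports the built-in task touched by `jdoe`, the encoded and hidden-window arguments, the changed Actions block, the added LogonTrigger and the SYSTEM run-as context; the same baseline XML fed as both old and new content under a SYSTEM subject produces no findings, which is the behaviour you want for routine Windows Update refreshes.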

Detection Logic

Microsoft Sentinel (KQL) — flag task modifications containing encoded payloads or targeting built-in Windows tasks from unexpected accounts.

// Task modifications with encoded or suspicious command content
SecurityEvent
| where EventID == 4702
| where TaskContent has_any (
    "-EncodedCommand", "-enc ", "FromBase64String",
    "http://", "https://", "\\AppData\\", "\\Temp\\",
    "-w hidden", "-WindowStyle Hidden")
| project TimeGenerated, SubjectAccount, TaskName, TaskContent, Computer
| sort by TimeGenerated desc

// Built-in Windows task modified by non-SYSTEM account
// Verbatim (@"...") literals keep the backslashes in the task paths intact;
// in ordinary KQL strings a backslash is an escape character.
SecurityEvent
| where EventID == 4702
| where TaskName has_any (@"\Microsoft\Windows\", @"\Microsoft\Edge\",
    @"\Microsoft\Office\")
| where SubjectAccount !endswith "$"   // exclude machine accounts
| where SubjectAccount !in ("SYSTEM", @"NT AUTHORITY\SYSTEM")
| project TimeGenerated, SubjectAccount, TaskName, Computer

Seeing Event ID 4702 in your own logs? Upload an .evtx file — EventPeeker flags scheduled task modified automatically, maps it to MITRE ATT&CK, and writes the triage report. No account, files auto-deleted.


Related Event IDs

4698: Scheduled task created — baseline to compare: was 4698 followed immediately by 4702? That pattern = create-then-modify to evade creation monitoring
4699: Scheduled task deleted — attackers delete tasks during cleanup; 4702 followed by 4699 = modification then evidence removal
4700: Scheduled task enabled — attackers sometimes disable a task (4701), modify it (4702), then re-enable it (4700) to minimize the window the malicious version is active
4688: Process creation — schtasks.exe or cmd.exe executing just before 4702 shows what made the modification; the process spawned by the modified task shows what it executes
4624: Successful logon — correlate Subject Logon ID to find the source IP and logon type of the account that made the modification
4104: PowerShell script block — if the modified task runs encoded PowerShell, 4104 will capture the decoded script on execution
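The sequence patterns listed above, together with investigation tips 5 (4688 before 4702) and 7 (mass modification from one account), are time-window correlations rather than single-event checks. The Python below is an added example, not EventPeeker's code, that runs those correlations over a constructed timeline. It assumes the events have already been normalised into dicts with `time`, `event_id`, `task`, `subject`, `host` and, for 4688, `process`; the hosts `WS01` and `SRV02`, the `jdoe` account and the `\Custom\Updater` task are constructed sample values.

```python
"""Sequence and burst correlation over 4688/4698/4699/4700/4701/4702 records.

Added example, not EventPeeker's code. Assumes events are dicts with
time, event_id, task, subject, host (and process for 4688). The timeline
below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 5, 1, 10, 0, 0)  # constructed start of the sample timeline
SCHEDULING_PROCESSES = {"schtasks.exe", "powershell.exe", "cmd.exe"}  # tip 5 process names


def ev(secs, event_id, task, subject, host, process=None):
    """Build one normalised event record secs seconds after T0 (constructed data helper)."""
    return {"time": T0 + timedelta(seconds=secs), "event_id": event_id,
            "task": task, "subject": subject, "host": host, "process": process}


SAMPLE = [
    ev(1,    4688, "",                                                "jdoe",   "WS01", "schtasks.exe"),
    ev(0,    4698, r"\Custom\Updater",                                "jdoe",   "WS01"),
    ev(2,    4702, r"\Custom\Updater",                                "jdoe",   "WS01"),
    ev(5,    4701, r"\Microsoft\Windows\Defrag\ScheduledDefrag",      "jdoe",   "WS01"),
    ev(6,    4702, r"\Microsoft\Windows\Defrag\ScheduledDefrag",      "jdoe",   "WS01"),
    ev(7,    4700, r"\Microsoft\Windows\Defrag\ScheduledDefrag",      "jdoe",   "WS01"),
    ev(8,    4702, r"\Microsoft\Windows\WindowsUpdate\Scheduled Start", "jdoe", "WS01"),
    ev(9,    4702, r"\Microsoft\Edge\MicrosoftEdgeUpdateTaskMachineCore", "jdoe", "WS01"),
    ev(300,  4699, r"\Custom\Updater",                                "jdoe",   "WS01"),
    ev(1800, 4702, r"\Microsoft\Windows\Defrag\ScheduledDefrag",      "SYSTEM", "SRV02"),  # routine
]


def follows(events, first_id, second_id, window_s=300):
    """(host, task, subject, delta_s) for each first_id event followed by second_id on the same host+task."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_key[(e["host"], e["task"])].append(e)
    hits = []
    for (host, task), seq in by_key.items():
        for i, e in enumerate(seq):
            if e["event_id"] != first_id:
                continue
            for later in seq[i + 1:]:
                delta = (later["time"] - e["time"]).total_seconds()
                if delta > window_s:
                    break
                if later["event_id"] == second_id:
                    hits.append((host, task, later["subject"], delta))
                    break
    return hits


def disable_modify_enable(events, window_s=300):
    """Related-events pattern: 4701 -> 4702 -> 4700 on the same task, returned as (host, task)."""
    step1 = {(h, t) for h, t, _, _ in follows(events, 4701, 4702, window_s)}
    step2 = {(h, t) for h, t, _, _ in follows(events, 4702, 4700, window_s)}
    return sorted(step1 & step2)


def process_before(events, window_s=3):
    """Tip 5: the closest scheduling-tool 4688 on the same host within window_s before each 4702."""
    procs = [e for e in events if e["event_id"] == 4688 and e["process"] in SCHEDULING_PROCESSES]
    hits = []
    for mod in events:
        if mod["event_id"] != 4702:
            continue
        best = None
        for p in procs:
            delta = (mod["time"] - p["time"]).total_seconds()
            if p["host"] == mod["host"] and 0 <= delta <= window_s and (best is None or delta < best[1]):
                best = (p["process"], delta)
        if best:
            hits.append((mod["host"], mod["task"], best[0], best[1]))
    return hits


def burst_4702(events, window_s=10, min_tasks=3):
    """Tip 7: (subject, host, distinct_tasks) where one account modified >= min_tasks tasks within window_s."""
    mods = defaultdict(list)
    for e in events:
        if e["event_id"] == 4702:
            mods[(e["subject"], e["host"])].append(e)
    flagged = []
    for (subject, host), seq in mods.items():
        seq.sort(key=lambda e: e["time"])
        best = 0
        for i, start in enumerate(seq):  # sliding window anchored at each modification
            tasks = {x["task"] for x in seq[i:] if (x["time"] - start["time"]).total_seconds() <= window_s}
            best = max(best, len(tasks))
        if best >= min_tasks:
            flagged.append((subject, host, best))
    return flagged


if __name__ == "__main__":
    print("create-then-modify:", follows(SAMPLE, 4698, 4702))
    print("modify-then-delete:", follows(SAMPLE, 4702, 4699))
    print("disable-modify-enable:", disable_modify_enable(SAMPLE))
    print("process before 4702:", process_before(SAMPLE))
    print("burst:", burst_4702(SAMPLE))
```

On the sample timeline every pattern the Related Event IDs list describes is present for `jdoe` on WS01 (create-then-modify, modify-then-delete, disable-modify-enable, schtasks.exe one second before the change, four distinct tasks modified inside ten seconds), while the lone SYSTEM modification on SRV02 half an hour later matches nothing. Tune the window arguments to your own environment; the defaults here are only chosen to make the sample readable.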

Frequently Asked Questions

Is Event ID 4702 always suspicious?
No — Windows Update, Group Policy, and legitimate management tools modify tasks regularly. What makes 4702 suspicious is who modified it (Subject Account Name — non-SYSTEM or non-deployment account is a red flag), which task was modified (any \Microsoft\Windows\ task modified by a user account is high priority), and what changed in the XML Actions block.
How do attackers use Event ID 4702 for persistence?
Task hijacking: attackers modify an existing trusted task's XML Actions block to execute their payload while leaving the task name unchanged. The task name stays legitimate (e.g., \Microsoft\Windows\Defrag\ScheduledDefrag) while the Command now points to a malicious binary. This bypasses detections focused on new task creation (4698) since the task already existed and looks trusted by name.
What's the difference between Event ID 4698 and 4702?
4698 fires when a new scheduled task is created; 4702 fires when an existing task is modified. Many detection stacks alert on 4698 but miss 4702 — attackers know this and prefer hijacking existing tasks over creating new ones. A 4698 followed immediately by 4702 on the same task name is the create-then-modify pattern: set up a task, immediately change its payload before execution triggers.
What should I look for in Event ID 4702 Task XML?
Focus on the Task New Content XML Actions block. Look for: new <Command> paths in AppData, Temp, or unusual directories; <Arguments> containing encoded PowerShell, base64, or download URLs; <UserId> set to SYSTEM with a non-standard Command; and <Author> that doesn't match a known deployment account. Compare against a known-good baseline from SCCM, Intune, or a previous 4698 creation event.

Go deeper: the full Scheduled Task Abuse — Persistence and Lateral Execution guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.

