EventPeeker
Event ID 4702 · Audit Success · Security · T1053.005

Windows Event ID 4702: Scheduled Task Modified

Logged when the definition of an existing scheduled task is updated: its triggers, actions, principal (run-as account), or settings. The event carries the complete new task XML rather than a diff, and it fires on the host where the task is registered. It is only generated when the 'Other Object Access Events' audit subcategory is enabled.

MITRE ATT&CK

Technique

T1053.005 · Scheduled Task/Job: Scheduled Task

Tactic

Persistence

https://attack.mitre.org/techniques/T1053/005/

Why It Matters

Task hijacking is stealthier than creating a new task (Event 4698) because the task name is already trusted: the attacker leaves the name, description, and schedule intact and only changes what the task executes. Windows ships with hundreds of built-in tasks (Windows Defender, Windows Update, MicrosoftEdgeUpdate, OneDrive), many of which run as SYSTEM on a schedule; repointing one of these turns a trusted OS mechanism into a persistent payload launcher without adding a task that an inventory-based check would notice. 4702 is also less monitored than 4698, since many detection stacks alert on task creation but not on modification. Post-exploitation frameworks and hands-on-keyboard operators (schtasks /Change, Set-ScheduledTask, or the Task Scheduler COM API) commonly modify an existing task for durable persistence after establishing an initial foothold.

Key Fields

Task Name: The registered task path. A path under \Microsoft\Windows\, \Microsoft\Edge\, or \Microsoft\Office\ makes the modification high priority. OS-owned tasks are rewritten by SYSTEM (servicing, Windows Update) or by a known deployment account; per-user updater tasks (MicrosoftEdgeUpdate, OneDrive) are legitimately rewritten in the user's own context, so baseline those before treating a user subject as hostile.
Task New Content: The full updated XML definition (TaskContentNew in the raw EventData). The critical section is <Actions>: look for new <Exec> entries, changed <Command> values, or <Arguments> containing -EncodedCommand, -enc, base64 blobs, or URLs. Also check <Triggers> for added <LogonTrigger> or <BootTrigger> elements (a persistence upgrade). Because the field is the whole definition rather than a diff, you need a baseline to tell what actually changed.
Subject Account Name: Who made the modification. SYSTEM appears as the computer account (HOST$) with Subject Security ID S-1-5-18; it or a known deployment account (SCCM, Intune, patch management) is expected. A standard user, a service account unrelated to software deployment, or an unexpected privileged account is suspicious.
Subject Logon ID: Correlate with Event 4624 on the same host to establish which session made the change; that yields the logon type and source address and places the modification in the broader attack timeline.
Task Run As (in XML): The account the task executes as, found in <Principals><Principal><UserId> (SYSTEM appears as S-1-5-18 or NT AUTHORITY\SYSTEM), with <RunLevel> showing whether it runs elevated. A SYSTEM principal means the payload runs with maximum privilege, and a newly added privileged principal is itself a persistence escalation.

Investigation Tips

  1. XML diff is the core investigation: open Task New Content and focus on the <Actions><Exec> block. Any <Command> or <Arguments> value that does not match the task's historical baseline is the modification. Compare against a known-good definition from SCCM, Intune, the original 4698 creation event, or a previously captured 4702 for the same task.
  2. Built-in task hijacking: a 4702 for a task under \Microsoft\Windows\, \Microsoft\Edge\, or \Microsoft\Office\ where the subject is not SYSTEM (SID S-1-5-18, shown as HOST$) or a known deployment account is a critical incident. Legitimate updates to OS-owned tasks come from servicing and Windows Update running as SYSTEM; a user account or interactive session rewriting them is rare enough that the exception (a per-user updater task such as OneDrive) should be documented in your baseline rather than assumed.
  3. Encoded payload detection: search the Task New Content XML for -EncodedCommand, -enc, -w hidden, FromBase64String, or any http:// / https:// URL inside <Arguments>. In a task that previously had none of these, they are strong indicators of a malicious modification; confirm by decoding the argument and comparing the action with the baseline, because a few vendor tasks do legitimately reference URLs or hidden windows.
  4. Persistence upgrade via triggers: if the <Triggers> section now includes <LogonTrigger> or <BootTrigger> that was not there before, the attacker has ensured their payload executes on every user logon or system boot; treat this as a high-confidence persistence IOC.
  5. Correlate with 4688: look for schtasks.exe, PowerShell, or cmd.exe executing immediately before the 4702 timestamp on the same host, with command-line auditing enabled so the /Change arguments are visible. This shows the attack chain: what process made the modification and what command it ran. A modification made through the Task Scheduler COM API from an implant will not spawn schtasks.exe, so an absent 4688 does not clear the event.
  6. Audit policy verification: 4702 requires 'Audit Other Object Access Events' (Advanced Audit Policy Configuration → Object Access) to be enabled for Success. Without it, task modifications are completely invisible. Verify the setting is deployed via GPO on endpoints and servers and confirm it locally with auditpol's /get /subcategory query for that subcategory; gaps in coverage are attacker opportunities.
  7. Mass modification pattern: multiple 4702 events for different task names from a single account within seconds indicates a script or framework performing batch task hijacking. Note that tooling such as Impacket's atexec creates its own task, runs it, and deletes it, which surfaces as 4698/4699 pairs rather than 4702, so look for that burst pattern as well. Corroborate with network logon events (4624 type 3) on the target hosts.
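The following Python is an added example for this page, not EventPeeker code and not a script from the original text. It carries the XML diff, encoded-payload, trigger, built-in-task and burst checks from the tips above over constructed 4702 records in the XML shape that wevtutil exports. The host WS01, the accounts and SIDs, the timestamps, the baseline Defender task definition and the base64 argument are all invented for illustration, and the regex and path list are one reasonable encoding of the indicators listed above rather than an exhaustive one.

```python
"""Offline triage of Windows Event ID 4702 records (added example, not EventPeeker
code). Parses events in the XML shape `wevtutil qe Security /f:xml` emits, takes
the task definition in TaskContentNew apart, and applies the checks from the
investigation tips. All hosts, accounts, timestamps and task bodies are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

EVT = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TSK = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
BUILTIN_PREFIXES = ("\\microsoft\\windows\\", "\\microsoft\\edge\\", "\\microsoft\\office\\")
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger"}
# Encoded-command switches (PowerShell accepts the abbreviations), download cradles,
# user-writable drop paths and hidden-window flags.
SUSPICIOUS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+\S|frombase64string|https?://"
                        r"|\\appdata\\|\\temp\\|-(?:w|windowstyle)\s+hidden", re.IGNORECASE)

def parse_task_xml(task_xml):
    """Principal, trigger types and Exec actions: the sections worth diffing."""
    task = ET.fromstring(task_xml)
    trig = task.find("t:Triggers", TSK)
    return {"principal": task.findtext("t:Principals/t:Principal/t:UserId", "", TSK),
            "triggers": sorted(c.tag.split("}")[-1] for c in (trig if trig is not None else [])),
            "execs": [(e.findtext("t:Command", "", TSK), e.findtext("t:Arguments", "", TSK))
                      for e in task.findall("t:Actions/t:Exec", TSK)]}

def parse_4702(event_xml):
    """Flatten one 4702 record into the fields the investigation tips use."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT)}
    stamp = root.find("e:System/e:TimeCreated", EVT).get("SystemTime")
    return {"time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),  # sub-second part dropped
            "computer": root.findtext("e:System/e:Computer", "", EVT),
            "subject": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
            "subject_sid": data.get("SubjectUserSid", ""),
            "task_name": data.get("TaskName", ""),
            "task": parse_task_xml(data.get("TaskContentNew", ""))}

def triage(event, baseline=None):
    """Findings for one record; `baseline` is a parsed known-good definition (4698 or snapshot)."""
    findings, task = [], event["task"]
    if event["task_name"].lower().startswith(BUILTIN_PREFIXES) and event["subject_sid"] != SYSTEM_SID:
        findings.append(f"built-in task modified by {event['subject']} (not SYSTEM)")
    for cmd, args in task["execs"]:
        if SUSPICIOUS.search(f"{cmd} {args}"):
            findings.append(f"suspicious action: {cmd} {args}")
    if baseline is not None:
        if task["execs"] != baseline["execs"]:
            findings.append(f"actions changed from {baseline['execs']} to {task['execs']}")
        added = set(task["triggers"]) - set(baseline["triggers"])
        if added & PERSISTENCE_TRIGGERS:
            findings.append(f"persistence trigger added: {sorted(added & PERSISTENCE_TRIGGERS)}")
    if findings and task["principal"] in (SYSTEM_SID, "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        findings.append("task runs as SYSTEM: payload executes with maximum privilege")
    return findings

def modification_bursts(events, window=timedelta(seconds=10), threshold=3):
    """One subject rewriting `threshold` or more distinct tasks on a host within `window`."""
    by_subject = defaultdict(list)
    for ev in events:
        by_subject[(ev["computer"], ev["subject"])].append(ev)
    bursts = {}
    for key, evs in by_subject.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            names = {e["task_name"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(names) >= threshold:
                bursts[key] = sorted(names)
                break
    return bursts

# Constructed sample data: one legitimate SYSTEM refresh, then a user rewriting three
# built-in tasks in four seconds to run hidden, encoded PowerShell at every logon.
def task_xml(command, arguments, triggers, user_id=SYSTEM_SID):
    trig = "".join(f"<{t}><Enabled>true</Enabled></{t}>" for t in triggers)
    return (f'<Task version="1.4" xmlns="{TSK["t"]}"><Triggers>{trig}</Triggers><Principals>'
            f'<Principal id="Author"><UserId>{user_id}</UserId><RunLevel>HighestAvailable</RunLevel>'
            f'</Principal></Principals><Actions Context="Author"><Exec><Command>{escape(command)}'
            f'</Command><Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')

def make_event(time, computer, sid, user, domain, task_name, body):
    return (f'<Event xmlns="{EVT["e"]}"><System><EventID>4702</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="SubjectUserSid">{sid}</Data><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="SubjectDomainName">{domain}</Data><Data Name="TaskName">{task_name}</Data>'
            f'<Data Name="TaskContentNew">{escape(body)}</Data></EventData></Event>')

DEFENDER = "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan"
GOOD = task_xml("C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "Scan -ScheduleJob -ScanTrigger 55",
                ["CalendarTrigger"])
HIJACKED = task_xml("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                    "-w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", ["CalendarTrigger", "LogonTrigger"])
USER = ("S-1-5-21-1111-2222-3333-1105", "jdoe", "CORP")
SAMPLE_EVENTS = [
    make_event("2024-05-01T09:00:00.1234567Z", "WS01", SYSTEM_SID, "WS01$", "CORP", DEFENDER, GOOD),
    make_event("2024-05-01T10:00:00.0000000Z", "WS01", *USER, DEFENDER, HIJACKED),
    make_event("2024-05-01T10:00:02.0000000Z", "WS01", *USER, "\\Microsoft\\Windows\\Wininet\\CacheTask", HIJACKED),
    make_event("2024-05-01T10:00:04.0000000Z", "WS01", *USER, "\\Microsoft\\Windows\\Maintenance\\WinSAT", HIJACKED),
]
BASELINES = {DEFENDER: parse_task_xml(GOOD)}  # known-good definitions keyed by task path

def run(events_xml=SAMPLE_EVENTS, baselines=BASELINES):
    events = [parse_4702(x) for x in events_xml]
    report = [(ev["task_name"], ev["subject"], triage(ev, baselines.get(ev["task_name"]))) for ev in events]
    return report, modification_bursts(events)

if __name__ == "__main__":
    report, bursts = run()
    print(*[f"{n} by {s}: {f or 'no findings'}" for n, s, f in report], "bursts:", bursts, sep="\n")
```

To run this over real data, export the records with wevtutil (qe Security with an XPath filter on EventID 4702 and /f:xml), split the output into individual <Event> elements, and pass them to run(); the baselines should come from the matching 4698 events or a deployment snapshot rather than a hand-written definition as in the sample. The regex check deliberately stays simple and will also surface benign tasks that reference a URL or a Temp path, which is why the baseline comparison, not the string match, is what confirms a hijack.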

Detection Logic (KQL)

Microsoft Sentinel (KQL) — flag task modifications containing encoded payloads or targeting built-in Windows tasks from unexpected accounts.

// Task modifications with encoded or suspicious command content.
// has_any is term-based and case-insensitive: "-enc " matches the term "enc"
// but not "encodedcommand", which is why both spellings are listed.
SecurityEvent
| where EventID == 4702
| where TaskContent has_any (
    "-EncodedCommand", "-enc ", "FromBase64String",
    "http://", "https://", @"\AppData\", @"\Temp\",
    "-w hidden", "-WindowStyle Hidden")
| project TimeGenerated, Computer, SubjectAccount, SubjectLogonId, TaskName, TaskContent
| sort by TimeGenerated desc

// Built-in Windows task modified by a subject other than SYSTEM.
// Backslash paths use verbatim (@"...") strings so KQL does not treat \M or \S as escapes.
SecurityEvent
| where EventID == 4702
| where TaskName startswith @"\Microsoft\Windows\"
    or TaskName startswith @"\Microsoft\Edge\"
    or TaskName startswith @"\Microsoft\Office\"
| where SubjectUserSid != "S-1-5-18"        // SYSTEM (logged as the HOST$ computer account)
| where SubjectAccount !endswith "$"        // other machine accounts (remote installs as SYSTEM)
| project TimeGenerated, Computer, SubjectAccount, SubjectUserSid, SubjectLogonId, TaskName
| sort by TimeGenerated desc

The second query will also return per-user updater tasks that users legitimately rewrite; maintain an allowlist of those task names and deployment accounts rather than loosening the SYSTEM check.

Related Event IDs

4698: Scheduled task created. The baseline to compare against; a 4698 followed immediately by a 4702 for the same task is the create-then-modify pattern used to evade creation-only monitoring.
4699: Scheduled task deleted. Attackers delete tasks during cleanup; 4702 followed by 4699 is modification then evidence removal.
4700: Scheduled task enabled. Attackers sometimes disable a task (4701), modify it (4702), then re-enable it (4700) to minimize the window in which the malicious version is visibly active.
4688: Process creation. schtasks.exe or cmd.exe executing just before the 4702 shows what made the modification (with command-line auditing enabled, the /Change arguments too); the process spawned by the modified task shows what it executes.
4624: Successful logon. Correlate the Subject Logon ID to find the logon type and source address of the account that made the modification.
4104: PowerShell script block. If the modified task runs encoded PowerShell and Script Block Logging is enabled, 4104 captures the decoded script when the task fires.
