Event ID 4698 — A scheduled task was created.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Object Access → Other Object Access Events
Collection Priority
Recommended (Palantir, others)
Opcode
Info

Description

A scheduled task was created.

Message #

A scheduled task was created.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Task Information:
	Task Name: %5
	Task Content: %6

Fields #

Name            Description
Security_ID     [Subject] Security ID of the account that registered the task.
Account_Name    [Subject] Account Name.
Account_Domain  [Subject] Account Domain.
Logon_ID        [Subject] Logon ID; correlate with the matching 4624 logon to see how the session was established.
Task_Name       [Task Information] Task Name, including its folder path under the Task Scheduler root (for example "\CYAlyNSS").
Task_Content    [Task Information] Task Content: the full task definition XML (triggers, principal, settings, actions), as shown in the example below.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4698,
    "version": 0,
    "level": 0,
    "task": 12804,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2019-03-19T00:02:04.319945Z",
    "event_record_id": 566836,
    "correlation": {},
    "execution": {
      "process_id": 452,
      "thread_id": 2836
    },
    "channel": "Security",
    "computer": "WIN-77LTAPHIQ1R.example.corp",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1587066498-1489273250-1035260531-500",
    "SubjectUserName": "Administrator",
    "SubjectDomainName": "EXAMPLE",
    "SubjectLogonId": "0x17e2d2",
    "TaskName": "\\CYAlyNSS",
    "TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <Triggers>\r\n    <CalendarTrigger>\r\n      <StartBoundary>2015-07-15T20:35:13.2757294</StartBoundary>\r\n      <Enabled>true</Enabled>\r\n      <ScheduleByDay>\r\n        <DaysInterval>1</DaysInterval>\r\n      </ScheduleByDay>\r\n    </CalendarTrigger>\r\n  </Triggers>\r\n  <Principals>\r\n    <Principal id=\"LocalSystem\">\r\n      <UserId>S-1-5-18</UserId>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n      <LogonType>InteractiveToken</LogonType>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>true</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>true</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>\r\n    <Priority>7</Priority>\r\n  </Settings>\r\n  <Actions Context=\"LocalSystem\">\r\n    <Exec>\r\n      <Command>cmd.exe</Command>\r\n      <Arguments>/C tasklist &gt; %windir%\\Temp\\CYAlyNSS.tmp 2&gt;&amp;1</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task>"
  }
}

Detection Patterns #

Community Notes #

May also indicate remote creation via relayed SMB/WinRM session, PS cmdlets, DCOM over RPC, WMI, others.

Detection Rules #


Sigma #

Elastic #

Splunk #

  • Randomly Generated Scheduled Task Name: The following analytic detects the creation of a Scheduled Task with a high entropy, randomly generated name, leveraging Event ID 4698. It uses the `ut_shannon` function from the URL ToolBox Splunk application to measure the entropy of the Task Name. This activity is significant as adversaries often use randomly named Scheduled Tasks for lateral movement and remote code execution, employing tools like Impacket or CrackMapExec. If confirmed malicious, this could allow attackers to execute arbitrary code remotely, potentially leading to further compromise and persistence within the network.
  • Schedule Task with HTTP Command Arguments: The following analytic detects the creation of scheduled tasks on Windows systems that include HTTP command arguments, using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService with HTTP in their command arguments. This behavior is significant as it often indicates malware activity or the use of Living off the Land binaries (lolbins) to download additional payloads. If confirmed malicious, this activity could lead to data exfiltration, malware propagation, or unauthorized access to sensitive information, necessitating immediate investigation and mitigation.
  • Schedule Task with Rundll32 Command Trigger: The following analytic detects the creation of scheduled tasks in Windows that use the rundll32 command. It leverages Windows Security EventCode 4698, which logs the creation of scheduled tasks, and filters for tasks executed via rundll32. This activity is significant as it is a common technique used by malware, such as TrickBot, to persist in an environment or deliver additional payloads. If confirmed malicious, this could lead to data theft, ransomware deployment, or other damaging outcomes. Immediate investigation and mitigation are crucial to prevent further compromise.
  • Windows Hidden Schedule Task Settings: The following analytic detects the creation of hidden scheduled tasks on Windows systems, which are not visible in the UI. It leverages Windows Security EventCode 4698 to identify tasks where the 'Hidden' setting is enabled. This behavior is significant as it may indicate malware activity, such as Industroyer2, or the use of living-off-the-land binaries (LOLBINs) to download additional payloads. If confirmed malicious, this activity could allow attackers to execute code stealthily, maintain persistence, or further compromise the system by downloading additional malicious payloads.
  • Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr: The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be abused by attackers to execute malicious payloads under the guise of normal system processes. By leveraging these tasks, adversaries can establish persistence or elevate privileges without raising suspicion. This detection helps security analysts identify unusual or unauthorized scheduled tasks involving these executables, allowing for timely investigation and remediation of potential threats.
  • WinEvent Scheduled Task Created to Spawn Shell: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.
  • WinEvent Scheduled Task Created Within Public Path: The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, ProgramData, Temp, and AppData. This behavior is significant as it may indicate an attempt to establish persistence or execute unauthorized commands. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, or execute arbitrary code, posing a severe threat to system integrity and security.
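All of the Splunk checks above key on the same two fields, TaskName and the Task XML carried in TaskContent, so the work is mostly parsing that XML once and then asking simple questions of it. The following is an added example, not code from this page or from Splunk: it reads a record in the JSON shape shown under Example Event, parses TaskContent with the standard library, and re-implements the gist of each listed check. The sample record is constructed (its task reproduces, abridged, the one in the page's example); ENTROPY_THRESHOLD, RANDOM_NAME_RE, SHELLS, MMC_LAUNCHERS and PUBLIC_PATH_RE are my assumptions, not Splunk's published logic.

```python
"""Triage helpers for Security Event 4698 (scheduled task created).

Added example; not code from the page or from Splunk. Thresholds and
name/path patterns below are assumptions chosen for the demo.
"""
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
MMC_LAUNCHERS = {"compmgmtlauncher.exe", "eventvwr.exe"}
HTTP_RE = re.compile(r"https?://", re.IGNORECASE)
PUBLIC_PATH_RE = re.compile(r"\\(Users\\Public|ProgramData|Temp|AppData)\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")   # assumed: 8 random letters, no path
ENTROPY_THRESHOLD = 2.5                         # assumed cutoff, bits per character


def build_task_xml(command, arguments, hidden, user_id="S-1-5-18"):
    """Constructed Task XML, abridged from the page's example TaskContent."""
    return f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{TASK_NS['t']}">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>{user_id}</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>{str(hidden).lower()}</Hidden><Enabled>true</Enabled></Settings>
  <Actions Context="Author"><Exec><Command>{escape(command)}</Command>
    <Arguments>{escape(arguments)}</Arguments></Exec></Actions>
</Task>"""


def make_event(task_name, command, arguments, hidden, subject="Administrator"):
    """Constructed 4698 record in the page's JSON shape (only the fields used here)."""
    return {
        "system": {"event_id": 4698, "channel": "Security"},
        "event_data": {
            "SubjectUserName": subject,
            "SubjectDomainName": "EXAMPLE",
            "SubjectLogonId": "0x17e2d2",
            "TaskName": task_name,
            "TaskContent": build_task_xml(command, arguments, hidden),
        },
    }


def parse_task_content(xml_text):
    """Pull the fields an analyst cares about out of the embedded Task XML."""
    # The real event carries an encoding="UTF-16" prolog inside text that has
    # already been decoded; drop the prolog so the parser is not misled by it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).lstrip()
    root = ET.fromstring(body)

    def text(path):
        node = root.find(path, TASK_NS)
        return (node.text or "") if node is not None else ""

    triggers = root.find("t:Triggers", TASK_NS)
    return {
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "hidden": text("t:Settings/t:Hidden").strip().lower() == "true",
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "triggers": [c.tag.split("}")[-1] for c in triggers] if triggers is not None else [],
    }


def shannon_entropy(s):
    """Bits per character, the quantity Splunk's ut_shannon reports."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def basename(command):
    """Lower-cased executable name, tolerant of quotes, slashes and %vars%."""
    return command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the checks that fire for one 4698 record."""
    if event["system"]["event_id"] != 4698:
        return []
    data = event["event_data"]
    task = parse_task_content(data["TaskContent"])
    leaf = data["TaskName"].rsplit("\\", 1)[-1]   # "\\Foo\\Bar" -> "Bar"
    exe = basename(task["command"])
    cmdline = f"{task['command']} {task['arguments']}"
    fired = []
    if RANDOM_NAME_RE.match(leaf) and shannon_entropy(leaf) >= ENTROPY_THRESHOLD:
        fired.append("random_task_name")
    if HTTP_RE.search(cmdline):
        fired.append("http_in_arguments")
    if exe == "rundll32.exe":
        fired.append("rundll32_command")
    if task["hidden"]:
        fired.append("hidden_task")
    if exe in MMC_LAUNCHERS:
        fired.append("mmc_launcher_task")
    if exe in SHELLS:
        fired.append("spawns_shell")
    if PUBLIC_PATH_RE.search(cmdline):
        fired.append("public_path")
    return fired


# Constructed record reproducing the task from the page's Example Event.
SAMPLE_EVENT = make_event(
    "\\CYAlyNSS", "cmd.exe",
    "/C tasklist > %windir%\\Temp\\CYAlyNSS.tmp 2>&1", hidden=True)

if __name__ == "__main__":
    print("task:", parse_task_content(SAMPLE_EVENT["event_data"]["TaskContent"]))
    print("fired:", evaluate(SAMPLE_EVENT))
```

Two caveats worth keeping in mind. First, entropy on its own is a weak signal for short names: the eight-letter name "CYAlyNSS" from the example scores 2.75 bits per character, while a perfectly ordinary word-like name such as "ScheduledDefrag" scores higher, which is why the random-name check here also keys on the shape of the leaf name rather than on entropy alone. Second, none of this fires unless the event exists at all: 4698 is only logged when the "Other Object Access Events" subcategory is enabled for success (auditpol /set /subcategory:"Other Object Access Events" /success:enable), and when the community note's remote-creation case is suspected, the SubjectLogonId is the pivot to the 4624 event that shows how that session arrived.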

References #