This note documents detection patterns for Scheduled Task persistence (MITRE ATT&CK T1053.005) in Windows environments: the events that record a task being registered or changed, the task content that marks it as suspicious, and the evidence that its action actually ran.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4698 | Scheduled task created | Critical | Primary detection point. Logged only when the Audit Other Object Access Events subcategory is enabled. Review the task name, the Subject account and logon ID, and the TaskContent XML (author, triggers, Settings/Hidden, Actions/Exec command and arguments). |
| Security | 4702 | Scheduled task updated | Critical | Attackers also hijack existing legitimate tasks by swapping the action; diff the new TaskContent against the baseline copy. |
| Security | 4699 | Scheduled task deleted | High | Builds the cleanup timeline. A 4699 seconds after a 4698 for the same task is the create-run-delete pattern of remote execution tools such as atexec. |
| Microsoft-Windows-TaskScheduler/Operational | 106 | Task registered | Critical | Independent confirmation of creation (140 = registration updated, 141 = registration deleted). This log is disabled by default on current Windows and must be enabled before it is any use. |
| Microsoft-Windows-TaskScheduler/Operational | 200 | Action started | Critical | Confirms the payload launched; 201 records the action completing and 129 records the created task process with its PID. |
| Sysmon | 1 | Process creation | Critical | Hunt schtasks.exe with /create or /change, PowerShell invoking Register-ScheduledTask, and any child of the Schedule service host (svchost.exe -k netsvcs -p -s Schedule), which is how task actions are spawned. |
| Security | 4688 | Process creation | High | Same hunts as Sysmon 1, but the command line is only present when "Include command line in process creation events" is enabled. |
Indirect Indicators
- Tasks under \Microsoft\ whose author is a user account rather than Microsoft, or names that mimic legitimate Microsoft tasks, and tasks with Settings/Hidden set to true
- High-frequency repetition triggers (minute-level intervals), or logon/boot triggers on a user-authored task
- Action command or working directory under AppData, Temp, or Users\Public
- Encoded (-EncodedCommand) or hidden-window PowerShell in the task action
- Task registered over RPC from a remote host: the 4698 Subject logon ID resolves to a network logon (4624 type 3), often followed by a 4699 seconds later
Common Tools
- schtasks.exe (/create, /change, /run; puts the task definition or a /xml file path on the command line)
- PowerShell Register-ScheduledTask, or the Schedule.Service COM object scripted directly (no schtasks.exe process, so only 4698 and PowerShell 4104 record it)
- SharpPersist (scheduled task persistence technique)
- Cobalt Strike and Empire persistence modules
- Impacket atexec.py (MS-TSCH over SMB: registers a task remotely, runs it, deletes it; leaves 4698/4699 tied to a network logon)
Relevant Artifacts
- Security 4698 / 4702 / 4699 (TaskContent carries the full task XML at creation and update time)
- Task Scheduler Operational log (106/140/141 registration events, 200/201 action start and end, 129 created task process)
- C:\Windows\System32\Tasks (one XML file per task; also shows tasks whose creation predates log retention)
- Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache (Tree maps task paths to GUIDs; Tasks holds per-GUID metadata including the action and author)
- Prefetch C:\Windows\Prefetch\SCHTASKS.EXE-*.pf (execution times of schtasks.exe; enabled by default on workstations, not servers)
- PowerShell 4104 script block logging (Microsoft-Windows-PowerShell/Operational) for Register-ScheduledTask calls and the decoded content of -EncodedCommand payloads
MITRE ATT&CK References
- T1053.005 Scheduled Task/Job: Scheduled Task
Decision Tree
- Was a task created or changed? (Security 4698/4702, TaskScheduler 106/140)
- What process created it, and under which account? (4688 or Sysmon 1 for schtasks.exe or powershell.exe; 4698 Subject fields; a network logon behind the Subject logon ID means remote creation)
- What does the action execute? (Actions/Exec in TaskContent or in the file under System32\Tasks)
- Is it hidden, or a modified legitimate task? (Settings/Hidden; compare the task path and author against the baseline; 4702 on a known task)
- Did the payload run? (TaskScheduler 200/201/129; a child process of the Schedule svchost in 4688 or Sysmon 1)
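Walking the decision tree over the event sources above, as an added example that is not part of the original note: the script parses the TaskContent XML carried by 4698/4702 (the same schema as the files under C:\Windows\System32\Tasks), scores it against the indirect indicators listed earlier, links it to the 4688 that registered it, and checks for the TaskScheduler 200 that shows the action started. The event records, task name, account and task XML are constructed for the example; field names follow the Windows EventData names; the 600-second interval threshold and the author heuristic are assumptions to tune against your own baseline.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (TaskContent in Security 4698/4702, files under System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task body, not a real capture: path mimics a Microsoft folder, action is
# encoded PowerShell run from AppData every 5 minutes, task is hidden.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\jdoe</Author></RegistrationInfo>
  <Triggers>
    <TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA</Arguments>
      <WorkingDirectory>C:\Users\jdoe\AppData\Roaming</WorkingDirectory>
    </Exec>
  </Actions>
</Task>"""
TASK_NAME = r"\Microsoft\Windows\Updater\SvcHost"

# Constructed event stream (hypothetical values, Windows EventData field names): creator 4688, the 4698, a 200.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\schtasks.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": rf'schtasks /create /tn "{TASK_NAME}" /xml C:\Users\jdoe\AppData\Local\Temp\t.xml /f'},
    {"log": "Security", "id": 4698, "SubjectUserName": "jdoe",
     "TaskName": TASK_NAME, "TaskContent": SAMPLE_TASK_XML},
    {"log": "Microsoft-Windows-TaskScheduler/Operational", "id": 200,
     "TaskName": TASK_NAME, "ActionName": "powershell.exe"},
]

def iso_duration_seconds(value: str) -> int:
    """ISO 8601 duration (PT5M, P1DT2H, ...) to seconds; days/hours/minutes/seconds only."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    d, h, mi, s = (int(x or 0) for x in (m.groups() if m else (0,) * 4))
    return d * 86400 + h * 3600 + mi * 60 + s

def parse_task(task_content: str) -> dict:
    """Extract the fields the decision tree asks about from a task XML body."""
    # TaskContent declares UTF-16 but we already hold decoded text: drop the declaration.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content).strip())
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        parts = [ex.findtext(f"t:{tag}", default="", namespaces=NS)
                 for tag in ("Command", "Arguments", "WorkingDirectory")]
        actions.append(" ".join(p for p in parts if p))
    intervals = [iso_duration_seconds(i.text) for i in root.findall(".//t:Repetition/t:Interval", NS)]
    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "triggers": [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", NS)],
        "min_interval": min(intervals) if intervals else None,
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true",
        "actions": actions,
    }

def indicators(task_name: str, task: dict) -> list[str]:
    """Apply the indirect indicators from this note to one parsed task (heuristic thresholds)."""
    hits, joined = [], " ".join(task["actions"])
    # Genuine tasks under \Microsoft\ are authored by Microsoft or a "$(...)" resource string, not DOMAIN\user.
    if (task_name.lower().startswith("\\microsoft\\") and "\\" in task["author"]
            and not task["author"].startswith("$(")):
        hits.append("path mimics Microsoft tasks but author is a user account")
    if task["hidden"]:
        hits.append("Settings/Hidden is true")
    if task["min_interval"] is not None and task["min_interval"] <= 600:
        hits.append(f"high-frequency trigger ({task['min_interval']}s)")
    if re.search(r"(?i)\\(AppData|Temp|Users\\Public)\\", joined):
        hits.append("payload or working directory in a user-writable path")
    if re.search(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", joined):
        hits.append("encoded PowerShell in action")
    return hits

def triage(events: list[dict]) -> list[dict]:
    """Walk the decision tree for every task registration or update in the event stream."""
    results = []
    for ev in events:
        if ev["log"] != "Security" or ev["id"] not in (4698, 4702):
            continue
        name, task = ev["TaskName"], parse_task(ev["TaskContent"])
        # "What process created it?": the 4688 whose command line names this task.
        creator = next((e for e in events if e["id"] == 4688
                        and name.lower() in e.get("CommandLine", "").lower()), None)
        # "Did the payload run?": a TaskScheduler/Operational 200 for the same task.
        ran = any(e["id"] == 200 and e["log"].startswith("Microsoft-Windows-TaskScheduler")
                  and e.get("TaskName") == name for e in events)
        results.append({"task": name, "event": ev["id"], "by": ev["SubjectUserName"],
                        "creator_process": creator and creator["NewProcessName"],
                        "creator_parent": creator and creator["ParentProcessName"],
                        "actions": task["actions"], "triggers": task["triggers"],
                        "indicators": indicators(name, task), "executed": ran})
    return results

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

Run it as a script to see the triage record for the sample task; in practice feed `triage()` with 4698/4702, 4688 and TaskScheduler 200 records exported from the SIEM or from `Get-WinEvent`, and keep the task XML as text (the UTF-16 declaration is stripped before parsing for exactly that reason). A task created through the Schedule.Service COM object has no schtasks.exe 4688, so `creator_process` comes back empty and the Subject account on the 4698 is the only attribution.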
Example Detection Templates
KQL
```kusto
SecurityEvent
| where EventID in (4698, 4702)   // created or updated; TaskContent holds the task XML
| project TimeGenerated, Computer, SubjectUserName, SubjectLogonId, TaskName, TaskContent
| where TaskContent has_any ("AppData", "Temp", "EncodedCommand") or TaskContent contains "<Hidden>true</Hidden>"
```
Sigma
```yaml
title: Scheduled Task Persistence Creation
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4698
      - 4702
  suspicious:
    TaskContent|contains:
      - '\AppData\'
      - '\Temp\'
      - 'EncodedCommand'
      - '<Hidden>true</Hidden>'
  condition: selection and suspicious
```
Mitigation & Hardening
- Alert on 4698 / 4702, and on a 4699 within seconds of a 4698 for the same task (create-run-delete)
- Baseline legitimate tasks (export System32\Tasks from a gold image) and diff new or updated TaskContent against it
- Restrict task creation rights: keep users out of local Administrators so user-created tasks cannot run as SYSTEM, and limit inbound SMB/RPC (remote Task Scheduler) to administrative hosts
- Enable the logging the table above depends on: Audit Other Object Access Events (4698/4702/4699), command-line auditing for 4688, the Task Scheduler Operational log, and PowerShell script block logging (4104)