During an incident investigation, a security analyst notices suspicious outbound traffic from a Windows 10 workstation every 15 minutes. The analyst suspects a malicious scheduled task is triggering the activity and examines the Windows Security log. Which of the following Event IDs would BEST confirm that a new scheduled task was created on the system?
4648 - A logon was attempted using explicit credentials.
4624 - An account was successfully logged on.
4698 - A scheduled task was created.
5156 - The Windows Filtering Platform permitted a connection.
Windows logs Event ID 4698 whenever a new scheduled task is created. Monitoring this ID in the Security log helps analysts spot attacker persistence through rogue tasks. The other IDs relate to successful logons (4624), explicit-credential logons (4648), and permitted network connections (5156), none of which specifically confirm task creation.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are scheduled tasks and how can they be used maliciously?
Open an interactive chat with Bash
What tools can help in monitoring scheduled tasks on a system?