Windows Event ID 4702 – Security: Scheduled Task Created

Start by examining the specific Event ID 4702 entry to understand what task was created and by whom.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter the log by clicking Filter Current Log in the Actions pane
4. Enter 4702 in the Event IDs field and click OK
5. Double-click the relevant event to view detailed information
6. Review the following key fields in the event details:
   • Subject: Shows the user account that created the task
   • Task Name: The name assigned to the scheduled task
   • Task Content: XML configuration of the task including triggers and actions

Use PowerShell to efficiently search and analyze Event ID 4702 occurrences across specific time periods.

1. Open PowerShell as Administrator
2. Query recent task creation events:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4702} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

3. Filter events by specific user account:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4702} | Where-Object {$_.Message -like "*DOMAIN\username*"}

4. Export events to CSV for analysis:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4702} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Export-Csv -Path "C:\temp\TaskCreationEvents.csv" -NoTypeInformation

5. Search for events within a specific date range:

   $StartTime = (Get-Date).AddDays(-7)
   $EndTime = Get-Date
   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4702; StartTime=$StartTime; EndTime=$EndTime}

Cross-reference Event ID 4702 entries with currently existing scheduled tasks to identify which tasks are still active.

1. List all current scheduled tasks:

   Get-ScheduledTask | Select-Object TaskName, State, Author, Date | Sort-Object Date -Descending

2. Get detailed information about a specific task mentioned in Event ID 4702:

   Get-ScheduledTask -TaskName "TaskNameFromEvent" | Get-ScheduledTaskInfo

3. Export task definitions for comparison:

   Get-ScheduledTask | ForEach-Object { Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath } | Out-File "C:\temp\AllTasks.xml"

4. Check task execution history:

   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TaskScheduler/Operational'} -MaxEvents 100 | Where-Object {$_.Id -eq 200 -or $_.Id -eq 201}

5. Identify tasks created by specific users:

   Get-ScheduledTask | Where-Object {$_.Author -like "*username*"} | Format-Table TaskName, Author, State

Perform detailed analysis of the task configuration to assess security risks and compliance implications.

1. Extract and analyze the XML task definition from Event ID 4702:

   $Event = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4702} -MaxEvents 1
   $EventXML = [xml]$Event.ToXml()
   $TaskContent = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TaskContent'} | Select-Object -ExpandProperty '#text'
   $TaskContent | Out-File "C:\temp\TaskDefinition.xml"

2. Parse the XML to identify key security elements:

   [xml]$TaskXML = Get-Content "C:\temp\TaskDefinition.xml"
   $TaskXML.Task.Actions.Exec | Select-Object Command, Arguments
   $TaskXML.Task.Triggers | Select-Object *
   $TaskXML.Task.Principals.Principal | Select-Object UserId, RunLevel

3. Check for suspicious characteristics:
   • Tasks running with SYSTEM privileges
   • Tasks executing from unusual locations (temp directories, user profiles)
   • Tasks with obfuscated command lines or encoded PowerShell
   • Tasks scheduled to run at unusual intervals
4. Validate against organizational policies:

   # Check if task executable is in approved locations
   $ApprovedPaths = @("C:\Windows\System32", "C:\Program Files", "C:\Program Files (x86)")
   $TaskCommand = $TaskXML.Task.Actions.Exec.Command
   $IsApproved = $ApprovedPaths | Where-Object {$TaskCommand -like "$_*"}

5. Document findings and create alerts for policy violations

Set up automated monitoring to detect and alert on suspicious scheduled task creation patterns.

1. Create a PowerShell script for continuous monitoring:

   # TaskMonitor.ps1
   $LastCheck = (Get-Date).AddMinutes(-5)
   $SuspiciousEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4702; StartTime=$LastCheck} | Where-Object {
       $_.Message -like "*powershell*" -or 
       $_.Message -like "*cmd.exe*" -or
       $_.Message -like "*temp*" -or
       $_.Message -like "*SYSTEM*"
   }
   if ($SuspiciousEvents) {
       $SuspiciousEvents | Export-Csv "C:\logs\SuspiciousTasks.csv" -Append -NoTypeInformation
       # Send alert email or SIEM notification
   }

2. Configure Windows Event Forwarding for centralized collection:
   • Enable WinRM on source computers: winrm quickconfig
   • Configure subscription on collector server
   • Create custom views for Event ID 4702 analysis
3. Set up Event Viewer custom views:
   • Open Event Viewer → Custom Views → Create Custom View
   • Filter by Event ID 4702 and save as "Scheduled Task Creation"
   • Configure email notifications for critical events
4. Integrate with SIEM platforms:

   # Example: Forward to Splunk Universal Forwarder
   $LogPath = "C:\Program Files\SplunkUniversalForwarder\etc\apps\windows\local\inputs.conf"
   Add-Content -Path $LogPath -Value "[WinEventLog://Security]`nwhitelist = 4702`nindex = windows_security"

5. Create baseline reports of legitimate task creation patterns for comparison