EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Scheduled Task Deletion

Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME

MITRE ATT&CK

T1053.005
executionprivilege-escalationpersistence

Detection Query

selection:
  EventID: 4699
filter_main_generic:
  TaskName: \Microsoft\Windows\RemovalTools\MRT_ERROR_HB
filter_main_firefox:
  TaskName|contains: "\\Mozilla\\Firefox Default Browser Agent "
condition: selection and not 1 of filter_*

Author

David Strassegger, Tim Shelton

Created

2021-01-22

Data Sources

windowssecurity

Platforms

windows

References

Tags

attack.executionattack.privilege-escalationattack.persistencecar.2013-08-001attack.t1053.005detection.threat-hunting
Raw Content
title: Scheduled Task Deletion
id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
status: test
description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
references:
    - https://twitter.com/matthewdunwoody/status/1352356685982146562
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
author: David Strassegger, Tim Shelton
date: 2021-01-22
modified: 2023-01-20
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - car.2013-08-001
    - attack.t1053.005
    - detection.threat-hunting
logsource:
    product: windows
    service: security
    definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection:
        EventID: 4699
    filter_main_generic:
        TaskName: '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB' # Triggered by ParentCommandLine=C:\WINDOWS\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f
    filter_main_firefox:
        TaskName|contains: '\Mozilla\Firefox Default Browser Agent ' # Triggered by firefox updates
    condition: selection and not 1 of filter_*
falsepositives:
    - Software installation
level: low