← Back to Explore
sigmahighHunting
Disable Important Scheduled Task
Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
Detection Query
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
selection_cli_disable:
CommandLine|contains|windash: /disable
selection_cli_task:
CommandLine|contains:
- \Windows\BitLocker
- \Windows\ExploitGuard
- \Windows\ExploitGuard\ExploitGuard MDM policy Refresh
- \Windows\SystemRestore\SR
- \Windows\UpdateOrchestrator\
- \Windows\Windows Defender\
- \Windows\WindowsBackup\
- \Windows\WindowsUpdate\
condition: all of selection_*
Author
frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
Created
2021-12-26
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
Tags
attack.impactattack.t1489
Raw Content
title: Disable Important Scheduled Task
id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
related:
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
type: similar
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
type: similar
status: test
description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
- https://twitter.com/MichalKoczwara/status/1553634816016498688
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
date: 2021-12-26
modified: 2026-03-11
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_disable:
CommandLine|contains|windash: '/disable'
selection_cli_task:
CommandLine|contains:
# Add more important tasks
- '\Windows\BitLocker'
- '\Windows\ExploitGuard'
- '\Windows\ExploitGuard\ExploitGuard MDM policy Refresh'
- '\Windows\SystemRestore\SR'
- '\Windows\UpdateOrchestrator\'
- '\Windows\Windows Defender\'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
simulation:
- type: atomic-red-team
name: Windows - Disable the SR scheduled task
technique: T1490
atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034