← Back to Explore
sigmahighHunting
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Detection Query
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
selection_cli_delete:
CommandLine|contains|windash: /delete
selection_cli_task:
CommandLine|contains:
- \Windows\BitLocker
- \Windows\ExploitGuard
- \Windows\SystemRestore\SR
- \Windows\UpdateOrchestrator\
- \Windows\Windows Defender\
- \Windows\WindowsBackup\
- \Windows\WindowsUpdate\
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-09-09
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.impactattack.t1489
Raw Content
title: Delete Important Scheduled Task
id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
related:
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
type: similar
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
type: similar
status: test
description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2026-03-11
tags:
- attack.impact
- attack.t1489
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli_delete:
CommandLine|contains|windash: '/delete'
selection_cli_task:
CommandLine|contains:
# Add more important tasks
- '\Windows\BitLocker'
- '\Windows\ExploitGuard'
- '\Windows\SystemRestore\SR'
- '\Windows\UpdateOrchestrator\'
- '\Windows\Windows Defender\'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml