Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Detection Query
selection:
    Image|endswith: \schtasks.exe
    CommandLine|contains|all:
        - /delete
        - /tn
    CommandLine|contains:
        - \Windows\BitLocker
        - \Windows\ExploitGuard
        - \Windows\SystemRestore\SR
        - \Windows\UpdateOrchestrator\
        - \Windows\Windows Defender\
        - \Windows\WindowsBackup\
        - \Windows\WindowsUpdate\
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-09-09
Data Sources
windows: Process Creation Events
Platforms
windows
References
Internal Research
Tags
attack.impact, attack.t1489
Raw Content
title: Delete Important Scheduled Task
id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
related:
    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
      type: similar
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Auditing Eventlog
      type: similar
status: test
description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/delete'
            - '/tn'
        CommandLine|contains:
            # Add more important tasks
            - '\Windows\BitLocker'
            - '\Windows\ExploitGuard'
            - '\Windows\SystemRestore\SR'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\Windows Defender\'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
    condition: selection
falsepositives:
    - Unlikely
level: high
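To show how the selection above actually evaluates against process-creation telemetry, here is a small Python evaluator run over a handful of constructed events. It is an added example, not code from SigmaHQ or the rule's author: it implements only the string modifiers this rule uses (`contains`, `endswith`, `all`, plus `startswith`), applies Sigma's default case-insensitive matching, does not handle Sigma wildcards or escaping (this rule's values contain none), and the sample events are made up in Sysmon-style field names rather than taken from a real host.

```python
"""Minimal evaluator for the 'Delete Important Scheduled Task' Sigma selection.

Added example (not SigmaHQ code). Supports only the modifiers this rule needs;
no wildcard or escape handling. Backslashes are doubled because these are
normal Python strings rather than YAML-quoted values.
"""

# The rule's detection.selection block, transcribed from the page.
SELECTION = {
    "Image|endswith": ["\\schtasks.exe"],
    "CommandLine|contains|all": ["/delete", "/tn"],
    "CommandLine|contains": [
        "\\Windows\\BitLocker",
        "\\Windows\\ExploitGuard",
        "\\Windows\\SystemRestore\\SR",
        "\\Windows\\UpdateOrchestrator\\",
        "\\Windows\\Windows Defender\\",
        "\\Windows\\WindowsBackup\\",
        "\\Windows\\WindowsUpdate\\",
    ],
}


def field_matches(event, key, patterns):
    """Evaluate one 'Field|modifier|...' line of a selection against an event.

    Sigma string comparison is case-insensitive by default. A list of values
    is OR-ed together unless the 'all' modifier is present, in which case
    every value must match.
    """
    field, *modifiers = key.split("|")
    value = str(event.get(field, "")).lower()
    pats = [p.lower() for p in patterns]
    if "contains" in modifiers:
        hits = [p in value for p in pats]
    elif "endswith" in modifiers:
        hits = [value.endswith(p) for p in pats]
    elif "startswith" in modifiers:
        hits = [value.startswith(p) for p in pats]
    else:
        hits = [value == p for p in pats]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event, selection=SELECTION):
    """Every field line inside one selection map is AND-ed together."""
    return all(field_matches(event, key, pats) for key, pats in selection.items())


def run_rule(events, selection=SELECTION):
    """Return the indices of events satisfying 'condition: selection'."""
    return [i for i, ev in enumerate(events) if selection_matches(ev, selection)]


# Constructed sample process-creation events (Sysmon EventID 1 style fields);
# these are not real telemetry.
SAMPLE_EVENTS = [
    # 0: deletes the Defender scheduled scan task -> should alert
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /delete /tn "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /f'},
    # 1: deletes the System Restore task -> should alert
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /delete /tn "\\Microsoft\\Windows\\SystemRestore\\SR" /f'},
    # 2: task creation, not deletion -> no alert
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn "\\Backup\\Nightly" /tr backup.exe /sc daily'},
    # 3: deletion of a task outside the protected list -> no alert
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /delete /tn "\\Backup\\Nightly" /f'},
    # 4: the cmd.exe wrapper event itself fails Image|endswith -> no alert on
    #    this event (the child schtasks.exe process produces its own event)
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c schtasks /delete /tn "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start"'},
]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0 and 1 fire; event 4 does not, even though its command line names a protected task, because the rule keys on the `Image` of the process that runs `schtasks.exe`. On a real host the `cmd.exe` wrapper spawns a separate `schtasks.exe` process, and that child's own process-creation event is what the rule is meant to catch, so the parent's event not matching is expected rather than a gap.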