Threat Hunt · low · test

Scheduled Task Deletion

Detects scheduled task deletion events (Security Event ID 4699). A task that was created only to launch a payload, rather than for persistence, is likely to be deleted afterwards as cleanup, so deletions are worth reviewing. Malicious software often creates tasks directly under the root node, e.g. \TASKNAME, rather than under a vendor folder.

Authors: David Strassegger, Tim Shelton
Created: Fri Jan 22 · Updated: Fri Jan 20
Rule ID: 4f86b304-3e02-40e3-aa5d-e88a167c9617 · Product: windows
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Service: security (raw: security)

Definition

Requirements: The Advanced Audit Policy subcategory Object Access > Audit Other Object Access Events must be enabled, otherwise Event ID 4699 is never written and this detection cannot fire. We also recommend extracting the Command field from the task-definition XML embedded in the event data (the TaskContent field), since TaskName alone does not tell you what the deleted task executed.

Detection Logic (3 selectors)

```yaml
detection:
    selection:
        EventID: 4699
    filter_main_generic:
        TaskName: '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB' # Triggered by ParentCommandLine=C:\WINDOWS\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f
    filter_main_firefox:
        TaskName|contains: '\Mozilla\Firefox Default Browser Agent ' # Triggered by firefox updates
    condition: selection and not 1 of filter_*
```
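The following is an added example and is not part of the rule or of the Sigma project. It applies the rule's selection and both filters to a handful of constructed 4699-shaped events in Python, pulls the Exec/Command out of the TaskContent XML as the requirements above recommend, and flags tasks that sit directly under the root node, the placement the description calls out. The event dicts, user names, task names, paths and task XML are all constructed sample data; the only things taken from the real event are the field names EventID, TaskName, SubjectUserName and TaskContent and the task-definition XML namespace.

```python
import xml.etree.ElementTree as ET

# Filters copied from the Sigma rule above. Sigma string matching is
# case-insensitive by default, so everything is compared lower-cased.
FILTER_MAIN_GENERIC = {"\\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB".lower()}
FILTER_MAIN_FIREFOX = ("\\Mozilla\\Firefox Default Browser Agent ".lower(),)

# Namespace of the task-definition XML that 4699 carries in TaskContent.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def command_from_task_xml(task_content):
    """Return 'Command Arguments' of the first Exec action in the task XML,
    or None if the XML is missing, unparsable, or has no Exec action."""
    if not task_content:
        return None
    try:
        root = ET.fromstring(task_content)
    except ET.ParseError:
        return None
    exec_node = root.find(f".//{TASK_NS}Exec")
    if exec_node is None:
        return None
    cmd = exec_node.findtext(f"{TASK_NS}Command", default="").strip()
    args = exec_node.findtext(f"{TASK_NS}Arguments", default="").strip()
    return f"{cmd} {args}".strip() if cmd else None


def matches_rule(event):
    """'selection and not 1 of filter_*' from the rule, over one event dict."""
    if event.get("EventID") != 4699:
        return False
    name = event.get("TaskName", "").lower()
    if name in FILTER_MAIN_GENERIC:          # filter_main_generic (exact)
        return False
    if any(s in name for s in FILTER_MAIN_FIREFOX):  # filter_main_firefox (contains)
        return False
    return True


def is_root_level(task_name):
    """True for tasks directly under the root node (\\TASKNAME), i.e. no
    folder component after the leading backslash."""
    return task_name.startswith("\\") and "\\" not in task_name[1:]


def hunt(events):
    """Run the rule over event dicts and return enriched hits in input order."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        hits.append({
            "TaskName": ev["TaskName"],
            "SubjectUserName": ev.get("SubjectUserName"),
            "Command": command_from_task_xml(ev.get("TaskContent")),
            "RootLevel": is_root_level(ev["TaskName"]),
        })
    return hits


def _task_xml(command, arguments=""):
    # Constructed task definition. Real records also carry a UTF-16 XML
    # declaration; it is omitted because this sample is already a str.
    return (
        '<Task version="1.2" '
        'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample events (hypothetical users, paths and task names).
SAMPLE_EVENTS = [
    {"EventID": 4699, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\RemovalTools\\MRT_ERROR_HB",
     "TaskContent": _task_xml("C:\\WINDOWS\\system32\\MRT.exe", "/EHB")},
    {"EventID": 4699, "SubjectUserName": "alice",
     "TaskName": "\\Mozilla\\Firefox Default Browser Agent 308046B0AF4A39CB",
     "TaskContent": _task_xml("C:\\Program Files\\Mozilla Firefox\\default-browser-agent.exe", "do-task")},
    {"EventID": 4698, "SubjectUserName": "alice",            # creation, not deletion
     "TaskName": "\\Updater",
     "TaskContent": _task_xml("C:\\Users\\Public\\update.exe", "/silent")},
    {"EventID": 4699, "SubjectUserName": "alice",            # root-level task deleted
     "TaskName": "\\Updater",
     "TaskContent": _task_xml("C:\\Users\\Public\\update.exe", "/silent")},
    {"EventID": 4699, "SubjectUserName": "SYSTEM",           # truncated XML: Command stays None
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\Cleanup",
     "TaskContent": "<Task><Broken"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running the file prints two hits: the root-level \Updater task with its extracted command, and the Maintenance\Cleanup task with Command set to None because its XML could not be parsed, which is why the enrichment must tolerate bad TaskContent rather than drop the event. Note that the Firefox filter depends on the trailing space in the rule's string, so a task named exactly \Mozilla\Firefox Default Browser Agent with no suffix is not filtered; the code reproduces that behaviour rather than correcting it. To get 4699 events at all, the subcategory can be enabled with auditpol /set /subcategory:"Other Object Access Events" /success:enable on the host or through the equivalent Group Policy setting.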
False Positives

Software installation

MITRE ATT&CK

T1053.005 · Scheduled Task/Job: Scheduled Task (Execution, Persistence, Privilege Escalation)

CAR Analytics

CAR-2013-08-001

Other

detection.threat-hunting
Rule Metadata
Rule ID
4f86b304-3e02-40e3-aa5d-e88a167c9617
Status
test
Level
low
Type
Threat Hunt
Created
Fri Jan 22
Modified
Fri Jan 20
Path
rules-threat-hunting/windows/builtin/security/win_security_scheduled_task_deletion.yml
Raw Tags
attack.execution
attack.privilege-escalation
attack.persistence
car.2013-08-001
attack.t1053.005
detection.threat-hunting