Hide Schedule Task Via Index Value Tamper
Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
detection:
selection:
TargetObject|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
- 'Index'
Details: DWORD (0x00000000)
condition: selectionFalse positives are unlikely for most environments. High confidence detection.
Tactics
Techniques
Removal Of SD Value to Hide Schedule Task - Registry
Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware
Detects similar activity. Both rules may fire on overlapping events.
Removal Of Index Value to Hide Schedule Task - Registry
Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"
Detects similar activity. Both rules may fire on overlapping events.