Detection
Level: high
Status: test

Important Scheduled Task Deleted/Disabled

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Mon Dec 05
Updated: Mon Mar 13
ID: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad

Log Source
Product: windows
Service: security

Definition

The Advanced Audit Policy setting Object Access > Audit Other Object Access Events must be enabled, otherwise events 4699 and 4701 are never written and this detection cannot fire. We also recommend extracting the Command field from the task XML embedded in the event data, so that the action of a deleted or disabled task is visible during triage.

Detection Logic
detection:
    selection:
        EventID:
            - 4699 # Task Deleted Event
            - 4701 # Task Disabled Event
        TaskName|contains:
            # Add more important tasks
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\Schedule'
            - '\Windows\ExploitGuard'
    filter_sys_username:
        EventID: 4699
        SubjectUserName|endswith: '$'  # False positives during upgrades of Defender, where its tasks get removed and added
        TaskName|contains: '\Windows\Windows Defender\'
    condition: selection and not 1 of filter_*
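To make the condition concrete, the following Python is an added example (not part of the Sigma rule or the SigmaHQ project) that evaluates the rule's `selection`, `filter_sys_username` and `condition` over constructed Windows Security events, and also pulls the `Command` out of the task XML as the definition above recommends. It assumes the events are already parsed into the Security log's field names (`EventID`, `SubjectUserName`, `TaskName`, `TaskContent`) and reproduces Sigma's default case-insensitive string matching; the XML namespace is the Task Scheduler schema namespace. The event list and its task XML are constructed sample data.

```python
"""Evaluate the scheduled-task Sigma rule over constructed 4699/4701 events.

Added example; not the rule's or SigmaHQ's own code. Field names follow the
Windows Security log; the events themselves are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

# Task path fragments from the rule's `selection` block (Sigma |contains).
WATCHED_TASKS = [
    "\\Windows\\SystemRestore\\SR",
    "\\Windows\\Windows Defender\\",
    "\\Windows\\BitLocker",
    "\\Windows\\WindowsBackup\\",
    "\\Windows\\WindowsUpdate\\",
    "\\Windows\\UpdateOrchestrator\\Schedule",
    "\\Windows\\ExploitGuard",
]
# Task Scheduler XML schema namespace used inside TaskContent.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def contains_ci(value, needle):
    """Sigma `|contains` modifier: case-insensitive substring match."""
    return needle.lower() in value.lower()


def matches_selection(event):
    """`selection`: task deleted (4699) or disabled (4701) on a watched path."""
    if event.get("EventID") not in (4699, 4701):
        return False
    task = event.get("TaskName", "")
    return any(contains_ci(task, frag) for frag in WATCHED_TASKS)


def matches_filter_sys_username(event):
    """`filter_sys_username`: a Defender task deleted by a machine account
    (name ends in '$'), the benign pattern seen during Defender upgrades.
    Note it covers 4699 only; a disabled (4701) Defender task still fires."""
    return (
        event.get("EventID") == 4699
        and event.get("SubjectUserName", "").endswith("$")
        and contains_ci(event.get("TaskName", ""), "\\Windows\\Windows Defender\\")
    )


def rule_fires(event):
    """`condition: selection and not 1 of filter_*`."""
    return matches_selection(event) and not matches_filter_sys_username(event)


def extract_command(task_content):
    """Return <Actions><Exec><Command> from the task XML in TaskContent, or
    None when the task has no Exec action (e.g. a COM handler action)."""
    # The embedded XML declares UTF-16 but arrives as text; drop the declaration.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(body)
    node = root.find(".//t:Actions/t:Exec/t:Command", TASK_NS)
    return node.text.strip() if node is not None and node.text else None


# Constructed task XML for the System Restore task (shape of a real TaskContent).
SR_TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<Actions Context="Author"><Exec><Command>%windir%\\system32\\srtasks.exe</Command>'
    "<Arguments>ExecuteScheduledSPPCreation</Arguments></Exec></Actions></Task>"
)

# Constructed sample events: user "jdoe" and machine account "WKSTN01$" are made up.
SAMPLE_EVENTS = [
    {"EventID": 4699, "SubjectUserName": "jdoe",
     "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR", "TaskContent": SR_TASK_XML},
    {"EventID": 4701, "SubjectUserName": "jdoe",
     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan"},
    {"EventID": 4699, "SubjectUserName": "WKSTN01$",   # filtered: Defender upgrade pattern
     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Cache Maintenance"},
    {"EventID": 4699, "SubjectUserName": "WKSTN01$",   # machine account, but not Defender
     "TaskName": "\\Microsoft\\Windows\\BitLocker\\BitLocker Encrypt All Drives"},
    {"EventID": 4698, "SubjectUserName": "jdoe",       # task created: out of scope
     "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR"},
    {"EventID": 4699, "SubjectUserName": "jdoe", "TaskName": "\\Contoso\\NightlyBackup"},
]


def evaluate(events):
    """Return (TaskName, fired, command) per event: the view an analyst triages."""
    rows = []
    for ev in events:
        cmd = extract_command(ev["TaskContent"]) if ev.get("TaskContent") else None
        rows.append((ev["TaskName"], rule_fires(ev), cmd))
    return rows


if __name__ == "__main__":
    for task, fired, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT ' if fired else 'ignore'}  {task}  command={cmd}")
```

Running the block shows four alerts and two ignored events: the machine-account deletion of a Defender task is suppressed by the filter, while the same machine account deleting a BitLocker task still alerts, because the filter is scoped to the Defender path and to 4699 only.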
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.