Important Scheduled Task Deleted or Disabled
Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Definition
Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger
detection:
selection:
EventID:
- 141 # Task Deleted
- 142 # Task Disabled
TaskName|contains:
- '\Windows\SystemRestore\SR'
- '\Windows\Windows Defender\'
- '\Windows\BitLocker'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
- '\Windows\UpdateOrchestrator\'
- '\Windows\ExploitGuard'
filter_main_user:
UserName|contains:
- 'AUTHORI'
- 'AUTORI'
condition: selection and not 1 of filter_main_*False positive likelihood has not been assessed. Additional context may be needed during triage.
Simulations
Windows - Disable the SR scheduled task
GUID: 1c68c68d-83a4-4981-974e-8993055fa034
Tactics
Techniques
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Detects similar activity. Both rules may fire on overlapping events.
Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Detects similar activity. Both rules may fire on overlapping events.
Disable Important Scheduled Task
Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
Detects similar activity. Both rules may fire on overlapping events.