Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- '/delete'
- '/tn'
CommandLine|contains:
# Add more important tasks
- '\Windows\BitLocker'
- '\Windows\ExploitGuard'
- '\Windows\SystemRestore\SR'
- '\Windows\UpdateOrchestrator\'
- '\Windows\Windows Defender\'
- '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\'
condition: selectionFalse positives are unlikely for most environments. High confidence detection.
Tactics
Techniques
Important Scheduled Task Deleted
Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Detects similar activity. Both rules may fire on overlapping events.
Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Detects similar activity. Both rules may fire on overlapping events.