Defrag Deactivation - Security

calendar Oct 23, 2025 · attack.privilege-escalation attack.execution attack.persistence attack.t1053 attack.s0111 detection.emerging-threats  ·
Share on: linkedin copy

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

Sigma rule (View on GitHub)

 1title: Defrag Deactivation - Security
 2id: c5a178bf-9cfb-4340-b584-e4df39b6a3e7
 3related:
 4    - id: 958d81aa-8566-4cea-a565-59ccd4df27b0
 5      type: derived
 6status: test
 7description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
 8references:
 9    - https://securelist.com/apt-slingshot/84312/
10author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
11date: 2019-03-04
12modified: 2022-11-27
13tags:
14    - attack.privilege-escalation
15    - attack.execution
16    - attack.persistence
17    - attack.t1053
18    - attack.s0111
19    - detection.emerging-threats
20logsource:
21    product: windows
22    service: security
23    definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
24detection:
25    selection:
26        EventID: 4701
27        TaskName: '\Microsoft\Windows\Defrag\ScheduledDefrag'
28    condition: selection
29falsepositives:
30    - Unknown
31level: medium

References

  • The Slingshot APT FAQ

    While analyzing some memory dumps suspicious of being infected with a keylogger, we identified a library containing strings to interact with a virtual file system. This turned out to be a malicious loader internally named “Slingshot”.


    Read More

Related rules

to-top