Important Scheduled Task Deleted/Disabled
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Sigma rule

```yaml
title: Important Scheduled Task Deleted/Disabled
id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
related:
    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
      type: similar
    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
      type: similar
    - id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
      type: similar
status: test
description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2023-03-13
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    service: security
    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection:
        EventID:
            - 4699 # Task Deleted Event
            - 4701 # Task Disabled Event
        TaskName|contains:
            # Add more important tasks
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\Schedule'
            - '\Windows\ExploitGuard'
    filter_sys_username:
        EventID: 4699
        SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
        TaskName|contains: '\Windows\Windows Defender\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
```
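To make concrete what the `selection` admits and what `filter_sys_username` suppresses, here is an added Python evaluation of the rule's logic run over a handful of constructed 4699/4701 events. This is example code written for this page, not part of the SigmaHQ rule or of any Sigma backend; the event dicts are constructed, their field names follow the Windows Security event fields the rule references (`EventID`, `TaskName`, `SubjectUserName`), and string matching is done case-insensitively to mirror Sigma's default.

```python
"""Evaluate the 'Important Scheduled Task Deleted/Disabled' Sigma logic over sample events.

Example code for this page; not part of the SigmaHQ rule or any backend.
"""

# selection: EventID in {4699, 4701} AND TaskName contains any of these substrings.
SELECTION_EVENT_IDS = {4699, 4701}
IMPORTANT_TASK_SUBSTRINGS = [
    "\\Windows\\SystemRestore\\SR",
    "\\Windows\\Windows Defender\\",
    "\\Windows\\BitLocker",
    "\\Windows\\WindowsBackup\\",
    "\\Windows\\WindowsUpdate\\",
    "\\Windows\\UpdateOrchestrator\\Schedule",
    "\\Windows\\ExploitGuard",
]


def _contains_ci(haystack: str, needle: str) -> bool:
    """Sigma's default string comparison is case-insensitive."""
    return needle.lower() in haystack.lower()


def selection(event: dict) -> bool:
    """The rule's 'selection' block."""
    return event.get("EventID") in SELECTION_EVENT_IDS and any(
        _contains_ci(event.get("TaskName", ""), s) for s in IMPORTANT_TASK_SUBSTRINGS
    )


def filter_sys_username(event: dict) -> bool:
    """The rule's 'filter_sys_username' block: 4699 by a machine account (name ends in '$')
    touching a Defender task, which happens during Defender upgrades."""
    return (
        event.get("EventID") == 4699
        and event.get("SubjectUserName", "").lower().endswith("$")
        and _contains_ci(event.get("TaskName", ""), "\\Windows\\Windows Defender\\")
    )


def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not filter_sys_username(event)


def alerts(events: list[dict]) -> list[dict]:
    """Return the subset of events the rule would fire on."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real log data). Task paths are in the form the
# Security log reports them, i.e. rooted under \Microsoft\Windows\... .
SAMPLE_EVENTS = [
    # 1. Interactive user deletes the System Restore checkpoint task -> fires.
    {"EventID": 4699, "SubjectUserName": "jdoe",
     "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR"},
    # 2. Interactive user disables a Defender task -> fires (filter only covers 4699).
    {"EventID": 4701, "SubjectUserName": "jdoe",
     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan"},
    # 3. Machine account deletes a Defender task (upgrade churn) -> suppressed by filter.
    {"EventID": 4699, "SubjectUserName": "WKSTN01$",
     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Cleanup"},
    # 4. Machine account *disables* a Defender task -> still fires, filter is 4699-only.
    {"EventID": 4701, "SubjectUserName": "WKSTN01$",
     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Verification"},
    # 5. Task *creation* (4698) of a BitLocker task -> outside the selection.
    {"EventID": 4698, "SubjectUserName": "jdoe",
     "TaskName": "\\Microsoft\\Windows\\BitLocker\\BitLocker MDM policy Refresh"},
    # 6. Deletion of an unlisted custom task -> outside the selection.
    {"EventID": 4699, "SubjectUserName": "jdoe",
     "TaskName": "\\MyCompany\\NightlyBackup"},
]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT EventID={e['EventID']} user={e['SubjectUserName']} task={e['TaskName']}")
```

Events 3 and 4 are the ones worth looking at: the filter suppresses only deletions (4699) by machine accounts, so a 4701 disable of a Defender task by the same machine account still fires. If that turns out to be noisy, widen the filter to cover 4701 rather than loosening the selection, and keep the `TaskName` list under `# Add more important tasks` specific to the paths you actually care about.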
Related rules
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- Kapeka Backdoor Scheduled Task Creation
- Scheduled Task Creation Via Schtasks.EXE
- Suspicious Scheduled Task Creation
- Suspicious Scheduled Task Update