Important Scheduled Task Deleted
Detects deletion of the scheduled tasks behind core Windows protection and recovery features (System Restore, Windows Defender, BitLocker, Windows Backup, Windows Update and Update Orchestrator, Exploit Guard), as recorded by Event ID 141 in the Microsoft-Windows-TaskScheduler/Operational log. Adversaries delete these tasks to stop the corresponding services or processes before data-destructive activity. Deletions performed under NT AUTHORITY accounts are filtered out to reduce noise from the system itself.
Sigma rule
title: Important Scheduled Task Deleted
id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
related:
    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
      type: similar
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Auditing Eventlog
      type: similar
status: test
description: |
        Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
author: frack113
date: 2023-01-13
modified: 2023-02-07
tags:
    - attack.impact
    - attack.t1489
logsource:
    product: windows
    service: taskscheduler
    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
    selection:
        EventID: 141
        TaskName|contains:
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\ExploitGuard'
    filter:
        UserName|contains:
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
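The following is an added example, not part of the rule or of the Sigma project: it re-implements the rule's selection and filter logic in Python and runs it over constructed Microsoft-Windows-TaskScheduler/Operational event records rendered as the event XML that Get-WinEvent's ToXml() produces. The XML shape, the sample task names and the user names are constructed for illustration; the lower-casing reflects that Sigma's `contains` is evaluated case-insensitively by the Windows backends, and the 'AUTORI' filter entry is read here as covering non-English spellings of NT AUTHORITY (such as the French "AUTORITE NT"), which is the editor's interpretation rather than something the rule states.

```python
"""Re-implementation of the 'Important Scheduled Task Deleted' Sigma logic
over constructed Task Scheduler Operational events (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Substrings from the rule's `selection` block. Sigma `contains` is
# case-insensitive on Windows backends, so both sides are lower-cased below.
IMPORTANT_TASK_SUBSTRINGS = [
    "\\Windows\\SystemRestore\\SR",
    "\\Windows\\Windows Defender\\",
    "\\Windows\\BitLocker",
    "\\Windows\\WindowsBackup\\",
    "\\Windows\\WindowsUpdate\\",
    "\\Windows\\UpdateOrchestrator\\",
    "\\Windows\\ExploitGuard",
]
# Substrings from the rule's `filter` block: deletions by NT AUTHORITY accounts
# are ignored ('AUTORI' is assumed to cover localized spellings such as
# the French "AUTORITE NT").
SYSTEM_ACCOUNT_SUBSTRINGS = ["AUTHORI", "AUTORI"]

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass
class TaskEvent:
    event_id: int
    task_name: str
    user_name: str


def parse_event(xml_text: str) -> TaskEvent:
    """Pull EventID, TaskName and UserName out of a rendered event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVT_NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return TaskEvent(event_id, data.get("TaskName", ""), data.get("UserName", ""))


def matches_rule(ev: TaskEvent) -> bool:
    """condition: selection and not filter"""
    if ev.event_id != 141:                      # 141 = task registration deleted
        return False
    task = ev.task_name.lower()
    selection = any(s.lower() in task for s in IMPORTANT_TASK_SUBSTRINGS)
    user = ev.user_name.lower()
    filtered = any(s.lower() in user for s in SYSTEM_ACCOUNT_SUBSTRINGS)
    return selection and not filtered


def make_event_xml(event_id: int, task_name: str, user_name: str) -> str:
    """Build a constructed event record in the Windows event XML schema."""
    data_name = "TaskDeleted" if event_id == 141 else "TaskUpdated"
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-TaskScheduler"/>'
        f"<EventID>{event_id}</EventID></System>"
        f'<EventData Name="{data_name}"><Data Name="TaskName">{task_name}</Data>'
        f'<Data Name="UserName">{user_name}</Data></EventData></Event>'
    )


# Constructed sample log: two true hits, two system-account deletions that the
# filter drops, one unrelated task, and one non-141 event for the same task.
SAMPLE_EVENTS = [
    make_event_xml(141, "\\Microsoft\\Windows\\SystemRestore\\SR", "CORP\\jdoe"),
    make_event_xml(141, "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan", "CORP\\jdoe"),
    make_event_xml(141, "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start", "NT AUTHORITY\\SYSTEM"),
    make_event_xml(141, "\\Microsoft\\Windows\\BitLocker\\BitLocker MDM policy Refresh", "AUTORITE NT\\Système"),
    make_event_xml(141, "\\MyApp\\Updater", "CORP\\jdoe"),
    make_event_xml(140, "\\Microsoft\\Windows\\SystemRestore\\SR", "CORP\\jdoe"),
]


def run_rule(xml_events):
    """Return (TaskName, UserName) for every event that fires the rule."""
    hits = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if matches_rule(ev):
            hits.append((ev.task_name, ev.user_name))
    return hits


if __name__ == "__main__":
    for task, user in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {user} deleted {task}")
```

On a real host the Operational channel has to be switched on first (for example `wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true`), otherwise no Event ID 141 records exist for the rule to match; the case-insensitive comparison also means a task deleted under a lower-cased path such as `\microsoft\windows\exploitguard\...` still fires.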
References
- https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
Related rules
- Application Uninstalled
- Azure Application Deleted
- Delete All Scheduled Tasks
- Delete Important Scheduled Task
- Stop Windows Service Via Net.EXE