Important Scheduled Task Deleted

Detects the deletion of important scheduled tasks (System Restore, Windows Defender, BitLocker, Windows Backup, Windows Update, Update Orchestrator and Exploit Guard), a step adversaries take to stop the corresponding system services or processes before carrying out data-destructive activity.

Sigma rule

title: Important Scheduled Task Deleted
id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
related:
    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
      type: similar
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Auditing Eventlog
      type: similar
status: test
description: |
        Detects the deletion of important scheduled tasks (System Restore, Windows Defender, BitLocker, Windows Backup, Windows Update, Update Orchestrator and Exploit Guard), a step adversaries take to stop the corresponding system services or processes before carrying out data-destructive activity.
references:
    - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
author: frack113
date: 2023/01/13
modified: 2023/02/07
tags:
    - attack.impact
    - attack.t1489
logsource:
    product: windows
    service: taskscheduler
    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" log is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
    selection:
        EventID: 141
        TaskName|contains:
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\ExploitGuard'
    filter:
        UserName|contains:
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
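The rule's logic, `selection and not filter`, applied to a handful of constructed Task Scheduler events (EventID 141 is "Task registration deleted" in the Microsoft-Windows-TaskScheduler/Operational log). This is an added reference implementation, not code from the Sigma project or the rule author; the event records, user names and task paths are made-up sample data, and Sigma's `contains` modifier is emulated as a case-insensitive substring test.

```python
"""Reference implementation of the "Important Scheduled Task Deleted" Sigma
logic. Added illustration, not part of the Sigma project; the sample events
below are constructed."""

# Task-path fragments the rule treats as important (copied from the rule).
# Real task paths look like "\Microsoft\Windows\Windows Defender\...", which
# `contains` still matches because the fragment omits the leading "\Microsoft".
IMPORTANT_TASK_FRAGMENTS = (
    "\\Windows\\SystemRestore\\SR",
    "\\Windows\\Windows Defender\\",
    "\\Windows\\BitLocker",
    "\\Windows\\WindowsBackup\\",
    "\\Windows\\WindowsUpdate\\",
    "\\Windows\\UpdateOrchestrator\\",
    "\\Windows\\ExploitGuard",
)

# UserName fragments the rule's filter excludes: built-in service accounts such
# as "NT AUTHORITY\SYSTEM" and localized spellings that drop the "H".
EXCLUDED_USER_FRAGMENTS = ("AUTHORI", "AUTORI")

# Microsoft-Windows-TaskScheduler/Operational: task registration deleted.
EVENT_TASK_DELETED = 141


def sigma_contains(value, fragments):
    """Emulate Sigma's `contains` modifier: case-insensitive substring match."""
    haystack = (value or "").lower()
    return any(fragment.lower() in haystack for fragment in fragments)


def matches_rule(event):
    """Return True when the event satisfies `selection and not filter`."""
    if event.get("EventID") != EVENT_TASK_DELETED:
        return False
    if not sigma_contains(event.get("TaskName"), IMPORTANT_TASK_FRAGMENTS):
        return False
    # The filter suppresses deletions performed by service accounts.
    if sigma_contains(event.get("UserName"), EXCLUDED_USER_FRAGMENTS):
        return False
    return True


def find_alerts(events):
    """Return the subset of events that would raise this (high-level) alert."""
    return [event for event in events if matches_rule(event)]


# Constructed sample events (field names follow the rule's logsource).
SAMPLE_EVENTS = [
    # Interactive user deletes the Defender cache-maintenance task -> alert.
    {"EventID": 141,
     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Cache Maintenance",
     "UserName": "CORP\\jdoe"},
    # Same kind of deletion by SYSTEM -> suppressed by the filter.
    {"EventID": 141,
     "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR",
     "UserName": "NT AUTHORITY\\SYSTEM"},
    # Unrelated task deleted by a user -> not in the selection list.
    {"EventID": 141,
     "TaskName": "\\MyApp\\NightlyCleanup",
     "UserName": "CORP\\jdoe"},
    # Important task updated (140) rather than deleted -> wrong EventID.
    {"EventID": 140,
     "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "UserName": "CORP\\jdoe"},
    # Update Orchestrator task deleted by a service account name that does
    # not contain AUTHORI/AUTORI -> alert (mixed case shows the modifier).
    {"EventID": 141,
     "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "UserName": "corp\\svc-deploy"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT level=high task={hit['TaskName']} user={hit['UserName']}")
```

Two points the sample makes visible: the `AUTHORI`/`AUTORI` filter means deletions carried out under SYSTEM (for example by management tooling) never alert, so tuning the filter is a conscious trade-off between noise and coverage; and nothing fires at all unless the operational log is switched on, which on a host can be done with `wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true` (or the equivalent Group Policy setting) before the rule is deployed.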
