Important Scheduled Task Deleted or Disabled

Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data-destructive activities.

Sigma rule

title: Important Scheduled Task Deleted or Disabled
id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
related:
    - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
      type: similar
    - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Auditing Eventlog
      type: similar
    - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
      type: similar
status: test
description: |
        Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references:
    - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
author: frack113
date: 2023-01-13
modified: 2026-03-11
tags:
    - attack.impact
    - attack.t1489
logsource:
    product: windows
    service: taskscheduler
    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
    selection:
        EventID:
            - 141 # Task Deleted
            - 142 # Task Disabled
        TaskName|contains:
            - '\Windows\SystemRestore\SR'
            - '\Windows\Windows Defender\'
            - '\Windows\BitLocker'
            - '\Windows\WindowsBackup\'
            - '\Windows\WindowsUpdate\'
            - '\Windows\UpdateOrchestrator\'
            - '\Windows\ExploitGuard'
    filter_main_user:
        UserName|contains:
            - 'AUTHORI'
            - 'AUTORI'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
simulation:
    - type: atomic-red-team
      name: Windows - Disable the SR scheduled task
      technique: T1490
      atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
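The rule's detection logic, expressed in Python and run over a few constructed Task Scheduler Operational events, as an added example that is not part of the rule or of the SigmaHQ project. It assumes the three fields the rule names (EventID, TaskName, UserName) are already parsed out of each event, treats the `|contains` modifier as a case-insensitive substring match (Sigma's semantics for Windows log fields), and uses constructed task and account names; the localized SYSTEM account string is illustrative only.

```python
# Added example: evaluate the selection / filter / condition of the Sigma rule
# above over constructed Microsoft-Windows-TaskScheduler/Operational events.
# Not part of the rule or of SigmaHQ; sample events are constructed.
from dataclasses import dataclass
from typing import Iterable, List

# EventID values from the rule: 141 = Task Deleted, 142 = Task Disabled
SELECTED_EVENT_IDS = {141, 142}

# TaskName|contains values from the rule (substring, case-insensitive)
TASK_PATTERNS = [
    "\\Windows\\SystemRestore\\SR",
    "\\Windows\\Windows Defender\\",
    "\\Windows\\BitLocker",
    "\\Windows\\WindowsBackup\\",
    "\\Windows\\WindowsUpdate\\",
    "\\Windows\\UpdateOrchestrator\\",
    "\\Windows\\ExploitGuard",
]

# UserName|contains values of filter_main_user: "AUTHORI" covers the English
# "NT AUTHORITY" accounts, "AUTORI" covers localized spellings of the same
USER_FILTER_PATTERNS = ["AUTHORI", "AUTORI"]


@dataclass(frozen=True)
class TaskSchedulerEvent:
    """The subset of event fields the rule looks at."""
    event_id: int
    task_name: str
    user_name: str


def contains_any(value: str, needles: Iterable[str]) -> bool:
    """Sigma '|contains' on Windows fields: case-insensitive substring test."""
    haystack = value.casefold()
    return any(needle.casefold() in haystack for needle in needles)


def selection(event: TaskSchedulerEvent) -> bool:
    """Rule 'selection': deleted/disabled event for one of the monitored tasks."""
    return event.event_id in SELECTED_EVENT_IDS and contains_any(event.task_name, TASK_PATTERNS)


def filter_main_user(event: TaskSchedulerEvent) -> bool:
    """Rule 'filter_main_user': actions taken by the SYSTEM-style built-in accounts."""
    return contains_any(event.user_name, USER_FILTER_PATTERNS)


def matches_rule(event: TaskSchedulerEvent) -> bool:
    """Rule condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_user(event)


# Constructed sample events (names and accounts are illustrative, not real telemetry)
SAMPLE_EVENTS = [
    # Interactive user deletes the System Restore checkpoint task -> alert
    TaskSchedulerEvent(141, "\\Microsoft\\Windows\\SystemRestore\\SR", "CONTOSO\\jdoe"),
    # Defender scan task disabled by SYSTEM -> dropped by filter_main_user
    TaskSchedulerEvent(142, "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan",
                       "NT AUTHORITY\\SYSTEM"),
    # Constructed localized SYSTEM account name -> also dropped via "AUTORI"
    TaskSchedulerEvent(142, "\\Microsoft\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh",
                       "AUTORITE NT\\SYSTEME"),
    # EventID 140 (task updated) is not part of the selection -> no alert
    TaskSchedulerEvent(140, "\\Microsoft\\Windows\\BitLocker\\BitLocker MDM policy Refresh", "CONTOSO\\jdoe"),
    # Task outside the monitored paths -> no alert
    TaskSchedulerEvent(141, "\\Contoso\\NightlyBackup", "CONTOSO\\jdoe"),
    # Windows Update task disabled by a local admin -> alert
    TaskSchedulerEvent(142, "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start", "WORKSTATION7\\admin"),
]


def find_hits(events: Iterable[TaskSchedulerEvent] = SAMPLE_EVENTS) -> List[TaskSchedulerEvent]:
    """Return the events that would fire this rule, in input order."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_hits():
        print(f"ALERT EventID={hit.event_id} TaskName={hit.task_name} UserName={hit.user_name}")
```

Two of the six constructed events fire: the SR task deletion and the Windows Update task disablement by non-SYSTEM accounts; the two SYSTEM-account events are suppressed by the filter even though their TaskName matches, and the updated-task event (140) never enters the selection. As the rule's logsource definition notes, the Operational channel is off by default; on a host it can be enabled with `wevtutil sl Microsoft-Windows-TaskScheduler/Operational /e:true`, without which none of these events are written at all.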
