Delete All Scheduled Tasks

calendar Aug 12, 2024 · attack.impact attack.t1489  ·
Share on: linkedin copy

Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

Sigma rule (View on GitHub)

 1title: Delete All Scheduled Tasks
 2id: 220457c1-1c9f-4c2e-afe6-9598926222c1
 3status: test
 4description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
 5references:
 6    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-09-09
 9tags:
10    - attack.impact
11    - attack.t1489
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        Image|endswith: '\schtasks.exe'
18        CommandLine|contains|all:
19            - ' /delete '
20            - '/tn \*'
21            - ' /f'
22    condition: selection
23falsepositives:
24    - Unlikely
25level: high

References

  • schtasks delete

    Reference article for the schtasks delete command, which deletes a scheduled task from the schedule.


    Read More

Related rules

to-top