Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
Sigma rule
```yaml
title: Delete All Scheduled Tasks
id: 220457c1-1c9f-4c2e-afe6-9598926222c1
status: test
description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/09
tags:
    - attack.impact
    - attack.t1489
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /delete '
            - '/tn \*'
            - ' /f'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
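As an added example (not part of the Sigma project or of this rule's file), the following Python code applies the rule's selection logic to constructed process-creation events, the way a detection engineer might unit-test the rule before deployment. The `matches` and `hits` helpers and all sample events are assumptions made for illustration.

```python
# Added example: evaluates the rule's `selection` against constructed events.
# Sigma string modifiers are case-insensitive by default, and '\*' in the
# rule is an escaped, literal asterisk rather than a wildcard.

IMAGE_SUFFIX = "\\schtasks.exe"
REQUIRED_SUBSTRINGS = (" /delete ", "/tn *", " /f")  # CommandLine|contains|all


def matches(event: dict) -> bool:
    """Return True when a process_creation event satisfies the selection."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    # 'all' means every listed substring must be present in the command line.
    return all(s in cmdline for s in REQUIRED_SUBSTRINGS)


def hits(events: list) -> list:
    """Return the command lines of the events that would raise an alert."""
    return [e["CommandLine"] for e in events if matches(e)]


SCHTASKS = r"C:\Windows\System32\schtasks.exe"

# Constructed sample events (not taken from real telemetry).
SAMPLE_EVENTS = [
    # Deletes every task: expected to match.
    {"Image": SCHTASKS, "CommandLine": "schtasks /delete /tn * /f"},
    # Same command in different letter case: still expected to match.
    {"Image": SCHTASKS, "CommandLine": "SCHTASKS.EXE /Delete /TN * /F"},
    # Deletes one named task: no literal asterisk, so no match.
    {"Image": SCHTASKS, "CommandLine": 'schtasks /delete /tn "Backup Job" /f'},
    # Read-only query: no delete flag, so no match.
    {"Image": SCHTASKS, "CommandLine": "schtasks /query /fo LIST"},
    # Matching text, but the process image is not schtasks.exe: no match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo schtasks /delete /tn * /f"},
]

if __name__ == "__main__":
    for line in hits(SAMPLE_EVENTS):
        print("ALERT (high):", line)
```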
Related rules
- Delete Important Scheduled Task
- Disable Important Scheduled Task
- Azure Application Deleted
- Delete Volume Shadow Copies Via WMI With PowerShell
- BlueSky Ransomware Artefacts