Deleting Windows Defender scheduled tasks

calendar Feb 23, 2024 · attack.defense_evasion attack.t1562.001  ·
Share on: linkedin copy

Detects the deletion of scheduled tasks related to Windows Defender.

Sigma rule (View on GitHub)

 1title: Deleting Windows Defender scheduled tasks
 2id: 2a6239f4-fefa-4080-adba-196f8006b54e
 3status: experimental
 4description: Detects the deletion of scheduled tasks related to Windows Defender.
 5author: 'Kostastsale, TheDFIRReport'
 6references: 
 7  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
 8date: 2022-05-09
 9modified: 2024-02-23
10logsource:
11  product: windows
12  category: process_creation
13detection:
14  selection1:
15    Image|endswith: '\schtasks.exe'
16    CommandLine|contains|all:
17      - '/delete'
18      - '/tn'
19      - 'Windows Defender'
20  condition: selection1
21falsepositives:
22  - Unknown
23level: high
24tags:
25  - attack.defense_evasion
26  - attack.t1562.001

References

  • SEO Poisoning – A Gootloader Story

    In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral moveme…


    Read More

Related rules

to-top