Deleting Windows Defender scheduled tasks
Detects the deletion of scheduled tasks related to Windows Defender.
Sigma rule (View on GitHub)
1title: Deleting Windows Defender scheduled tasks
2id: 2a6239f4-fefa-4080-adba-196f8006b54e
3status: experimental
4description: Detects the deletion of scheduled tasks related to Windows Defender.
5author: 'Kostastsale, TheDFIRReport'
6references:
7 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
8date: 2022-05-09
9modified: 2024-02-23
10logsource:
11 product: windows
12 category: process_creation
13detection:
14 selection1:
15 Image|endswith: '\schtasks.exe'
16 CommandLine|contains|all:
17 - '/delete'
18 - '/tn'
19 - 'Windows Defender'
20 condition: selection1
21falsepositives:
22 - Unknown
23level: high
24tags:
25 - attack.defense_evasion
26 - attack.t1562.001
References
-
In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector.The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity.
Read More
Related rules
- Custom Cobalt Strike Command Execution
- Enabling restricted admin mode
- Tamper Windows Defender Remove-MpPreference
- Sysinternals PsSuspend Suspicious Execution
- AWS Config Disabling Channel/Recorder