Deleting Windows Defender scheduled tasks
Detects the deletion of scheduled tasks related to Windows Defender.
Sigma rule (View on GitHub)
1title: Deleting Windows Defender scheduled tasks
2id: 2a6239f4-fefa-4080-adba-196f8006b54e
3status: experimental
4description: Detects the deletion of scheduled tasks related to Windows Defender.
5author: 'Kostastsale, TheDFIRReport'
6references:
7 - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
8date: 2022-05-09
9modified: 2024-02-23
10logsource:
11 product: windows
12 category: process_creation
13detection:
14 selection:
15 Image|endswith: '\schtasks.exe'
16 CommandLine|contains|all:
17 - '/delete'
18 - '/tn'
19 - 'Windows Defender'
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
24tags:
25 - attack.defense-evasion
26 - attack.t1562.001
References
-
In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral moveme…
Read More
Related rules
- Custom Cobalt Strike Command Execution
- Enabling restricted admin mode
- Sysmon Driver Altitude Change
- Windows Defender Service Disabled - Registry
- Bitbucket Audit Log Configuration Updated