Deleting Windows Defender scheduled tasks
Detects the deletion of scheduled tasks related to Windows Defender.
Sigma rule

```yaml
title: Deleting Windows Defender scheduled tasks
id: c0d0392c-de50-4a11-9565-a457587e0c9d
status: Experimental
description: Detects the deletion of scheduled tasks related to Windows Defender.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
date: 2022/05/09
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains|all:
      - '/delete'
      - '/tn'
      - 'Windows Defender'
  condition: selection1
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
```
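To show what the selection above actually matches, here is an added example (not part of the rule or the project's code) that transcribes the rule's three conditions into Python and runs them over a few constructed `process_creation` events. It assumes Sigma's default case-insensitive string matching for `endswith` and `contains`, and the `ProcessEvent` type and the sample command lines are constructed for the example.

```python
"""Added example: evaluate the Sigma rule's selection over constructed
process_creation events. Not part of the rule or the project's code."""
from dataclasses import dataclass

# Conditions transcribed from the rule above. Sigma's endswith/contains
# modifiers match case-insensitively by default, so everything is lowered.
IMAGE_SUFFIX = "\\schtasks.exe"
REQUIRED_TOKENS = ("/delete", "/tn", "windows defender")


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process_creation log record (constructed)."""
    image: str
    command_line: str


def matches_rule(event: ProcessEvent) -> bool:
    """True when Image ends with \\schtasks.exe and the command line
    contains all three required tokens (the rule's selection1)."""
    image = event.image.lower()
    cmd = event.command_line.lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return all(token in cmd for token in REQUIRED_TOKENS)


# Constructed sample events, not real telemetry. Only the first one should fire:
# the second only queries, the third deletes an unrelated task, the fourth
# has the right strings but the wrong image.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /F'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /Query /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /Delete /TN "MyApp\Nightly Backup" /F'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd /c echo /delete /tn "Windows Defender"'),
]


def evaluate(events) -> list[int]:
    """Return the indices of the events that trigger the rule."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i].command_line}")
```

Because the match is on substrings of the command line, case variations such as `/DELETE` or `/TN` still trigger the rule, while a `/Query` of the same task does not.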
References
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
Related rules
- Enabling restricted admin mode
- PowerShell AMSI Bypass Pattern
- Using powershell specific download cradle OneLiner
- Custom Cobalt Strike Command Execution
- Deleting Windows Defender scheduled tasks