Merge PR #5900 from @swachchhanda000 - Update Important scheduled task manipulation related rules

update: Important Scheduled Task Deleted or Disabled - Add EventID 142.
update: Disable Important Scheduled Task - Add OFN and remove unnecessary string binding for increased coverage.
update: Delete Important Scheduled Task - Add OFN and remove unnecessary string binding for increased coverage.
new: System Restore Registry Modification via CommandLine
chore: add regression tests for Important scheduled task manipulation rules

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Swachchhanda Shrawan Poudel
2026-04-28 07:45:16 +05:45
committed by GitHub
parent fcb2aead3a
commit 797bcaebfe
24 changed files with 893 additions and 22 deletions
@@ -0,0 +1,54 @@
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Security-Auditing",
"Guid": "54849625-5478-4994-A5BA-3E3B0328C30D"
}
},
"EventID": 4701,
"Version": 1,
"Level": 0,
"Task": 12804,
"Opcode": 0,
"Keywords": "0x8020000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:16:41.816327Z"
}
},
"EventRecordID": 27732,
"Correlation": {
"#attributes": {
"ActivityID": "8E521E2B-7C26-0003-031F-528E267CDB01"
}
},
"Execution": {
"#attributes": {
"ProcessID": 852,
"ThreadID": 968
}
},
"Channel": "Security",
"Computer": "swachchhanda",
"Security": null
},
"EventData": {
"SubjectUserSid": "S-1-5-21-2555720767-1205513275-3893774561-1001",
"SubjectUserName": "xodih",
"SubjectDomainName": "SWACHCHHANDA",
"SubjectLogonId": "0x3144c",
"TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR",
"TaskContent": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo>\r\n <SecurityDescriptor>D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;FRFX;;;LS)</SecurityDescriptor>\r\n <Source>$(@%systemroot%\\system32\\srrstr.dll,-320)</Source>\r\n <Author>$(@%systemroot%\\system32\\srrstr.dll,-321)</Author>\r\n <Description>$(@%systemroot%\\system32\\srrstr.dll,-322)</Description>\r\n <URI>Microsoft\\Windows\\SystemRestore\\SR</URI>\r\n </RegistrationInfo>\r\n <Principals>\r\n <Principal id=\"LocalSystem\">\r\n <UserId>S-1-5-18</UserId>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <Enabled>false</Enabled>\r\n <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>\r\n <StartWhenAvailable>true</StartWhenAvailable>\r\n <RunOnlyIfIdle>true</RunOnlyIfIdle>\r\n <IdleSettings>\r\n <StopOnIdleEnd>true</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>\r\n <MaintenanceSettings>\r\n <Period>P3D</Period>\r\n <Deadline>P3DT1M</Deadline>\r\n <Exclusive>true</Exclusive>\r\n </MaintenanceSettings>\r\n </Settings>\r\n <Triggers />\r\n <Actions Context=\"LocalSystem\">\r\n <Exec>\r\n <Command>%windir%\\system32\\srtasks.exe</Command>\r\n <Arguments>ExecuteScheduledSPPCreation</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task>",
"ClientProcessStartKey": 2251799813691708,
"ClientProcessId": 5204,
"ParentProcessId": 15816,
"RpcCallClientLocality": 0,
"FQDN": "swachchhanda"
}
}
}
@@ -0,0 +1,13 @@
id: fbeed033-1556-49ae-881d-1e12e8aceb49
description: N/A
date: 2026-03-11
author: Swachchhanda Shrawan Poudel (Nextron Systems)
rule_metadata:
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
title: Important Scheduled Task Deleted/Disabled
regression_tests_info:
- name: Positive Detection Test
type: evtx
provider: Microsoft-Windows-Sysmon
match_count: 1
path: regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/7595ba94-cf3b-4471-aa03-4f6baa9e5fad.evtx
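Review bot: The `provider` here is `Microsoft-Windows-Sysmon`, but the event in this regression file is from `Microsoft-Windows-Security-Auditing` (EventID 4701 on the Security channel), so if the harness uses `provider` to choose the parser or to validate the data source, this test is misattributed; `provider: Microsoft-Windows-Security-Auditing` looks like the intended value. The same mismatch is in the info.yml for the TaskScheduler rule 9e3cb244 further down, whose sample event is from `Microsoft-Windows-TaskScheduler` on the TaskScheduler/Operational channel. The remaining info.yml files in this commit describe Sysmon EventID 1 and 13 samples and are consistent.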
@@ -0,0 +1,48 @@
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-TaskScheduler",
"Guid": "DE7B24EA-73C8-4A09-985D-5BDADCFA9017"
}
},
"EventID": 142,
"Version": 0,
"Level": 4,
"Task": 142,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:16:41.815720Z"
}
},
"EventRecordID": 14,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 1996,
"ThreadID": 15932
}
},
"Channel": "Microsoft-Windows-TaskScheduler/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"#attributes": {
"Name": "TaskDisabled"
},
"TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR",
"UserName": "System"
}
}
}
@@ -0,0 +1,13 @@
id: 89bcf8d7-2f92-4ae4-9492-bba11f26dd10
description: N/A
date: 2026-03-11
author: Swachchhanda Shrawan Poudel (Nextron Systems)
rule_metadata:
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
title: Important Scheduled Task Deleted or Disabled
regression_tests_info:
- name: Positive Detection Test
type: evtx
provider: Microsoft-Windows-Sysmon
match_count: 1
path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/9e3cb244-bdb8-4632-8c90-6079c8f4f16d.evtx
@@ -0,0 +1,264 @@
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 1,
"Version": 5,
"Level": 4,
"Task": 1,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:43:26.345335Z"
}
},
"EventRecordID": 35549,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"UtcTime": "2026-03-11 05:43:26.311",
"ProcessGuid": "0197231E-00FE-69B1-981A-000000000800",
"ProcessId": 376,
"Image": "C:\\Windows\\System32\\reg.exe",
"FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
"Description": "Registry Console Tool",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "reg.exe",
"CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f",
"CurrentDirectory": "C:\\Windows\\System32\\",
"User": "swachchhanda\\xodih",
"LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
"LogonId": "0x3144c",
"TerminalSessionId": 1,
"IntegrityLevel": "High",
"Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
"ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
"ParentProcessId": 15816,
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"ParentCommandLine": "cmd.exe",
"ParentUser": "swachchhanda\\xodih"
}
}
}
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 1,
"Version": 5,
"Level": 4,
"Task": 1,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:43:26.390084Z"
}
},
"EventRecordID": 35550,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"UtcTime": "2026-03-11 05:43:26.378",
"ProcessGuid": "0197231E-00FE-69B1-991A-000000000800",
"ProcessId": 12068,
"Image": "C:\\Windows\\System32\\reg.exe",
"FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
"Description": "Registry Console Tool",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "reg.exe",
"CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f",
"CurrentDirectory": "C:\\Windows\\System32\\",
"User": "swachchhanda\\xodih",
"LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
"LogonId": "0x3144c",
"TerminalSessionId": 1,
"IntegrityLevel": "High",
"Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
"ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
"ParentProcessId": 15816,
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"ParentCommandLine": "cmd.exe",
"ParentUser": "swachchhanda\\xodih"
}
}
}
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 1,
"Version": 5,
"Level": 4,
"Task": 1,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:43:26.438522Z"
}
},
"EventRecordID": 35551,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"UtcTime": "2026-03-11 05:43:26.429",
"ProcessGuid": "0197231E-00FE-69B1-9A1A-000000000800",
"ProcessId": 2964,
"Image": "C:\\Windows\\System32\\reg.exe",
"FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
"Description": "Registry Console Tool",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "reg.exe",
"CommandLine": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableConfig\" /t \"REG_DWORD\" /d \"1\" /f",
"CurrentDirectory": "C:\\Windows\\System32\\",
"User": "swachchhanda\\xodih",
"LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
"LogonId": "0x3144c",
"TerminalSessionId": 1,
"IntegrityLevel": "High",
"Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
"ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
"ParentProcessId": 15816,
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"ParentCommandLine": "cmd.exe",
"ParentUser": "swachchhanda\\xodih"
}
}
}
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 1,
"Version": 5,
"Level": 4,
"Task": 1,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:43:27.502020Z"
}
},
"EventRecordID": 35552,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"UtcTime": "2026-03-11 05:43:27.480",
"ProcessGuid": "0197231E-00FF-69B1-9B1A-000000000800",
"ProcessId": 13620,
"Image": "C:\\Windows\\System32\\reg.exe",
"FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
"Description": "Registry Console Tool",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "reg.exe",
"CommandLine": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v \"DisableSR\" /t \"REG_DWORD\" /d \"1\" /f",
"CurrentDirectory": "C:\\Windows\\System32\\",
"User": "swachchhanda\\xodih",
"LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
"LogonId": "0x3144c",
"TerminalSessionId": 1,
"IntegrityLevel": "High",
"Hashes": "MD5=573EB13AC2BA31E9C2E17FB6DAD14154,SHA256=E295E776FD4F7F73DFAAA5698A19EA7A2F4A2F0C5E1681FAC94E45D00296C926,IMPHASH=A26BCB048DF34CBB422F2656F38634D0",
"ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
"ParentProcessId": 15816,
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"ParentCommandLine": "cmd.exe",
"ParentUser": "swachchhanda\\xodih"
}
}
}
@@ -0,0 +1,13 @@
id: 75a7a650-1934-4994-9447-addc8cea2c50
description: N/A
date: 2026-03-11
author: Swachchhanda Shrawan Poudel (Nextron Systems)
rule_metadata:
- id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
title: System Restore Registry Modification via CommandLine
regression_tests_info:
- name: Positive Detection Test
type: evtx
provider: Microsoft-Windows-Sysmon
match_count: 4
path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/7c06ab9b-b1d2-4ba9-b06e-09491ded20d9.evtx
@@ -0,0 +1,66 @@
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 1,
"Version": 5,
"Level": 4,
"Task": 1,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:50:15.050582Z"
}
},
"EventRecordID": 35558,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"UtcTime": "2026-03-11 05:50:15.010",
"ProcessGuid": "0197231E-0297-69B1-A51A-000000000800",
"ProcessId": 3824,
"Image": "C:\\Windows\\System32\\schtasks.exe",
"FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
"Description": "Task Scheduler Configuration Tool",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "schtasks.exe",
"CommandLine": "schtasks /delete /f /tn \"\\Microsoft\\Windows\\SystemRestore\\SR\"",
"CurrentDirectory": "C:\\Windows\\System32\\",
"User": "swachchhanda\\xodih",
"LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
"LogonId": "0x3144c",
"TerminalSessionId": 1,
"IntegrityLevel": "High",
"Hashes": "MD5=F6A8EAD7A0201CD4B70BC27880EF5D90,SHA256=50D05E4D9CACE1FE8620CE95DDEA9978B26987787A0FFBCFEF4C25381DB9BB79,IMPHASH=15B98131447F3FE7853021D3B8BDBE26",
"ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
"ParentProcessId": 15816,
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"ParentCommandLine": "cmd.exe",
"ParentUser": "swachchhanda\\xodih"
}
}
}
@@ -0,0 +1,13 @@
id: 26749dc2-d5d4-4e6e-917a-b21be70dde32
description: N/A
date: 2026-03-11
author: Swachchhanda Shrawan Poudel (Nextron Systems)
rule_metadata:
- id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
title: Delete Important Scheduled Task
regression_tests_info:
- name: Positive Detection Test
type: evtx
provider: Microsoft-Windows-Sysmon
match_count: 1
path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/dbc1f800-0fe0-4bc0-9c66-292c2abe3f78.evtx
@@ -0,0 +1,66 @@
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 1,
"Version": 5,
"Level": 4,
"Task": 1,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T06:15:38.256405Z"
}
},
"EventRecordID": 35626,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"UtcTime": "2026-03-11 06:15:38.244",
"ProcessGuid": "0197231E-088A-69B1-E71A-000000000800",
"ProcessId": 15968,
"Image": "C:\\Windows\\System32\\schtasks.exe",
"FileVersion": "10.0.26100.1 (WinBuild.160101.0800)",
"Description": "Task Scheduler Configuration Tool",
"Product": "Microsoft® Windows® Operating System",
"Company": "Microsoft Corporation",
"OriginalFileName": "schtasks.exe",
"CommandLine": "schtasks.exe /Change /TN \"\\Microsoft\\Windows\\SystemRestore\\SR\" /disable",
"CurrentDirectory": "C:\\Users\\xodih\\Downloads\\Sysmon\\",
"User": "swachchhanda\\xodih",
"LogonGuid": "0197231E-AB9F-67AA-4C14-030000000000",
"LogonId": "0x3144c",
"TerminalSessionId": 1,
"IntegrityLevel": "High",
"Hashes": "MD5=F6A8EAD7A0201CD4B70BC27880EF5D90,SHA256=50D05E4D9CACE1FE8620CE95DDEA9978B26987787A0FFBCFEF4C25381DB9BB79,IMPHASH=15B98131447F3FE7853021D3B8BDBE26",
"ParentProcessGuid": "0197231E-5098-69AE-5814-000000000800",
"ParentProcessId": 15816,
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"ParentCommandLine": "cmd.exe",
"ParentUser": "swachchhanda\\xodih"
}
}
}
@@ -0,0 +1,13 @@
id: 081cb657-2a63-4c7f-8c93-3610f7555370
description: N/A
date: 2026-03-11
author: Swachchhanda Shrawan Poudel (Nextron Systems)
rule_metadata:
- id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
title: Disable Important Scheduled Task
regression_tests_info:
- name: Positive Detection Test
type: evtx
provider: Microsoft-Windows-Sysmon
match_count: 1
path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/9ac94dc8-9042-493c-ba45-3b5e7c86b980.evtx
@@ -0,0 +1,208 @@
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 13,
"Version": 2,
"Level": 4,
"Task": 13,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:55:53.550235Z"
}
},
"EventRecordID": 35579,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"EventType": "SetValue",
"UtcTime": "2026-03-11 05:55:53.547",
"ProcessGuid": "0197231E-03E9-69B1-BA1A-000000000800",
"ProcessId": 9860,
"Image": "C:\\WINDOWS\\system32\\reg.exe",
"TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableConfig",
"Details": "DWORD (0x00000001)",
"User": "swachchhanda\\xodih"
}
}
}
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 13,
"Version": 2,
"Level": 4,
"Task": 13,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:55:53.593526Z"
}
},
"EventRecordID": 35581,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"EventType": "SetValue",
"UtcTime": "2026-03-11 05:55:53.581",
"ProcessGuid": "0197231E-03E9-69B1-BB1A-000000000800",
"ProcessId": 6164,
"Image": "C:\\WINDOWS\\system32\\reg.exe",
"TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR",
"Details": "DWORD (0x00000001)",
"User": "swachchhanda\\xodih"
}
}
}
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 13,
"Version": 2,
"Level": 4,
"Task": 13,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:55:53.648759Z"
}
},
"EventRecordID": 35583,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"EventType": "SetValue",
"UtcTime": "2026-03-11 05:55:53.645",
"ProcessGuid": "0197231E-03E9-69B1-BC1A-000000000800",
"ProcessId": 8776,
"Image": "C:\\WINDOWS\\system32\\reg.exe",
"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig",
"Details": "DWORD (0x00000001)",
"User": "swachchhanda\\xodih"
}
}
}
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"System": {
"Provider": {
"#attributes": {
"Name": "Microsoft-Windows-Sysmon",
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
}
},
"EventID": 13,
"Version": 2,
"Level": 4,
"Task": 13,
"Opcode": 0,
"Keywords": "0x8000000000000000",
"TimeCreated": {
"#attributes": {
"SystemTime": "2026-03-11T05:55:54.364135Z"
}
},
"EventRecordID": 35585,
"Correlation": null,
"Execution": {
"#attributes": {
"ProcessID": 3208,
"ThreadID": 1724
}
},
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "swachchhanda",
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
}
},
"EventData": {
"RuleName": "-",
"EventType": "SetValue",
"UtcTime": "2026-03-11 05:55:54.362",
"ProcessGuid": "0197231E-03EA-69B1-BD1A-000000000800",
"ProcessId": 9004,
"Image": "C:\\WINDOWS\\system32\\reg.exe",
"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR",
"Details": "DWORD (0x00000001)",
"User": "swachchhanda\\xodih"
}
}
}
@@ -0,0 +1,13 @@
id: 70b0db86-1b38-48dd-8ddb-29357e0c0149
description: N/A
date: 2026-03-11
author: Swachchhanda Shrawan Poudel (Nextron Systems)
rule_metadata:
- id: 5de03871-5d46-4539-a82d-3aa992a69a83
title: Registry Disable System Restore
regression_tests_info:
- name: Positive Detection Test
type: evtx
provider: Microsoft-Windows-Sysmon
match_count: 4
path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/5de03871-5d46-4539-a82d-3aa992a69a83.evtx
@@ -38,11 +38,17 @@ detection:
- '\Windows\WindowsUpdate\' - '\Windows\WindowsUpdate\'
- '\Windows\UpdateOrchestrator\Schedule' - '\Windows\UpdateOrchestrator\Schedule'
- '\Windows\ExploitGuard' - '\Windows\ExploitGuard'
filter_sys_username: filter_main_defender_update:
EventID: 4699 EventID: 4699
SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
TaskName|contains: '\Windows\Windows Defender\' TaskName|contains: '\Windows\Windows Defender\'
condition: selection and not 1 of filter_* condition: selection and not 1 of filter_main_*
falsepositives: falsepositives:
- Unknown - Unknown
level: high level: high
regression_tests_path: regression_data/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable/info.yml
simulation:
- type: atomic-red-team
name: Windows - Disable the SR scheduled task
technique: T1490
atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
@@ -1,18 +1,20 @@
title: Important Scheduled Task Deleted title: Important Scheduled Task Deleted or Disabled
id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d
related: related:
- id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 # ProcCreation schtasks delete
type: similar type: similar
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
type: similar type: similar
- id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 # ProcCreation schtasks disable
type: similar
status: test status: test
description: | description: |
Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities Detects when adversaries try to stop system services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
references: references:
- https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/ - https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
author: frack113 author: frack113
date: 2023-01-13 date: 2023-01-13
modified: 2023-02-07 modified: 2026-03-11
tags: tags:
- attack.impact - attack.impact
- attack.t1489 - attack.t1489
@@ -22,7 +24,9 @@ logsource:
definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger' definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection: detection:
selection: selection:
EventID: 141 EventID:
- 141 # Task Deleted
- 142 # Task Disabled
TaskName|contains: TaskName|contains:
- '\Windows\SystemRestore\SR' - '\Windows\SystemRestore\SR'
- '\Windows\Windows Defender\' - '\Windows\Windows Defender\'
@@ -31,11 +35,17 @@ detection:
- '\Windows\WindowsUpdate\' - '\Windows\WindowsUpdate\'
- '\Windows\UpdateOrchestrator\' - '\Windows\UpdateOrchestrator\'
- '\Windows\ExploitGuard' - '\Windows\ExploitGuard'
filter: filter_main_user:
UserName|contains: UserName|contains:
- 'AUTHORI' - 'AUTHORI'
- 'AUTORI' - 'AUTORI'
condition: selection and not filter condition: selection and not 1 of filter_main_*
falsepositives: falsepositives:
- Unknown - Unknown
level: high level: high
regression_tests_path: regression_data/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_schtasks_delete_or_disable/info.yml
simulation:
- type: atomic-red-team
name: Windows - Disable the SR scheduled task
technique: T1490
atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
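Review bot: The new `simulation` entry references technique T1490, while the rule's `tags` in the first hunk carry only `- attack.t1489`, so the ATT&CK mapping and the simulation disagree; either add `- attack.t1490` (deleting or disabling `\Windows\SystemRestore\SR` is what the atomic exercises, and it inhibits recovery rather than stopping a service) or note why only T1489 is intended. The same tag/simulation mismatch appears in the Disable Important Scheduled Task rule (9ac94dc8) later in this commit, and presumably in the Security-log rule (7595ba94), whose tags fall outside its hunk. Separately, the `definition` or description should say that on EventID 142 the `UserName` field may not identify the initiating account: the regression sample for this rule records `UserName: System` for a disable that the Security 4701 sample, logged in the same second, attributes to a non-system user, so `filter_main_user` cannot be relied on to separate operator-driven from system-driven disables.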
@@ -0,0 +1,51 @@
title: System Restore Registry Modification via CommandLine
id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
related:
- id: 5de03871-5d46-4539-a82d-3aa992a69a83
type: similar
status: experimental
description: |
Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-03-11
tags:
- attack.impact
- attack.t1490
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\reg.exe'
- OriginalFileName:
- 'powershell.exe'
- 'pwsh.dll'
- 'reg.exe'
selection_cli_action:
CommandLine|contains:
- ' add '
- 'Set-ItemProperty'
- 'New-ItemProperty'
selection_cli_reg_root:
CommandLine|contains:
- '\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
selection_cli_reg_key:
CommandLine|contains:
- 'DisableConfig'
- 'DisableSR'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_restore_modification/info.yml
simulation:
- type: atomic-red-team
name: Disable System Restore Through Registry
technique: T1490
atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f
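Review bot: The selections only check the value names `DisableConfig` and `DisableSR`, never the data written, so a command that writes `0` to re-enable System Restore fires exactly like the `/d "1"` samples in the regression data, whereas the related registry_set rule (5de03871) at least observes `Details: DWORD (0x00000001)`. Because the data argument is quoted inconsistently on the command line (the samples use `/d "1"`), a string match on the data would be fragile, so the cheaper fix is to record this under `falsepositives`, e.g. `- Administrative scripts re-enabling System Restore by writing the same registry values`, and to mention in the description that the rule does not distinguish enable from disable. The `status: experimental` and `level: high` are otherwise reasonable for a rule that binds on a specific policy path plus value name.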
@@ -11,6 +11,7 @@ references:
- Internal Research - Internal Research
author: Nasreddine Bencherchali (Nextron Systems) author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09 date: 2022-09-09
modified: 2026-03-11
tags: tags:
- attack.impact - attack.impact
- attack.t1489 - attack.t1489
@@ -18,11 +19,12 @@ logsource:
category: process_creation category: process_creation
product: windows product: windows
detection: detection:
selection: selection_img:
Image|endswith: '\schtasks.exe' - Image|endswith: '\schtasks.exe'
CommandLine|contains|all: - OriginalFileName: 'schtasks.exe'
- '/delete' selection_cli_delete:
- '/tn' CommandLine|contains|windash: '/delete'
selection_cli_task:
CommandLine|contains: CommandLine|contains:
# Add more important tasks # Add more important tasks
- '\Windows\BitLocker' - '\Windows\BitLocker'
@@ -32,7 +34,8 @@ detection:
- '\Windows\Windows Defender\' - '\Windows\Windows Defender\'
- '\Windows\WindowsBackup\' - '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\' - '\Windows\WindowsUpdate\'
condition: selection condition: all of selection_*
falsepositives: falsepositives:
- Unlikely - Unlikely
level: high level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_delete/info.yml
@@ -3,6 +3,8 @@ id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
related: related:
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog - id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
type: similar type: similar
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
type: similar
status: test status: test
description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
references: references:
@@ -11,7 +13,7 @@ references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior author: frack113, Nasreddine Bencherchali (Nextron Systems), X__Junior
date: 2021-12-26 date: 2021-12-26
modified: 2024-08-25 modified: 2026-03-11
tags: tags:
- attack.impact - attack.impact
- attack.t1489 - attack.t1489
@@ -19,12 +21,12 @@ logsource:
category: process_creation category: process_creation
product: windows product: windows
detection: detection:
selection: selection_img:
Image|endswith: '\schtasks.exe' - Image|endswith: '\schtasks.exe'
CommandLine|contains|all: - OriginalFileName: 'schtasks.exe'
- '/Change' selection_cli_disable:
- '/TN' CommandLine|contains|windash: '/disable'
- '/disable' selection_cli_task:
CommandLine|contains: CommandLine|contains:
# Add more important tasks # Add more important tasks
- '\Windows\BitLocker' - '\Windows\BitLocker'
@@ -35,7 +37,13 @@ detection:
- '\Windows\Windows Defender\' - '\Windows\Windows Defender\'
- '\Windows\WindowsBackup\' - '\Windows\WindowsBackup\'
- '\Windows\WindowsUpdate\' - '\Windows\WindowsUpdate\'
condition: selection condition: all of selection_*
falsepositives: falsepositives:
- Unknown - Unknown
level: high level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_schtasks_disable/info.yml
simulation:
- type: atomic-red-team
name: Windows - Disable the SR scheduled task
technique: T1490
atomic_guid: 1c68c68d-83a4-4981-974e-8993055fa034
@@ -1,5 +1,8 @@
title: Registry Disable System Restore title: Registry Disable System Restore
id: 5de03871-5d46-4539-a82d-3aa992a69a83 id: 5de03871-5d46-4539-a82d-3aa992a69a83
related:
- id: 7c06ab9b-b1d2-4ba9-b06e-09491ded20d9
type: similar
status: test status: test
description: Detects the modification of the registry to disable a system restore on the computer description: Detects the modification of the registry to disable a system restore on the computer
references: references:
@@ -26,3 +29,9 @@ detection:
falsepositives: falsepositives:
- Unknown - Unknown
level: high level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_disable_system_restore/info.yml
simulation:
- type: atomic-red-team
name: Disable System Restore Through Registry
technique: T1490
atomic_guid: 66e647d1-8741-4e43-b7c1-334760c2047f