frack113
7d6f32d1be
chore: Cleanup conditions update: Scheduled Task Creation From Potential Suspicious Parent Location - Add additional "temporary folder" locations. --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
39 lines
1.2 KiB
YAML
39 lines
1.2 KiB
YAML
title: Delete Important Scheduled Task
|
|
id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
|
|
related:
|
|
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
|
|
type: similar
|
|
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
|
|
type: similar
|
|
status: test
|
|
description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
|
|
references:
|
|
- Internal Research
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2022/09/09
|
|
tags:
|
|
- attack.impact
|
|
- attack.t1489
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
Image|endswith: '\schtasks.exe'
|
|
CommandLine|contains|all:
|
|
- '/delete'
|
|
- '/tn'
|
|
CommandLine|contains:
|
|
# Add more important tasks
|
|
- '\Windows\BitLocker'
|
|
- '\Windows\ExploitGuard'
|
|
- '\Windows\SystemRestore\SR'
|
|
- '\Windows\UpdateOrchestrator\'
|
|
- '\Windows\Windows Defender\'
|
|
- '\Windows\WindowsBackup\'
|
|
- '\Windows\WindowsUpdate\'
|
|
condition: selection
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|