Nasreddine Bencherchali
39 lines
1.2 KiB
YAML
39 lines
1.2 KiB
YAML
title: Delete Important Scheduled Task
|
|
id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
|
|
related:
|
|
- id: 9e3cb244-bdb8-4632-8c90-6079c8f4f16d # TaskScheduler EventLog
|
|
type: similar
|
|
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
|
|
type: similar
|
|
status: experimental
|
|
description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
|
|
references:
|
|
- Internal Research
|
|
author: Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2022/09/09
|
|
tags:
|
|
- attack.impact
|
|
- attack.t1489
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
schtasks_exe:
|
|
Image|endswith: '\schtasks.exe'
|
|
CommandLine|contains|all:
|
|
- '/delete'
|
|
- '/tn'
|
|
CommandLine|contains:
|
|
# Add more important tasks
|
|
- '\Windows\SystemRestore\SR'
|
|
- '\Windows\Windows Defender\'
|
|
- '\Windows\BitLocker'
|
|
- '\Windows\WindowsBackup\'
|
|
- '\Windows\WindowsUpdate\'
|
|
- '\Windows\UpdateOrchestrator\'
|
|
- '\Windows\ExploitGuard'
|
|
condition: all of schtasks_*
|
|
falsepositives:
|
|
- Unlikely
|
|
level: high
|