high advisory

Deletion of Critical Scheduled Tasks

Adversaries delete critical scheduled tasks, such as those related to BitLocker, ExploitGuard, System Restore, Windows Defender, and Windows Update, to disrupt security measures and enable data destruction.

Attackers may delete scheduled tasks to disable security mechanisms or prevent system recovery, creating an environment conducive to data destruction. They use the schtasks.exe utility to remove scheduled tasks tied to critical system functions. The goal is to impair incident response, prevent restoration of systems, and generally increase the impact of an attack. This is done by removing the scheduled tasks, which prevents the execution of security…

Detection coverage (2)

Detect Deletion of Critical Scheduled Tasks via schtasks.exe

high

Detects the use of schtasks.exe to delete scheduled tasks associated with critical Windows functions like BitLocker, ExploitGuard, System Restore, Windows Defender, and Windows Update.

sigma; tactics: impact; techniques: T1489; sources: process_creation, windows

Detect Deletion of Scheduled Tasks via schtasks.exe (Generic)

medium

Detects the use of schtasks.exe with the delete parameter.

sigma; tactics: impact; techniques: T1489; sources: process_creation, windows
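
The two detections above, sketched as an added example (this is not the platform's rule logic, which the page does not show): one pass over process_creation events that returns the higher severity when the deleted task belongs to one of the named functions. The `Image`/`CommandLine` field names, the task-path fragments and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumed task-folder fragments for the functions the advisory names
# (default Windows task library folders; extend for your environment).
CRITICAL_TASK_PATHS = (
    r"\windows\bitlocker",
    r"\windows\exploitguard",
    r"\windows\systemrestore\sr",
    r"\windows\windows defender",
    r"\windows\windowsupdate",
)

def classify(event):
    """Return 'high', 'medium' or None for one process_creation event."""
    # ntpath parses backslash paths regardless of the analysis host's OS.
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "").lower()
    # Both detections require schtasks.exe invoked with the delete parameter.
    if image != "schtasks.exe" or "/delete" not in cmd:
        return None
    # Critical-task rule takes precedence over the generic rule.
    if any(fragment in cmd for fragment in CRITICAL_TASK_PATHS):
        return "high"
    return "medium"

def triage(events):
    """Classify a batch of events, preserving order."""
    return [classify(e) for e in events]

SCHTASKS = r"C:\Windows\System32\schtasks.exe"
# Constructed sample events, not taken from a real incident.
SAMPLE_EVENTS = [
    {"Image": SCHTASKS, "CommandLine":
        r'schtasks.exe /Delete /TN "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /F'},
    {"Image": SCHTASKS, "CommandLine":
        r'schtasks /delete /tn "\Microsoft\Windows\SystemRestore\SR" /f'},
    {"Image": SCHTASKS, "CommandLine":
        r'schtasks /delete /tn "ContosoNightlyReport" /f'},
    {"Image": SCHTASKS, "CommandLine":
        r'schtasks /query /tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine":
        r"cmd /c echo /delete \Windows\BitLocker"},
]

if __name__ == "__main__":
    for event, severity in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(severity, "|", event["CommandLine"])
```

The medium-severity result is expected to be noisy where software installers and administrators remove their own tasks, so it is better suited to baselining than to paging.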
