Detection of Important Scheduled Task Deletion or Disablement
Adversaries delete or disable critical scheduled tasks, such as those that drive System Restore, Windows Defender, BitLocker, Windows Backup, or Windows Update, to weaken defenses, inhibit recovery, and clear the way for data-destructive activity.
This brief covers the detection of malicious deletion or disabling of important scheduled tasks in a Windows environment. Adversaries target these tasks to disrupt normal system operations, blind or weaken protective tooling, remove the recovery paths a victim would otherwise rely on, and facilitate data destruction; ransomware and wiper operators in particular commonly remove restore- and backup-related tasks before encrypting or destroying data. The targeted tasks typically live under the built-in Microsoft task folders for System Restore, Windows Defender scans and updates, BitLocker encryption, Windows Backup, and Windows Update. This…
Detection coverage (2 rules)
Suspicious Scheduled Task Deletion/Disablement of Critical Tasks
Severity: high. Detects the deletion or disabling of important scheduled tasks based on Event ID and Task Name.
Scheduled Task Deletion via Schtasks.exe
Severity: medium. Detects the execution of schtasks.exe to delete scheduled tasks, which may indicate malicious activity.
Caveats: the Security-log task events (4698 created, 4699 deleted, 4700 enabled, 4701 disabled, 4702 updated) are only written when "Audit Other Object Access Events" is enabled, and the Microsoft-Windows-TaskScheduler/Operational channel (141 = task deleted) is frequently disabled or small by default, so confirm the telemetry exists before relying on the first rule. The second rule fires on any schtasks.exe /Delete, which is routine administrator and software-update behaviour; baseline it per host and correlate with the invoking user, parent process, and whether the target task sits in one of the protected folders before escalating.
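As an added example, not code from the brief or from the platform's own rules, the following Python applies the two detections above to constructed Windows event records: Security 4699/4701 and Task Scheduler operational 141 for the first rule, and schtasks.exe command lines taken from process-creation events (Security 4688, Sysmon 1) for the second. The set of "important" task folders, the field names on the event dicts, and the choice to raise the schtasks rule from medium to high when its target falls inside one of those folders are assumptions made for this example, not something the brief specifies.

```python
"""Added example (not from the original brief): flag deletion or disablement
of important Windows scheduled tasks from three event sources, run over
constructed sample records so it executes offline."""
import re

# Task folders treated as "important" (assumption for this example; tune to
# your environment). Compared case-insensitively against the full task path.
CRITICAL_TASK_PREFIXES = (
    "\\Microsoft\\Windows\\SystemRestore\\",
    "\\Microsoft\\Windows\\Windows Defender\\",
    "\\Microsoft\\Windows\\BitLocker\\",
    "\\Microsoft\\Windows\\WindowsBackup\\",
    "\\Microsoft\\Windows\\WindowsUpdate\\",
)

# Security log (needs "Audit Other Object Access Events" enabled):
#   4699 = scheduled task deleted, 4701 = scheduled task disabled.
# Microsoft-Windows-TaskScheduler/Operational: 141 = task deleted.
TASK_EVENTS = {
    ("Security", 4699): "deleted",
    ("Security", 4701): "disabled",
    ("Microsoft-Windows-TaskScheduler/Operational", 141): "deleted",
}

# Process-creation sources that carry a command line (Security 4688, Sysmon 1).
PROCESS_EVENTS = {("Security", 4688), ("Microsoft-Windows-Sysmon/Operational", 1)}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def normalize_task(name):
    """Strip quotes and force the leading backslash Task Scheduler uses."""
    name = name.strip().strip('"')
    return name if name.startswith("\\") else "\\" + name


def is_critical(task_name):
    t = normalize_task(task_name).lower()
    return any(t.startswith(p.lower()) for p in CRITICAL_TASK_PREFIXES)


def tokenize(cmdline):
    """Split a Windows command line, honouring double quotes. shlex is avoided
    because its POSIX mode treats the backslashes in task paths as escapes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return (action, task_path) for a schtasks.exe call that deletes
    (/Delete) or disables (/Change ... /DISABLE) a task; None otherwise."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    switches = {t.lower() for t in toks[1:]}
    task = ""
    for i, tok in enumerate(toks[1:-1], start=1):   # value of /TN follows it
        if tok.lower() == "/tn":
            task = normalize_task(toks[i + 1])
    if "/delete" in switches:
        return ("deleted", task)
    if "/change" in switches and "/disable" in switches:
        return ("disabled", task)
    return None


def detect(events):
    """Apply both rules to a list of event dicts and return the alerts."""
    alerts = []
    for ev in events:
        key = (ev.get("Channel"), ev.get("EventID"))
        if key in TASK_EVENTS:
            # Rule 1 (high): audit/operational event naming an important task.
            task = normalize_task(ev.get("TaskName", ""))
            if is_critical(task):
                alerts.append({"severity": "high", "rule": "critical_task_" + TASK_EVENTS[key],
                               "action": TASK_EVENTS[key], "task": task, "event": ev})
        elif key in PROCESS_EVENTS:
            # Rule 2 (medium): schtasks.exe deleting or disabling any task;
            # raised to high when the target is an important task (assumption).
            parsed = parse_schtasks(ev.get("CommandLine", ""))
            if parsed:
                action, task = parsed
                sev = "high" if task and is_critical(task) else "medium"
                alerts.append({"severity": sev, "rule": "schtasks_" + action,
                               "action": action, "task": task, "event": ev})
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Channel": "Security", "EventID": 4699, "SubjectUserName": "svc_backup",
     "TaskName": "\\Microsoft\\Windows\\SystemRestore\\SR"},
    {"Channel": "Security", "EventID": 4701, "SubjectUserName": "Administrator",
     "TaskName": "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan"},
    {"Channel": "Microsoft-Windows-TaskScheduler/Operational", "EventID": 141,
     "TaskName": "\\Contoso\\NightlyReport"},                       # not important: no alert
    {"Channel": "Security", "EventID": 4688,
     "CommandLine": 'schtasks.exe /Delete /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /F'},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "CommandLine": "C:\\Windows\\System32\\schtasks.exe /change /tn Updater /disable"},
    {"Channel": "Security", "EventID": 4688,
     "CommandLine": "schtasks.exe /Create /TN Updater /TR cmd.exe /SC daily"},  # creation: no alert
    {"Channel": "Security", "EventID": 4698,
     "TaskName": "\\Microsoft\\Windows\\BitLocker\\BitLocker Encrypt All Drives"},  # creation: no alert
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: {a['task']}")
```

Running the block prints three high alerts (the System Restore deletion, the Defender scan disablement, and the schtasks.exe deletion of the Windows Update task) and one medium alert for the schtasks.exe disablement of a non-protected task; the creation events and the unrelated deletion produce nothing. The prefix list is the tuning point: in production it would be generated from a baseline of the tasks present on a clean reference image rather than hand-written.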