Adversaries Disabling Important Scheduled Tasks
Adversaries disable crucial scheduled tasks, such as those related to BitLocker, Windows Defender, System Restore and Windows Update, using schtasks.exe to disrupt services and potentially facilitate data destruction or ransomware deployment.
Attackers are increasingly targeting scheduled tasks to disable critical system functions. This tactic involves using schtasks.exe to disable essential tasks related to security, backup, and update mechanisms. By disabling tasks like Windows Defender scans, System Restore points, BitLocker encryption, and Windows Update, adversaries can significantly weaken a system’s defenses, making it more vulnerable to data destruction or ransomware attacks. The observed behavior involves the execution of…
Detection coverage: 2 rules

Detect Schtasks Task Disable (severity: high)
Detects when adversaries stop services or processes by disabling their respective scheduled tasks via schtasks.exe in order to conduct data-destructive activities.

Detect Schtasks Task Change with /disable Parameter (severity: medium)
Detects the use of schtasks.exe to modify a scheduled task by using the /change and /disable parameters.
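The two rules above describe the same process-creation pattern at two confidence levels: any schtasks.exe invocation carrying both /change and /disable (medium), and the subset where the disabled task belongs to one of the protection mechanisms named in the summary (high). The following is an added illustration of that tiering, written here for this page; it is not the platform's own query. The event dictionaries are constructed sample records loosely modelled on Sysmon Event ID 1 fields, and the task-folder patterns are assumptions based on the default Windows task folders for Defender, System Restore, BitLocker and Windows Update.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events (not from the original page).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Change /TN "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /change /tn "\Microsoft\Windows\SystemRestore\SR" /disable'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Change /TN "\MyCompany\NightlyReport" /Disable'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /TN "\MyCompany\Backup" /TR backup.exe /SC DAILY'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c echo /change /disable'},
]

# Assumed task-folder names for the protection mechanisms named on the page.
# Matching on the folder rather than a full task name also catches other
# tasks living under the same folder.
CRITICAL_TASK_PATTERNS = [
    re.compile(r"\\Windows Defender\\", re.I),
    re.compile(r"\\SystemRestore\\", re.I),
    re.compile(r"\\BitLocker\\", re.I),
    re.compile(r"\\WindowsUpdate\\", re.I),
]


def switch_re(name: str) -> re.Pattern:
    """Match a schtasks switch as a whole token; both '/' and '-' prefixes are accepted."""
    return re.compile(r"(?:^|\s)[/-]" + name + r"(?=\s|$)", re.I)


CHANGE_RE = switch_re("change")
DISABLE_RE = switch_re("disable")
# /tn followed by either a quoted path (may contain spaces) or a bare token.
TN_RE = re.compile(r'[/-]tn\s+(?:"([^"]*)"|(\S+))', re.I)


@dataclass
class Alert:
    severity: str
    rule: str
    task_name: Optional[str]


def is_schtasks(event: dict) -> bool:
    """Compare on the image file name so the path prefix does not matter."""
    return event["Image"].lower().rsplit("\\", 1)[-1] == "schtasks.exe"


def extract_task_name(cmdline: str) -> Optional[str]:
    m = TN_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert for schtasks /change ... /disable, tiered by the target task."""
    if not is_schtasks(event):
        return None
    cl = event["CommandLine"]
    if not (CHANGE_RE.search(cl) and DISABLE_RE.search(cl)):
        return None
    tn = extract_task_name(cl)
    if tn and any(p.search(tn) for p in CRITICAL_TASK_PATTERNS):
        return Alert("high", "Detect Schtasks Task Disable", tn)
    return Alert("medium", "Detect Schtasks Task Change with /disable Parameter", tn)


def run(events: list) -> list:
    return [a for a in map(classify, events) if a is not None]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.task_name}")
```

Only the two events touching Defender and System Restore folders rise to high; the disabled reporting task stays at medium, and neither the /create invocation nor the cmd.exe event containing the same words produces an alert, because the image check runs before the command-line check.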
Detection queries are kept inside the platform.