Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1053-scheduled-task-or-job

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects when critical Windows system scheduled tasks are deleted or disabled.

Strategy

This detection monitors event logs for deletion (Event ID 4699) or disabling (Event ID 4701) of critical scheduled tasks related to system security and maintenance. For deletion events, it specifically filters out service account activity by excluding events where SubjectUserName ends with “$”. The detection looks for tasks matching specific patterns such as paths containing Windows Defender, BitLocker, System Restore, Windows Update, and other security-related scheduled tasks.

These critical scheduled tasks are essential components of Windows security infrastructure, providing functions like automated backups, malware scanning, and system updates. Tampering with these tasks could indicate defense evasion tactics being employed by threat actors attempting to weaken security controls.

Triage & Response

• Identify the {{host}} where the critical scheduled task was deleted or disabled.
• Determine which user account performed the action by reviewing the event details.
• Verify if the action was part of legitimate system maintenance or authorized activity.
• Check which specific task was affected to understand the potential security impact.
• Look for other suspicious activities on the same host, such as the creation of new scheduled tasks.
• Investigate how the user gained sufficient privileges to modify these critical tasks.
• Restore the deleted or disabled scheduled task to ensure proper system security.
• Review authentication logs to determine if the user account may have been compromised.