Date: 08/27/2024
Severity: High
Summary
Detects adversaries halting services or processes by disabling their scheduled tasks with schtasks.exe (/Change /TN <task> /disable), a step taken to inhibit recovery and defenses before data-destructive actions.
Indicators of Compromise (IOC) List
Image | '\schtasks.exe'
CommandLine | '/Change' '/TN' '/disable' '\Windows\BitLocker' '\Windows\ExploitGuard' '\Windows\ExploitGuard\ExploitGuard MDM policy Refresh' '\Windows\SystemRestore\SR' '\Windows\UpdateOrchestrator\' '\Windows\Windows Defender\' '\Windows\WindowsBackup\' '\Windows\WindowsUpdate\'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | ((resourceName = "Sysmon" AND eventtype = "1" ) AND image = "\\schtasks.exe" ) AND commandline In ("//Change" , "//TN" , "/disable" , "\\Windows\\BitLocker" , "\\Windows\\ExploitGuard" , "\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh" , "\\Windows\\SystemRestore\\SR" , "\\Windows\\UpdateOrchestrator" , "\\Windows\\Windows Defender" , "\\Windows\\WindowsBackup" , "\\Windows\\WindowsUpdate" )
Detection Query 2 | ((Technologygroup = "EDR" ) AND image = "\\schtasks.exe" ) AND commandline In ("//Change" , "//TN" , "/disable" , "\\Windows\\BitLocker" , "\\Windows\\ExploitGuard" , "\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh" , "\\Windows\\SystemRestore\\SR" , "\\Windows\\UpdateOrchestrator" , "\\Windows\\Windows Defender" , "\\Windows\\WindowsBackup" , "\\Windows\\WindowsUpdate" )
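The detection logic above, applied to a few constructed Sysmon Event ID 1 records as an added example (not Gurucul's or SigmaHQ's code). It assumes the semantics of the referenced Sigma rule: the image must end in \schtasks.exe, the command line must contain all of /Change, /TN and /disable, and it must contain at least one of the listed task paths, all compared case-insensitively.

```python
from typing import Optional

# Indicators from the IOC list above.
REQUIRED_FLAGS = ("/Change", "/TN", "/disable")
TASK_PATHS = (
    "\\Windows\\BitLocker",
    "\\Windows\\ExploitGuard",
    "\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh",
    "\\Windows\\SystemRestore\\SR",
    "\\Windows\\UpdateOrchestrator\\",
    "\\Windows\\Windows Defender\\",
    "\\Windows\\WindowsBackup\\",
    "\\Windows\\WindowsUpdate\\",
)

def is_task_disable(image: str, cmdline: str) -> Optional[str]:
    """Return the matched protected task path, or None if the event does not match."""
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    cl = cmdline.lower()
    # All three switches must be present (Sigma contains|all), case-insensitive.
    if not all(flag.lower() in cl for flag in REQUIRED_FLAGS):
        return None
    # At least one of the protected task paths must appear (Sigma contains).
    for path in TASK_PATHS:
        if path.lower() in cl:
            return path
    return None

# Constructed sample events (not real telemetry); only EventID 1 is process creation.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks.exe /Change /TN "\\Microsoft\\Windows\\SystemRestore\\SR" /disable'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /change /tn "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /DISABLE'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",   # benign: creates a task
     "CommandLine": 'schtasks /Create /TN "\\Backup\\Nightly" /SC DAILY /TR backup.exe'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",        # wrong image: no match
     "CommandLine": 'cmd.exe /c echo /Change /TN /disable \\Windows\\WindowsBackup\\'},
]

def scan(events):
    """Return (command line, matched task path) for every matching process-creation event."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        matched = is_task_disable(ev["Image"], ev["CommandLine"])
        if matched:
            hits.append((ev["CommandLine"], matched))
    return hits

if __name__ == "__main__":
    for cmdline, path in scan(SAMPLE_EVENTS):
        print(f"ALERT protected task disabled ({path}): {cmdline}")
```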
References:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
https://twitter.com/MichalKoczwara/status/1553634816016498688
https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/