Scheduled Task Hide
This query detects attempts by malware to hide a scheduled task by deleting the SD (Security Descriptor) value of its TaskCache\Tree entry. Removal of the SD value results in the scheduled task disappearing from `schtasks /query` and from Task Scheduler. The query requires object auditing to be turned on for the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree registry key, as well as the audit policy for registry auditing to be enabled; without both, no 4657 events are produced and the rule cannot fire.

References:
- https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
- https://4sysops.com/archives/audit-changes-in-the-windows-registry/
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1562 Impair Defenses |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4657 | A registry value was modified. |
Stages and Predicates
- Stage 1 (source): `SecurityEvent`
- Stage 2 (where): `EventID eq "4657"`
- Stage 3 (extend)
- Stage 4 (mv-expand)
- Stage 5 (evaluate)
- Stage 6 (extend)
- Stage 7 (evaluate)
- Stage 8 (extend)
- Stage 9 (where): `ObjectName match "Schedule\\\\TaskCache\\\\Tree"` and `ObjectValueName eq "SD"` and `OperationType eq "%%1906"`
- Stage 10 (extend)
- Stage 11 (extend)
- Stage 12 (extend)
- Stage 13 (extend)
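The pipeline above, re-implemented in Python as an added example (this is not the catalog rule's own KQL): the parse / mv-expand / evaluate stages flatten the 4657 EventData into one record, and the Stage 9 predicates pick out SD-value deletions under TaskCache\Tree. The three input records are constructed for this example; field names follow the Windows 4657 event schema, while the task name, user and process path are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed 4657 EventData records (Windows schema field names; task name,
# user and process path are made up). Each tuple is (EventID, EventData XML).
SAMPLE_EVENTS = [
    # Deletion of the SD value under TaskCache\Tree: the hiding technique.
    (4657, r'<EventData><Data Name="SubjectUserName">SYSTEM</Data>'
           r'<Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ExampleTask</Data>'
           r'<Data Name="ObjectValueName">SD</Data><Data Name="OperationType">%%1906</Data>'
           r'<Data Name="ProcessName">C:\Example\example.exe</Data></EventData>'),
    # Same key, but SD is modified (%%1905), not deleted: not a hit.
    (4657, r'<EventData><Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ExampleTask</Data>'
           r'<Data Name="ObjectValueName">SD</Data><Data Name="OperationType">%%1905</Data></EventData>'),
    # Deletion of a value named SD outside TaskCache\Tree: not a hit.
    (4657, r'<EventData><Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\ExampleVendor\Settings</Data>'
           r'<Data Name="ObjectValueName">SD</Data><Data Name="OperationType">%%1906</Data></EventData>'),
]

# The rule's "match" predicate, as a regex over ObjectName (literal backslashes).
TREE_KEY = re.compile(r"Schedule\\TaskCache\\Tree")

def flatten_event_data(xml_text):
    """Counterpart of the parse / mv-expand / bag_unpack stages:
    one flat {Name: text} dict per event."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}

def is_hidden_task_attempt(event_id, fields):
    # Stage 2 and Stage 9 predicates; %%1906 is the "value deleted" operation.
    return (event_id == 4657
            and TREE_KEY.search(fields.get("ObjectName", "")) is not None
            and fields.get("ObjectValueName") == "SD"
            and fields.get("OperationType") == "%%1906")

def detect(events):
    """Run the predicates over (EventID, EventData XML) pairs; return triage rows."""
    hits = []
    for event_id, xml_text in events:
        fields = flatten_event_data(xml_text)
        if is_hidden_task_attempt(event_id, fields):
            hits.append({"Task": fields["ObjectName"].rsplit("\\", 1)[-1],
                         "Process": fields.get("ProcessName", ""),
                         "User": fields.get("SubjectUserName", "")})
    return hits
```

Only the first record is reported; the modified-SD and unrelated-key records show why all three Stage 9 predicates are needed together.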
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventID | eq | "4657" |
| ObjectName | match | "Schedule\\\\TaskCache\\\\Tree" |
| ObjectValueName | eq | "SD" |
| OperationType | eq | "%%1906" |