title: Scheduled Task Deletion
id: 4f86b304-3e02-40e3-aa5d-e88a167c9617 
description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
status: experimental
author: David Strassegger, Tim Shelton
date: 2021/01/22
modified: 2022/05/16
tags:
    - attack.execution
    - attack.privilege_escalation
    - car.2013-08-001
    - attack.t1053.005
references:
    - https://twitter.com/matthewdunwoody/status/1352356685982146562
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
logsource:
    product: windows
    service: security
    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection:
        EventID: 4699
    falsepositive1:
        TaskName: '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB' # triggered by ParentCommandLine=C:\WINDOWS\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f
    condition: selection and not 1 of falsepositive*
falsepositives:
    - Software installation
level: low