DC0012 Scheduled Job Modification

| Item | Value |
|---|---|
| ID | DC0012 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 21 October 2025 |

Log Sources

| Name | Channel |
|---|---|
| auditd:CONFIG_CHANGE | /var/log/audit/audit.log |
| m365:exchange | Remove-InboxRule, Clear-Mailbox |
| Scheduled Job | None |
| WinEventLog:Security | EventCode=4702 |

Detection Strategy

| ID | Name | Technique Detected |
|---|---|---|
| DET0184 | Behavioral Detection of Indicator Removal Across Platforms | T1070 |
| DET0117 | Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution | T1036.004 |
| DET0725 | Detection of Masquerading | T0849 |
| DET0441 | Detection of Suspicious Scheduled Task Creation and Execution on Windows | T1053.005 |