
Summary
This detection rule monitors the deletion of a scheduled task's Security Descriptor (SD) value from the Windows Registry. Each task is cached under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<TaskName>, and its SD value holds the security descriptor that governs who can see and manage the task. The rule uses Sysmon registry events (Event ID 12, registry object deleted) to identify the SYSTEM account deleting the SD value under that path. Removing only the SD value, while leaving the rest of the task's registry data in place, hides the task from the Task Scheduler UI and from schtasks /query output while it continues to run on schedule; this is a known defense evasion technique used to conceal persistence, so a match warrants immediate investigation of the process that performed the deletion and of the task it targeted. The rule is implemented as a search against the Endpoint.Registry data model, scoped to Sysmon-monitored registry actions.
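The following is an added example, not the Splunk rule itself or any code from this project: it re-implements the detection logic described above in Python over a handful of constructed Sysmon registry records (already parsed into field dictionaries), so the conditions can be exercised offline without a Splunk instance or the Endpoint.Registry data model. The event field names (EventID, EventType, TargetObject, Image, User, UtcTime) follow Sysmon's registry event schema; the sample events, task names and process paths are invented for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Per-task SD value under the Task Scheduler cache. Task names may include a
# folder path (e.g. Microsoft\Windows\Foo\Bar), so the task group may contain
# backslashes; only the final path component must be "SD".
TASK_SD_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule"
    r"\\TaskCache\\Tree\\(?P<task>.+)\\SD$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    utc_time: str
    task: str
    image: str
    user: str


def detect_task_sd_deletions(events: Iterable[Dict[str, object]]) -> List[Alert]:
    """Return one Alert per Sysmon registry event in which SYSTEM deletes a task's SD value."""
    alerts: List[Alert] = []
    for ev in events:
        # Sysmon Event ID 12 covers key/value create and delete; only value deletion matters here.
        if ev.get("EventID") != 12 or ev.get("EventType") != "DeleteValue":
            continue
        match = TASK_SD_RE.match(str(ev.get("TargetObject", "")))
        if match is None:
            continue
        # The rule is scoped to the SYSTEM account, as the summary describes.
        if str(ev.get("User", "")).upper() != "NT AUTHORITY\\SYSTEM":
            continue
        alerts.append(Alert(utc_time=str(ev["UtcTime"]), task=match.group("task"),
                            image=str(ev["Image"]), user=str(ev["User"])))
    return alerts


# Constructed sample events (not real telemetry) covering the cases the rule must distinguish.
TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 1: SYSTEM removes only the SD value of a task -> the hiding pattern, should alert.
    {"EventID": 12, "EventType": "DeleteValue", "UtcTime": "2025-01-21 10:15:02.113",
     "Image": r"C:\Windows\System32\reg.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": TREE + r"\UpdateCheck\SD"},
    # 2: same task, but a different value (Triggers) is deleted -> not this rule.
    {"EventID": 12, "EventType": "DeleteValue", "UtcTime": "2025-01-21 10:15:02.120",
     "Image": r"C:\Windows\System32\reg.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": TREE + r"\UpdateCheck\Triggers"},
    # 3: SD value rewritten (Event ID 13, SetValue) rather than deleted -> not this rule.
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2025-01-21 10:16:40.001",
     "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": TREE + r"\UpdateCheck\SD"},
    # 4: whole task key removed (DeleteKey) -> ordinary task deletion such as schtasks /delete.
    {"EventID": 12, "EventType": "DeleteKey", "UtcTime": "2025-01-21 10:20:11.555",
     "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": TREE + r"\OldBackup"},
    # 5: SD deleted under a task folder path, but by a non-SYSTEM account -> outside the rule's scope.
    {"EventID": 12, "EventType": "DeleteValue", "UtcTime": "2025-01-21 10:22:09.300",
     "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\alice",
     "TargetObject": TREE + r"\Microsoft\Windows\Maint\SD"},
]


def run_sample() -> List[Alert]:
    """Run the detection over the constructed events; only event 1 should be returned."""
    return detect_task_sd_deletions(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert.utc_time} task={alert.task} image={alert.image} user={alert.user}")
```

Two distinctions in the sample set matter for triage. Deleting the entire task key (event 4) is what normal task removal looks like and is not what this rule is after; the suspicious pattern is a DeleteValue that strips only the SD while the task's other values remain. The SYSTEM filter mirrors the rule's scope as summarized above; when tuning, the Image that performed the deletion is the first field to pivot on, since the Task Scheduler service itself rewriting or removing task entries looks very different from reg.exe or an unfamiliar binary doing so.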
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1053.005
- T1562
Created: 2025-01-21