
Removal Of SD Value to Hide Schedule Task - Registry

Sigma Rules

Summary
This detection rule identifies the deletion of Security Descriptor (SD) values in the Windows Registry under the \Schedule\TaskCache\Tree path, which can indicate an attempt to conceal scheduled tasks. The technique is associated with the Tarrask malware, which achieves defense evasion by manipulating the registry entries that the Task Scheduler relies on. Once a task's SD value is removed, the task typically no longer appears in standard tools, so it can keep running without alerting the system administrator. The rule looks specifically for registry delete operations whose target matches this path, which indicates that a task's security descriptor has been tampered with. Monitoring for these changes is essential for detecting malicious activity that relies on altered scheduled tasks to evade security mechanisms.
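The detection logic described above, applied to a few constructed Sysmon-style registry events, as an added example rather than the rule's own Sigma YAML. It assumes the Sysmon registry-event schema (Event ID 12 with an EventType of "DeleteValue" for value deletions, and the registry path in TargetObject); the sample events, task names and process paths are constructed for illustration.

```python
"""Added example (not the rule's own Sigma YAML): flag Sysmon registry events
that delete the SD (security descriptor) value of a scheduled task stored
under ...\\Schedule\\TaskCache\\Tree\\.

Assumption: events follow the Sysmon registry-event schema (EventID 12,
EventType "DeleteValue", TargetObject holding the registry path). The sample
events below are constructed, not real telemetry."""

import re
from typing import Iterable, List, Optional

# Sysmon Event ID 12 reports registry object create/delete; value deletions
# carry EventType "DeleteValue" (assumption: Sysmon schema, not from the page).
SYSMON_REGISTRY_OBJECT_EVENT = 12
DELETE_VALUE = "DeleteValue"

# Matches the SD value of any task under ...\Schedule\TaskCache\Tree\.
# Task names may contain backslashes (tasks kept in subfolders), so the task
# group runs up to the final "\SD". Registry paths are case-insensitive.
SD_VALUE_PATTERN = re.compile(
    r"\\Schedule\\TaskCache\\Tree\\(?P<task>.+)\\SD$", re.IGNORECASE
)


def matched_task(event: dict) -> Optional[str]:
    """Return the scheduled-task name if this event deletes a task's SD value,
    otherwise None."""
    if event.get("EventID") != SYSMON_REGISTRY_OBJECT_EVENT:
        return None
    if event.get("EventType") != DELETE_VALUE:
        return None
    match = SD_VALUE_PATTERN.search(event.get("TargetObject", ""))
    return match.group("task") if match else None


def find_sd_removals(events: Iterable[dict]) -> List[dict]:
    """Run the rule over an event stream; one alert per hit, carrying the task
    name and the process that performed the deletion."""
    alerts = []
    for event in events:
        task = matched_task(event)
        if task is not None:
            alerts.append({
                "task": task,
                "image": event.get("Image", "<unknown>"),
                "target": event["TargetObject"],
            })
    return alerts


TREE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"

# Constructed sample events (hypothetical task names and process paths).
SAMPLE_EVENTS = [
    # 1. SD value of a task deleted: the case the rule must catch.
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": TREE + r"\ExampleTask\SD"},
    # 2. Same thing for a task in a subfolder; the task name has backslashes.
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": TREE + r"\Microsoft\Windows\ExampleFolder\ExampleTask\SD"},
    # 3. A different value (Index) of the same task deleted: not an SD removal.
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": TREE + r"\ExampleTask\Index"},
    # 4. SD value written (Event ID 13, SetValue): normal task registration.
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": TREE + r"\ExampleTask\SD"},
    # 5. Whole task key deleted when a task is unregistered normally: the path
    #    does not end in \SD, so it is not flagged.
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": TREE + r"\ExampleTask"},
]


if __name__ == "__main__":
    for alert in find_sd_removals(SAMPLE_EVENTS):
        print(f"SD value removed for task '{alert['task']}' by {alert['image']}")
```

Only events 1 and 2 produce alerts; the Index deletion, the SetValue write and the key deletion are left alone, which keeps normal task registration and removal out of the alert stream while still catching SD removals for tasks nested in subfolders.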
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2022-04-15