Scheduled Tasks AT Command Enabled
Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/23"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to
13move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still
14exists for backwards compatibility.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Scheduled Tasks AT Command Enabled"
21references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
22risk_score = 47
23rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
24severity = "medium"
25tags = [
26 "Domain: Endpoint",
27 "OS: Windows",
28 "Use Case: Threat Detection",
29 "Tactic: Defense Evasion",
30 "Tactic: Execution",
31 "Data Source: Elastic Endgame",
32 "Data Source: Elastic Defend",
33 "Data Source: Sysmon",
34 "Data Source: Microsoft Defender for Endpoint",
35 "Data Source: SentinelOne",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41registry where host.os.type == "windows" and event.type == "change" and
42 registry.path : (
43 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
44 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
45 "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
46 ) and registry.data.strings : ("1", "0x00000001")
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1562"
54name = "Impair Defenses"
55reference = "https://attack.mitre.org/techniques/T1562/"
56[[rule.threat.technique.subtechnique]]
57id = "T1562.001"
58name = "Disable or Modify Tools"
59reference = "https://attack.mitre.org/techniques/T1562/001/"
60
61
62
63[rule.threat.tactic]
64id = "TA0005"
65name = "Defense Evasion"
66reference = "https://attack.mitre.org/tactics/TA0005/"
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69[[rule.threat.technique]]
70id = "T1053"
71name = "Scheduled Task/Job"
72reference = "https://attack.mitre.org/techniques/T1053/"
73[[rule.threat.technique.subtechnique]]
74id = "T1053.002"
75name = "At"
76reference = "https://attack.mitre.org/techniques/T1053/002/"
77
78
79
80[rule.threat.tactic]
81id = "TA0002"
82name = "Execution"
83reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Execution from Unusual Directory - Command Line
- Suspicious Execution via Windows Subsystem for Linux
- Suspicious Explorer Child Process