Scheduled Tasks AT Command Enabled

Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.

Elastic rule

[metadata]
creation_date = "2020/11/23"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to
move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still
exists for backwards compatibility.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.registry-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Scheduled Tasks AT Command Enabled"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Scheduled Tasks AT Command Enabled

The AT command, a legacy Windows utility, schedules tasks for execution, often used for automation. Despite its deprecation post-Windows 8, it remains for compatibility, posing a security risk. Attackers exploit it to maintain persistence or move laterally. The detection rule monitors registry changes enabling this command, flagging potential misuse by checking specific registry paths and values indicative of enabling the AT command.

### Possible investigation steps

- Review the registry event logs to confirm the change in the registry path "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and verify if the value was set to "1" or "0x00000001".
- Identify the user account and process responsible for the registry change by examining the event logs for associated user and process information.
- Check for any scheduled tasks created or modified around the time of the registry change to determine if the AT command was used to schedule any tasks.
- Investigate the system for any signs of lateral movement or persistence mechanisms that may have been established using the AT command.
- Correlate the event with other security alerts or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and assess the scope of potential malicious activity.

### False positive analysis

- System administrators or IT management tools may enable the AT command for legacy support or compatibility testing. Verify if the change aligns with scheduled maintenance or updates.
- Some enterprise environments might have legacy applications that rely on the AT command for task scheduling. Confirm with application owners if such dependencies exist and document them.
- Security software or monitoring tools might trigger registry changes as part of their normal operation. Cross-reference with logs from these tools to ensure the change is benign.
- If a specific user or system frequently triggers this alert without malicious intent, consider creating an exception for that user or system in your monitoring solution to reduce noise.
- Regularly review and update the list of exceptions to ensure they remain relevant and do not inadvertently allow malicious activity.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further lateral movement or persistence by the attacker.
- Review the registry changes identified in the alert to confirm unauthorized enabling of the AT command. Revert the registry setting to its secure state by setting the value to "0" or "0x00000000".
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious software or scripts.
- Investigate user accounts and permissions on the affected system to ensure no unauthorized accounts or privilege escalations have occurred. Reset passwords for any compromised accounts.
- Monitor network traffic and logs for any signs of data exfiltration or communication with known malicious IP addresses or domains.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
- Implement enhanced monitoring and alerting for similar registry changes across the network to detect and respond to future attempts promptly."""
references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
risk_score = 47
rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
    "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
  ) and registry.data.strings : ("1", "0x00000001")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.002"
name = "At"
reference = "https://attack.mitre.org/techniques/T1053/002/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
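The query matches three spellings of the EnableAt key path (the HKLM, \REGISTRY\MACHINE and MACHINE forms that different data sources emit) and two encodings of the enabling value, using EQL's case-insensitive `:` operator against array-valued ECS fields. The following Python is an added example, not Elastic's code: it re-implements that matching logic over constructed ECS-style registry events so the boundary cases are visible (a lowercase kernel-style path still fires; reverting the value to "0", a creation event, or a non-Windows host does not), and pulls out the user and process fields the investigation guide asks for. The sample events, the `triage_summary` helper and the field layout are assumptions for illustration.

```python
"""Re-implementation of the "Scheduled Tasks AT Command Enabled" EQL logic.

Added example; not part of the Elastic rule. Events are plain dicts laid out
with ECS field names; every event below is constructed, not captured telemetry.
"""

# The three registry.path spellings from the rule's query.
ENABLE_AT_PATHS = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableAt",
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableAt",
    r"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableAt",
)

# Values the rule treats as "enabled" (registry.data.strings is an array field).
ENABLED_VALUES = ("1", "0x00000001")


def _get(event, dotted):
    """Resolve an ECS dotted field name against a nested dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _eq(value, expected):
    """EQL `==`: case-sensitive; true if the field (or any element of an array field) equals expected."""
    values = value if isinstance(value, list) else [value]
    return expected in values


def _eql_match(value, patterns):
    """EQL `:` on plain strings: case-insensitive; true if any element of an array field matches."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    wanted = {p.lower() for p in patterns}
    return any(isinstance(v, str) and v.lower() in wanted for v in values)


def matches_enable_at_rule(event):
    """True when an event satisfies every clause of the rule's query."""
    return (
        _eq(_get(event, "event.category"), "registry")      # `registry where`
        and _eq(_get(event, "host.os.type"), "windows")
        and _eq(_get(event, "event.type"), "change")
        and _eql_match(_get(event, "registry.path"), ENABLE_AT_PATHS)
        and _eql_match(_get(event, "registry.data.strings"), ENABLED_VALUES)
    )


def triage_summary(event):
    """Fields the investigation guide asks an analyst to pull first (hypothetical helper)."""
    return {
        "user": _get(event, "user.name"),
        "process": _get(event, "process.executable"),
        "pid": _get(event, "process.pid"),
        "path": _get(event, "registry.path"),
        "values": _get(event, "registry.data.strings"),
    }


def run_rule(events):
    """Apply the rule to a batch of events and return a triage summary per hit."""
    return [triage_summary(e) for e in events if matches_enable_at_rule(e)]


def _event(os_type, event_type, path, strings, user, exe, pid):
    """Build a constructed ECS-style registry event."""
    return {
        "event": {"category": ["registry"], "type": [event_type]},
        "host": {"os": {"type": os_type}},
        "registry": {"path": path, "data": {"strings": strings}},
        "user": {"name": user},
        "process": {"executable": exe, "pid": pid},
    }


# Constructed sample events: the first two should fire, the last three should not.
SAMPLE_EVENTS = [
    # HKLM spelling, value "1", written via reg.exe
    _event("windows", "change", ENABLE_AT_PATHS[0], ["1"],
           "svc_backup", r"C:\Windows\System32\reg.exe", 4120),
    # kernel-style path in lowercase with the hex encoding: `:` is case-insensitive, so it still fires
    _event("windows", "change",
           r"\registry\machine\software\microsoft\windows nt\currentversion\schedule\configuration\enableat",
           ["0x00000001"], "Administrator",
           r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 8812),
    # same key reverted to "0" (the remediation step in the guide): no alert
    _event("windows", "change", ENABLE_AT_PATHS[0], ["0"],
           "ir_analyst", r"C:\Windows\System32\reg.exe", 5204),
    # key creation rather than a value change: no alert
    _event("windows", "creation", ENABLE_AT_PATHS[2], ["1"],
           "SYSTEM", r"C:\Windows\System32\svchost.exe", 1008),
    # look-alike path on a non-Windows host: no alert
    _event("linux", "change", ENABLE_AT_PATHS[0], ["1"],
           "root", "/usr/bin/python3", 2201),
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Only the two events whose value is "1" or "0x00000001" on a change event for a Windows host are returned; the triage summary for each carries the user and process the guide's second investigation step asks for.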