Scheduled Tasks AT Command Enabled
Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/23"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to
13move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still
14exists for backwards compatibility.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Scheduled Tasks AT Command Enabled"
21references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
22risk_score = 47
23rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
24severity = "medium"
25tags = [
26 "Domain: Endpoint",
27 "OS: Windows",
28 "Use Case: Threat Detection",
29 "Tactic: Defense Evasion",
30 "Tactic: Execution",
31 "Data Source: Elastic Endgame",
32 "Data Source: Elastic Defend",
33 "Data Source: Sysmon",
34 "Data Source: Microsoft Defender for Endpoint",
35 "Data Source: SentinelOne",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41registry where host.os.type == "windows" and event.type == "change" and
42 registry.path : (
43 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
44 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
45 "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
46 ) and registry.data.strings : ("1", "0x00000001")
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1562"
54name = "Impair Defenses"
55reference = "https://attack.mitre.org/techniques/T1562/"
56[[rule.threat.technique.subtechnique]]
57id = "T1562.001"
58name = "Disable or Modify Tools"
59reference = "https://attack.mitre.org/techniques/T1562/001/"
60
61
62
63[rule.threat.tactic]
64id = "TA0005"
65name = "Defense Evasion"
66reference = "https://attack.mitre.org/tactics/TA0005/"
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69[[rule.threat.technique]]
70id = "T1053"
71name = "Scheduled Task/Job"
72reference = "https://attack.mitre.org/techniques/T1053/"
73[[rule.threat.technique.subtechnique]]
74id = "T1053.002"
75name = "At"
76reference = "https://attack.mitre.org/techniques/T1053/002/"
77
78
79
80[rule.threat.tactic]
81id = "TA0002"
82name = "Execution"
83reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Clearing Windows Console History
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Control Panel Process with Unusual Arguments
- Disabling Windows Defender Security Settings via PowerShell