Scheduled Tasks AT Command Enabled
Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/11/23"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to
13move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still
14exists for backwards compatibility.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Scheduled Tasks AT Command Enabled"
21references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
22risk_score = 47
23rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
24setup = """## Setup
25
26If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
27events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
28Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
29`event.ingested` to @timestamp.
30For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
31"""
32severity = "medium"
33tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38registry where host.os.type == "windows" and
39 registry.path : (
40 "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
41 "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
42 ) and registry.data.strings : ("1", "0x00000001")
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1562"
50name = "Impair Defenses"
51reference = "https://attack.mitre.org/techniques/T1562/"
52[[rule.threat.technique.subtechnique]]
53id = "T1562.001"
54name = "Disable or Modify Tools"
55reference = "https://attack.mitre.org/techniques/T1562/001/"
56
57
58
59[rule.threat.tactic]
60id = "TA0005"
61name = "Defense Evasion"
62reference = "https://attack.mitre.org/tactics/TA0005/"
63
64
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67
68[[rule.threat.technique]]
69id = "T1053"
70name = "Scheduled Task/Job"
71reference = "https://attack.mitre.org/techniques/T1053/"
72
73[[rule.threat.technique.subtechnique]]
74id = "T1053.002"
75name = "At"
76reference = "https://attack.mitre.org/techniques/T1053/002/"
77
78[rule.threat.tactic]
79id = "TA0002"
80name = "Execution"
81reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Microsoft Build Engine Using an Alternate Name
- Persistence via Hidden Run Key Detected
- Potential DLL Side-Loading via Microsoft Antimalware Service Executable