Scheduled Tasks AT Command Enabled

Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/23"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to
13move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still
14exists for backwards compatibility.
15"""
16from = "now-9m"
17index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Scheduled Tasks AT Command Enabled"
21note = """## Setup
22
23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
24"""
25references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"]
26risk_score = 47
27rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
28severity = "medium"
29tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34registry where host.os.type == "windows" and
35  registry.path : (
36    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt",
37    "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt"
38  ) and registry.data.strings : ("1", "0x00000001")
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1562"
46name = "Impair Defenses"
47reference = "https://attack.mitre.org/techniques/T1562/"
48[[rule.threat.technique.subtechnique]]
49id = "T1562.001"
50name = "Disable or Modify Tools"
51reference = "https://attack.mitre.org/techniques/T1562/001/"
52
53
54
55[rule.threat.tactic]
56id = "TA0005"
57name = "Defense Evasion"
58reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

References

Related rules

to-top