Scheduled Tasks AT Command Enabled | Elastic Security Solution [7.12]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Scheduled Task Created by a Windows Script Searching for Saved Credentials via VaultCmd »

Scheduled Tasks AT Command Enablededit

Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob

Tags:

Elastic
Host
Windows
Threat Detection
Defense Evasion

Version: 3 (version history)

Added (Elastic Stack release): 7.11.0

Last modified (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

registry where registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows
NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and
registry.data.strings == "1"

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/

Rule version historyedit

Version 3 (7.12.0 release)

Formatting only

Version 2 (7.11.2 release)

Formatting only

« Scheduled Task Created by a Windows Script Searching for Saved Credentials via VaultCmd »