Win32_ScheduledJob Class or At.exe Enabled - Process

Rule Info

Name
Win32_ScheduledJob Class or At.exe Enabled - Process
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the enabling of the Win32_ScheduledJob WMI class or At.exe via registry modification. The Win32_ScheduledJob class is used to create and manage scheduled jobs in Windows. This class is disabled by default for security reasons, and enabling it may indicate an attempt to create or manage scheduled jobs in a potentially malicious manner.
Reference
https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob
Date
2026-01-29 00:00:00
Modified
None
Id
cda43885-b606-4cff-92b0-4e0bba171950
Tags
attack.persistence attack.execution attack.privilege-escalation attack.t1053.002
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022