Win32_ScheduledJob Class or At.exe Enabled - Registry

Rule Info

Name
Win32_ScheduledJob Class or At.exe Enabled - Registry
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the enabling of the Win32_ScheduledJob WMI class or At.exe via registry modification. The Win32_ScheduledJob class is used to create and manage scheduled jobs in Windows. This class is disabled by default for security reasons, and enabling it may indicate an attempt to create or manage scheduled jobs in a potentially malicious manner.
Reference
https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob
Date
2026-01-29 00:00:00
Modified
None
Id
d8f32c5b-50de-4cfd-8536-a75b2c64d896
Tags
attack.persistence attack.execution attack.privilege-escalation attack.t1053.002
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022