
Summary
This rule identifies attempts to enable the deprecated AT scheduled-tasks command by modifying the registry. Although AT was deprecated in Windows 8 and Windows Server 2012, it is still present in modern Windows for backward compatibility, and attackers can re-enable it to achieve persistence or lateral movement on a compromised system. By monitoring the specific registry path and values that indicate the command has been enabled, the rule flags potential abuse. The key focus is on registry events of type 'change' concerning the path 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableAt', combined with a check for values indicating activation, such as "1" or "0x00000001". Suggested investigation steps include reviewing event logs related to the registry change, identifying the responsible user or process, and noting any scheduled tasks created or modified around the same time. The rule serves a dual purpose: detecting potentially malicious activity while allowing benign enterprise uses of the setting to be identified and tuned out.
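The following is an added example, not the rule's own query or the vendor's code, that implements the detection logic described above over constructed registry-change events. Field names loosely follow ECS (`event.type`, `registry.path`, `registry.data.strings`) but are assumptions, as are the sample events, user names and process names; the example goes slightly beyond the text by folding the long `HKEY_LOCAL_MACHINE` hive name to `HKLM` and by accepting any numeric spelling of the value 1, and it returns the triage fields (timestamp, user, process) the investigation steps call for.

```python
"""Detection logic for registry changes that enable the deprecated AT command.

Constructed example. Event shape loosely follows ECS; the events in
SAMPLE_EVENTS are fabricated telemetry, not captured data.
"""
from __future__ import annotations

from typing import Any, Iterable

# Registry value named in the rule description.
ENABLE_AT_PATH = (
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Schedule\Configuration\EnableAt"
)
# Value spellings the rule description names as "enabled".
ENABLED_VALUES = {"1", "0x00000001"}


def _normalize_path(path: str) -> str:
    """Fold the long hive name to HKLM (assumed sensor variation) and case-fold."""
    p = path.strip().replace("/", "\\")
    long_hive = "HKEY_LOCAL_MACHINE\\"
    if p.upper().startswith(long_hive):
        p = "HKLM\\" + p[len(long_hive):]
    return p.casefold()


def _normalize_value(raw: Any) -> str:
    """registry.data.strings is usually a list; take the first element as text."""
    if isinstance(raw, (list, tuple)):
        raw = raw[0] if raw else ""
    return str(raw).strip().casefold()


def is_enabled_value(raw: Any) -> bool:
    """True for the spellings in the rule, or any decimal/hex form of 1 (generalization)."""
    value = _normalize_value(raw)
    if value in ENABLED_VALUES:
        return True
    try:
        return int(value, 0) == 1
    except ValueError:
        return False


def matches_enable_at(event: dict) -> bool:
    """Apply the rule: a 'change' event on the EnableAt value set to 1."""
    if event.get("event", {}).get("type") != "change":
        return False
    registry = event.get("registry", {})
    if _normalize_path(registry.get("path", "")) != _normalize_path(ENABLE_AT_PATH):
        return False
    return is_enabled_value(registry.get("data", {}).get("strings"))


def triage_summary(event: dict) -> dict:
    """Pull the fields an analyst checks first: when, who, and which process."""
    return {
        "timestamp": event.get("@timestamp"),
        "user": event.get("user", {}).get("name"),
        "process": event.get("process", {}).get("name"),
        "value": _normalize_value(event.get("registry", {}).get("data", {}).get("strings")),
    }


def find_enable_at_changes(events: Iterable[dict]) -> list[dict]:
    """Return triage summaries for every event that matches the rule."""
    return [triage_summary(e) for e in events if matches_enable_at(e)]


# Constructed sample telemetry: two hits, one disable, one unrelated key.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "event": {"type": "change"},
     "registry": {"path": ENABLE_AT_PATH, "data": {"strings": ["1"]}},
     "user": {"name": "CORP\\jdoe"}, "process": {"name": "reg.exe"}},
    {"@timestamp": "2024-01-01T10:05:00Z", "event": {"type": "change"},
     "registry": {"path": ENABLE_AT_PATH.replace("HKLM", "HKEY_LOCAL_MACHINE"),
                  "data": {"strings": ["0x00000001"]}},
     "user": {"name": "CORP\\svc-deploy"}, "process": {"name": "powershell.exe"}},
    {"@timestamp": "2024-01-01T10:10:00Z", "event": {"type": "change"},
     "registry": {"path": ENABLE_AT_PATH, "data": {"strings": ["0"]}},
     "user": {"name": "CORP\\admin"}, "process": {"name": "reg.exe"}},
    {"@timestamp": "2024-01-01T10:15:00Z", "event": {"type": "change"},
     "registry": {"path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                          r"\Schedule\Configuration", "data": {"strings": ["1"]}},
     "user": {"name": "CORP\\admin"}, "process": {"name": "svchost.exe"}},
]

if __name__ == "__main__":
    for hit in find_enable_at_changes(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints two triage records (the `reg.exe` and `powershell.exe` changes); the disable to `0` and the change on the parent key are ignored, which is where benign-use tuning (for example, an expected deployment account) would be applied.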
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1562
- T1562.001
- T1053
- T1053.002
Created: 2020-11-23