Attackers often use scheduled tasks as a means to hide their tracks. They might also use the ability to run tasks with different user rights to gain more access. Earlier, I recommended that you set up auditing to track tasks being set. Now I recommend you harden a setting on your workstations to prevent task scheduling in the first place. Below are the Microsoft Defender Advanced Threat Protection (ATP) recommended actions:

[Figure: Windows Defender ATP recommendations. Image credit: Susan Bradley]

The “Domain controller: Allow server operators to schedule tasks” setting determines whether scheduled tasks are forced to run under the context of the authenticated account instead of allowing them to run as SYSTEM. Disabling this setting affects only the ability to schedule jobs using the AT command and does not affect tasks set using Task Scheduler. As noted by blogger Randy Franklin Smith, “Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs, which is SYSTEM by default. Non-administrators who can schedule AT commands thus have a means to elevate their privileges. This policy controls whether members of the local Server Operators group can schedule AT jobs. If disabled, only administrators can.”

So, if you haven’t done so already, I recommend setting the following value in the registry. Set the following registry value to 0:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl

The SubmitControl value was not on my machine, so you might need to add it. To do so, go to the registry hive HKEY_LOCAL_MACHINE, then to the registry path System\CurrentControlSet\Control\LSA. Add the value name "SubmitControl" as a REG_DWORD of 0.

If you need to set this via Group Policy, go to “Computer Configuration” > “[Policies]” > “Windows Settings” > “Security Settings” > “Local Policies”.
Under Security Options, set “Domain Controller: Allow server operators to schedule tasks” to Disabled.

[Figure: Setting the value in Group Policy. Image credit: Susan Bradley]

Using scheduled tasks to hide adversarial activity is a common technique. As noted on the Mitre ATT&CK site, “An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain system privileges, or to run a process under the context of a specified account.”

Persistent threat actors often use task scheduling to target vertical industries. Phishing emails are used to enter the systems, and a task is then set to run at a later date. Setting this value ensures that attackers have one less method of setting a task in your systems.

Enable LSA protection

Another recommended setting is to enable LSA (Local Security Authority) protection. This protects against pass-the-hash or Mimikatz-style attacks.

[Figure: Enable LSA protection. Image credit: Susan Bradley]

This requires a registry value to be set:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL

Set it to a value of 1. First, press the Windows key to go to the Start screen and enter “regedit”. Right-click regedit in the search results and click “Run as administrator” at the bottom of the screen. In the left pane of Registry Editor, expand HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa. In the right pane, right-click an area of empty space and select “New > DWORD (32-bit) Value” from the menu. In the new value box, type “RunAsPPL” and press Enter. Now double-click the new RunAsPPL value. In the Value data box, type “1” and press “OK”. Close Registry Editor and reboot the computer for the change to take effect.

[Figure: Enter the value in the Windows registry. Image credit: Susan Bradley]

Attackers often target the LSA process (lsass.exe) to harvest credentials using such tools as Mimikatz and to perform pass-the-hash attacks.
If you have LSA plug-ins in your environment, you may need to set the value to “audit” before you fully enable it, to test for the impact in your network. As Mitre noted:

“On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to dword:00000001. LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance. On Windows 10 and Server 2016, enable Windows Defender Credential Guard to run lsass.exe in an isolated virtualized environment without any device drivers. Ensure safe DLL search mode is enabled HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode to mitigate risk that lsass.exe loads a malicious code library.”

Take the time to investigate whether you have protected yourself against Mimikatz and pass-the-hash techniques by reviewing these settings.
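The following PowerShell script is an added example, not code from the article or from Microsoft. It audits, and optionally remediates, the three registry settings covered above (SubmitControl for the server-operator task-scheduling policy, RunAsPPL for LSA protection, and SafeDllSearchMode from the Mitre guidance) on the local machine, and it shows how to stage LSA protection in audit mode before enforcing it. The registry paths and value names for the three settings come from the article; the AuditLevel value under Lsa\LSASS.exe and the CodeIntegrity event IDs 3065/3066 used for audit mode are taken from Microsoft's LSA protection documentation, not from the page, so treat that part as an assumption and confirm it against the documentation for your Windows version. Run it from an elevated prompt; without -Remediate it only reports, and -WhatIf previews any write.

```powershell
# Added example (not the article's own code): audit and optionally fix the
# hardening values discussed above. Requires an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Write the hardened values; the default only reports compliance.
    [switch]$Remediate,
    # Put LSA protection in audit mode (AuditLevel = 8) to surface unsigned
    # LSA plug-ins before RunAsPPL = 1 would block them after a reboot.
    [switch]$LsaAuditMode
)

$lsa        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# Registry path, value name, hardened value, and what the setting controls.
$checks = @(
    @{ Path = $lsa; Name = 'SubmitControl'; Expected = 0
       Note = 'Allow server operators to schedule tasks = Disabled (only administrators may schedule AT jobs)' },
    @{ Path = $lsa; Name = 'RunAsPPL'; Expected = 1
       Note = 'LSA protection: lsass.exe runs as a protected process' },
    @{ Path = $sessionMgr; Name = 'SafeDllSearchMode'; Expected = 1
       Note = 'Safe DLL search mode: lowers the risk of lsass.exe loading a planted DLL' }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value or key is missing; SubmitControl is often
    # absent by default, as the article notes.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Set-RegDword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Name, [int]$Value)
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Value")) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        # -Force creates the DWORD if missing or overwrites it if present.
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    }
}

$results = foreach ($c in $checks) {
    $current   = Get-RegDword -Path $c.Path -Name $c.Name
    $compliant = ($current -eq $c.Expected)
    if (-not $compliant -and $Remediate) {
        Set-RegDword -Path $c.Path -Name $c.Name -Value $c.Expected
    }
    [pscustomobject]@{
        Setting   = $c.Name
        Current   = if ($null -eq $current) { '(absent)' } else { $current }
        Expected  = $c.Expected
        Compliant = $compliant
        Note      = $c.Note
    }
}
$results | Format-Table -AutoSize -Wrap

if ($LsaAuditMode) {
    # Assumption (from Microsoft docs, not the article): AuditLevel = 8 under
    # Lsa\LSASS.exe logs, rather than blocks, plug-ins that fail LSA protection.
    Set-RegDword -Path "$lsa\LSASS.exe" -Name 'AuditLevel' -Value 8
}

# List LSA plug-ins or drivers that code integrity flagged (events 3065/3066);
# these must be fixed or removed before enforcing RunAsPPL = 1.
$flagged = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066
} -ErrorAction SilentlyContinue
if ($flagged) {
    Write-Warning "Code integrity flagged $($flagged.Count) LSA plug-in load(s):"
    $flagged | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Host 'No LSA plug-in violations recorded in the CodeIntegrity log.'
}

# RunAsPPL and AuditLevel take effect only after a reboot.
```

A practical rollout is to run the script with -LsaAuditMode -Remediate on a pilot group, reboot, let the machines run for a normal business cycle, and review the flagged events before enforcing RunAsPPL on the rest of the fleet. On domain-joined machines, prefer pushing SubmitControl through the Group Policy setting shown above so a local registry edit is not silently reverted by policy refresh.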