CYBERSECURITY JOB HUNTING GUIDE
T1053.002 At (Windows)
Author: Stefan Waldvogel
LimaCharlie vs. At (Windows)
Overview:
Description from ATT&CK
Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
An adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).
Note: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.
source: github.com/redcanaryco/atomic-red-team/tree/master/atomics
Commands:
Invoke-AtomicTest T1053.002 -ShowDetailsBrief
Invoke-AtomicTest T1053.002 -CheckPrereqs
Invoke-AtomicTest T1053.002 -GetPrereqs
Invoke-AtomicTest T1053.002
Invoke-AtomicTest T1053.002 -Cleanup
Changes:
-none-
Limitations:
My Windows does not support this request, but it still got detected.
Result:
Sigma, detected as Interactive AT job
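A sketch of the kind of process-creation match that produces a result like the one above, and of why it fires even when Windows rejects the at.exe request: the rule looks at the process launch, not at whether a task was created. This is an added example, not code from the original page, Sigma or LimaCharlie; the match conditions (image base name `at.exe`, command line containing `interactive`), the event field names and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Constructed process-creation events. Field names are assumptions for this
# example, not a real EDR or Sysmon schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\at.exe",
     "command_line": "at 13:20 /interactive cmd"},
    {"image": r"C:\Windows\System32\AT.EXE",
     "command_line": "AT.EXE 09:00 /INTERACTIVE notepad.exe"},
    {"image": r"C:\Windows\System32\at.exe",
     "command_line": "at 13:20 cmd"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks /create /tn interactive /tr cmd /sc once /st 13:20"},
    {"image": r"C:\Tools\chat.exe",
     "command_line": "chat.exe --interactive"},
]


def is_interactive_at_job(event):
    """Return True if the event is at.exe started with an 'interactive' argument.

    Only the launch is inspected, so the match also fires when at.exe is
    deprecated on the host and the scheduling request itself fails.
    """
    image = event.get("image") or ""
    command_line = event.get("command_line") or ""
    # ntpath parses Windows paths on any OS. Comparing the base name exactly
    # avoids a false positive on names such as chat.exe that a plain
    # endswith("at.exe") check would match.
    if ntpath.basename(image).lower() != "at.exe":
        return False
    return "interactive" in command_line.lower()


def detect(events):
    """Return the events that match the interactive at.exe condition."""
    return [e for e in events if is_interactive_at_job(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT Interactive AT job:", hit["command_line"])
```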
© 2021. This work is licensed under a CC BY-SA 4.0 license