In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe (CAR-2013-08-001) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users.

ATT&CK Detection

Technique Tactic Level of Coverage
Scheduled Task Execution,Persistence, Privilege Escalation Moderate

Pseudocode

Instances of the process at.exe running imply the querying or creation of tasks. Although the command_line is not essential for the analytic to run, it is critical when identifying the command that was scheduled.

process = search Process:Create
at = filter process where (exe == "at.exe")
output at

Unit Tests

Test Case 1:

  • Configurations: Windows 7
  • Requirements: Administrator Account
  • Description: Create a new scheduled task with at.exe and verify that the analytic fires when the task executes.
    • From an admin account, open Windows command prompt (right click, run as administrator).
    • Execute “at 10:00 calc.exe,” substituting a time in the near future for 10:00.
    • The program should respond with “Added a new job with job ID = 1” where the job ID is dependent on what tasks are scheduled.
    • The program should execute at the time specified. This is what the analytic should fire on.
    • To remove the scheduled task, execute “at 1 /delete” where you replace “1” with the job ID output in step 2a above.
  • Commands:
    at 10:00 calc.exe // returns a job number X
    at X /delete
    

Data Model References

Object Action Field
process create command_line
process create exe