In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe (CAR-2013-08-001) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users.
| Technique | Tactic | Level of Coverage |
|---|---|---|
| Scheduled Task | Execution, Persistence, Privilege Escalation | Moderate |
Instances of the process at.exe running imply the querying or creation of tasks. Although the command_line is not essential for the analytic to run, it is critical when identifying the command that was scheduled.

```
process = search Process:Create
at = filter process where (exe == "at.exe")
output at
```
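The pseudocode above can be run directly over process-creation telemetry. The following Python is an added example, not part of the CAR page: it applies the same filter (executable name equal to at.exe, compared case-insensitively) to constructed Sysmon-style Event ID 1 records, keeps the command line so the scheduled command can be read, and additionally notes when the first argument names a remote computer (at.exe accepts an optional leading `\\computername`), since that is the lateral-movement case the text calls out. The event field names and sample log lines are assumptions for the example.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample log: one JSON object per line, Sysmon-like field names.
# Line 3 uses a different casing of the path and schedules on a remote host;
# line 4 is a network event (EventID 3) and must not match the analytic.
SAMPLE_LOG = r'''
{"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\at.exe", "CommandLine": "at 10:00 calc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /query", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Computer": "WS02", "User": "CORP\\svc_backup", "Image": "C:\\WINDOWS\\SYSTEM32\\AT.EXE", "CommandLine": "AT \\\\FILESRV 02:30 backup.bat", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventID": 3, "Computer": "WS02", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\at.exe", "DestinationIp": "10.0.0.5"}
'''.strip()


def parse_event(line):
    """Parse one JSON log line; return None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def is_at_execution(event):
    """CAR filter: a Process:Create event whose executable is at.exe."""
    if event.get("EventID") != 1:
        return False
    # Compare only the file name, ignoring directory and case.
    return PureWindowsPath(event.get("Image", "")).name.lower() == "at.exe"


def remote_host(command_line):
    """Return the target computer if the first argument is \\\\name, else None."""
    args = command_line.split()[1:]
    if args and args[0].startswith("\\\\"):
        return args[0].lstrip("\\")
    return None


def run_analytic(lines):
    """Apply the analytic to an iterable of log lines and return the hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None or not is_at_execution(event):
            continue
        command_line = event.get("CommandLine", "")
        hits.append({
            "host": event.get("Computer"),
            "user": event.get("User"),
            "parent": event.get("ParentImage"),
            "command_line": command_line,      # the scheduled command lives here
            "remote_target": remote_host(command_line),
        })
    return hits


if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_LOG.splitlines()):
        flag = " [remote: %s]" % hit["remote_target"] if hit["remote_target"] else ""
        print("%s %s %s%s" % (hit["host"], hit["user"], hit["command_line"], flag))
```

Only the command line tells an analyst what was scheduled, which is why the block carries it through even though the match itself needs only the executable name; the remote-target field is what separates routine local scheduling from scheduling on another host.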
Test Case 1:
- Configurations: Windows 7
- Requirements: Administrator Account
- Description: Create a new scheduled task with at.exe and verify that the analytic fires when the task executes.
1. From an admin account, open a Windows command prompt (right click, Run as administrator).
2. Execute `at 10:00 calc.exe`, substituting a time in the near future for 10:00.
   a. The program should respond with "Added a new job with job ID = 1", where the job ID depends on what tasks are already scheduled.
   b. The program should execute at the time specified. This is what the analytic should fire on.
3. To remove the scheduled task, execute `at 1 /delete`, replacing `1` with the job ID output in step 2a above.

```
at 10:00 calc.exe    // returns a job number X
at X /delete
```
Data Model References