Adversaries may abuse the <code>at.exe</code> utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
An adversary may use <code>at.exe</code> in Windows environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).
Note: The <code>at.exe</code> command line utility has been deprecated in current versions of Windows in favor of <code>schtasks</code>.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1053.002 | At (Windows) | |
AC-3 | Access Enforcement | Protects | T1053.002 | At (Windows) | |
AC-5 | Separation of Duties | Protects | T1053.002 | At (Windows) | |
AC-6 | Least Privilege | Protects | T1053.002 | At (Windows) | |
CA-8 | Penetration Testing | Protects | T1053.002 | At (Windows) | |
CM-2 | Baseline Configuration | Protects | T1053.002 | At (Windows) | |
CM-5 | Access Restrictions for Change | Protects | T1053.002 | At (Windows) | |
CM-6 | Configuration Settings | Protects | T1053.002 | At (Windows) | |
CM-7 | Least Functionality | Protects | T1053.002 | At (Windows) | |
CM-8 | System Component Inventory | Protects | T1053.002 | At (Windows) | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.002 | At (Windows) | |
IA-4 | Identifier Management | Protects | T1053.002 | At (Windows) | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.002 | At (Windows) | |
SI-4 | System Monitoring | Protects | T1053.002 | At (Windows) |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1053.002 | At (Windows) |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|