Scheduled Task/Job: At

Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the at command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation Win32_ScheduledJob WMI class.[1]

On Linux and macOS, at may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke at. If the at.deny exists and is empty, global use of at is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use at.[2]

Adversaries may use at to execute programs at system startup or on a scheduled basis for Persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).

In Linux environments, adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via sudo.[3]

ID: T1053.002
Sub-technique of:  T1053
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, User
Supports Remote:  Yes
Version: 2.3
Created: 27 November 2019
Last Modified: 12 October 2024

Procedure Examples

ID Name Description
G0026 APT18

APT18 actors used the native at Windows task scheduler tool to use scheduled tasks for execution on a victim network.[4]

S0110 at

at can be used to schedule a task on a system to be executed at a specific date or time.[5][2]

G0060 BRONZE BUTLER

BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.[6]

S0488 CrackMapExec

CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.[7]

S0233 MURKYTOP

MURKYTOP has the capability to schedule remote AT jobs.[8]

G0027 Threat Group-3390

Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.[9]

Mitigations

ID Mitigation Description
M1047 Audit

Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. [10] Windows operating system also creates a registry key specifically associated with the creation of a scheduled task on the destination host at: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. [11] In Linux and macOS environments, scheduled tasks using at can be audited locally, or through centrally collected logging, using syslog, or auditd events from the host. [12]

M1028 Operating System Configuration

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. [13]

M1026 Privileged Account Management

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [14]

M1018 User Account Management

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. In Linux environments, users account-level access to at can be managed using at.allow and at.deny files. Users listed in the at.allow are enabled to schedule actions using at, whereas users listed in at.deny file disabled from the utility.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments for actions that could be taken to create/modify tasks. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.

Analytic 1 - Linux Command Execution

index=linux_logs sourcetype=syslog "at" | rex "user=(?\w+)"

Analytic 2 - Windows Command Execution index=windows_logs sourcetype=WinEventLog:System EventCode=4698 TaskName="at*"| where NOT (user="SYSTEM" AND TaskName="\Microsoft\Windows\Defrag\ScheduledDefrag")

DS0022 File File Modification

On Windows, monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks, especially those that do not correlate with known software, patch cycles, etc. On Linux and macOS, all at jobs are stored in /var/spool/cron/atjobs/.[15]

Analytic 1 - Look for task file modifications with unusual parameters. (Linux)

index=linux_logs sourcetype=syslog "at" "/var/spool/cron/atjobs/"| rex "user=(?\w+)"

Analytic 2 - Look for task file modifications with unusual parameters. (Windows)

index=windows_logs sourcetype=WinEventLog:System EventCode=4663 Object_Type="File"| rex field=_raw "Object_Name=(?[^\r\n]+)"| search file_path="at"| where NOT (user="SYSTEM" AND file_path="C:\Windows\Tasks\allowed_task.job")

DS0029 Network Traffic Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. When AT.exe is used to remotely schedule tasks, Windows uses named pipes over SMB to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe ATSVC is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention C:\Windows\System32\AT.

This pipe activity could be discovered with a network decoder, such as that in wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern C:\Windows\System32\AT\<job_id>.

To detect AT via network traffic, a sensor is needed that has the ability to extract and decode PCAP information. Specifically, it needs to properly decode SMB and the functions that are implemented over it via NamedPipes. If a sensor meets these criteria, then the PCAP data needs to search for instances of the command JobAdd over the pipe ATSVC, which is all implemented over Windows SMB 445/tcp.

Analytic 1 - Remotely Scheduled Tasks via AT

index=network dest_port=445 protocol="smb" pipe="ATSVC" command="JobAdd"

DS0009 Process Process Creation

Monitor for newly constructed processes with command-lines that create/modify or are executed from tasks. For example, on Windows tasks may spawn from svchost.exe or the Windows Task Scheduler taskeng.exe for older OS versions. [16] Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Instances of the process at.exe running imply the querying or creation of tasks. Although the command_line is not essential for the analytic to run, it is critical when identifying the command that was scheduled.

Analytic 1 - Scheduled Task

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="*at.exe"

DS0003 Scheduled Job Scheduled Job Creation

Monitor for newly constructed scheduled jobs. If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. On Windows, enable the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service where several events will then be logged on scheduled task activity, including:[17]

  • Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered
  • Event ID 4698 on Windows 10, Server 2016 - Scheduled task created
  • Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled
  • Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled

Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. [18]

References