At

Information

• Name: At

• ID: T1053.002

• Tactics: TA0002, TA0003, TA0004

• Technique: T1053

Introduction

Scheduled Task/Job: At (T1053.002) is a sub-technique within the MITRE ATT&CK framework, categorized under the Execution tactic. It specifically involves adversaries leveraging the built-in Windows AT utility to schedule tasks on a compromised host. The AT utility allows scheduling of programs or scripts to execute at a specific date and time, enabling attackers to maintain persistence, automate execution, or escalate privileges without immediate detection.

Deep Dive Into Technique

The AT utility is a legacy Windows command-line tool that provides task scheduling capabilities. Attackers commonly exploit it due to its inherent availability on Windows systems and its ability to execute commands or scripts at a defined time, often with SYSTEM-level privileges.

Technical details and execution methods include:

• Command Syntax: Attackers typically utilize the AT command in the following syntax:

  Copy

  at [\\computername] [time] [/interactive] [/every:date[,...] | /next:date[,...]] "command"

• Privilege Level: Tasks scheduled using AT generally run with SYSTEM-level privileges, providing attackers elevated access.

• Persistence: Tasks scheduled through AT persist across system reboots, allowing attackers long-term footholds within compromised systems.

• Interactive Mode: The /interactive switch can be used to allow interaction with the desktop session, potentially enabling further exploitation or privilege escalation.

• Remote Scheduling: Attackers may remotely schedule tasks on other machines using the \\computername parameter, provided they have sufficient privileges and network access.

• Legacy Utility: The AT utility is considered legacy and has been replaced by schtasks in newer Windows versions. However, it remains present and functional in many environments, making it a viable attack vector.

When this Technique is Usually Used

Attackers typically leverage this sub-technique in various stages and scenarios of cyber-attacks, including:

• Persistence Stage: Establishing a persistent foothold on compromised hosts by scheduling recurring execution of malicious payloads.

• Privilege Escalation: Exploiting the elevated privileges (SYSTEM-level) associated with AT-scheduled tasks to escalate privileges on compromised systems.

• Lateral Movement: Remotely scheduling tasks on other networked systems to spread malware or execute reconnaissance scripts.

• Execution Stage: Automating the execution of malicious scripts or binaries at specific times to evade immediate detection or monitoring.

• Defense Evasion: Utilizing scheduled tasks to avoid real-time detection mechanisms by delaying execution or timing malicious activities during off-hours or low-monitoring periods.

How this Technique is Usually Detected

Detection of malicious use of the AT utility involves various approaches, including monitoring, logging, and analysis:

• Event Log Monitoring:

  • Monitor Windows Security Event Logs (Event ID 4698 for task creation).

  • Monitor Application and System event logs for suspicious task executions.

• Process Creation Monitoring:

  • Observe command-line parameters associated with the at.exe execution.

  • Detect unusual or unexpected commands executed by scheduled tasks.

• Registry Analysis:

  • Scheduled tasks created with AT are stored in the registry under:

    Copy

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache

  • Monitor registry changes or new task entries for suspicious patterns.

• File System Analysis:

  • Inspect scheduled task directories (C:\Windows\Tasks\) for suspicious .job files.

• Endpoint Detection and Response (EDR):

  • Utilize EDR solutions to detect and alert on suspicious task scheduling activities.

• Indicators of Compromise (IoCs):

  • Unusual scheduled tasks running at odd times.

  • Tasks executing scripts or binaries from temporary locations or uncommon directories.

  • Presence of tasks with obfuscated or encoded commands.

  • Scheduled tasks created remotely or by unexpected user accounts.

Why it is Important to Detect This Technique

Detecting the malicious use of the AT utility is crucial for maintaining the security and integrity of enterprise environments due to the following reasons:

• Persistence and Long-Term Compromise:

  • Attackers utilize scheduled tasks to maintain persistent access, allowing them to execute malicious payloads repeatedly over extended periods.

• Privilege Escalation:

  • Scheduled tasks through AT often run under SYSTEM privileges, enabling attackers to escalate privileges and gain complete control over compromised systems.

• Stealth and Evasion:

  • Scheduled tasks can execute malicious code at predetermined intervals, potentially bypassing real-time detection mechanisms and security monitoring.

• Lateral Movement:

  • Attackers may remotely schedule tasks on multiple systems, facilitating rapid lateral movement and widespread malware distribution.

• Data Exfiltration and Damage:

  • Malicious tasks can automate data theft, ransomware deployment, or sabotage operations, causing significant damage to organizational assets and reputation.

• Early Detection:

  • Timely identification of malicious scheduled tasks can mitigate further compromise, limit damage, and facilitate quicker incident response and remediation.

Examples

Real-world examples of attacks leveraging the AT utility include:

• APT Groups:

  • APT29 (Cozy Bear) has been known to schedule tasks for persistence and execution of reconnaissance scripts and malware payloads.

  • APT32 (OceanLotus) has utilized scheduled tasks to execute malicious binaries and scripts, maintaining access and evading detection.

• Commodity Malware:

  • Emotet malware variants have used scheduled tasks, including AT commands, to maintain persistent execution of malicious payloads and modules.

• Ransomware Attacks:

  • Ryuk ransomware operators have leveraged scheduled tasks to execute ransomware payloads at specific times, maximizing damage and evading immediate detection.

• Attack Scenario Example:

  1. Attacker compromises initial host via phishing email delivering malicious payload.

  2. Attacker schedules a task using AT to execute malware payload periodically:

     Copy

     at 02:00 /every:M,T,W,Th,F "C:\Temp\malicious.exe"

  3. Scheduled task executes malware payload daily at 2 AM, maintaining persistence and allowing attacker continuous access.

  4. Attacker escalates privileges, performs lateral movement, and schedules similar tasks on multiple hosts within the network.

  5. Malicious tasks facilitate data exfiltration, ransomware deployment, or reconnaissance activities, resulting in significant organizational impact.