Scheduled Task/Job: At (Windows)
Other sub-techniques of Scheduled Task/Job (6)
ID | Name |
---|---|
T1053.001 | At (Linux) |
T1053.002 | At (Windows) |
T1053.003 | Cron |
T1053.004 | Launchd |
T1053.005 | Scheduled Task |
T1053.006 | Systemd Timers |
Adversaries may abuse the at.exe
utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
An adversary may use at.exe
in Windows environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).
Note: The at.exe
command line utility has been deprecated in current versions of Windows in favor of schtasks
.
Procedure Examples
Name | Description |
---|---|
APT18 |
APT18 actors used the native at Windows task scheduler tool to use scheduled tasks for execution on a victim network.[1] |
at | |
BRONZE BUTLER |
BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.[3] |
CrackMapExec |
CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.[4] |
MURKYTOP | |
Threat Group-3390 |
Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.[6] |
Mitigations
Mitigation | Description |
---|---|
Audit |
Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. [7] Windows operating system also creates a registry key specifically associated with the creation of a scheduled task on the destination host at: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. [8] |
Operating System Configuration |
Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at |
Privileged Account Management |
Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. [10] |
User Account Management |
Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. |
Detection
Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. [11] If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. [12] Several events will then be logged on scheduled task activity, including: [13][14]
- Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered
- Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated
- Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted
- Event ID 4698 on Windows 10, Server 2016 - Scheduled task created
- Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled
- Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. [15]
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
References
- Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
- Microsoft. (n.d.). At. Retrieved April 28, 2016.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- PowerSploit. (n.d.). Retrieved December 4, 2014.
- Carvey, H.. (2014, September). Where You AT?: Indicators of Lateral Movement Using at.exe on Windows 7 Systems. Retrieved November 27, 2019.
- Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017.
- Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017.
- Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017.
- Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.
- Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.
- Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.