T1053.002 - At#
Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task’s schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
On Linux and macOS, at may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke at. If the at.deny exists and is empty, global use of at is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use at.(Citation: Linux at)
Adversaries may use at to execute programs at system startup or on a scheduled basis for Persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)
Atomic Tests#
Atomic Test #1 - At.exe Scheduled taskExecutes cmd.exe#
Note: deprecated in Windows 8+
Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
Supported Platforms: windows
Elevation Required (e.g. root or admin)#### Attack Commands: Run with command_prompt
at 13:20 /interactive cmd
Invoke-AtomicTest T1053.002 -TestNumbers 1
Atomic Test #2 - At - Schedule a job#
This test submits a command to be run in the future by the at daemon.
Supported Platforms: linux
Elevation Required (e.g. root or admin)
Dependencies: Run with sh!#
Description: The at and atd executables must exist in the PATH#
Check Prereq Commands:#
if [ "$(uname)" = 'FreeBSD' ]; then which at; else which at && which atd; fi;
Get Prereq Commands:#
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
Description: The atd daemon must be running#
Check Prereq Commands:#
if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;
Get Prereq Commands:#
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
Invoke-AtomicTest T1053.002 -TestNumbers 2 -GetPreReqs
Attack Commands: Run with sh#
echo "echo Hello from Atomic Red Team" | at now + 1 minute```
Invoke-AtomicTest T1053.002 -TestNumbers 2
Detection#
Monitor process execution from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.
Configure event logging for scheduled task creation and changes by enabling the “Microsoft-Windows-TaskScheduler/Operational” setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)(Citation: Microsoft Scheduled Task Events Win10)
Event ID 106 on Windows 7, Server 2008 R2 - Scheduled task registered
Event ID 140 on Windows 7, Server 2008 R2 / 4702 on Windows 10, Server 2016 - Scheduled task updated
Event ID 141 on Windows 7, Server 2008 R2 / 4699 on Windows 10, Server 2016 - Scheduled task deleted
Event ID 4698 on Windows 10, Server 2016 - Scheduled task created
Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled
Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns)
Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.
In Linux and macOS environments, monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.
Review all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/.(Citation: rowland linux at 2019)
Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.