Interactive AT Job¶
Detect an interactive AT job, which may be used as a form of privilege escalation.
id: | d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56 |
---|---|
categories: | detect |
confidence: | medium |
os: | windows |
created: | 11/30/2018 |
updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping¶
tactics: | Privilege Escalation |
---|---|
techniques: | T1053 Scheduled Task |
Note
- As of Windows 8, the
at.exe
command was deprecated and prints the error message - The AT command has been deprecated. Please use schtasks.exe instead.
Query¶
process where subtype.create and
process_name == "at.exe" and command_line == "* interactive *"