Interactive AT Job

Detect an interactive AT job, which may be used as a form of privilege escalation.

id:d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56 categories:detect confidence:medium os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Privilege Escalation techniques:T1053 Scheduled Task

Note

As of Windows 8, the at.exe command was deprecated and prints the error message

The AT command has been deprecated. Please use schtasks.exe instead.

Query

process where subtype.create and
  process_name == "at.exe" and command_line == "* interactive *"

Detonation

Atomic Red Team: T1053

Contributors

• Endgame

References

• https://blogs.technet.microsoft.com/supportingwindows/2013/07/05/whats-new-in-task-scheduler-for-windows-8-server-2012/