-
Notifications
You must be signed in to change notification settings - Fork 327
/
CAR-2013-05-004.yaml
70 lines (70 loc) · 3.19 KB
/
CAR-2013-05-004.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
title: Execution with AT
submission_date: 2013/05/13
information_domain: Host
platforms:
- Windows
subtypes:
- Process
analytic_types:
- TTP
contributors:
- MITRE
id: CAR-2013-05-004
description: |-
In order to gain [persistence](https://attack.mitre.org/tactics/TA0003/), [privilege escalation](https://attack.mitre.org/tactics/TA0004/), or [remote execution](https://attack.mitre.org/tactics/TA0002/), an adversary may use the Windows built-in command AT (at.exe) to [schedule a command](https://attack.mitre.org/techniques/T1053/002) to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to detection of compromised hosts and compromised users if it is used to move laterally.
The built-in Windows tool schtasks.exe ([CAR-2013-08-001](../CAR-2013-08-001)) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users.
coverage:
- technique: T1053
tactics:
- TA0002
- TA0003
- TA0004
subtechniques:
- T1053.002
coverage: Moderate
implementations:
- description: 'Instances of the process `at.exe` running imply the querying or creation of tasks. Although the command_line is not essential for the analytic to run, it is critical when identifying the command that was scheduled.'
code: |-
process = search Process:Create
at = filter process where (exe == "at.exe")
output at
type: pseudocode
- description: Splunk version of the above pseudocode.
code: |-
index=__your_sysmon_index__ Image="C:\\Windows\\*\\at.exe"|stats values(CommandLine) as "Command Lines" by ComputerName
type: Splunk
data_model: Sysmon native
- description: EQL version of the above pseudocode.
code: |-
process where subtype.create and process_name == "at.exe"
type: EQL
data_model: EQL native
- description: DNIF version of the above pseudocode.
code: |-
_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 AND $App=at.exe limit 100
type: DNIF
data_model: Sysmon native
- description: LogPoint version of the above pseudocode.
code: |-
norm_id=WindowsSysmon event_id=1 image="*\at.exe"
type: LogPoint
data_model: LogPoint native
data_model_references:
- process/create/command_line
- process/create/exe
unit_tests:
- configurations:
- Windows 7
description: |-
- From an admin account, open Windows command prompt (right click, run as administrator).
- Execute "at 10:00 calc.exe," substituting a time in the near future for 10:00.
- The program should respond with “Added a new job with job ID = 1” where the job ID is dependent on what tasks are scheduled.
- The program should execute at the time specified. This is what the analytic should fire on.
- To remove the scheduled task, execute "at 1 /delete" where you replace "1" with the job ID output in step 2a above.
commands:
- 'at 10:00 calc.exe // returns a job number X'
- at X /delete
d3fend_mappings:
- iri: d3f:ScheduledJobAnalysis
id: D3-SJA
label: Scheduled Job Analysis