Detect At in Sumo Logic CSE
Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of schtasks in Windows environments, at can be used to execute programs at system startup or on a scheduled basis for persistence, remote execution as part of lateral movement, and privilege escalation on Linux if allowed to run as superuser via sudo. Adversaries may also leverage the WMI Win32_ScheduledJob class to schedule tasks programmatically.
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Sub-technique
- T1053.002 At
- Canonical reference
- https://attack.mitre.org/techniques/T1053/002/
Sumo Detection Query
_sourceCategory="windows/*" OR _sourceCategory="sysmon/*"
| where (%"EventID" = "4688" OR %"EventID" = "1")
| parse field=%"CommandLine" "*" as CommandLine nodrop
| parse field=%"NewProcessName" "*" as ProcessImage nodrop
| parse field=%"Image" "*" as SysmonImage nodrop
| parse field=%"ParentImage" "*" as ParentImage nodrop
| parse field=%"ParentProcessName" "*" as ParentProcessName nodrop
| parse field=%"SubjectUserName" "*" as SecurityUser nodrop
| parse field=%"User" "*" as SysmonUser nodrop
| eval ProcessPath = if(!isNull(SysmonImage), SysmonImage, ProcessImage)
| eval UserName = if(!isNull(SysmonUser), SysmonUser, SecurityUser)
| eval ParentProc = if(!isNull(ParentImage), ParentImage, ParentProcessName)
| where matches(ProcessPath, "(?i).*\\at\.exe") OR
(matches(ProcessPath, "(?i).*\\wmic\.exe") AND matches(CommandLine, "(?i).*ScheduledJob.*")) OR
(matches(ProcessPath, "(?i).*\\(powershell|pwsh)\.exe") AND matches(CommandLine, "(?i).*Win32_ScheduledJob.*"))
| eval IsSuspiciousPayload = if(matches(toLowerCase(CommandLine), ".*(cmd\\.exe|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|\\.bat|\\.vbs|\\.ps1|\\.hta|mimikatz|whoami|net user|net use).*"), 1, 0)
| eval IsInteractive = if(matches(toLowerCase(CommandLine), ".*/interactive.*"), 1, 0)
| eval IsSuspiciousParent = if(matches(toLowerCase(ParentProc), ".*(powershell|wscript|cscript|mshta|python|perl|ruby).*"), 1, 0)
| eval IsWMIScheduledJob = if(matches(toLowerCase(CommandLine), ".*(win32_scheduledjob|scheduledjob).*"), 1, 0)
| eval SuspicionScore = IsSuspiciousPayload + IsInteractive + IsSuspiciousParent + IsWMIScheduledJob
| where SuspicionScore > 0 OR matches(ProcessPath, "(?i).*\\at\.exe")
| fields _messageTime, %"Computer", UserName, ProcessPath, CommandLine, ParentProc, IsSuspiciousPayload, IsInteractive, IsSuspiciousParent, IsWMIScheduledJob, SuspicionScore
| sort by _messageTime descSumo Logic query detecting at.exe and WMI Win32_ScheduledJob abuse for T1053.002. Normalizes fields across Windows Security and Sysmon log sources, computes a suspicion score based on payload type, interactive flag, parent process, and WMI scheduling method.
Data Sources
Required Tables
False Positives & Tuning
- Legacy Windows applications (e.g., older ERP systems) that still rely on at.exe for scheduling batch jobs on systems where schtasks is not supported
- IT automation frameworks calling wmic.exe with ScheduledJob parameters to enumerate existing scheduled tasks during compliance scans
- PowerShell-based configuration management scripts that query Win32_ScheduledJob WMI class for auditing purposes without creating new tasks
Other platforms for T1053.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Schedule Command Execution via at.exe (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image=at.exe, CommandLine containing a time value and 'cmd.exe /c whoami'. Security Event ID 4688 (if command line auditing enabled). Security Event ID 4698 (Scheduled Task Created) capturing the job. When the job fires, Security Event ID 4624 for the SYSTEM logon context and another Sysmon Event ID 1 for cmd.exe spawned by the Task Scheduler service (parent: svchost.exe).
- Test 2Schedule PowerShell Execution via at.exe (Windows)
Expected signal: Sysmon Event ID 1 for at.exe with CommandLine containing 'powershell.exe'. Security Event ID 4698 for scheduled task creation. When fired: Sysmon Event ID 1 for powershell.exe spawned by svchost.exe (Task Scheduler context), Sysmon Event ID 11 for file creation in TEMP.
- Test 3WMI Win32_ScheduledJob Creation via PowerShell (Windows)
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Win32_ScheduledJob' and 'Create'. Microsoft-Windows-WMI-Activity/Operational Event ID 5861. Security Event ID 4698 (Scheduled Task Created) may fire depending on Windows version. When job executes: cmd.exe spawned by svchost.exe (Task Scheduler), Sysmon Event ID 11 for file creation in C:\Windows\Temp.
- Test 4Linux at Command for Deferred Execution
Expected signal: Syslog/auditd: execve syscall for 'at' binary with arguments 'now + 1 minute'. atd daemon log entries in /var/log/syslog or /var/log/cron. When the job fires: execve for 'sh' or 'bash' spawned by atd, then execve for 'id'. Auditd records with key 'at_usage' if rule is configured: -a always,exit -F path=/usr/bin/at -F perm=x -k at_usage.
- Test 5Linux at Privilege Escalation via sudo (GTFObins)
Expected signal: Auditd: syscall execve for sudo with arguments 'at', preceded by sudo authentication event. Syslog: sudo log entry 'USER=root ; COMMAND=/usr/bin/at'. When job fires: sh or bash process spawned by atd running as root. Auditd EUID=0 for the spawned shell process.
References (11)
- https://attack.mitre.org/techniques/T1053/002/
- https://man7.org/linux/man-pages/man1/at.1p.html
- https://gtfobins.github.io/gtfobins/at/
- https://technet.microsoft.com/library/dd315590.aspx
- https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
- https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings
- https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md
Unlock Pro Content
Get the full detection package for T1053.002 including response playbook, investigation guide, and atomic red team tests.