IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Archive File with Unusual Extension Attempt to Clear Kernel Ring Buffer »

› › ›

At.exe Command Lateral Movement

edit

At.exe Command Lateral Movement

edit

Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Rule Type: BBR

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where host.os.type == "windows" and event.type == "start" and process.name : "at.exe" and process.args : "\\\\*"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Remote Services
- ID: T1021
- Reference URL: https://attack.mitre.org/techniques/T1021/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Scheduled Task/Job
- ID: T1053
- Reference URL: https://attack.mitre.org/techniques/T1053/
Sub-technique:
- Name: At
- ID: T1053.002
- Reference URL: https://attack.mitre.org/techniques/T1053/002/
Sub-technique:
- Name: Scheduled Task
- ID: T1053.005
- Reference URL: https://attack.mitre.org/techniques/T1053/005/

« Archive File with Unusual Extension Attempt to Clear Kernel Ring Buffer »