Detectionhightest

Interactive AT Job

Detects an interactive AT job, which may be used as a form of privilege escalation.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.communityCreated Thu Oct 24Updated Sat Nov 2760fc936d-2eb0-4543-8a13-911c750a1dfcwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '\at.exe'
        CommandLine|contains: 'interactive'
    condition: selection

False Positives

Unlikely (at.exe deprecated as of Windows 8)

References

Resolving title…

github.com

Resolving title…

eqllib.readthedocs.io

Testing & Validation

Simulations

atomic-red-teamT1053.002

View on ART

At.exe Scheduled task

GUID: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0002 · Execution TA0004 · Privilege Escalation

Sub-techniques

T1053.002 · At

Rule Metadata

Rule ID

60fc936d-2eb0-4543-8a13-911c750a1dfc

Status

test

Level

high

Type

Detection

Created

Thu Oct 24

Modified

Sat Nov 27

Author

E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community

Path

rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml

Raw Tags

attack.persistenceattack.executionattack.privilege-escalationattack.t1053.002

View on GitHub