at.exe

  • File Path: C:\Windows\system32\at.exe
  • Description: Schedule service command line interface

Hashes

Type Hash
MD5 F4416891D11BBA6975E5067FA10507C8
SHA1 EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A
SHA256 73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC
SHA384 2862687074918DC554A4C300F887D68B48E5967E670B499DB8B188072FB8DC412B1E4B18DC49FD8C5BE9C12F3013F701
SHA512 AE12DD30AFD9D9EFA45A22BF256D1E6BF781F407A07208DD9B832E3B8FC78AF31FEA5E77CEC2F3B83471F20462DF4626E68AECA8BC4D940B169E72B2003EF380
SSDEEP 768:ddvxiSkGxY6ZQppLMVt+QFZ7Xu9qAJ9jq2g:ncXGhcC+QFBFAJJdg
IMP FA9A9B0D471E4B5F3683C346C3D880BD
PESHA1 50100574B4582C8F47E396B53381740431C28B06
PE256 AA623094D8EE1C822CBB5EB044FFC58EB085E49733DF47F4382840EF1C35C8B2

Runtime Data

Usage (stdout):

The AT command has been deprecated. Please use schtasks.exe instead.

Invalid command.

The AT command schedules commands and programs to run on a computer at      
a specified time and date. The Schedule service must be running to use      
the AT command.
                                                           
AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]                    
AT [\\computername] time [/INTERACTIVE]
    [ /EVERY:date[,...] | /NEXT:date[,...]] "command"

\\computername     Specifies a remote computer. Commands are scheduled on the
                   local computer if this parameter is omitted.             
id                 Is an identification number assigned to a scheduled      
                   command.                                                 
/delete            Cancels a scheduled command. If id is omitted, all the
                   scheduled commands on the computer are canceled.
/yes               Used with cancel all jobs command when no further
                   confirmation is desired.
time               Specifies the time when command is to run.
/interactive       Allows the job to interact with the desktop of the user   
                   who is logged on at the time the job runs.
/every:date[,...]  Runs the command on each specified day(s) of the week or
                   month. If date is omitted, the current day of the month
                   is assumed.                                              
/next:date[,...]   Runs the specified command on the next occurrence of the
                   day (for example, next Thursday).  If date is omitted, the
                   current day of the month is assumed.
"command"          Is the Windows NT command, or batch program to be run.


Child Processes:

csrss.exe wininit.exe

Loaded Modules:

Path
C:\Windows\system32\at.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: AT.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/67
  • VirusTotal Link: https://www.virustotal.com/gui/file/73a9a6a4c9cf19fcd117eb3c430e1c9acaded31b42875ba4f02fa61da1b8a6dc/detection/

Possible Misuse

The following table contains possible examples of at.exe being misused. While at.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma zeek_smb_converted_win_atsvc_task.yml description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe DRL 1.0
sigma win_atsvc_task.yml description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe DRL 1.0
sigma win_interactive_at.yml Image\|endswith: '\at.exe' DRL 1.0
sigma win_interactive_at.yml - Unlikely (at.exe deprecated as of Windows 8) DRL 1.0
sigma win_multiple_suspicious_cli.yml - at.exe DRL 1.0
LOLBAS At.yml Name: At.exe  
LOLBAS At.yml - Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe  
LOLBAS At.yml - Path: C:\WINDOWS\System32\At.exe  
LOLBAS At.yml - Path: C:\WINDOWS\SysWOW64\At.exe  
LOLBAS At.yml - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems  
atomic-red-team index.md - Atomic Test #1: At.exe Scheduled task [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: At.exe Scheduled task [windows] MIT License. © 2018 Red Canary
atomic-red-team T1053.002.md <blockquote>Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. MIT License. © 2018 Red Canary
atomic-red-team T1053.002.md An adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). MIT License. © 2018 Red Canary
atomic-red-team T1053.002.md Note: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks.</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1053.002.md - Atomic Test #1 - At.exe Scheduled task MIT License. © 2018 Red Canary
atomic-red-team T1053.002.md ## Atomic Test #1 - At.exe Scheduled task MIT License. © 2018 Red Canary
atomic-red-team T1053.002.md Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md The deprecated at utility could also be abused by adversaries (ex: At (Windows)), though at.exe can not access tasks created with schtasks or the Control Panel. MIT License. © 2018 Red Canary

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


at

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Schedules commands and programs to run on a computer at a specified time and date. You can use at only when the Schedule service is running. Used without parameters, at lists scheduled commands. You must be a member of the local Administrators group to run this command.

Syntax

at [\computername] [[id] [/delete] | /delete [/yes]]
at [\computername] <time> [/interactive] [/every:date[,...] | /next:date[,...]] <command>

Parameters

Parameter Description
\<computername\> Specifies a remote computer. If you omit this parameter, at schedules the commands and programs on the local computer.
<id> Specifies the identification number assigned to a scheduled command.
/delete Cancels a scheduled command. If you omit ID, all of the scheduled commands on the computer are canceled.
/yes Answers yes to all queries from the system when you delete scheduled events.
<time> Specifies the time when you want to run the command. time is expressed as Hours:Minutes in 24-hour notation (that is, 00:00 (midnight) through 23:59).
interactive Allows command to interact with the desktop of the user who is logged on at the time Command runs.
every: Runs command on every specified day or days of the week or month (for example, every Thursday, or the third day of every month).
<date> Specifies the date when you want to run the command. You can specify one or more days of the week (that is, type M,T,W,Th,F,S,Su) or one or more days of the month (that is, type 1 through 31). Separate multiple date entries with commas. If you omit date, at uses the current day of the month.
next: Runs command on the next occurrence of the day (for example, next Thursday).
<command> Specifies the Windows command, program (that is, .exe or .com file), or batch program (that is, .bat or .cmd file) that you want to run. When the command requires a path as an argument, use the absolute path (that is, the entire path beginning with the drive letter). If the command is on a remote computer, specify Universal Naming Convention (UNC) notation for the server and share name, rather than a remote drive letter.
/? Displays help at the command prompt.

Remarks

  • This command doesn’t automatically load cmd.exe before running commands. If you’re not running an executable (.exe) file, you must explicitly load cmd.exe at the beginning of the command as follows:

      cmd /c dir > c:\test.out
    
  • If using this command without command-line options, scheduled tasks appear in a table formatted similar to the following:

      Status  ID   Day        time        Command Line
      OK      1    Each F     4:30 PM     net send group leads status due
      OK      2    Each M     12:00 AM    chkstor > check.file
      OK      3    Each F     11:59 PM    backup2.bat
    
  • If including an identification number (ID) with this command, only information for a single entry appears in a format similar to the following:

      Task ID: 1
      Status: OK
      Schedule: Each  F
      Time of Day: 4:30 PM
      Command: net send group leads status due
    
  • After you schedule a command, especially a command that has command-line options, check that the command syntax is correct by typing at without any command-line options. If the information in the Command Line column is wrong, delete the command and retype it. If it’s still incorrect, retype the command using fewer command-line options.

  • Commands scheduled with at run as background processes. Output is not displayed on the computer screen. To redirect output to a file, use the redirection symbol >. If you redirect output to a file, you need to use the escape symbol ^ before the redirection symbol, whether you are using at at the command line or in a batch file. For example, to redirect output to output.txt, type:

      at 14:45 c:\test.bat ^>c:\output.txt
    

    The current directory for the executing command is the systemroot folder.

  • If you change the system time after you schedule a command to run, synchronize the at scheduler with the revised system time by typing at without command-line options.

  • Scheduled commands are stored in the registry. As a result, you don’t lose scheduled tasks if you restart the Schedule service.

  • Do not use a redirected drive for scheduled jobs that access the network. The Schedule service might not be able to access the redirected drive, or the redirected drive might not be present if a different user is logged on at the time the scheduled task runs. Instead, use UNC paths for scheduled jobs. For example:

      at 1:00pm my_backup \\server\share
    

    Do not use the following syntax, where x: is a connection made by the user:

      at 1:00pm my_backup x:
    

    If you schedule an at command that uses a drive letter to connect to a shared directory, include an at command to disconnect the drive when you are finished using the drive. If the drive is not disconnected, the assigned drive letter won’t be available at the command prompt.

  • By default, tasks scheduled using this command will stop after 72 hours. You can modify the registry to change this default value.

    To modify the registry

    [!Caution] Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    1. Start the registry editor (regedit.exe).

    2. Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule

    3. On the Edit menu, click Add Value, and then add the following registry values:

      • Value Name. atTaskMaxHours

      • Data type. reg_DWOrd

      • Radix. Decimal

      • Value Data: 0. A value of 0 in the Value Data field indicates no limit and doesn’t not stop. Values from 1 through 99 indicates the number of hours.

  • You can use the Scheduled Tasks folder to view or modify the settings of a task that was created by using this command. When you schedule a task using this command, the task is listed in the Scheduled Tasks folder, with a name such as the following:at3478. However, if you modify a task through the Scheduled Tasks folder, it’s upgraded to a normal scheduled task. The task is no longer visible to the at command, and the at account setting no longer applies to it. You must explicitly enter a user account and password for the task.

Examples

To display a list of commands scheduled on the Marketing server, type:

at \\marketing

To learn more about a command with the identification number 3 on the Corp server, type:

at \\corp 3

To schedule a net share command to run on the Corp server at 8:00 A.M. and redirect the listing to the Maintenance server, in the Reports shared directory, and the Corp.txt file, type:

at \\corp 08:00 cmd /c net share reports=d:\marketing\reports >> \\maintenance\reports\corp.txt

To back up the hard drive of the Marketing server to a tape drive at midnight every five days, create a batch program called Archive.cmd, which contains the backup commands, and then schedule the batch program to run, type:

at \\marketing 00:00 /every:5,10,15,20,25,30 archive

To cancel all commands scheduled on the current server, clear the at schedule information as follows:

at /delete

To run a command that is not an executable (.exe) file, precede the command with cmd /c to load cmd.exe as follows:

cmd /c dir > c:\test.out

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.