at.exe
- File Path:
C:\Windows\system32\at.exe
- Description: Schedule service command line interface
Hashes
Type | Hash |
---|---|
MD5 | F4416891D11BBA6975E5067FA10507C8 |
SHA1 | EC6F04AA61D8F0FA0945EBFC58F6CC7CEBB1377A |
SHA256 | 73A9A6A4C9CF19FCD117EB3C430E1C9ACADED31B42875BA4F02FA61DA1B8A6DC |
SHA384 | 2862687074918DC554A4C300F887D68B48E5967E670B499DB8B188072FB8DC412B1E4B18DC49FD8C5BE9C12F3013F701 |
SHA512 | AE12DD30AFD9D9EFA45A22BF256D1E6BF781F407A07208DD9B832E3B8FC78AF31FEA5E77CEC2F3B83471F20462DF4626E68AECA8BC4D940B169E72B2003EF380 |
SSDEEP | 768:ddvxiSkGxY6ZQppLMVt+QFZ7Xu9qAJ9jq2g:ncXGhcC+QFBFAJJdg |
IMP | FA9A9B0D471E4B5F3683C346C3D880BD |
PESHA1 | 50100574B4582C8F47E396B53381740431C28B06 |
PE256 | AA623094D8EE1C822CBB5EB044FFC58EB085E49733DF47F4382840EF1C35C8B2 |
Runtime Data
Usage (stdout):
The AT command has been deprecated. Please use schtasks.exe instead.
Invalid command.
The AT command schedules commands and programs to run on a computer at
a specified time and date. The Schedule service must be running to use
the AT command.
AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE]
[ /EVERY:date[,...] | /NEXT:date[,...]] "command"
\\computername Specifies a remote computer. Commands are scheduled on the
local computer if this parameter is omitted.
id Is an identification number assigned to a scheduled
command.
/delete Cancels a scheduled command. If id is omitted, all the
scheduled commands on the computer are canceled.
/yes Used with cancel all jobs command when no further
confirmation is desired.
time Specifies the time when command is to run.
/interactive Allows the job to interact with the desktop of the user
who is logged on at the time the job runs.
/every:date[,...] Runs the command on each specified day(s) of the week or
month. If date is omitted, the current day of the month
is assumed.
/next:date[,...] Runs the specified command on the next occurrence of the
day (for example, next Thursday). If date is omitted, the
current day of the month is assumed.
"command" Is the Windows NT command, or batch program to be run.
Child Processes:
csrss.exe wininit.exe
Loaded Modules:
Path |
---|
C:\Windows\system32\at.exe |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4
- Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: AT.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/67
- VirusTotal Link: https://www.virustotal.com/gui/file/73a9a6a4c9cf19fcd117eb3c430e1c9acaded31b42875ba4f02fa61da1b8a6dc/detection/
Possible Misuse
The following table contains possible examples of at.exe
being misused. While at.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | zeek_smb_converted_win_atsvc_task.yml | description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe |
DRL 1.0 |
sigma | win_atsvc_task.yml | description: Detects remote task creation via at.exe or API interacting with ATSVC namedpipe |
DRL 1.0 |
sigma | proc_creation_win_interactive_at.yml | Image\|endswith: '\at.exe' |
DRL 1.0 |
sigma | proc_creation_win_interactive_at.yml | - Unlikely (at.exe deprecated as of Windows 8) |
DRL 1.0 |
sigma | proc_creation_win_multiple_suspicious_cli.yml | - at.exe |
DRL 1.0 |
LOLBAS | At.yml | Name: At.exe |
|
LOLBAS | At.yml | - Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe |
|
LOLBAS | At.yml | - Path: C:\WINDOWS\System32\At.exe |
|
LOLBAS | At.yml | - Path: C:\WINDOWS\SysWOW64\At.exe |
|
LOLBAS | At.yml | - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems |
|
atomic-red-team | index.md | - Atomic Test #1: At.exe Scheduled task [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: At.exe Scheduled task [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.002.md | <blockquote>Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. |
MIT License. © 2018 Red Canary |
atomic-red-team | T1053.002.md | An adversary may use at.exe in Windows environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM). |
MIT License. © 2018 Red Canary |
atomic-red-team | T1053.002.md | Note: The at.exe command line utility has been deprecated in current versions of Windows in favor of schtasks .</blockquote> |
MIT License. © 2018 Red Canary |
atomic-red-team | T1053.002.md | - Atomic Test #1 - At.exe Scheduled task | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.002.md | ## Atomic Test #1 - At.exe Scheduled task | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.002.md | Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | The deprecated at utility could also be abused by adversaries (ex: At (Windows)), though at.exe can not access tasks created with schtasks or the Control Panel. |
MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
at
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Schedules commands and programs to run on a computer at a specified time and date. You can use at only when the Schedule service is running. Used without parameters, at lists scheduled commands. You must be a member of the local Administrators group to run this command.
Syntax
at [\computername] [[id] [/delete] | /delete [/yes]]
at [\computername] <time> [/interactive] [/every:date[,...] | /next:date[,...]] <command>
Parameters
Parameter | Description |
---|---|
\<computername\> |
Specifies a remote computer. If you omit this parameter, at schedules the commands and programs on the local computer. |
<id> |
Specifies the identification number assigned to a scheduled command. |
/delete | Cancels a scheduled command. If you omit ID, all of the scheduled commands on the computer are canceled. |
/yes | Answers yes to all queries from the system when you delete scheduled events. |
<time> |
Specifies the time when you want to run the command. time is expressed as Hours:Minutes in 24-hour notation (that is, 00:00 (midnight) through 23:59). |
interactive | Allows command to interact with the desktop of the user who is logged on at the time Command runs. |
every: | Runs command on every specified day or days of the week or month (for example, every Thursday, or the third day of every month). |
<date> |
Specifies the date when you want to run the command. You can specify one or more days of the week (that is, type M,T,W,Th,F,S,Su) or one or more days of the month (that is, type 1 through 31). Separate multiple date entries with commas. If you omit date, at uses the current day of the month. |
next: | Runs command on the next occurrence of the day (for example, next Thursday). |
<command> |
Specifies the Windows command, program (that is, .exe or .com file), or batch program (that is, .bat or .cmd file) that you want to run. When the command requires a path as an argument, use the absolute path (that is, the entire path beginning with the drive letter). If the command is on a remote computer, specify Universal Naming Convention (UNC) notation for the server and share name, rather than a remote drive letter. |
/? | Displays help at the command prompt. |
Remarks
-
This command doesn’t automatically load cmd.exe before running commands. If you’re not running an executable (.exe) file, you must explicitly load cmd.exe at the beginning of the command as follows:
cmd /c dir > c:\test.out
-
If using this command without command-line options, scheduled tasks appear in a table formatted similar to the following:
Status ID Day time Command Line OK 1 Each F 4:30 PM net send group leads status due OK 2 Each M 12:00 AM chkstor > check.file OK 3 Each F 11:59 PM backup2.bat
-
If including an identification number (ID) with this command, only information for a single entry appears in a format similar to the following:
Task ID: 1 Status: OK Schedule: Each F Time of Day: 4:30 PM Command: net send group leads status due
-
After you schedule a command, especially a command that has command-line options, check that the command syntax is correct by typing at without any command-line options. If the information in the Command Line column is wrong, delete the command and retype it. If it’s still incorrect, retype the command using fewer command-line options.
-
Commands scheduled with at run as background processes. Output is not displayed on the computer screen. To redirect output to a file, use the redirection symbol
>
. If you redirect output to a file, you need to use the escape symbol^
before the redirection symbol, whether you are using at at the command line or in a batch file. For example, to redirect output to output.txt, type:at 14:45 c:\test.bat ^>c:\output.txt
The current directory for the executing command is the systemroot folder.
-
If you change the system time after you schedule a command to run, synchronize the at scheduler with the revised system time by typing at without command-line options.
-
Scheduled commands are stored in the registry. As a result, you don’t lose scheduled tasks if you restart the Schedule service.
-
Do not use a redirected drive for scheduled jobs that access the network. The Schedule service might not be able to access the redirected drive, or the redirected drive might not be present if a different user is logged on at the time the scheduled task runs. Instead, use UNC paths for scheduled jobs. For example:
at 1:00pm my_backup \\server\share
Do not use the following syntax, where x: is a connection made by the user:
at 1:00pm my_backup x:
If you schedule an at command that uses a drive letter to connect to a shared directory, include an at command to disconnect the drive when you are finished using the drive. If the drive is not disconnected, the assigned drive letter won’t be available at the command prompt.
-
By default, tasks scheduled using this command will stop after 72 hours. You can modify the registry to change this default value.
To modify the registry
[!Caution] Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
-
Start the registry editor (regedit.exe).
-
Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
-
On the Edit menu, click Add Value, and then add the following registry values:
-
Value Name. atTaskMaxHours
-
Data type. reg_DWOrd
-
Radix. Decimal
-
Value Data: 0. A value of 0 in the Value Data field indicates no limit and doesn’t not stop. Values from 1 through 99 indicates the number of hours.
-
-
-
You can use the Scheduled Tasks folder to view or modify the settings of a task that was created by using this command. When you schedule a task using this command, the task is listed in the Scheduled Tasks folder, with a name such as the following:at3478. However, if you modify a task through the Scheduled Tasks folder, it’s upgraded to a normal scheduled task. The task is no longer visible to the at command, and the at account setting no longer applies to it. You must explicitly enter a user account and password for the task.
Examples
To display a list of commands scheduled on the Marketing server, type:
at \\marketing
To learn more about a command with the identification number 3 on the Corp server, type:
at \\corp 3
To schedule a net share command to run on the Corp server at 8:00 A.M. and redirect the listing to the Maintenance server, in the Reports shared directory, and the Corp.txt file, type:
at \\corp 08:00 cmd /c net share reports=d:\marketing\reports >> \\maintenance\reports\corp.txt
To back up the hard drive of the Marketing server to a tape drive at midnight every five days, create a batch program called Archive.cmd, which contains the backup commands, and then schedule the batch program to run, type:
at \\marketing 00:00 /every:5,10,15,20,25,30 archive
To cancel all commands scheduled on the current server, clear the at schedule information as follows:
at /delete
To run a command that is not an executable (.exe) file, precede the command with cmd /c to load cmd.exe as follows:
cmd /c dir > c:\test.out
Additional References
-
schtasks. Another command-line scheduling tool.
MIT License. Copyright (c) 2020-2021 Strontic.