Bhavin Patel
89 lines
2.9 KiB
YAML
89 lines
2.9 KiB
YAML
attack_technique: T1053.002
|
|
display_name: 'Scheduled Task/Job: At'
|
|
|
|
atomic_tests:
|
|
- name: At.exe Scheduled task
|
|
auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
|
|
description: |
|
|
Executes cmd.exe
|
|
Note: deprecated in Windows 8+
|
|
|
|
Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: command_prompt
|
|
elevation_required: false
|
|
command: |
|
|
at 13:20 /interactive cmd
|
|
- name: At - Schedule a job
|
|
auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e
|
|
description: |
|
|
This test submits a command to be run in the future by the `at` daemon.
|
|
|
|
supported_platforms:
|
|
- linux
|
|
|
|
input_arguments:
|
|
time_spec:
|
|
description: Time specification of when the command should run
|
|
type: string
|
|
default: now + 1 minute
|
|
at_command:
|
|
description: The command to be run
|
|
type: string
|
|
default: echo Hello from Atomic Red Team
|
|
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
The `at` and `atd` executables must exist in the PATH
|
|
prereq_command: |
|
|
if [ "$(uname)" = 'FreeBSD' ]; then which at; else which at && which atd; fi;
|
|
get_prereq_command: |
|
|
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
|
|
- description: |
|
|
The `atd` daemon must be running
|
|
prereq_command: |
|
|
if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;
|
|
get_prereq_command: |
|
|
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
|
|
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |-
|
|
echo "#{at_command}" | at #{time_spec}
|
|
|
|
- name: At - Schedule a job via kubectl in a Pod
|
|
auto_generated_guid: 9c8a5a3e-1d64-4b4a-9f9a-0e6a9c1b5f2e
|
|
description: |
|
|
Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
|
|
and submits a job with `at`. The pod is deleted after execution.
|
|
supported_platforms:
|
|
- containers
|
|
input_arguments:
|
|
pod_name:
|
|
description: K8s pod name to execute the command in
|
|
type: string
|
|
default: atomic-at-schedule
|
|
time_spec:
|
|
description: Time specification of when the command should run
|
|
type: string
|
|
default: now + 1 minute
|
|
at_command:
|
|
description: The command to be run
|
|
type: string
|
|
default: echo Hello from Atomic Red Team
|
|
dependencies:
|
|
- description: kubectl must be installed and configured
|
|
get_prereq_command: |
|
|
echo "kubectl must be installed manually"
|
|
prereq_command: |
|
|
which kubectl
|
|
executor:
|
|
name: bash
|
|
elevation_required: false
|
|
command: |
|
|
kubectl run #{pod_name} --image=ubuntu --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
|