security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1053/T1053.md
T
CircleCI Atomic Red Team doc generator 91e86258e6 Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-24 17:09:43 +00:00

79 lines
2.5 KiB
Markdown
Raw Blame History

# T1053 - Scheduled Task
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1053)
<blockquote>Utilities such as [at](https://attack.mitre.org/software/S0110) and [schtasks](https://attack.mitre.org/software/S0111), along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)
An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.</blockquote>
## Atomic Tests
- [Atomic Test #1 - At.exe Scheduled task](#atomic-test-1---atexe-scheduled-task)
- [Atomic Test #2 - Scheduled task Local](#atomic-test-2---scheduled-task-local)
- [Atomic Test #3 - Scheduled task Remote](#atomic-test-3---scheduled-task-remote)
<br/>
## Atomic Test #1 - At.exe Scheduled task
Executes cmd.exe
Note: deprecated in Windows 8+
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
at 13:20 /interactive cmd
```
<br/>
<br/>
## Atomic Test #2 - Scheduled task Local
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe|
| time | What time 24 Hour | String | 72600|
#### Run it with `command_prompt`!
```
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
```
<br/>
<br/>
## Atomic Test #3 - Scheduled task Remote
Create a task on a remote system
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe|
| time | What time 24 Hour | String | 72600|
| target | Target | String | localhost|
| user_name | Username DOMAIN\User | String | DOMAIN\user|
| password | Password | String | At0micStrong|
#### Run it with `command_prompt`!
```
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink