SigmaHQ/rules/windows/process_creation/win_interactive_at.yml

title: Interactive AT Job
description: Detect an interactive AT job, which may be used as a form of privilege escalation.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
date: 2019/10/24
tags:
    - attack.privilege_escalation
    - attack.t1053
detection:
    selection:
        Image:
            - '*at.exe'
        CommandLine:
            - '* interactive*'
    condition: selection
falsepositives:
    - unlike (at.exe deprecated as of Windows 8)
level: high
logsource:
    category: process_creation
    product: windows
Added Atomic Blue Detections Repo 2019-10-28 10:59:49 +00:00			`title: Interactive AT Job`
			`description: Detect an interactive AT job, which may be used as a form of privilege escalation.`
			`status: experimental`
			`author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)`
			`date: 2019/10/24`
			`tags:`
			`- attack.privilege_escalation`
			`- attack.t1053`
			`detection:`
			`selection:`
			`Image:`
			`- '*at.exe'`
			`CommandLine:`
			`- '* interactive*'`
			`condition: selection`
			`falsepositives:`
			`- unlike (at.exe deprecated as of Windows 8)`
			`level: high`
			`logsource:`
			`category: process_creation`
			`product: windows`