attack.t1053.002

Remote Schedule Task Lateral Movement via SASec
level
status experimental

Detects remote RPC calls to create or execute a scheduled task via SASec

Remote Schedule Task Lateral Movement via ITaskSchedulerService
level
status experimental

Detects remote RPC calls to create or execute a scheduled task

Remote Schedule Task Lateral Movement via ATSvc
level
status experimental

Detects remote RPC calls to create or execute a scheduled task via ATSvc

Interactive AT Job
level
status test

Detect an interactive AT job, which may be used as a form of privilege escalation.

Remote Task Creation via ATSVC Named Pipe - Zeek
level
status test

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe

Remote Task Creation via ATSVC Named Pipe
level
status test

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe

MITRE BZAR Indicators for Execution
level
status test

Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
