Commit

Fixed URL
ikiril01 committed May 15, 2019
1 parent 0b57e59 commit 0d84eea
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion analytics/CAR-2015-04-001.yaml
@@ -10,7 +10,7 @@ contributors:
- MITRE
id: CAR-2015-04-001
description: |-
When AT.exe is used to remotely [schedule tasks](https://attack.mitre.org/techniques/T1053), Windows uses named pipes over [SMB]\(<https://en.wikipedia.org/wiki/Server> Message Block) to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe "ATSVC" is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention `C:\Windows\System32\AT<job\_id>`. Unlike [CAR-2013-05-004](CAR-2013-05-004), this analytic specifically focuses on uses of AT that can be detected between hosts, indicating remotely gained [execution](https://attack.mitre.org/tactics/TA0002).
When AT.exe is used to remotely [schedule tasks](https://attack.mitre.org/techniques/T1053), Windows uses named pipes over [SMB](<https://en.wikipedia.org/wiki/Server_Message_Block) to communicate with the API on the remote machine. After authentication over SMB, the Named Pipe "ATSVC" is opened, over which the JobAdd function is called. On the remote host, the job files are created by the Task Scheduler and follow the convention `C:\Windows\System32\AT<job\_id>`. Unlike [CAR-2013-05-004](CAR-2013-05-004), this analytic specifically focuses on uses of AT that can be detected between hosts, indicating remotely gained [execution](https://attack.mitre.org/tactics/TA0002).
This pipe activity could be discovered with a network decoder, such as that in wireshark, that can inspect SMB traffic to identify the use of pipes. It could also be detected by looking for raw packet capture streams or from a custom sensor on the host that hooks the appropriate API functions. If no network or API level of visibility is possible, this traffic may inferred by looking at SMB connections over 445/tcp followed by the creation of files matching the pattern `C:\Windows\System32\AT\<job_id\>`.
coverage:
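Review bot: the replacement `description` line still carries a malformed link destination: `[SMB](<https://en.wikipedia.org/wiki/Server_Message_Block)` opens an angle-bracketed URL with `<` but never closes it with `>`, so Markdown renderers will not treat it as a link; drop the bracket and write `[SMB](https://en.wikipedia.org/wiki/Server_Message_Block)`. Two nits on the same block while it is being touched: the unchanged line below reads "this traffic may inferred" (missing "be"), and the job-file pattern is spelled two ways (`AT<job\_id>` on the changed line, `AT\<job_id\>` in the context line); inside backticks the backslash escapes are shown literally, so a single consistent `C:\Windows\System32\AT<job_id>` would read more clearly in both places.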
