Adding At.exe, for submission to LOLbas list, with proof of malware using it in wild :O

yml/OSBinaries/At.yml

@@ -0,0 +1,31 @@
+---
+Name: At.exe
+Description: Schedule periodic tasks
+Author: 'Freddie Barr-Smith'
+Created: '2019-09-20'
+Commands:
+  - Command: C:\Windows\System32\at.exe at 09:00 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\revshell.exe
+    Description: Create a recurring task to execute every day at a specific time. Only available up to Windows 7.
+    Usecase: Create a recurring task, to eg. to keep reverse shell session(s) alive
+    Category: Execute 
+    Privileges: Local Admin
+    MitreID: T1053
+    MitreLink: https://attack.mitre.org/wiki/Technique/T1053
+    OperatingSystem: Windows
+Full_Path:
+  - Path: C:\WINDOWS\System32\At.exe
+  - Path: C:\WINDOWS\SysWOW64\At.exe
+Detection:
+  - IOC: Scheduled task is created
+  - IOC: Windows event log - type 3 login 
+  - IOC: C:\Windows\System32\Tasks\At1 (substitute 1 with subsequent number of at job)
+  - IOC: C:\Windows\Tasks\At1.job
+  - IOC: Registry Key Created: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. 
+Resources:
+  - Link: https://freddiebarrsmith.com/at.txt
+  - Link: https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html - Escalate to System from Administrator
+  - Link: https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems
+Acknowledgement:
+  - Person: Freddie Barr-Smith, Riccardo Spolaor, Mariano Graziano, Xabier Ugarte-Pedrero
+---
+