Removing AT File Mole — Step‑by‑Step Cleanup Tutorial

Preventing AT File Mole: Best Practices for System Security”AT File Mole” (hereafter referred to as AT File Mole) describes a class of threats that exploit automated task scheduling and file-handling mechanisms to persist on, propagate through, or exfiltrate data from a system. These threats can be malware that creates, modifies, or uses scheduled tasks (for example, Windows “at” or Task Scheduler jobs), or specially crafted files that piggyback on legitimate automation processes. Preventing them requires a layered approach covering policy, configuration, monitoring, endpoint hygiene, and user behavior.

Understanding how AT File Mole works

AT File Mole techniques commonly combine one or more of the following behaviors:

• Abuse of scheduled tasks or cron jobs to run malicious binaries or scripts at specific times or system events.
• Dropping or modifying files in directories that are processed automatically (startup folders, watch directories, backup targets).
• Creating or modifying configuration or automation scripts (PowerShell, shell scripts, .bat/.cmd, systemd unit files).
• Leveraging weak permissions on automation tools or service accounts to escalate privileges or persist after reboots.
• Hiding payloads inside seemingly legitimate files (document macros, signed installers) that are later executed by scheduled tasks or a user action.

By understanding these patterns, defenders can prioritize controls that break the attack chain at multiple points.

Core prevention strategies

1) Harden scheduling and automation services

• Restrict who can create, modify, or run scheduled tasks. Use group policy or configuration management to limit access to Task Scheduler and cron.
• Require strong authentication for service and automation accounts; avoid using high-privilege accounts for routine scheduled tasks.
• Disable legacy or unused scheduling utilities (Windows “at”) and unnecessary automation features.
• Enforce signed, verified scripts where possible (PowerShell execution policies with code-signing, signed systemd units).

2) Implement strict file and directory permissions

• Apply least-privilege permissions on directories processed by automation (startup folders, web app upload paths, backup locations). Ensure only trusted administrators can write to these locations.
• Use access control lists (ACLs) and SELinux/AppArmor policies to confine processes and prevent unauthorized file writes.
• Restrict creation of executables and script files in user-writable directories (Downloads, Temp) with file system rules or endpoint controls.

3) Secure endpoints and servers

• Keep operating systems and software updated with security patches to limit weaknesses that attackers exploit to plant AT File Mole components.
• Employ endpoint protection platforms (EPP) and endpoint detection and response (EDR) that detect suspicious scheduled task creation, script executions, and anomalous file modifications.
• Use application allowlisting (whitelisting) so only approved binaries and scripts can execute; complement with software restriction policies on Windows or AppArmor/SELinux on Linux.

4) Protect scripting subsystems

• Enforce PowerShell Constrained Language Mode for untrusted users and require signed scripts for enterprise use. Enable script-block logging and module logging to capture unexpected script behavior.
• Monitor and restrict use of wmic, schtasks, at, curl, wget, netcat, and other tooling often used in automation or by attackers.
• On Linux, monitor cron, systemd timers, and user crontabs; restrict editing of /etc/cron.* and system-wide timer units to administrators.

5) Lock down backups and archive tools

• Ensure backups are immutable or versioned to prevent attackers from modifying or deleting backups to cover tracks.
• Limit who can run, configure, or write to backup jobs and storage.
• Verify integrity of backups regularly and perform test restores.

6) Network and perimeter controls

• Use network segmentation to separate systems that run automated tasks from general-purpose user systems.
• Block outbound traffic from servers that have no business initiating external connections; use egress filtering and web proxies.
• Monitor for suspicious C2 patterns and unusual scheduled outbound connections.

7) Monitoring, detection, and alerting

• Instrument logging for scheduled task creation/modification events (Event ID 4698/4700/4702 on Windows Task Scheduler; cron/syslog on Linux).
• Centralize logs (SIEM) and create rules to alert on:
  • New or modified scheduled tasks running from uncommon paths.
  • Execution of scripts from user-writable directories.
  • Creation of executable files with odd parent processes.
• Use file integrity monitoring (FIM) to detect unauthorized changes to automation scripts, service files, and startup locations.

8) User education and policy

• Train users not to run unknown attachments or macros. Emphasize risks of saving executables or scripts in shared automation directories.
• Maintain clear policies for deploying automated tasks: change control, review, and approval before adding scheduled jobs.
• Encourage use of secure methods for legitimate automation (central orchestration tools with RBAC and audit trails rather than ad-hoc user-created scheduled tasks).

Practical checklist — quick wins

• Disable legacy scheduling tools (e.g., Windows “at”) unless explicitly needed.
• Enforce application allowlisting for servers and critical endpoints.
• Restrict write permissions on startup, automation, and web upload folders.
• Enable script logging and require signed scripts for PowerShell.
• Configure EDR to alert on creation/modification of scheduled tasks and unusual script execution.
• Make backups immutable and regularly test restores.
• Centralize logs and create SIEM alerts for scheduled-task-related events.

Incident response considerations if AT File Mole is suspected

• Isolate affected hosts quickly to prevent further scheduling or lateral movement.
• Collect relevant artifacts: scheduled task XML files, crontabs, systemd unit files, startup folder contents, script files, and relevant event logs.
• Use FIM and SIEM to identify when the first modification occurred and which accounts/processes were involved.
• Rotate credentials for any accounts used by discovered tasks or services; check for credential theft.
• Restore affected automation configuration from known-good backups; ensure persistence mechanisms are removed before re-enabling systems.
• Conduct a post-incident review to improve controls and update the checklist above.

Example controls mapped to tools/platforms (brief)

• Windows: Group Policy for Task Scheduler permissions, AppLocker/WDAC for allowlisting, PowerShell Constrained Language and script-block logging, Event IDs 4698/4700/4702 monitoring, EDR (examples: Microsoft Defender for Endpoint).
• Linux: Restrict /etc/cron.* and /var/spool/cron, use systemd unit permissions, AppArmor/SELinux, auditd rules for monitoring cron/systemd activities, FIM (OSSEC, Tripwire), EDR agents.
• Cloud/Containers: Use IAM least privilege for cron-like services (Cloud Scheduler, AWS EventBridge), restrict container images to signed images, use orchestrator RBAC and immutable deployments.

Final note

No single control stops every variant of AT File Mole. Combine least-privilege policies, hardened automation, strong endpoint defenses, logging/alerting, immutable backups, and user training for a layered defense that prevents, detects, and rapidly responds to threats that abuse scheduled tasks and automated file processing.