| Item | Value |
|---|---|
| ID | DET0333 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1053.002 (At)
Analytics
Windows
AN0943
Detects creation of scheduled tasks via at.exe or WMI Win32_ScheduledJob class, followed by execution of anomalous processes by svchost.exe or taskeng.exe.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TaskUser | Unusual users creating jobs (e.g., non-admin accounts or service users). |
| ExecutionTimeWindow | Delay between task registration and execution. |
| CommandLinePattern | Unexpected script or binary execution (e.g., cmd.exe /c PowerShell payload). |
Linux
AN0944
Detects usage of at command to schedule jobs, followed by job execution and modification of job files under /var/spool/cron/atjobs.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| AtJobPath | Monitoring additional paths (e.g., tmp-mounted spool dirs) for modified at jobs. |
| ScheduleLatency | Expected delay between at job creation and execution. |
| JobScriptEntropy | High entropy or obfuscation in at job payloads. |
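
The AN0944 chain as an added example, not part of the original detection strategy: an at invocation, a job file write under the spool path, then a process spawned by atd, correlated per user within ScheduleLatency, with JobScriptEntropy computed over the job file. The event schema, the sample events, the `/usr/bin/at` binary path and the threshold values are assumptions constructed for illustration.

```python
import math
from collections import Counter

# Tunables named after the page's mutable elements; the values are assumptions.
AT_JOB_PATHS = ("/var/spool/cron/atjobs/",)  # AtJobPath
SCHEDULE_LATENCY = 3600                       # ScheduleLatency: correlation window, seconds
ENTROPY_THRESHOLD = 4.5                       # JobScriptEntropy: bits per character

def shannon_entropy(text):
    """Shannon entropy of a string in bits per character (0 for an empty string)."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def correlate_at_jobs(events):
    """Report each at invocation followed by a spool write and an atd-spawned process."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, start in enumerate(events):
        if start["type"] != "exec" or start["exe"] != "/usr/bin/at":
            continue
        # Same user, inside the correlation window that opens at the at invocation.
        later = [e for e in events[i + 1:]
                 if e["uid"] == start["uid"] and e["ts"] - start["ts"] <= SCHEDULE_LATENCY]
        spool = next((e for e in later if e["type"] == "file_write"
                      and e["path"].startswith(AT_JOB_PATHS)), None)
        run = next((e for e in later if e["type"] == "exec"
                    and e.get("parent") == "atd"), None)
        if spool is None or run is None or run["ts"] < spool["ts"]:
            continue  # chain incomplete or out of order
        findings.append({
            "uid": start["uid"], "job_path": spool["path"], "executed": run["exe"],
            "latency": run["ts"] - start["ts"],
            "high_entropy": shannon_entropy(spool["content"]) > ENTROPY_THRESHOLD,
        })
    return findings

# Constructed sample events in a hypothetical normalized schema (not real log output).
SPOOL = AT_JOB_PATHS[0]
BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # stand-in for encoded data
SAMPLE_EVENTS = [
    {"ts": 100, "type": "exec", "uid": 1001, "exe": "/usr/bin/at"},
    {"ts": 101, "type": "file_write", "uid": 1001, "path": SPOOL + "a01", "content": BLOB},
    {"ts": 160, "type": "exec", "uid": 1001, "exe": "/bin/sh", "parent": "atd"},
    {"ts": 200, "type": "exec", "uid": 1000, "exe": "/usr/bin/at"},
    {"ts": 201, "type": "file_write", "uid": 1000, "path": SPOOL + "a02", "content": "/usr/bin/updatedb\n"},
    {"ts": 260, "type": "exec", "uid": 1000, "exe": "/bin/sh", "parent": "atd"},
    {"ts": 300, "type": "exec", "uid": 1002, "exe": "/usr/bin/at"},
    {"ts": 301, "type": "file_write", "uid": 1002, "path": SPOOL + "a03", "content": "/usr/bin/updatedb\n"},
    {"ts": 7500, "type": "exec", "uid": 1002, "exe": "/bin/sh", "parent": "atd"},
]
```

The third job (uid 1002) runs outside the window and yields no finding, which is the trade-off ScheduleLatency tunes: a short window misses jobs scheduled far ahead.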
macOS
AN0945
Detects user or root invocation of at command to schedule a job, followed by job execution using LaunchServices and activity in /usr/lib/cron/at.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| AtPermissions | Whether at.allow and at.deny are properly configured. |
| ExecutionCommand | Target binary executed via the at job. |
| RunUser | Detection of root user scheduling job with unusual command. |