T1053.001 At (Linux)
Adversaries may abuse the at utility to perform task scheduling for initial, recurring, or future execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.1
An adversary may use at in Linux environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account.
Adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via sudo.2
Item | Value |
---|---|
ID | T1053.001 |
Sub-techniques | T1053.001, T1053.002, T1053.003, T1053.004, T1053.005, T1053.006, T1053.007 |
Tactics | TA0002, TA0003, TA0004 |
Platforms | Linux |
Version | 1.1 |
Created | 03 December 2019 |
Last Modified | 15 October 2021 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Scheduled tasks using at can be audited locally, or through centrally collected logging, using syslog, or auditd events from the host. 1 |
M1018 | User Account Management | User account-level access to at can be managed using the /etc/at.allow and /etc/at.deny files. Users listed in at.allow are permitted to schedule actions using at, whereas users listed in at.deny are prevented from using the utility. |
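A defender-side check for the at.allow/at.deny policy described in the M1018 row, written here as an added example and not taken from the ATT&CK page. The ETC variable and the at_access and audit_policy function names are constructed; the evaluation rules follow the at(1) man page and its permission check (root always allowed, allowlist first, then denylist, then root-only by default).

```shell
#!/bin/sh
# Added example (not part of the ATT&CK page): evaluate and audit the at(1)
# access policy described under M1018. Rules follow at(1) and its perm check:
#   - root may always use at;
#   - if $ETC/at.allow exists, only users listed in it may use at;
#   - otherwise, if $ETC/at.deny exists, every user NOT listed may use at
#     (an empty at.deny therefore allows everyone);
#   - if neither file exists, only root may use at.
# ETC defaults to /etc; point it at a constructed directory for testing.
ETC="${ETC:-/etc}"

# at_access USER: prints "allow" or "deny"; exit status 0 for allow, 1 for deny.
at_access() {
    user="$1"
    if [ "$user" = root ]; then echo allow; return 0; fi
    if [ -f "$ETC/at.allow" ]; then
        if grep -qxF -- "$user" "$ETC/at.allow"; then echo allow; return 0; fi
        echo deny; return 1
    fi
    if [ -f "$ETC/at.deny" ]; then
        if grep -qxF -- "$user" "$ETC/at.deny"; then echo deny; return 1; fi
        echo allow; return 0
    fi
    echo deny; return 1
}

# audit_policy: one-line summary of the effective policy. Flags the weak state
# where an empty at.deny (and no at.allow) lets every local user schedule jobs.
audit_policy() {
    if [ -f "$ETC/at.allow" ]; then
        n=$(wc -l < "$ETC/at.allow" | tr -d ' ')
        echo "allowlist: $n user(s) may use at"
    elif [ -f "$ETC/at.deny" ]; then
        if [ -s "$ETC/at.deny" ]; then
            n=$(wc -l < "$ETC/at.deny" | tr -d ' ')
            echo "denylist: $n user(s) denied, all others may use at"
        else
            echo "WEAK: empty at.deny, every user may schedule at jobs"
        fi
    else
        echo "default: only root may use at"
    fi
}

# Standalone use: report the host's policy and whether the current user may use at.
audit_policy
me=$(id -un)
echo "$me: $(at_access "$me")"
```

Run it as-is to audit the local /etc, or set ETC to a directory holding copies of at.allow/at.deny collected from another host.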
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | Process Creation |
DS0003 | Scheduled Job | Scheduled Job Creation |
References
- Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019.
- Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved September 28, 2021.
- Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021.