Skip to content

T1053.002 At

Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task‘s schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.

On Linux and macOS, at may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke at. If the at.deny exists and is empty, global use of at is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use at.3

Adversaries may use at to execute programs at system startup or on a scheduled basis for Persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).

In Linux environments, adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via sudo.2

Item Value
ID T1053.002
Sub-techniques T1053.002, T1053.003, T1053.005, T1053.006, T1053.007
Tactics TA0002, TA0003, TA0004
Platforms Linux, Windows, macOS
Permissions required Administrator, User
Version 2.0
Created 27 November 2019
Last Modified 18 April 2022

Procedure Examples

ID Name Description
G0026 APT18 APT18 actors used the native at Windows task scheduler tool to use scheduled tasks for execution on a victim network.17
S0110 at at can be used to schedule a task on a system to be executed at a specific date or time.153
G0060 BRONZE BUTLER BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.18
S0488 CrackMapExec CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.14
S0233 MURKYTOP MURKYTOP has the capability to schedule remote AT jobs.16
G0027 Threat Group-3390 Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.19

Mitigations

ID Mitigation Description
M1047 Audit Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. 13 Windows operating system also creates a registry key specifically associated with the creation of a scheduled task on the destination host at: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. 11 In Linux and macOS environments, scheduled tasks using at can be audited locally, or through centrally collected logging, using syslog, or auditd events from the host. 12
M1028 Operating System Configuration Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. 10
M1026 Privileged Account Management Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. 9
M1018 User Account Management Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. In Linux environments, users account-level access to at can be managed using at.allow and at.deny files. Users listed in the at.allow are enabled to schedule actions using at, whereas users listed in at.deny file disabled from the utility.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Modification
DS0009 Process Process Creation
DS0003 Scheduled Job Scheduled Job Creation

References

  1. Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021. 

  2. Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved September 28, 2021. 

  3. IEEE/The Open Group. (2017). at(1p) — Linux manual page. Retrieved February 25, 2022. 

  4. Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017. 

  5. Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019. 

  6. Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017. 

  7. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. 

  8. Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017. 

  9. Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017. 

  10. Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017. 

  11. Carvey, H.. (2014, September). Where You AT?: Indicators of Lateral Movement Using at.exe on Windows 7 Systems. Retrieved November 27, 2019. 

  12. Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019. 

  13. PowerSploit. (n.d.). Retrieved December 4, 2014. 

  14. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. 

  15. Microsoft. (n.d.). At. Retrieved April 28, 2016. 

  16. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 

  17. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016. 

  18. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. 

  19. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.