| ID | Name |
|---|---|
| T1053.002 | At |
| T1053.003 | Cron |
| T1053.005 | Scheduled Task |
| T1053.006 | Systemd Timers |
| T1053.007 | Container Orchestration Job |
Adversaries may abuse theat utility to perform task scheduling for initial or recurring execution of malicious code. Theat utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor ofScheduled Task'sschtasks in Windows environments, usingat requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running theat command, adversaries may also schedule a task withat by directly leveraging theWindows Management InstrumentationWin32_ScheduledJob WMI class.[1]
On Linux and macOS,at may be invoked by the superuser as well as any users added to theat.allow file. If theat.allow file does not exist, theat.deny file is checked. Every username not listed inat.deny is allowed to invokeat. If theat.deny exists and is empty, global use ofat is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to useat.[2]
Adversaries may useat to execute programs at system startup or on a scheduled basis forPersistence.at can also be abused to conduct remoteExecution as part ofLateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuseat to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly,at may also be used forPrivilege Escalation if the binary is allowed to run as superuser viasudo.[3]
| ID | Name | Description |
|---|---|---|
| G0026 | APT18 | APT18 actors used the nativeat Windows task scheduler tool to use scheduled tasks for execution on a victim network.[4] |
| S0110 | at | at can be used to schedule a task on a system to be executed at a specific date or time.[5][2] |
| G0060 | BRONZE BUTLER | BRONZE BUTLER has usedat to register a scheduled task to execute malware during lateral movement.[6] |
| S0488 | CrackMapExec | CrackMapExec can set a scheduled task on the target system to execute commands remotely usingat.[7] |
| S0233 | MURKYTOP | |
| G0027 | Threat Group-3390 | Threat Group-3390 actors useat to schedule tasks to run self-extracting RAR archives, which installHTTPBrowser orPlugX on other victims on a network.[9] |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges.[10] Windows operating system also creates a registry key specifically associated with the creation of a scheduled task on the destination host at: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1.[11] In Linux and macOS environments, scheduled tasks using |
| M1028 | Operating System Configuration | Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at |
| M1026 | Privileged Account Management | Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority.[14] |
| M1018 | User Account Management | Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. In Linux environments, users account-level access to |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0333 | Cross-Platform Detection of Scheduled Task/Job Abuse via `at` Utility | AN0943 | Detects creation of scheduled tasks via |
| AN0944 | Detects usage of | ||
| AN0945 | Detects user or root invocation of |