Adversaries may abuse the at utility to perform task scheduling for initial, recurring, or future execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)
An adversary may use at in Linux environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.
Adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1053.001 | At (Linux) | |
| AC-3 | Access Enforcement | Protects | T1053.001 | At (Linux) | |
| AC-5 | Separation of Duties | Protects | T1053.001 | At (Linux) | |
| AC-6 | Least Privilege | Protects | T1053.001 | At (Linux) | |
| CA-8 | Penetration Testing | Protects | T1053.001 | At (Linux) | |
| CM-5 | Access Restrictions for Change | Protects | T1053.001 | At (Linux) | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.001 | At (Linux) | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.001 | At (Linux) | |
| SI-4 | System Monitoring | Protects | T1053.001 | At (Linux) |