T1053.002 At Mappings

Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.

On Linux and macOS, at may be invoked by the superuser as well as any users added to the <code>at.allow</code> file. If the <code>at.allow</code> file does not exist, the <code>at.deny</code> file is checked. Every username not listed in <code>at.deny</code> is allowed to invoke at. If the <code>at.deny</code> exists and is empty, global use of at is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use at.(Citation: Linux at)

Adversaries may use at to execute programs at system startup or on a scheduled basis for Persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).

In Linux environments, adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-02 Account Management Protects T1053.002 At
AC-05 Separation of Duties Protects T1053.002 At
AC-06 Least Privilege Protects T1053.002 At
CA-08 Penetration Testing Protects T1053.002 At
CM-02 Baseline Configuration Protects T1053.002 At
CM-05 Access Restrictions for Change Protects T1053.002 At
CM-06 Configuration Settings Protects T1053.002 At
CM-07 Least Functionality Protects T1053.002 At
CM-08 System Component Inventory Protects T1053.002 At
IA-04 Identifier Management Protects T1053.002 At
RA-05 Vulnerability Monitoring and Scanning Protects T1053.002 At
SI-04 System Monitoring Protects T1053.002 At
IA-02 Identification and Authentication (organizational Users) Protects T1053.002 At
AC-03 Access Enforcement Protects T1053.002 At