Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
On Linux and macOS, at may be invoked by the superuser as well as any users added to the <code>at.allow</code> file. If the <code>at.allow</code> file does not exist, the <code>at.deny</code> file is checked. Every username not listed in <code>at.deny</code> is allowed to invoke at. If the <code>at.deny</code> exists and is empty, global use of at is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use at.(Citation: Linux at)
Adversaries may use at to execute programs at system startup or on a scheduled basis for Persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-02 | Account Management | Protects | T1053.002 | At |
AC-05 | Separation of Duties | Protects | T1053.002 | At |
AC-06 | Least Privilege | Protects | T1053.002 | At |
CA-08 | Penetration Testing | Protects | T1053.002 | At |
CM-02 | Baseline Configuration | Protects | T1053.002 | At |
CM-05 | Access Restrictions for Change | Protects | T1053.002 | At |
CM-06 | Configuration Settings | Protects | T1053.002 | At |
CM-07 | Least Functionality | Protects | T1053.002 | At |
CM-08 | System Component Inventory | Protects | T1053.002 | At |
IA-04 | Identifier Management | Protects | T1053.002 | At |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1053.002 | At |
SI-04 | System Monitoring | Protects | T1053.002 | At |
IA-02 | Identification and Authentication (organizational Users) | Protects | T1053.002 | At |
AC-03 | Access Enforcement | Protects | T1053.002 | At |