Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the at command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation Win32_ScheduledJob WMI class. (Citation: Malicious Life by Cybereason)
On Linux and macOS, at may be invoked by the superuser as well as any users added to the `at.allow` file. If the `at.allow` file does not exist, the `at.deny` file is checked. Every username not listed in `at.deny` is allowed to invoke at. If `at.deny` exists and is empty, global use of at is permitted. If neither file exists (which is often the baseline), only the superuser is allowed to use at. (Citation: Linux at)
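The `at.allow` / `at.deny` precedence rules above, written as a small audit that lists which local accounts can currently schedule at jobs. This is an added example, not code from ATT&CK or the Mappings Explorer; the account names and file contents are constructed, and the superuser name is assumed to be root.

```python
"""Decide which local accounts may invoke at(1), following the at.allow /
at.deny precedence rules described above.  Added example; account names
and file contents below are constructed, superuser assumed to be root."""
from typing import List, Optional


def at_permitted(user: str, superuser: str,
                 allow: Optional[List[str]], deny: Optional[List[str]]) -> bool:
    """Return True if `user` may invoke at.

    allow / deny are the parsed contents of at.allow / at.deny, or None
    when the corresponding file does not exist.  Rules, in order:
      1. the superuser is always permitted;
      2. if at.allow exists, only users listed there are permitted;
      3. else if at.deny exists, every user NOT listed there is permitted
         (so an empty at.deny permits everyone);
      4. if neither file exists, only the superuser is permitted.
    """
    if user == superuser:
        return True
    if allow is not None:
        return user in allow
    if deny is not None:
        return user not in deny
    return False


def parse_acl(text: Optional[str]) -> Optional[List[str]]:
    """Parse one username per line; None means the file is absent."""
    if text is None:
        return None
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_at_access(users: List[str], allow_text: Optional[str],
                    deny_text: Optional[str], superuser: str = "root") -> List[str]:
    """Return the subset of `users` that can schedule at jobs on this host."""
    allow, deny = parse_acl(allow_text), parse_acl(deny_text)
    return [u for u in users if at_permitted(u, superuser, allow, deny)]


# Constructed sample data: four local accounts checked against three host states.
USERS = ["root", "alice", "bob", "svc-backup"]
if __name__ == "__main__":
    print(audit_at_access(USERS, None, None))          # neither file: root only
    print(audit_at_access(USERS, "alice\n", "bob\n"))  # at.allow wins over at.deny
    print(audit_at_access(USERS, None, ""))            # empty at.deny: everyone
```

Feeding the function the real `/etc/at.allow` and `/etc/at.deny` contents (or None when absent) shows which non-root accounts a least-functionality baseline should remove from the allowed set.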
Adversaries may use at to execute programs at system startup or on a scheduled basis for Persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1053.002 | At | Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1053.002 | At | Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
PR.AA-05.02 | Privileged system access | Mitigates | T1053.002 | At | Comments: This diagnostic statement protects against At through the use of privileged account management and the use of multi-factor authentication. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1053.002 | At | Comments: This diagnostic statement provides protection from Scheduled Task/Job: At through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System including running of scheduled tasks as authenticated user instead of SYSTEM and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. |
DE.CM-03.03 | Privileged account monitoring | Mitigates | T1053.002 | At | Comments: This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse. |
PR.AA-01.01 | Identity and credential management | Mitigates | T1053.002 | At | Comments: This diagnostic statement protects against At through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1053.002 | At | |
CM-05 | Access Restrictions for Change | mitigates | T1053.002 | At | |
IA-04 | Identifier Management | mitigates | T1053.002 | At | |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1053.002 | At | |
CM-08 | System Component Inventory | mitigates | T1053.002 | At | |
CM-02 | Baseline Configuration | mitigates | T1053.002 | At | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1053.002 | At | |
CM-07 | Least Functionality | mitigates | T1053.002 | At | |
SI-04 | System Monitoring | mitigates | T1053.002 | At | |
AC-02 | Account Management | mitigates | T1053.002 | At | |
AC-05 | Separation of Duties | mitigates | T1053.002 | At | |
AC-06 | Least Privilege | mitigates | T1053.002 | At | |
AC-03 | Access Enforcement | mitigates | T1053.002 | At | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1053.002 | At | |
action.malware.variety.In-memory | (malware never stored to persistent storage) | related-to | T1053.002 | At | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1053.002 | At | Comments: This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. |