Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)
An adversary may use at in Linux environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
AC-2 | Account Management | Protects | T1053.001 | At (Linux) |
AC-3 | Access Enforcement | Protects | T1053.001 | At (Linux) |
AC-5 | Separation of Duties | Protects | T1053.001 | At (Linux) |
AC-6 | Least Privilege | Protects | T1053.001 | At (Linux) |
CA-8 | Penetration Testing | Protects | T1053.001 | At (Linux) |
CM-5 | Access Restrictions for Change | Protects | T1053.001 | At (Linux) |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.001 | At (Linux) |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.001 | At (Linux) |
SI-4 | System Monitoring | Protects | T1053.001 | At (Linux) |
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1053.001 | At (Linux) |