T1053.002 At (Windows) Mappings

Adversaries may abuse the <code>at.exe</code> utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.

An adversary may use <code>at.exe</code> in Windows environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).

Note: The <code>at.exe</code> command line utility has been deprecated in current versions of Windows in favor of <code>schtasks</code>.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1053.002 At (Windows)
AC-3 Access Enforcement Protects T1053.002 At (Windows)
AC-5 Separation of Duties Protects T1053.002 At (Windows)
AC-6 Least Privilege Protects T1053.002 At (Windows)
CA-8 Penetration Testing Protects T1053.002 At (Windows)
CM-2 Baseline Configuration Protects T1053.002 At (Windows)
CM-5 Access Restrictions for Change Protects T1053.002 At (Windows)
CM-6 Configuration Settings Protects T1053.002 At (Windows)
CM-7 Least Functionality Protects T1053.002 At (Windows)
CM-8 System Component Inventory Protects T1053.002 At (Windows)
IA-2 Identification and Authentication (organizational Users) Protects T1053.002 At (Windows)
IA-4 Identifier Management Protects T1053.002 At (Windows)
RA-5 Vulnerability Monitoring and Scanning Protects T1053.002 At (Windows)
SI-4 System Monitoring Protects T1053.002 At (Windows)
file_integrity_monitoring File Integrity Monitoring technique_scores T1053.002 At (Windows)