Adversaries may abuse the <code>at.exe</code> utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
An adversary may use <code>at.exe</code> in Windows environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).
Note: The <code>at.exe</code> command line utility has been deprecated in current versions of Windows in favor of <code>schtasks</code>.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1053.002 | At (Windows) | |
| AC-3 | Access Enforcement | Protects | T1053.002 | At (Windows) | |
| AC-5 | Separation of Duties | Protects | T1053.002 | At (Windows) | |
| AC-6 | Least Privilege | Protects | T1053.002 | At (Windows) | |
| CA-8 | Penetration Testing | Protects | T1053.002 | At (Windows) | |
| CM-2 | Baseline Configuration | Protects | T1053.002 | At (Windows) | |
| CM-5 | Access Restrictions for Change | Protects | T1053.002 | At (Windows) | |
| CM-6 | Configuration Settings | Protects | T1053.002 | At (Windows) | |
| CM-7 | Least Functionality | Protects | T1053.002 | At (Windows) | |
| CM-8 | System Component Inventory | Protects | T1053.002 | At (Windows) | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.002 | At (Windows) | |
| IA-4 | Identifier Management | Protects | T1053.002 | At (Windows) | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.002 | At (Windows) | |
| SI-4 | System Monitoring | Protects | T1053.002 | At (Windows) |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.002 | Scheduled Task/Job: At (Windows) |