Skip to content
Atomic Red Team
atomics
T1053.002

T1053.002 - Scheduled Task/Job: At

Description from ATT&CK (opens in a new tab)

Adversaries may abuse the at (opens in a new tab) utility to perform task scheduling for initial or recurring execution of malicious code. The at (opens in a new tab) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task (opens in a new tab)'s schtasks (opens in a new tab) in Windows environments, using at (opens in a new tab) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the at command, adversaries may also schedule a task with at (opens in a new tab) by directly leveraging the Windows Management Instrumentation (opens in a new tab) Win32_ScheduledJob WMI class.(Citation: Malicious Life by Cybereason)

On Linux and macOS, at (opens in a new tab) may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke at (opens in a new tab). If the at.deny exists and is empty, global use of at (opens in a new tab) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use at (opens in a new tab).(Citation: Linux at)

Adversaries may use at (opens in a new tab) to execute programs at system startup or on a scheduled basis for Persistence (opens in a new tab). at (opens in a new tab) can also be abused to conduct remote Execution (opens in a new tab) as part of Lateral Movement (opens in a new tab) and/or to run a process under the context of a specified account (such as SYSTEM).

In Linux environments, adversaries may also abuse at (opens in a new tab) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at (opens in a new tab) may also be used for Privilege Escalation (opens in a new tab) if the binary is allowed to run as superuser via sudo.(Citation: GTFObins at)

Atomic Tests


Atomic Test #1 - At.exe Scheduled task

Executes cmd.exe Note: deprecated in Windows 8+

Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.

Supported Platforms: Windows

auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8

Attack Commands: Run with command_prompt!

at 13:20 /interactive cmd


Atomic Test #2 - At - Schedule a job

This test submits a command to be run in the future by the at daemon.

Supported Platforms: Linux

auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e

Inputs:

NameDescriptionTypeDefault Value
time_specTime specification of when the command should runstringnow + 1 minute
at_commandThe command to be runstringecho Hello from Atomic Red Team

Attack Commands: Run with sh!

echo "#{at_command}" | at #{time_spec}

Dependencies: Run with sh!

Description: The at and atd executables must exist in the PATH
Check Prereq Commands:
if [ "$(uname)" = 'FreeBSD' ]; then which at; else which at && which atd; fi;
Get Prereq Commands:
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
Description: The atd daemon must be running
Check Prereq Commands:
if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;
Get Prereq Commands:
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'