T1053.002 - Scheduled Task/Job: At
Description from ATT&CK

Adversaries may abuse the `at` utility to perform task scheduling for initial or recurring execution of malicious code. The `at` utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's `schtasks` in Windows environments, using `at` requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with `at` by directly leveraging the Windows Management Instrumentation `Win32_ScheduledJob` WMI class. (Citation: Malicious Life by Cybereason)

On Linux and macOS, `at` may be invoked by the superuser as well as any users added to the `at.allow` file. If the `at.allow` file does not exist, the `at.deny` file is checked. Every username not listed in `at.deny` is allowed to invoke `at`. If `at.deny` exists and is empty, global use of `at` is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use `at`. (Citation: Linux at)

Adversaries may use `at` to execute programs at system startup or on a scheduled basis for Persistence. `at` can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).

In Linux environments, adversaries may also abuse `at` to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, `at` may also be used for Privilege Escalation if the binary is allowed to run as superuser via `sudo`. (Citation: GTFObins at)
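The `at.allow` / `at.deny` decision procedure described above, written out as a runnable check. This is an added example, not code from this page or from the `at` sources; the file paths are parameters so the check can be pointed at copies of `/etc/at.allow` and `/etc/at.deny` pulled from a host under investigation, and the usernames in the demo (alice, bob) are made up.

```sh
#!/bin/sh
# Added example (not from the Atomic Red Team page or the at(1) sources):
# the at.allow / at.deny rules as a triage check. Paths default to /etc but
# can be pointed at copied files; alice/bob below are invented names.

# at_allowed USER [AT_ALLOW] [AT_DENY]: exit 0 if USER may submit at jobs
at_allowed() {
    user=$1
    allow=${2:-/etc/at.allow}
    deny=${3:-/etc/at.deny}

    # The superuser may always use at, whatever the files say.
    if [ "$user" = root ]; then
        return 0
    fi
    # at.allow present: only the usernames listed in it (one per line).
    if [ -f "$allow" ]; then
        if grep -qxF "$user" "$allow"; then return 0; else return 1; fi
    fi
    # at.allow absent, at.deny present: everyone who is not listed. An empty
    # at.deny therefore opens at to every local account.
    if [ -f "$deny" ]; then
        if grep -qxF "$user" "$deny"; then return 1; else return 0; fi
    fi
    # Neither file exists (the usual baseline): superuser only.
    return 1
}

# at_policy_mode [AT_ALLOW] [AT_DENY]: prints which of the four rules is in force
at_policy_mode() {
    allow=${1:-/etc/at.allow}
    deny=${2:-/etc/at.deny}
    if [ -f "$allow" ]; then
        echo allow-list
    elif [ -f "$deny" ]; then
        if [ -s "$deny" ]; then echo deny-list; else echo open; fi
    else
        echo root-only
    fi
}

# Demo against constructed files in a scratch directory: at.allow lists alice only.
tmp=$(mktemp -d)
printf 'alice\n' > "$tmp/at.allow"
for u in root alice bob; do
    if at_allowed "$u" "$tmp/at.allow" "$tmp/at.deny"; then
        echo "$u: may use at (mode: $(at_policy_mode "$tmp/at.allow" "$tmp/at.deny"))"
    else
        echo "$u: may not use at (mode: $(at_policy_mode "$tmp/at.allow" "$tmp/at.deny"))"
    fi
done
rm -rf "$tmp"

# Against the live host (reads /etc/at.allow and /etc/at.deny if present).
echo "this host: $(at_policy_mode); $(id -un): $(at_allowed "$(id -un)" && echo allowed || echo denied)"
```

The `open` mode (an `at.deny` that exists but is empty) is the one worth flagging in a baseline review: several distributions ship exactly that file, which is why the "only the superuser" default rarely applies in practice.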
Atomic Tests
Atomic Test #1 - At.exe Scheduled task

Executes cmd.exe. Note: at.exe is deprecated in Windows 8+, where schtasks.exe replaces it.

Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that runs cmd.exe at 13:20 local time; the `/interactive` switch lets the job interact with the desktop of the user logged on when it runs.
Supported Platforms: Windows
auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
Attack Commands: Run with command_prompt

```cmd
at 13:20 /interactive cmd
```
Atomic Test #2 - At - Schedule a job

This test submits a command to be run in the future by the `at` daemon (`atd`).
Supported Platforms: Linux
auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
time_spec | Time specification of when the command should run | string | now + 1 minute |
at_command | The command to be run | string | echo Hello from Atomic Red Team |
Attack Commands: Run with sh

```sh
echo "#{at_command}" | at #{time_spec}
```
Dependencies: Run with sh

Description: The `at` and `atd` executables must exist in the PATH (FreeBSD has no `atd`; its jobs are run by cron's `atrun`, so only `at` is checked there)

Check Prereq Commands:

```sh
if [ "$(uname)" = 'FreeBSD' ]; then which at; else which at && which atd; fi;
```

Get Prereq Commands:

```sh
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
```

Description: The `atd` daemon must be running

Check Prereq Commands:

```sh
if [ "$(uname)" = 'Linux' ]; then systemctl status atd || service atd status; fi;
```

Get Prereq Commands:

```sh
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
```

Note that the second check only runs on Linux; on any other platform the `if` body is skipped and the prerequisite is reported as met without verifying that anything will actually execute the queued job.
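What Test #2 leaves behind on a Linux host is a job file in the `at` spool, and that file is where a responder recovers the scheduled command. The following is an added example, not part of the Atomic Red Team test: it parses the spool file format that `at` writes (a shell script whose submitted command sits in a here-document introduced by a `${SHELL:-/bin/sh} << 'marcinDELIMITER...'` line, preceded by a `# atrun uid=` line recording the submitter). The spool path (`/var/spool/cron/atjobs` on Debian-derived systems, `/var/spool/at` on others) is an assumption to adjust per distribution, and the sample job file and its name are constructed here rather than taken from a real system.

```sh
#!/bin/sh
# Added example (not from the Atomic Red Team page): recover pending at(1)
# jobs from the spool. Spool path is distribution-specific (assumption:
# /var/spool/cron/atjobs on Debian-derived systems, /var/spool/at elsewhere).
# The job file written below is a constructed sample modelled on what
# `echo ... | at now + 1 minute` produces, not a copy of a real spool file.

# extract_at_job_command FILE: prints the body of the job's here-document,
# i.e. the command the submitter typed. Everything before the heredoc line is
# environment captured at submission time (PATH, HOME, working directory).
extract_at_job_command() {
    awk '
        /<< .marcinDELIMITER/ {
            delim = $NF
            sub(/^./, "", delim); sub(/.$/, "", delim)   # strip the quotes
            body = 1; next
        }
        body && $0 == delim { body = 0; next }
        body && NF { print }        # drop the trailing blank line at appends
    ' "$1"
}

# at_job_owner FILE: prints the uid recorded on the "# atrun uid=" line
at_job_owner() {
    sed -n 's/^# atrun uid=\([0-9]*\).*/\1/p' "$1"
}

# triage_at_spool DIR: one line per job file: name, submitting uid, command
# (multi-line commands are joined with ';' so each job stays on one line)
triage_at_spool() {
    for job in "$1"/*; do
        [ -f "$job" ] || continue
        printf '%s uid=%s cmd=%s\n' "$(basename "$job")" "$(at_job_owner "$job")" \
            "$(extract_at_job_command "$job" | tr '\n' ';')"
    done
}

# write_sample_job FILE: constructed sample spool entry (uid 1000, user "user")
write_sample_job() {
    cat > "$1" <<'EOF'
#!/bin/sh
# atrun uid=1000 gid=1000
# mail user 0
umask 22
PATH=/usr/local/bin:/usr/bin:/bin; export PATH
HOME=/home/user; export HOME
LOGNAME=user; export LOGNAME
cd /home/user || {
     echo 'Execution directory inaccessible' >&2
     exit 1
}
${SHELL:-/bin/sh} << 'marcinDELIMITER5b0c6f8e'
echo Hello from Atomic Red Team

marcinDELIMITER5b0c6f8e
EOF
}

# Demo on a scratch spool; on a live host run: triage_at_spool /var/spool/cron/atjobs
spool=$(mktemp -d)
write_sample_job "$spool/a0000101a2b3c4"   # constructed job file name
triage_at_spool "$spool"
rm -rf "$spool"
```

Reading the spool directly (as root) rather than relying on `atq` matters because `atq` only lists the calling user's jobs and shows no command, while the file also records the uid and environment the job will run with.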