AN0944: Analytic 0944
Detects usage of `at` command to schedule jobs, followed by job execution and modification of job files under /var/spool/cron/atjobs.
Analyst context for executives and security teams
This analytic focuses on Linux systems where the `at` command is used to schedule one-time jobs and where job files under `/var/spool/cron/atjobs` are created, modified, and later executed. For leaders, the significance is not the command itself, but whether the organization can prove it sees scheduled execution paths that may persist beyond an interactive session and run later without obvious user activity.
Executive priority
Prioritize this as a Linux monitoring and incident-readiness validation item. Security leaders should ask whether critical Linux servers collect enough process, file, and job-execution evidence to explain who scheduled a job, what ran, and whether spool files were changed. This supports SOC triage, incident reconstruction, and compliance evidence for administrative activity monitoring. Because no ATT&CK relationships or tactic mapping were supplied, treat it as a focused detection-control check rather than a standalone risk conclusion.
Technical view
For SOC and detection engineering teams, validate coverage for `at` command invocation, subsequent job execution, and file activity under `/var/spool/cron/atjobs` on Linux. Correlate process execution with file creation or modification in the atjobs spool location and later execution context. Pay attention to legitimate administrative scheduling, backup, maintenance, or batch-processing workflows to avoid noisy alerts. Since the official detection field is not provided, local implementation must define correlation windows, expected users, and approved scheduling patterns.
Likely telemetry
- Linux process execution telemetry showing `at` command usage
- Command-line arguments and parent/child process context where available
- File creation, modification, ownership, and permission changes under `/var/spool/cron/atjobs`
- Job execution evidence from Linux audit, endpoint, or system logs
- User, UID, host, and timestamp context for scheduled and executed jobs
Detection direction
- Confirm that Linux endpoints and servers generate and retain process execution data for `at`.
- Confirm file monitoring exists for `/var/spool/cron/atjobs`, including modification events rather than only creation events.
- Correlate scheduling activity with later execution instead of alerting on the command alone where legitimate use is common.
- Build allowlists or baselines for known administrative accounts and recurring operational use, while reviewing unusual users, hosts, timing, or modified job files.
- Test whether telemetry survives common SOC gaps such as short log retention, missing command-line capture, limited audit rules, or endpoint coverage exclusions on servers.
Mitigation priorities
- Restrict use of job scheduling utilities to authorized administrators where operationally feasible.
- Harden Linux administrative access and ensure privileged actions are attributable to named users or controlled service accounts.
- Apply file integrity or audit monitoring to sensitive scheduling directories such as `/var/spool/cron/atjobs`.
- Review operational processes that rely on `at` so detection tuning can distinguish expected maintenance from suspicious scheduling behavior.
- Maintain sufficient log retention to support investigation from scheduling through job execution.
Analyst notes and limits
The supplied object is a detection analytic for Linux only. It describes detecting `at` usage followed by job execution and modification of job files under `/var/spool/cron/atjobs`. No ATT&CK tactic, technique relationship, official detection logic, or related threat context was supplied, so this take frames the object as a coverage-validation and SOC-readiness item rather than as evidence of a specific adversary behavior chain.
This assessment is limited to the official STIX fields, external reference, and the absence of supplied relationships. It does not establish active exploitation, actor use, business impact, or complete detection coverage. Local Linux configuration, logging depth, administrative practices, and retention determine whether this analytic can be implemented effectively.
Analytic 0944
Detects usage of `at` command to schedule jobs, followed by job execution and modification of job files under /var/spool/cron/atjobs.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 5e874db38b14… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0944Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.