AN0945: Analytic 0945
Detects user or root invocation of the `at` command to schedule a job, followed by job execution using LaunchServices and activity in `/usr/lib/cron/at`.
Analyst context for executives and security teams
This analytic is relevant to macOS environments where the legacy `at` command can be used to schedule work that later executes outside the original user session. For leaders, the practical issue is persistence and delayed execution visibility: if scheduled jobs are not monitored, incident responders may miss activity that happens after the initial command has run.
Executive priority
Prioritize this where macOS endpoints support business-critical users, privileged administrators, or regulated workflows. The key management question is whether the organization can prove it collects enough endpoint evidence to reconstruct who scheduled a job, whether it ran as a user or root, and what executed afterward. This supports incident scoping, audit evidence, and endpoint control validation.
Technical view
Validate macOS telemetry for user or root invocation of the `at` command, subsequent job execution through LaunchServices, and related activity in `/usr/lib/cron/at`. Because the ATT&CK object provides no tactic mapping, official detection logic, or relationship context, teams should treat this as a coverage validation analytic rather than a complete rule. Correlate scheduler invocation, execution time, user context, parent/child process lineage, and filesystem activity to distinguish expected administrative scheduling from suspicious delayed execution.
Likely telemetry
- macOS process execution events including command name, command line, parent process, user, and effective privilege context
- Endpoint telemetry showing `at` command invocation by user or root
- LaunchServices-related execution events following scheduled job creation
- Filesystem activity involving `/usr/lib/cron/at`
- Timestamps that allow correlation between job scheduling and later execution
Detection direction
- Confirm whether endpoint tooling records `at` invocations on macOS with sufficient command-line and user context.
- Correlate job creation with later LaunchServices execution rather than alerting only on the initial command.
- Review activity in `/usr/lib/cron/at` as supporting evidence, not as a standalone indicator without process and user context.
- Tune for known administrative or operational use of scheduled jobs to reduce false positives.
- Check for blind spots on macOS hosts with limited EDR, incomplete command-line logging, or insufficient file activity collection.
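The technical view and the detection direction above both come down to the same join: tie an `at` invocation (with its user and effective-privilege context) to the spool activity under `/usr/lib/cron/at` and to the job that later runs, then suppress known operational scheduling. The following is an added example of that correlation logic over constructed telemetry; it is not detection code from ATT&CK or Glexia. The event field names (`kind`, `euid`, `image`, `argv`, `parent_image`, `path`), the use of a parent image named `atrun` to recognise the later job execution, and the `/tmp/job.sh` style sample commands are assumptions that must be mapped to what the EDR in use actually records.

```python
"""Correlate macOS `at` scheduling with spool activity and later job execution.

Added example for the detection direction of analytic AN0945; not ATT&CK or Glexia code.
Field names and the `atrun` parent-image assumption are illustrative, not an EDR schema.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

AT_SPOOL = "/usr/lib/cron/at"          # path named by the analytic
LIST_ONLY_FLAGS = {"-l", "-c"}          # `at -l` / `at -c` list or print jobs, they schedule nothing


@dataclass
class Event:
    ts: datetime
    kind: str                 # "process" or "file" (assumed telemetry shape)
    host: str
    user: str
    euid: int                 # effective uid: 0 means the call ran as root
    image: str = ""           # process events: executable path
    argv: tuple = ()          # process events: command line
    parent_image: str = ""    # process events: parent executable path
    path: str = ""            # file events: touched path


@dataclass
class Finding:
    host: str
    scheduled_by: str
    as_root: bool
    scheduled_at: datetime
    spool_paths: list = field(default_factory=list)
    executed: list = field(default_factory=list)   # (ts, user, command) of jobs that later ran
    expected: bool = False                          # matched the local operational baseline

    @property
    def severity(self) -> str:
        """Rank by what the page asks to correlate: privilege, execution and spool evidence."""
        if self.expected:
            return "info"
        if self.executed and self.as_root:
            return "high"
        if self.executed or self.spool_paths:
            return "medium"
        return "low"


def is_schedule_call(ev: Event) -> bool:
    """True for an `at` invocation that creates a job rather than just listing the queue."""
    if ev.kind != "process" or ev.image.rsplit("/", 1)[-1] != "at":
        return False
    return not any(arg in LIST_ONLY_FLAGS for arg in ev.argv[1:])


def is_scheduled_execution(ev: Event) -> bool:
    """Later job execution, recognised here by an `atrun` parent (assumption about lineage data)."""
    return ev.kind == "process" and ev.parent_image.rsplit("/", 1)[-1] == "atrun"


def correlate(events, window=timedelta(hours=24), expected_users=frozenset()):
    """Link each scheduling call to same-host spool writes and job runs inside the window."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for ev in events:
        if not is_schedule_call(ev):
            continue
        f = Finding(host=ev.host, scheduled_by=ev.user, as_root=(ev.euid == 0),
                    scheduled_at=ev.ts, expected=ev.user in expected_users)
        for later in events:
            if later.host != ev.host or not (ev.ts <= later.ts <= ev.ts + window):
                continue
            if later.kind == "file" and later.path.startswith(AT_SPOOL):
                f.spool_paths.append(later.path)
            elif is_scheduled_execution(later):
                f.executed.append((later.ts, later.user, " ".join(later.argv)))
        findings.append(f)
    return findings


# Constructed sample telemetry: one root scheduling call that later executes, one
# list-only call, and one scheduling call by a baselined service account.
T0 = datetime(2026, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "process", "mac-01", "root", 0, image="/usr/bin/at",
          argv=("at", "-f", "/tmp/job.sh", "now", "+", "2", "hours"), parent_image="/bin/zsh"),
    Event(T0 + timedelta(seconds=1), "file", "mac-01", "root", 0, path="/usr/lib/cron/at/jobs/a00001"),
    Event(T0 + timedelta(minutes=5), "process", "mac-01", "alice", 501, image="/usr/bin/at",
          argv=("at", "-l"), parent_image="/bin/zsh"),
    Event(T0 + timedelta(minutes=10), "process", "mac-02", "buildsvc", 502, image="/usr/bin/at",
          argv=("at", "-f", "/opt/build/nightly.sh", "23:00"), parent_image="/bin/bash"),
    Event(T0 + timedelta(hours=2), "process", "mac-01", "root", 0, image="/bin/sh",
          argv=("sh", "/tmp/job.sh"), parent_image="/usr/libexec/atrun"),
]


def run_sample():
    """Run the correlation with `buildsvc` treated as known operational scheduling."""
    return correlate(SAMPLE_EVENTS, expected_users=frozenset({"buildsvc"}))


if __name__ == "__main__":
    for f in run_sample():
        print(f.severity, f.host, f.scheduled_by, "root" if f.as_root else "user",
              len(f.spool_paths), "spool file(s),", len(f.executed), "execution(s)")
```

The list-only `at -l` call is deliberately ignored so the analytic keys on job creation, and the baseline allowlist is the place to encode the local knowledge the notes below say is required; without it every scheduling call is scored on its own evidence.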
Mitigation priorities
- Inventory whether `at` is required on managed macOS systems and restrict unnecessary use where policy allows.
- Ensure privileged use of scheduling utilities is governed by administrative access controls and reviewed operational procedures.
- Preserve endpoint logs needed to link scheduling, execution, user identity, and filesystem activity.
- Include scheduled-job review in macOS incident response triage when investigating delayed or recurring execution.
- Use detection validation results as evidence for endpoint monitoring, privileged access, and compliance readiness programs.
Analyst notes and limits
This take is based only on ATT&CK analytic AN0945. The supplied object identifies macOS, `at` command scheduling, LaunchServices execution, and `/usr/lib/cron/at` activity, but does not provide tactics, detection pseudocode, mitigations, related techniques, groups, or software. Local baseline knowledge is required to judge whether `at` usage is normal.
No active exploitation, attribution, impact, or guaranteed detection coverage is implied. The object has no supplied relationships and no official detection text, so implementation details must be validated in the customer environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | aec5fa4794ae… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0945
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.