DET0333: Cross-Platform Detection of Scheduled Task/Job Abuse via `at` Utility
Analyst context for executives and security teams
This detection strategy is about recognizing abuse of the `at` scheduling utility, which ATT&CK relates to execution, persistence, and privilege escalation. For leaders, the practical issue is that scheduled jobs can let an intruder run code later or repeatedly, potentially surviving reboots or shifting activity outside normal monitoring windows. Because this DET object has no official description or detection text, teams should treat it as a validation prompt rather than a complete detection recipe.
Executive priority
Prioritize this where Windows, Linux, or macOS systems are in scope and scheduled execution could affect business continuity, privileged access, or incident containment. Security leaders should ask whether SOC and IR teams can prove who created scheduled `at` jobs, what command was scheduled, when it executed, and whether the activity was authorized. This also supports audit and compliance evidence around privileged activity monitoring and change accountability.
Technical view
ATT&CK states that this detection strategy detects T1053.002 (At), which is associated with execution, persistence, and privilege escalation across Windows, Linux, and macOS. Detection engineers should validate visibility into scheduled job creation and execution involving the `at` utility, correlate it with user context and host privilege level, and distinguish expected administrative scheduling from unusual or unauthorized use. Because no official detection analytics are supplied, local baselining and environment-specific allowlisting are required.
Likely telemetry
- Process creation telemetry showing invocation of the `at` utility and command-line context
- Scheduled job/task creation and execution records where available
- User, account, and privilege context for the creator of the scheduled job
- Host operating system and asset criticality context
- Authentication/session telemetry around the time the job was created
Detection direction
- Confirm whether telemetry exists for `at` usage on Windows, Linux, and macOS systems in scope; the detection strategy itself does not specify platforms, but the related ATT&CK technique does.
- Alert on unusual or unauthorized `at` job creation, especially from privileged accounts, service accounts, remote sessions, or hosts where administrative scheduling is rare.
- Correlate scheduled job creation with later process execution to avoid seeing only the setup event and missing the execution outcome.
- Tune for legitimate administrative use, maintenance windows, and automation to reduce false positives.
- Review blind spots on legacy systems, unmanaged endpoints, minimal Linux/macOS logging, and environments where command-line capture is disabled or incomplete.
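One way to implement the allowlisting and the creation-to-execution correlation described in the list above, as an added example (not an official ATT&CK analytic and not code from this page). The events are constructed, and the field names, the allowlist, and the job-runner parent names (`atd`, `atrun`, `taskeng.exe`) are assumptions to adapt to local telemetry.

```python
from datetime import datetime, timedelta
import ntpath  # basename() here splits on both "/" and "\\"

# Constructed process-creation events (not real telemetry); field names are assumptions.
EVENTS = [
    {"ts": "2024-05-01T02:10:00", "host": "web01", "user": "www-data",
     "image": "/usr/bin/at", "cmdline": "at now + 5 minutes", "parent": "sh"},
    {"ts": "2024-05-01T02:15:01", "host": "web01", "user": "www-data",
     "image": "/bin/sh", "cmdline": "sh", "parent": "atd"},
    {"ts": "2024-05-01T03:00:00", "host": "ops01", "user": "backup",
     "image": "/usr/bin/at", "cmdline": "at -f /opt/backup/run.sh 04:00", "parent": "cron"},
    {"ts": "2024-05-01T09:00:00", "host": "ws07", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\at.exe", "cmdline": "at.exe", "parent": "cmd.exe"},
    {"ts": "2024-05-01T09:05:00", "host": "ws07", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\at.exe",
     "cmdline": "at.exe 23:30 C:\\Users\\Public\\u.bat", "parent": "cmd.exe"},
]
ALLOWLIST = {("ops01", "backup")}                   # assumed approved (host, user) pairs
EXECUTOR_PARENTS = {"atd", "atrun", "taskeng.exe"}  # assumed job runners; tune per OS
NON_CREATE_FLAGS = {"-l", "-c", "-d", "-r", "/delete"}  # list, show, delete: no new job

def is_at_creation(ev):
    """True when `at` is invoked with arguments that schedule a job (simplified)."""
    name = ntpath.basename(ev["image"]).lower()
    args = ev["cmdline"].split()[1:]
    return (name in {"at", "at.exe"} and bool(args)
            and args[0].lower() not in NON_CREATE_FLAGS)

def detect(events, allowlist=ALLOWLIST, window=timedelta(hours=24)):
    """Flag non-allowlisted job creation and attach later job-runner child processes."""
    findings = []
    for ev in events:
        if not is_at_creation(ev) or (ev["host"], ev["user"]) in allowlist:
            continue
        created = datetime.fromisoformat(ev["ts"])
        runs = [e["ts"] for e in events
                if e["host"] == ev["host"] and e["parent"].lower() in EXECUTOR_PARENTS
                and created < datetime.fromisoformat(e["ts"]) <= created + window]
        findings.append({"host": ev["host"], "user": ev["user"],
                         "cmdline": ev["cmdline"], "executions": runs})
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

On Unix-like hosts the scheduled command is often supplied on standard input, so the `at` command line may show only the time specification; the finding for `web01` illustrates why the later execution record is needed to see what ran.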
Mitigation priorities
- Inventory where `at` is available and whether its use is operationally required.
- Restrict scheduled job creation to authorized administrators and controlled automation accounts.
- Harden endpoint logging so scheduled job creation, creator identity, command content, and execution events are retained.
- Use change management or administrative approval processes for recurring scheduled execution on critical systems.
- During incidents, review recent and recurring `at` jobs as part of persistence and privilege-escalation triage.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy, DET0333, and only provides relationship context to T1053.002 At. The related technique description supports the focus on scheduling tasks for initial or recurring execution and the tactics of execution, persistence, and privilege escalation. Local environment knowledge is needed to determine what `at` usage is normal and which hosts or accounts are high risk.
The official detection strategy fields include no description, no detection logic, no tactics, and no platforms. Platform and tactic references on this page come from the supplied relationship to T1053.002, not from the DET object itself. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 46210fdfd6ca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.