S0110: at
Analyst context for executives and security teams
The "at" utility is a legitimate task scheduler present across Windows, Linux, and macOS. Its security significance is that a normal administrative tool can be used to run commands later, which can blur the line between routine operations and adversary execution, persistence, or privilege escalation activity tied to ATT&CK technique T1053.002.
Executive priority
Leaders should treat use of legacy or cross-platform scheduling utilities as an operational resilience and audit-evidence issue: can the organization prove who scheduled what, on which systems, and why? This matters most where scheduled execution could affect critical servers, privileged accounts, or environments connected to sensitive industrial, energy, telecom, government, or manufacturing operations reflected in the related ATT&CK campaign and group context.
Technical view
SOC and IR teams should validate visibility for execution of the at utility on Windows, Linux, and macOS and correlate it with the related ATT&CK technique T1053.002, which maps to execution, persistence, and privilege escalation. Because MITRE provides no detection text for this software object, coverage should be proven locally through endpoint process telemetry, scheduler/job artifacts, account context, and follow-on command or script execution. On Windows, the relationship text notes that at is deprecated in favor of scheduled tasks (schtasks), so legacy at usage may be unusual in some environments but must be baselined before alerting.
Likely telemetry
- Endpoint process creation events showing invocation of at and command-line arguments where collected
- Operating system scheduler or job records showing created, modified, or executed scheduled jobs
- User, privilege, logon session, and host context associated with the scheduling action
- File or script paths referenced by scheduled commands and subsequent process execution
- System logs or endpoint detection records around the scheduled execution time
Detection direction
- Baseline legitimate administrative use of at by platform, server role, user group, and maintenance window before treating all executions as malicious.
- Prioritize review of at usage by privileged accounts, on sensitive servers, or outside normal operating windows.
- Correlate job creation with later process execution so delayed commands are not missed by detections that only examine the original scheduling event.
- Tune for legacy-tool blind spots, especially where Windows monitoring focuses on newer scheduled task mechanisms and may not separately track at usage.
- Use the relationship context to enrich threat hunting, but do not infer attribution from at usage alone because it is a legitimate utility used by administrators as well as referenced threat actors.
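The baseline-then-correlate approach above, as an added illustration that is not part of the MITRE object or the Glexia analysis: constructed process-creation events are checked against an assumed local baseline (approved scheduling accounts, sensitive hosts, maintenance window), and each deferred execution is paired with the at invocation that created it so the later command is reviewed with its scheduling context. Event field names, the baseline values, and the job-runner parent processes are assumptions.

```python
"""Triage of 'at' scheduler telemetry: baseline check plus job/execution correlation.
Constructed sample events, not from any real environment; field names are an assumed telemetry schema."""
from datetime import datetime, time
# Assumed local baseline: approved scheduling accounts, sensitive hosts, window.
APPROVED = {"svc_backup", "ops_admin"}
SENSITIVE_HOSTS = {"erp-db01", "hist01"}
WINDOW = (time(22, 0), time(4, 0))  # maintenance window 22:00-04:00 local
AT_IMAGES = {"at", "at.exe"}
# Parents that launch deferred jobs: atd on Linux/macOS; on Windows the Task
# Scheduler service runs inside svchost.exe (assumption for this sample).
JOB_RUNNERS = {"atd", "svchost.exe"}

def in_window(ts):
    """True when ts falls inside the maintenance window (handles midnight wrap)."""
    start, end = WINDOW
    t = ts.time()
    return (start <= t or t < end) if start > end else start <= t < end

def triage(ev):
    """Return reasons an 'at' invocation deviates from the baseline."""
    reasons = []
    if ev["user"] not in APPROVED:
        reasons.append("unapproved scheduler account")
    if ev["host"] in SENSITIVE_HOSTS:
        reasons.append("sensitive host")
    if not in_window(ev["ts"]):
        reasons.append("outside maintenance window")
    return reasons

def correlate(events, max_gap_h=48):
    """Pair each deferred execution with the latest prior 'at' call on that host."""
    schedules, findings = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["image"] in AT_IMAGES:
            schedules.append(ev)
        elif ev["parent"] in JOB_RUNNERS:
            prior = [s for s in schedules if s["host"] == ev["host"]
                     and (ev["ts"] - s["ts"]).total_seconds() <= max_gap_h * 3600]
            origin = prior[-1] if prior else None
            findings.append({"host": ev["host"], "executed": ev["cmdline"],
                             "scheduled_by": origin["user"] if origin else None,
                             "reasons": triage(origin) if origin else ["no matching at job creation"]})
    return findings

SAMPLE = [  # constructed events
    {"host": "erp-db01", "user": "j.doe", "ts": datetime(2024, 5, 1, 14, 5), "image": "at.exe", "parent": "cmd.exe", "cmdline": "at 15:00 cmd /c C:\\Temp\\run.bat"},
    {"host": "erp-db01", "user": "SYSTEM", "ts": datetime(2024, 5, 1, 15, 0), "image": "cmd.exe", "parent": "svchost.exe", "cmdline": "cmd /c C:\\Temp\\run.bat"},
    {"host": "web01", "user": "svc_backup", "ts": datetime(2024, 5, 1, 23, 30), "image": "at", "parent": "bash", "cmdline": "at -f /opt/backup/rotate.sh 02:00"},
    {"host": "web01", "user": "svc_backup", "ts": datetime(2024, 5, 2, 2, 0), "image": "sh", "parent": "atd", "cmdline": "sh /opt/backup/rotate.sh"},
]
```

A deferred execution with no matching creation event is reported as its own finding, which is the logging gap the mitigation section asks teams to close.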
Mitigation priorities
- Inventory where at is available and whether it is required on Windows, Linux, and macOS systems.
- Restrict scheduling privileges to authorized administrative roles and review privileged account use regularly.
- Ensure endpoint and system logging captures both job creation and the command that eventually runs.
- Apply change-management expectations for scheduled administrative actions on critical systems.
- For sensitive or OT-adjacent environments, confirm scheduled execution on enterprise hosts can be correlated with access to systems holding operational, production, or SCADA-related data where relevant.
Analyst notes and limits
ATT&CK identifies at as software used to schedule tasks and links it to T1053.002 At, with related usage by Night Dragon, BRONZE BUTLER, Leviathan, and GALLIUM. The decision value is not that at is inherently malicious, but that scheduled execution can create delayed activity, persistence opportunities, and audit gaps if organizations cannot reconstruct the scheduler event and subsequent command execution.
The supplied MITRE software object has no official detection guidance and no tactics directly listed on the software object; tactics are derived only from the related T1053.002 technique. Local baselines, platform logging configuration, and administrative practices are required to determine suspiciousness. Related campaign and group entries should be used for context, not as proof of attribution.
at
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
G0093: GALLIUM
GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]
G0065: Leviathan
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]
G0060: BRONZE BUTLER
BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]
C0002: Night Dragon
Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 55aff5b3ed6e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft. (n.d.). At. TechNet. Retrieved April 28, 2016.
[2] IEEE/The Open Group. (2017). at(1p) — Linux manual page. Retrieved February 25, 2022.
[3] MITRE ATT&CK. S0110 (mitre-attack).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.