MITRE ATT&CK® Technique

T1053.002: At

Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with at by directly leveraging the Windows Management Instrumentation `Win32_ScheduledJob` WMI class.[1]

On Linux and macOS, at may be invoked by the superuser as well as any users added to the at.allow file. If the at.allow file does not exist, the at.deny file is checked. Every username not listed in at.deny is allowed to invoke at. If the at.deny exists and is empty, global use of at is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use at.[2]

Adversaries may use at to execute programs at system startup or on a scheduled basis for Persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).

In Linux environments, adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via sudo.[3]

Enterprise | T1053.002 | Sub-technique | Object v2.4 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

The `at` utility is a legitimate cross-platform scheduler that can become a quiet execution, persistence, or privilege-escalation path when abused. Its business significance is that malicious activity may look like routine administration: a job is scheduled to run later, potentially under an elevated account or through Windows WMI, making incident timelines and accountability harder if logging and account controls are weak.

Executive priority

Treat this as a resilience and audit-readiness issue, not just a command-line detection problem. Leaders should ask whether administrative scheduling is governed, logged, and reviewable across Windows, Linux, and macOS; whether privileged users can schedule jobs unnecessarily; and whether IR teams can quickly determine who created a job, what it launched, when it ran, and under which account context.

Technical view

Validate coverage for `at` abuse across execution, persistence, and privilege-escalation use cases on Windows, Linux, and macOS. On Windows, include both explicit `at` execution and task creation through the WMI `Win32_ScheduledJob` class, with attention to Task Scheduler service availability and administrator context. On Linux and macOS, review authorization behavior around `at.allow` and `at.deny`, and assess whether superuser or sudo-enabled use could create elevated scheduled execution. The related ATT&CK detection strategy DET0333 indicates cross-platform detection of scheduled task/job abuse via `at`, but the ATT&CK technique itself does not provide official detection text.

Likely telemetry

  • Process creation and command-line telemetry for `at` and scheduled job execution
  • Windows Task Scheduler service and scheduled task event logs where enabled
  • WMI activity involving `Win32_ScheduledJob` on Windows
  • Account context for job creation and execution, especially local Administrators, SYSTEM, root, and sudo-enabled users
  • Linux/macOS file and configuration state for `at.allow` and `at.deny`

Detection direction

  • Baseline legitimate administrative use of `at`; in many environments it should be rare, especially on Windows where it is deprecated in favor of scheduled tasks.
  • Alert on unusual `at` invocation, newly created scheduled jobs, or jobs launching interpreters, shells, scripts, or unexpected binaries, while tuning for approved maintenance activity.
  • Include WMI-based scheduled job creation in Windows logic so detections are not limited to direct command execution.
  • Correlate scheduled job creation with privileged account use, remote administration, and subsequent process execution to separate benign scheduling from persistence or lateral execution patterns.
  • Confirm scheduled task history retention and audit settings are sufficient; lack of historical logs is a material blind spot for IR and compliance evidence.
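
The detection direction above, sketched as an added example (not MITRE or Glexia code): it tags direct `at` invocations, jobs that launch a shell or script, and command lines that reference `Win32_ScheduledJob`, then suppresses an approved baseline. The event field names, hosts, users, and the `APPROVED` set are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

AT_BINARIES = {"at", "at.exe"}
SHELL_OR_SCRIPT = re.compile(
    r"\b(cmd|powershell|pwsh|wscript|cscript|bash|sh)(\.exe)?\b|\.(bat|ps1|vbs|sh)\b", re.I)
WMI_JOB_CLASS = re.compile(r"win32_scheduledjob", re.I)
# Hypothetical baseline: (host, user) pairs with approved maintenance use of at.
APPROVED = {("build01", "svc_maint")}

# Constructed process-creation events; field names are assumptions, map them to your EDR schema.
EVENTS = [
    {"host": "ws-114", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\at.exe",
     "command_line": r"at.exe 02:00 cmd.exe /c C:\Users\Public\sync.bat"},
    {"host": "build01", "user": "svc_maint", "image": r"C:\Windows\System32\at.exe",
     "command_line": r"at.exe 03:30 C:\Tools\report.exe"},
    {"host": "ws-201", "user": "CORP\\admin2",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Invoke-WmiMethod -Class Win32_ScheduledJob -Name Create"},
    {"host": "db-lnx-02", "user": "www-data", "image": "/usr/bin/at",
     "command_line": "at -f /tmp/job.sh now + 1 minute"},
    {"host": "ws-114", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]


def classify(event):
    """Return finding tags for one event; an empty list means nothing matched."""
    tags, cmd = [], event["command_line"]
    # PureWindowsPath splits on both \ and /, so one helper covers Windows and POSIX images.
    if PureWindowsPath(event["image"]).name.lower() in AT_BINARIES:
        tags.append("at-invocation")
        args = cmd.split(None, 1)[1:]          # everything after the program name
        if args and SHELL_OR_SCRIPT.search(args[0]):
            tags.append("launches-shell-or-script")
    if WMI_JOB_CLASS.search(cmd):              # coarse match: any reference to the WMI class
        tags.append("wmi-scheduledjob")
    return tags


def triage(events, approved=APPROVED):
    """Split matched events into alerts and baseline hits that were suppressed."""
    alerts, suppressed = [], []
    for ev in events:
        tags = classify(ev)
        if tags:
            bucket = suppressed if (ev["host"], ev["user"]) in approved else alerts
            bucket.append((ev["host"], ev["user"], tags))
    return alerts, suppressed
```

Command-line matching only sees WMI use that passes through a logged process; scheduled jobs created through other WMI clients need WMI activity telemetry as listed under likely telemetry.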

Mitigation priorities

  • Apply user account management: restrict who can create scheduled jobs and remove unnecessary accounts from allowed scheduling paths.
  • Apply privileged account management: limit administrator, SYSTEM-equivalent, root, and sudo-enabled scheduling rights to defined operational roles.
  • Harden operating system configuration: disable or restrict unused scheduling functionality where business processes do not require it, and review `at.allow`/`at.deny` behavior on Linux and macOS.
  • Enable and routinely review auditing for scheduled job creation, modification, and execution so investigations can prove account, time, and launched command context.
  • Periodically review scheduled jobs and autorun-style persistence locations for unauthorized or unexplained entries.
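
For the `at.allow`/`at.deny` review recommended above, this added example (not MITRE or Glexia code) implements the authorization rules from the technique description and reports which accounts may submit `at` jobs. The default directory `/etc` and the use of the name `root` to stand for the superuser are assumptions; the file location varies by platform.

```python
from pathlib import Path


def read_names(path):
    """Usernames listed in an at.allow/at.deny file, or None if the file is absent."""
    if not path.is_file():
        return None
    return {line.strip() for line in path.read_text().splitlines() if line.strip()}


def at_policy(conf_dir="/etc"):
    """Return (mode, names). conf_dir is an assumption; adjust it for the platform."""
    allow = read_names(Path(conf_dir) / "at.allow")
    deny = read_names(Path(conf_dir) / "at.deny")
    if allow is not None:
        return "allow-list", allow            # at.deny is not consulted at all
    if deny is not None:
        # An existing but empty at.deny opens at to every account.
        return ("deny-list" if deny else "open-to-all"), deny
    return "superuser-only", set()            # neither file exists


def may_use_at(user, conf_dir="/etc"):
    """True if `user` may invoke at under the files found in conf_dir."""
    if user == "root":                        # assumption: superuser identified by name
        return True
    mode, names = at_policy(conf_dir)
    if mode == "allow-list":
        return user in names
    if mode in ("deny-list", "open-to-all"):
        return user not in names
    return False


def audit(users, conf_dir="/etc"):
    """Return the effective mode and the sorted accounts permitted to use at."""
    mode, _ = at_policy(conf_dir)
    return mode, sorted(u for u in users if may_use_at(u, conf_dir))


if __name__ == "__main__":
    # Constructed account list; in practice feed in the host's local accounts.
    print(audit(["root", "alice", "svc_backup"]))
```

An `open-to-all` result, or service accounts appearing in the permitted list, is the condition the hardening bullet above asks you to review.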
Analyst notes and limits

This technique is a sub-technique of Scheduled Task/Job and is associated with execution, persistence, and privilege escalation. ATT&CK relationships show use by multiple groups and software entries, including the legitimate `at` utility, but those relationships should be used as context for threat modeling rather than as evidence of current activity in any specific environment.

MITRE does not provide an official detection section for this object. Detection and mitigation recommendations here are derived from the official description, external references, and supplied relationships; local operating system configuration, audit policy, endpoint telemetry, and administrative practices determine actual coverage.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.001 | At (Linux) | Sub-technique At (Linux) revoked by this object. |
| Enterprise | T1053 | Scheduled Task/Job | This object subtechnique of Scheduled Task/Job. |

Associated objects

Groups, software, and campaigns

Group Enterprise

G0027: Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]

Group Enterprise

G0026: APT18

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.[1]

Group Enterprise

G0060: BRONZE BUTLER

BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.[1][2][3]

Tool Enterprise

S0488: CrackMapExec

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]

Windows
Tool Enterprise

S0110: at

at is used to schedule tasks on a system to run at a specified date or time.[1][2]

Linux, Windows, macOS

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.4
Created:
Modified:
Raw hash: b23c82a4228694c3...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.4 | | Current bundle | b23c82a42286… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Malicious Life by Cybereason: Philip Tsukerman. (n.d.). No Win32 Process Needed | Expanding the WMI Lateral Movement Arsenal. Retrieved June 19, 2024.
  [2] Linux at: IEEE/The Open Group. (2017). at(1p) — Linux manual page. Retrieved February 25, 2022.
  [3] GTFObins at: Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved September 28, 2021.
  [4] Microsoft Scheduled Task Events Win10: Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019.
  [5] TechNet Autoruns: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
  [6] TechNet Forum Scheduled Task Operational Setting: Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.
  [7] TechNet Scheduled Task Events: Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.
  [8] Twitter Leoloobeek Scheduled Task: Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved September 12, 2024.
  [9] mitre-attack T1053.002
  [10] rowland linux at 2019: Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.