EXPLORE
Sign In
← Back to Explore
T1053.002

At

Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments...

WindowsLinuxmacOS
17
Detections
3
Sources
3
Threat Actors

BY SOURCE

8sigma5elastic4splunk_escu

PROCEDURES (12)

Privilege2 detections

Auto-extracted: 2 detections for privilege

Ransomware2 detections

Auto-extracted: 2 detections for ransomware

Container2 detections

Auto-extracted: 2 detections for container

Scheduled Task2 detections

Auto-extracted: 2 detections for scheduled task

Api2 detections

Auto-extracted: 2 detections for api

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Scheduled Task1 detections

Auto-extracted: 1 detections for scheduled task

Lateral1 detections

Auto-extracted: 1 detections for lateral

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Lateral1 detections

Auto-extracted: 1 detections for lateral

THREAT ACTORS (3)

APT18BRONZE BUTLERThreat Group-3390

DETECTIONS (17)

At Job Created or Modified
elasticmedium
Interactive AT Job
sigmahigh
Linux At Application Execution
splunk_escu
Linux Auditd At Application Execution
splunk_escu
Linux Possible Append Command To At Allow Config File
splunk_escu
MITRE BZAR Indicators for Execution
sigmamedium
Modification of Persistence Relevant Files Detected via Defend for Containers
elasticlow
Pod or Container Creation with Suspicious Command-Line
elasticmedium
Potential Persistence via File Modification
elasticlow
Remote Schedule Task Lateral Movement via ATSvc
sigmahigh
Remote Schedule Task Lateral Movement via ITaskSchedulerService
sigmahigh
Remote Schedule Task Lateral Movement via SASec
sigmahigh
Remote Task Creation via ATSVC Named Pipe
sigmamedium
Remote Task Creation via ATSVC Named Pipe - Zeek
sigmamedium
Scheduled Task Creation on Remote Endpoint using At
splunk_escu
Scheduled Task/Job At
sigmalow
Scheduled Tasks AT Command Enabled
elasticmedium