Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the
atcommand, adversaries may also schedule a task with at by directly leveraging the Windows Management InstrumentationWin32_ScheduledJobWMI class.(Citation: Malicious Life by Cybereason)On Linux and macOS, at may be invoked by the superuser as well as any users added to the
at.allowfile. If theat.allowfile does not exist, theat.denyfile is checked. Every username not listed inat.denyis allowed to invoke at. If theat.denyexists and is empty, global use of at is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use at.(Citation: Linux at)Adversaries may use at to execute programs at system startup or on a scheduled basis for Persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM).
In Linux environments, adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via
sudo.(Citation: GTFObins at)
- Atomic Test #1: At.exe Scheduled task
- Atomic Test #2: At - Schedule a job
- Atomic Test #3: At - Schedule a job via kubectl in a Pod
Executes cmd.exe Note: deprecated in Windows 8+
Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
Supported Platforms: Windows
auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
at 13:20 /interactive cmdThis test submits a command to be run in the future by the at daemon.
Supported Platforms: Linux
auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e
| Name | Description | Type | Default Value |
|---|---|---|---|
| time_spec | Time specification of when the command should run | string | now + 1 minute |
| at_command | The command to be run | string | echo Hello from Atomic Red Team |
echo "#{at_command}" | at #{time_spec}if [ "$(uname)" = 'FreeBSD' ]; then which at; else which at && which atd; fi;echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'Launches a short-lived Ubuntu pod, installs the at utility, starts the atd daemon,
and submits a job with at. The pod is deleted after execution.
Supported Platforms: Containers
auto_generated_guid: 9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213
| Name | Description | Type | Default Value |
|---|---|---|---|
| image_name | Name of the image | string | ubuntu |
| pod_name | K8s pod name to execute the command in | string | atomic-at-schedule |
| time_spec | Time specification of when the command should run | string | now + 1 minute |
| at_command | The command to be run | string | echo Hello from Atomic Red Team |
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"which kubectlecho "kubectl must be installed manually"