At (Linux) Execution - T1053.001
(ATT&CK® Technique)
Definition
Adversaries may abuse the at utility to perform task scheduling for initial, recurring, or future execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.
D3FEND Inferred Relationships
Offensive technique to digital artifact:
At (Linux) Execution (T1053.001) modifies Job Schedule
At (Linux) Execution (T1053.001) invokes Create Process
At (Linux) Execution (T1053.001) executes Scheduled Job

Defensive technique to digital artifact, with the inferred relationship to At (Linux) Execution:
System Call Analysis: analyzes Create Process; may-detect
Process Termination: terminates Scheduled Job; may-evict
Process Suspension: suspends Scheduled Job; may-evict
Host Shutdown: terminates Scheduled Job; may-evict
Executable Allowlisting: filters Create Process; may-isolate
Executable Denylisting: filters Create Process; may-isolate
Process Self-Modification Detection: analyzes Scheduled Job; may-detect
Process Spawn Analysis: analyzes Scheduled Job, analyzes Create Process; may-detect
Hardware-based Process Isolation: isolates Scheduled Job, restricts Create Process; may-isolate
Kernel-based Process Isolation: isolates Scheduled Job; may-isolate
Application-based Process Isolation: isolates Scheduled Job; may-isolate
System Call Filtering: filters Create Process, isolates Scheduled Job; may-isolate
System Daemon Monitoring: monitors Scheduled Job; may-detect
Scheduled Job Analysis: analyzes Job Schedule; may-detect
Host Reboot: terminates Scheduled Job; may-evict
Process Lineage Analysis: analyzes Scheduled Job; may-detect