Esc
At - T1053.002
(ATT&CK® Technique)
Definition
Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of Scheduled Task's schtasks in Windows environments, using at requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1053002["At"] --> |modifies| JobSchedule["Job Schedule"]; class T1053002 OffensiveTechniqueNode;
class JobSchedule ArtifactNode; click JobSchedule href "/dao/artifact/d3f:JobSchedule";
click T1053002 href "/offensive-technique/attack/T1053.002/"; click JobSchedule href "/dao/artifact/d3f:JobSchedule"; T1053002["At"] --> |invokes| CreateProcess["Create Process"]; class T1053002 OffensiveTechniqueNode;
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1053002 href "/offensive-technique/attack/T1053.002/"; click CreateProcess href "/dao/artifact/d3f:CreateProcess"; T1053002["At"] --> |executes| ScheduledJob["Scheduled Job"]; class T1053002 OffensiveTechniqueNode;
class ScheduledJob ArtifactNode; click ScheduledJob href "/dao/artifact/d3f:ScheduledJob";
click T1053002 href "/offensive-technique/attack/T1053.002/"; click ScheduledJob href "/dao/artifact/d3f:ScheduledJob"; HostShutdown["Host Shutdown"] -->
| terminates | ScheduledJob["Scheduled Job"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1053002["At"] ;
class HostShutdown DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; ProcessTermination["Process Termination"] -->
| terminates | ScheduledJob["Scheduled Job"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1053002["At"] ;
class ProcessTermination DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSuspension["Process Suspension"] -->
| suspends | ScheduledJob["Scheduled Job"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1053002["At"] ;
class ProcessSuspension DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; ExecutableAllowlisting["Executable Allowlisting"] -->
| filters | CreateProcess["Create Process"];
ExecutableAllowlisting["Executable Allowlisting"] -.->
| may-isolate | T1053002["At"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] -->
| filters | CreateProcess["Create Process"];
ExecutableDenylisting["Executable Denylisting"] -.->
| may-isolate | T1053002["At"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | ScheduledJob["Scheduled Job"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1053002["At"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| restricts | CreateProcess["Create Process"];
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -->
| isolates | ScheduledJob["Scheduled Job"];
Kernel-basedProcessIsolation["Kernel-based Process Isolation"] -.->
| may-isolate | T1053002["At"] ;
class Kernel-basedProcessIsolation DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click Kernel-basedProcessIsolation href "/technique/d3f:Kernel-basedProcessIsolation"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | ScheduledJob["Scheduled Job"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1053002["At"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | ScheduledJob["Scheduled Job"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1053002["At"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | ScheduledJob["Scheduled Job"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1053002["At"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | CreateProcess["Create Process"];
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | CreateProcess["Create Process"];
SystemCallAnalysis["System Call Analysis"] -.->
| may-detect | T1053002["At"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; SystemCallFiltering["System Call Filtering"] -->
| filters | CreateProcess["Create Process"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1053002["At"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class CreateProcess ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; SystemCallFiltering["System Call Filtering"] -->
| isolates | ScheduledJob["Scheduled Job"];
class SystemCallFiltering DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; HostReboot["Host Reboot"] -->
| terminates | ScheduledJob["Scheduled Job"];
HostReboot["Host Reboot"] -.->
| may-evict | T1053002["At"] ;
class HostReboot DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; ScheduledJobAnalysis["Scheduled Job Analysis"] -->
| analyzes | JobSchedule["Job Schedule"];
ScheduledJobAnalysis["Scheduled Job Analysis"] -.->
| may-detect | T1053002["At"] ;
class ScheduledJobAnalysis DefensiveTechniqueNode;
class JobSchedule ArtifactNode;
click ScheduledJobAnalysis href "/technique/d3f:ScheduledJobAnalysis"; SystemDaemonMonitoring["System Daemon Monitoring"] -->
| monitors | ScheduledJob["Scheduled Job"];
SystemDaemonMonitoring["System Daemon Monitoring"] -.->
| may-detect | T1053002["At"] ;
class SystemDaemonMonitoring DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click SystemDaemonMonitoring href "/technique/d3f:SystemDaemonMonitoring"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | ScheduledJob["Scheduled Job"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1053002["At"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class ScheduledJob ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis";