| ID | Name |
|---|---|
| ATAGS-T1059.001 | At |
| ATAGS-T1059.002 | Container Orchestration Job |
| ATAGS-T1059.003 | Cron |
| ATAGS-T1059.004 | Scheduled Task |
| ATAGS-T1059.005 | Systemd Timers |

Threat actors may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. In Windows environments at is deprecated in favor of Scheduled Task's schtasks; using at there requires that the Task Scheduler service be running and that the user be logged on as a member of the local Administrators group. In addition to explicitly running the at command, threat actors may also schedule a task with at by directly leveraging the Windows Management Instrumentation Win32_ScheduledJob WMI class.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
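
An added example (not part of the original page) of detection logic for the two execution paths described above: a process whose image is the at binary, and a command line that references the Win32_ScheduledJob WMI class. The event field names and the sample records are constructed assumptions, not a real log schema.

```python
import re

# Constructed process-creation records; field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "image": r"C:\Windows\System32\at.exe",
     "command_line": r"at.exe 23:30 C:\Tools\backup.cmd"},
    {"host": "ws02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-CimInstance win32_scheduledjob"},
    {"host": "lnx01", "user": "carol", "image": "/usr/bin/at",
     "command_line": "at -f /home/carol/report.sh 02:00"},
    # Look-alikes that must not match: names that merely end in "at".
    {"host": "lnx01", "user": "carol", "image": "/usr/bin/cat",
     "command_line": "cat /etc/hostname"},
    {"host": "ws03", "user": "CORP\\dave", "image": r"C:\Program Files\Chat\chat.exe",
     "command_line": "chat.exe --minimized"},
    # schtasks is a separate sub-technique and is out of scope for this rule.
    {"host": "ws03", "user": "CORP\\dave", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks.exe /query"},
]

AT_BINARIES = {"at", "at.exe"}
WMI_CLASS = re.compile(r"\bwin32_scheduledjob\b", re.IGNORECASE)


def classify(event):
    """Return the reason an event is of interest, or None."""
    # Compare the exact file name so Windows and POSIX paths both work
    # and substrings such as "cat" or "chat.exe" are not flagged.
    name = re.split(r"[\\/]", event["image"])[-1].lower()
    if name in AT_BINARIES:
        return "at-binary"
    # WMI class names are case-insensitive, so match without regard to case.
    if WMI_CLASS.search(event["command_line"]):
        return "wmi-win32_scheduledjob"
    return None


def detect(events):
    """Return (host, user, reason) for every event that matches a rule."""
    return [(e["host"], e["user"], reason)
            for e in events if (reason := classify(e))]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

A match on the WMI class name only shows that the class was referenced, so each hit still needs triage against known administrative activity.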