1. Home
  2. Techniques
  3. Enterprise
  4. Scheduled Task/Job
  5. At (Linux)

Scheduled Task/Job: At (Linux)

ID Name
T1053.001 At (Linux)
T1053.002 At (Windows)
T1053.003 Cron
T1053.004 Launchd
T1053.005 Scheduled Task
T1053.006 Systemd Timers
T1053.007 Container Orchestration Job

Adversaries may abuse the at utility to perform task scheduling for initial, recurring, or future execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.[1]

An adversary may use at in Linux environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.

Adversaries may also abuse at to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, at may also be used for Privilege Escalation if the binary is allowed to run as superuser via sudo.[2]

ID: T1053.001
Sub-technique of:  T1053
Platforms: Linux
Supports Remote:  Yes
Version: 1.1
Created: 03 December 2019
Last Modified: 15 October 2021
Provided by LAYER 8

Mitigations

ID Mitigation Description
M1047 Audit

Scheduled tasks using at can be audited locally, or through centrally collected logging, using syslog, or auditd events from the host. [1]
M1018 User Account Management

Users account-level access to at can be managed using /etc/at.allow and /etc/at.deny files. Users listed in the at.allow are enabled to schedule actions using at, whereas users listed in at.deny file disabled from the utility.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
DS0003 Scheduled Job Scheduled Job Creation

Monitor scheduled task creation using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.

Review all jobs using the atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/.[3]

Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

References

  1. Koromicha. (2019, September 7). Scheduling tasks using at command in Linux. Retrieved December 3, 2019.
  2. Emilio Pinna, Andrea Cardaci. (n.d.). gtfobins at. Retrieved September 28, 2021.
  1. Craig Rowland. (2019, July 25). Getting an Attacker IP Address from a Malicious Linux At Job. Retrieved October 15, 2021.