At
The 'at' command is a Unix scheduling utility that adversaries abuse to maintain persistence by scheduling commands or scripts to run at a specified time. As part of the "Deepening Control" phase, attackers use it to establish scheduled execution of malicious code so that their presence persists after system reboots or user logouts. Unlike more modern alternatives such as cron, 'at' is designed for one-time rather than recurring execution, which can make its jobs less noticeable in system monitoring. Adversaries typically invoke 'at' with a future execution time and a command or script; the system stores the job in the /var/spool/at/ directory until that time arrives. The technique is particularly effective because 'at' jobs run with the privileges of the user who created them, so an attacker who has compromised a privileged account can schedule tasks with elevated permissions. Security teams should monitor for unexpected or unauthorized 'at' job creation, especially jobs created outside normal business hours or by accounts that do not normally use scheduling functions.
Detection

| ID | Data Source | Detection |
|---|---|---|
| DS0003 | Scheduled Job Creation | Monitor /var/spool/at/ file writes and audit events for new at jobs created by users outside maintenance windows. |
| DS0009 | Process Creation | Alert on execution of /usr/bin/at or /usr/bin/atq by non-admin users or from unusual directories. |
| DS0022 | File: File Modification | Detect modifications to /etc/at.allow or /etc/at.deny that expand scheduled-task privileges. |
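The three detections above, implemented as an added example over constructed auditd records (this code is not part of the original page; the admin UID set, the maintenance window and the sample log lines are assumptions):

```python
import re
from datetime import datetime, timezone

# Constructed sample auditd records (not from the page), in the raw
# key=value format auditd writes to /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 uid=1001 auid=1001 comm="at" exe="/usr/bin/at" key="at_exec"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=0 comm="atq" exe="/usr/bin/atq" key="at_exec"
type=PATH msg=audit(1700000000.105:203): item=0 name="/var/spool/at/a00001019f5d3f" inode=42 mode=0100700 ouid=1001 nametype=CREATE
type=PATH msg=audit(1700000000.106:204): item=0 name="/etc/at.allow" inode=43 mode=0100644 ouid=0 nametype=NORMAL key="at_config"
"""

ADMIN_UIDS = {"0"}                 # assumption: only root is an approved at user
MAINTENANCE_WINDOW_UTC = (2, 4)    # assumption: at jobs are expected 02:00-04:00 UTC
AT_BINARIES = {"/usr/bin/at", "/usr/bin/atq"}
AT_ACL_FILES = {"/etc/at.allow", "/etc/at.deny"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one raw audit line into a dict; quotes stripped, epoch seconds extracted."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r"audit\((\d+)\.\d+:\d+\)", line)
    fields["epoch"] = int(m.group(1)) if m else 0
    return fields

def in_maintenance_window(epoch):
    hour = datetime.fromtimestamp(epoch, tz=timezone.utc).hour
    start, end = MAINTENANCE_WINDOW_UTC
    return start <= hour < end

def analyze(log_text):
    """Apply the page's three detections; returns a list of (data source, detail)."""
    alerts = []
    for line in log_text.splitlines():
        r = parse_record(line)
        if r.get("type") == "SYSCALL" and r.get("exe") in AT_BINARIES:
            if r.get("uid") not in ADMIN_UIDS:          # DS0009: at/atq run by non-admin
                alerts.append(("DS0009", f"uid={r['uid']} ran {r['exe']}"))
        elif r.get("type") == "PATH":
            name = r.get("name", "")
            if name.startswith("/var/spool/at/") and r.get("nametype") == "CREATE":
                if not in_maintenance_window(r["epoch"]):  # DS0003: job outside window
                    alerts.append(("DS0003", f"job {name} created by ouid={r['ouid']}"))
            elif name in AT_ACL_FILES:                     # DS0022: at.allow/at.deny written
                alerts.append(("DS0022", f"{name} modified by ouid={r['ouid']}"))
    return alerts

if __name__ == "__main__":
    for source, detail in analyze(SAMPLE_LOG):
        print(source, detail)
```

On a real host, feed it the output of `ausearch -k at_exec -k at_config --raw` or tail audit.log directly; the root run of atq and the in-window job are deliberately not flagged.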
Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Restrict use of at to a small admin group via /etc/at.allow and disable the service on servers where it is not required. |
| M1047 | Audit | Enable auditd rules to log invocations of the at binary and changes to at job directories. |
| M1030 | Network Segmentation | Limit SSH/remote shell access to hosts that still require legacy at scheduling, reducing the attack surface. |