TIARAS - T1053.001: At (Linux)

MITRE ATT&CK Technique

Execution T1053.001

Description

Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux) An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account. Adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)

Supported Platforms

Linux

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2019-12-03T12:59:36.749Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse the '
                '[at](https://attack.mitre.org/software/S0110) utility to '
                'perform task scheduling for initial, recurring, or future '
                'execution of malicious code. The '
                '[at](https://attack.mitre.org/software/S0110) command within '
                'Linux operating systems enables administrators to schedule '
                'tasks.(Citation: Kifarunix - Task Scheduling in Linux)\n'
                '\n'
                'An adversary may use '
                '[at](https://attack.mitre.org/software/S0110) in Linux '
                'environments to execute programs at system startup or on a '
                'scheduled basis for persistence. '
                '[at](https://attack.mitre.org/software/S0110) can also be '
                'abused to conduct remote Execution as part of Lateral '
                'Movement and or to run a process under the context of a '
                'specified account.\n'
                '\n'
                'Adversaries may also abuse '
                '[at](https://attack.mitre.org/software/S0110) to break out of '
                'restricted environments by using a task to spawn an '
                'interactive system shell or to run system commands. '
                'Similarly, [at](https://attack.mitre.org/software/S0110) may '
                'also be used for [Privilege '
                'Escalation](https://attack.mitre.org/tactics/TA0004) if the '
                'binary is allowed to run as superuser via '
                '<code>sudo</code>.(Citation: GTFObins at)',
 'external_references': [{'external_id': 'T1053.001',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1053/001'},
                         {'description': 'Craig Rowland. (2019, July 25). '
                                         'Getting an Attacker IP Address from '
                                         'a Malicious Linux At Job. Retrieved '
                                         'October 15, 2021.',
                          'source_name': 'rowland linux at 2019',
                          'url': 'https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/'},
                         {'description': 'Emilio Pinna, Andrea Cardaci. '
                                         '(n.d.). gtfobins at. Retrieved '
                                         'September 28, 2021.',
                          'source_name': 'GTFObins at',
                          'url': 'https://gtfobins.github.io/gtfobins/at/'},
                         {'description': 'Koromicha. (2019, September 7). '
                                         'Scheduling tasks using at command in '
                                         'Linux. Retrieved December 3, 2019.',
                          'source_name': 'Kifarunix - Task Scheduling in Linux',
                          'url': 'https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/'}],
 'id': 'attack-pattern--6636bc83-0611-45a6-b74f-1f3daf635b8e',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'execution'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:48:52.747Z',
 'name': 'At (Linux)',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux'],
 'x_mitre_version': '1.2'}

Quick Actions

Edit TTP Update from Web

Back to TTPs

Dashboard About