MITRE ATT&CK Technique
Description
Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason) On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the <code>at.allow</code> file. If the <code>at.allow</code> file does not exist, the <code>at.deny</code> file is checked. Every username not listed in <code>at.deny</code> is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the <code>at.deny</code> exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at) Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM). In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-11-27T13:52:45.853Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse the '
'[at](https://attack.mitre.org/software/S0110) utility to '
'perform task scheduling for initial or recurring execution of '
'malicious code. The '
'[at](https://attack.mitre.org/software/S0110) utility exists '
'as an executable within Windows, Linux, and macOS for '
'scheduling tasks at a specified time and date. Although '
'deprecated in favor of [Scheduled '
"Task](https://attack.mitre.org/techniques/T1053/005)'s "
'[schtasks](https://attack.mitre.org/software/S0111) in '
'Windows environments, using '
'[at](https://attack.mitre.org/software/S0110) requires that '
'the Task Scheduler service be running, and the user to be '
'logged on as a member of the local Administrators group. In '
'addition to explicitly running the `at` command, adversaries '
'may also schedule a task with '
'[at](https://attack.mitre.org/software/S0110) by directly '
'leveraging the [Windows Management '
'Instrumentation](https://attack.mitre.org/techniques/T1047) '
'`Win32_ScheduledJob` WMI class.(Citation: Malicious Life by '
'Cybereason)\n'
'\n'
'On Linux and macOS, '
'[at](https://attack.mitre.org/software/S0110) may be invoked '
'by the superuser as well as any users added to the '
'<code>at.allow</code> file. If the <code>at.allow</code> file '
'does not exist, the <code>at.deny</code> file is checked. '
'Every username not listed in <code>at.deny</code> is allowed '
'to invoke [at](https://attack.mitre.org/software/S0110). If '
'the <code>at.deny</code> exists and is empty, global use of '
'[at](https://attack.mitre.org/software/S0110) is permitted. '
'If neither file exists (which is often the baseline) only the '
'superuser is allowed to use '
'[at](https://attack.mitre.org/software/S0110).(Citation: '
'Linux at)\n'
'\n'
'Adversaries may use '
'[at](https://attack.mitre.org/software/S0110) to execute '
'programs at system startup or on a scheduled basis for '
'[Persistence](https://attack.mitre.org/tactics/TA0003). '
'[at](https://attack.mitre.org/software/S0110) can also be '
'abused to conduct remote '
'[Execution](https://attack.mitre.org/tactics/TA0002) as part '
'of [Lateral '
'Movement](https://attack.mitre.org/tactics/TA0008) and/or to '
'run a process under the context of a specified account (such '
'as SYSTEM).\n'
'\n'
'In Linux environments, adversaries may also abuse '
'[at](https://attack.mitre.org/software/S0110) to break out of '
'restricted environments by using a task to spawn an '
'interactive system shell or to run system commands. '
'Similarly, [at](https://attack.mitre.org/software/S0110) may '
'also be used for [Privilege '
'Escalation](https://attack.mitre.org/tactics/TA0004) if the '
'binary is allowed to run as superuser via '
'<code>sudo</code>.(Citation: GTFObins at)',
'external_references': [{'external_id': 'T1053.002',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1053/002'},
{'description': 'Craig Rowland. (2019, July 25). '
'Getting an Attacker IP Address from '
'a Malicious Linux At Job. Retrieved '
'October 15, 2021.',
'source_name': 'rowland linux at 2019',
'url': 'https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/'},
{'description': 'Emilio Pinna, Andrea Cardaci. '
'(n.d.). gtfobins at. Retrieved '
'September 28, 2021.',
'source_name': 'GTFObins at',
'url': 'https://gtfobins.github.io/gtfobins/at/'},
{'description': 'IEEE/The Open Group. (2017). at(1p) '
'— Linux manual page. Retrieved '
'February 25, 2022.',
'source_name': 'Linux at',
'url': 'https://man7.org/linux/man-pages/man1/at.1p.html'},
{'description': 'Loobeek, L. (2017, December 8). '
'leoloobeek Status. Retrieved '
'September 12, 2024.',
'source_name': 'Twitter Leoloobeek Scheduled Task',
'url': 'https://x.com/leoloobeek/status/939248813465853953'},
{'description': 'Microsoft. (2017, May 28). Audit '
'Other Object Access Events. '
'Retrieved June 27, 2019.',
'source_name': 'Microsoft Scheduled Task Events '
'Win10',
'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events'},
{'description': 'Microsoft. (n.d.). General Task '
'Registration. Retrieved December 12, '
'2017.',
'source_name': 'TechNet Scheduled Task Events',
'url': 'https://technet.microsoft.com/library/dd315590.aspx'},
{'description': 'Philip Tsukerman. (n.d.). No Win32 '
'Process Needed | Expanding the WMI '
'Lateral Movement Arsenal. Retrieved '
'June 19, 2024.',
'source_name': 'Malicious Life by Cybereason',
'url': 'https://www.cybereason.com/blog/wmi-lateral-movement-win32#blog-subscribe'},
{'description': 'Russinovich, M. (2016, January 4). '
'Autoruns for Windows v13.51. '
'Retrieved June 6, 2016.',
'source_name': 'TechNet Autoruns',
'url': 'https://technet.microsoft.com/en-us/sysinternals/bb963902'},
{'description': 'Satyajit321. (2015, November 3). '
'Scheduled Tasks History Retention '
'settings. Retrieved December 12, '
'2017.',
'source_name': 'TechNet Forum Scheduled Task '
'Operational Setting',
'url': 'https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen'}],
'id': 'attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:49:36.495Z',
'name': 'At',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'Linux', 'macOS'],
'x_mitre_version': '2.4'}