atomic-red-team/atomics/T1053.002/T1053.002.md

# T1053.002 - Scheduled Task/Job: At

## Description from ATT&CK

> Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of [Scheduled Task](https://attack.mitre.org/techniques/T1053/005)'s [schtasks](https://attack.mitre.org/software/S0111) in Windows environments, using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group. In addition to explicitly running the `at` command, adversaries may also schedule a task with [at](https://attack.mitre.org/software/S0110) by directly leveraging the [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) `Win32_ScheduledJob` WMI class.(Citation: Malicious Life by Cybereason)
> 
> On Linux and macOS, [at](https://attack.mitre.org/software/S0110) may be invoked by the superuser as well as any users added to the <code>at.allow</code> file. If the <code>at.allow</code> file does not exist, the <code>at.deny</code> file is checked. Every username not listed in <code>at.deny</code> is allowed to invoke [at](https://attack.mitre.org/software/S0110). If the <code>at.deny</code> exists and is empty, global use of [at](https://attack.mitre.org/software/S0110) is permitted. If neither file exists (which is often the baseline) only the superuser is allowed to use [at](https://attack.mitre.org/software/S0110).(Citation: Linux at)
> 
> Adversaries may use [at](https://attack.mitre.org/software/S0110) to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote [Execution](https://attack.mitre.org/tactics/TA0002) as part of [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or to run a process under the context of a specified account (such as SYSTEM).
> 
> In Linux environments, adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)

[Source](https://attack.mitre.org/techniques/T1053/002)

## Atomic Tests

- [Atomic Test #1: At.exe Scheduled task](#atomic-test-1-atexe-scheduled-task)
- [Atomic Test #2: At - Schedule a job](#atomic-test-2-at---schedule-a-job)
- [Atomic Test #3: At - Schedule a job via kubectl in a Pod](#atomic-test-3-at---schedule-a-job-via-kubectl-in-a-pod)

### Atomic Test #1: At.exe Scheduled task

Executes cmd.exe
Note: deprecated in Windows 8+

Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.

**Supported Platforms:** Windows

**auto_generated_guid:** `4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8`

#### Attack Commands: Run with `command_prompt`!

```cmd
at 13:20 /interactive cmd
```

### Atomic Test #2: At - Schedule a job

This test submits a command to be run in the future by the `at` daemon.

**Supported Platforms:** Linux

**auto_generated_guid:** `7266d898-ac82-4ec0-97c7-436075d0d08e`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| time_spec | Time specification of when the command should run | string | now + 1 minute|
| at_command | The command to be run | string | echo Hello from Atomic Red Team|

#### Attack Commands: Run with `sh`!

```sh
echo "#{at_command}" | at #{time_spec}
```


#### Dependencies: Run with `sh`!

##### Description: The `at` and `atd` executables must exist in the PATH

###### Check Prereq Commands

```sh
if [ "$(uname)" = 'FreeBSD' ]; then which at; else which at && which atd; fi;
```

###### Get Prereq Commands

```sh
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
```

##### Description: The `atd` daemon must be running

###### Check Prereq Commands

```sh
if [ $(uname) = 'Linux' ]; then systemctl status atd || service atd status; fi;
```

###### Get Prereq Commands

```sh
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
```

### Atomic Test #3: At - Schedule a job via kubectl in a Pod

Launches a short-lived Ubuntu pod, installs the `at` utility, starts the `atd` daemon,
and submits a job with `at`. The pod is deleted after execution.

**Supported Platforms:** Containers

**auto_generated_guid:** `9ddf2e5e-7e2c-46c2-9940-3c2ff29c7213`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| image_name | Name of the image | string | ubuntu|
| pod_name | K8s pod name to execute the command in | string | atomic-at-schedule|
| time_spec | Time specification of when the command should run | string | now + 1 minute|
| at_command | The command to be run | string | echo Hello from Atomic Red Team|

#### Attack Commands: Run with `bash`!

```bash
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "apt-get update -y >/dev/null 2>&1 && apt-get install -y at >/dev/null 2>&1 && (atd || /usr/sbin/atd) && echo '#{at_command}' | at #{time_spec} && at -l"
```


#### Dependencies: Run with `bash`!

##### Description: kubectl must be installed and configured

###### Check Prereq Commands

```bash
which kubectl
```

###### Get Prereq Commands

```bash
echo "kubectl must be installed manually"
```