The hypothesis is that an adversary is using the at or atd utility to schedule tasks for persistence or to execute payloads at specific times. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversary-controlled scheduled tasks that could be used for persistence or covert operations.
Detection Rule
title: Scheduled Task/Job At
id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
status: stable
description: |
    Detects the use of at/atd, which are utilities used to schedule tasks.
    They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
author: Ömer Günal, oscd.community
date: 2020-10-06
modified: 2022-07-07
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '/at'
            - '/atd'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
imProcessCreate
| where TargetProcessName endswith "/at" or TargetProcessName endswith "/atd"
Scenario: A system administrator schedules a routine system backup using the at command to run a script at a specific time.
Filter/Exclusion: Exclude tasks created by known administrative users (e.g., root, admin, system) or tasks that match known backup job names (e.g., backup_script.sh).
Scenario: A legitimate scheduled job is configured to run a maintenance script using atd to execute at a specific time during off-peak hours.
Filter/Exclusion: Exclude tasks that match known maintenance scripts or are scheduled during standard maintenance windows (e.g., maintenance_script.sh at 2:00 AM).
Scenario: A developer uses at to schedule a local test script for execution on a development server.
Filter/Exclusion: Exclude tasks associated with development environments or users with developer roles (e.g., dev_user or test_user).
Scenario: A system update job is scheduled using at to run a package installation script during a scheduled maintenance window.
Filter/Exclusion: Exclude tasks that match known update scripts or are associated with system update processes (e.g., update_script.sh or yum-cron).
Scenario: A user schedules a personal reminder or a non-critical task using at for personal productivity.
Filter/Exclusion: Exclude tasks created by non-admin users for non-critical or personal purposes (e.g., reminder.sh or tasks with non-standard execution times).
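The following is an added example (not part of the original rule or query) that applies the query's endswith test and the exclusions from the scenarios above to a constructed batch of process-creation events, reporting which exclusion suppressed each one so the tuning can be reviewed. The ActorUsername and TargetProcessCommandLine column names and the 01:00-05:00 maintenance window are assumptions.

```python
from datetime import datetime, time

# Tunable exclusions taken from the scenarios above (the 01:00-05:00 window
# is an assumption; the page only mentions jobs around 2:00 AM).
ADMIN_USERS = {"root", "admin", "system"}
KNOWN_SCRIPTS = {"backup_script.sh", "maintenance_script.sh",
                 "update_script.sh", "yum-cron"}
MAINTENANCE_WINDOW = (time(1, 0), time(5, 0))

# Constructed events shaped like the imProcessCreate columns the query uses
# (ActorUsername and TargetProcessCommandLine are assumed ASIM field names).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T02:00:00", "ActorUsername": "root",
     "TargetProcessName": "/usr/bin/at", "TargetProcessCommandLine": "at -f /opt/backup_script.sh 02:00"},
    {"TimeGenerated": "2024-05-01T16:00:00", "ActorUsername": "deploy",
     "TargetProcessName": "/usr/bin/at", "TargetProcessCommandLine": "at -f update_script.sh 18:00"},
    {"TimeGenerated": "2024-05-01T03:10:00", "ActorUsername": "backup",
     "TargetProcessName": "/usr/sbin/atd", "TargetProcessCommandLine": "/usr/sbin/atd"},
    {"TimeGenerated": "2024-05-01T14:37:12", "ActorUsername": "www-data",
     "TargetProcessName": "/usr/bin/at", "TargetProcessCommandLine": "at now + 1 minute"},
    {"TimeGenerated": "2024-05-01T09:15:00", "ActorUsername": "alice",
     "TargetProcessName": "/usr/bin/cat", "TargetProcessCommandLine": "cat /etc/at.allow"},
]

def is_at_or_atd(process_name: str) -> bool:
    """Same test as the Sigma/KQL rule; the leading slash keeps /usr/bin/cat out."""
    return process_name.endswith("/at") or process_name.endswith("/atd")

def classify(ev, admin_users=ADMIN_USERS, known_scripts=KNOWN_SCRIPTS,
             window=MAINTENANCE_WINDOW):
    """None if not at/atd, 'alert' if no exclusion applies, otherwise the name
    of the first exclusion that suppressed the event (useful when tuning)."""
    if not is_at_or_atd(ev["TargetProcessName"]):
        return None
    if ev["ActorUsername"] in admin_users:
        return "admin user"
    if any(s in ev["TargetProcessCommandLine"] for s in known_scripts):
        return "known script"
    t = datetime.fromisoformat(ev["TimeGenerated"]).time()
    if window[0] <= t < window[1]:
        return "maintenance window"
    return "alert"

def hunt_at_usage(events, **exclusions):
    """Events that would still reach an analyst after the exclusions are applied."""
    return [ev for ev in events if classify(ev, **exclusions) == "alert"]
```

Passing an empty set for admin_users or known_scripts shows how many events each exclusion is hiding, which is the check to run before trusting a broad filter such as "all root activity".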