T1053.002

At

Execution Persistence Privilege Escalation

Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of schtasks in Windows environments, at can be used to execute programs at system startup or on a scheduled basis for persistence, remote execution as part of lateral movement, and privilege escalation on Linux if allowed to run as superuser via sudo. Adversaries may also leverage the WMI Win32_ScheduledJob class to schedule tasks programmatically.

Microsoft Sentinel / Defender

kusto

// Detect suspicious use of the 'at' scheduler utility on Windows and WMI-based job scheduling
let AtSuspiciousArgs = dynamic([
  "cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32",
  "certutil", "bitsadmin", "net use", "net user", "whoami", "mimikatz",
  ".exe", ".bat", ".vbs", ".ps1", ".hta"
]);
union
(
  // Windows: at.exe process creation via DeviceProcessEvents
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName =~ "at.exe"
  | where ProcessCommandLine has_any (AtSuspiciousArgs)
     or ProcessCommandLine matches regex @"\d{1,2}:\d{2}\s+(AM|PM|/every|/next)"
     or ProcessCommandLine has "/interactive"
  | extend Source = "at.exe direct execution"
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
            InitiatingProcessFileName, InitiatingProcessCommandLine,
            InitiatingProcessAccountName, FolderPath, Source
),
(
  // Windows: at.exe spawned by unusual parents (lateral movement pattern)
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName =~ "at.exe"
  | where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                                          "mshta.exe", "python.exe", "python3.exe", "perl.exe")
  | extend Source = "at.exe spawned by scripting engine"
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
            InitiatingProcessFileName, InitiatingProcessCommandLine,
            InitiatingProcessAccountName, FolderPath, Source
),
(
  // WMI Win32_ScheduledJob creation detected via DeviceProcessEvents (wmic or powershell invoking Win32_ScheduledJob)
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where (FileName =~ "wmic.exe" and ProcessCommandLine has "ScheduledJob")
     or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Win32_ScheduledJob")
  | extend Source = "WMI Win32_ScheduledJob"
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
            InitiatingProcessFileName, InitiatingProcessCommandLine,
            InitiatingProcessAccountName, FolderPath, Source
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legacy enterprise applications that still use at.exe for scheduled maintenance tasks (e.g., older backup software or batch job schedulers)
IT administrators manually scheduling jobs via at.exe on older Windows Server systems that have not migrated to schtasks
Security testing tools or vulnerability scanners that enumerate or test scheduled task functionality
Automated build or CI/CD pipelines that invoke at.exe for timed job coordination on legacy systems

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (EventCode=1 (Image="*\\at.exe" OR Image="*\\at"))
  OR (EventCode=4688 (NewProcessName="*\\at.exe" OR NewProcessName="*\\at"))
  OR (EventCode=1 (Image="*\\wmic.exe" CommandLine="*ScheduledJob*"))
  OR (EventCode=1 (Image="*\\powershell.exe" OR Image="*\\pwsh.exe") CommandLine="*Win32_ScheduledJob*")
  OR (EventCode=4688 (NewProcessName="*\\wmic.exe" CommandLine="*ScheduledJob*"))
)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval Image=coalesce(Image, NewProcessName)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval User=coalesce(User, SubjectUserName)
| eval host=coalesce(host, ComputerName)
| eval IsSuspiciousPayload=if(
    match(lower(CommandLine), "(cmd\.exe|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|\.bat|\.vbs|\.ps1|\.hta)"),
    1, 0)
| eval IsInteractive=if(match(lower(CommandLine), "/interactive"), 1, 0)
| eval IsSuspiciousParent=if(
    match(lower(ParentImage), "(powershell|wscript|cscript|mshta|python|perl|ruby)"),
    1, 0)
| eval IsWMIScheduledJob=if(match(lower(CommandLine), "(win32_scheduledjob|scheduledjob)"), 1, 0)
| eval SuspicionScore=IsSuspiciousPayload + IsInteractive + IsSuspiciousParent + IsWMIScheduledJob
| where SuspicionScore > 0 OR Image LIKE "%\\at.exe"
| table _time, host, User, Image, CommandLine, ParentImage,
        IsSuspiciousPayload, IsInteractive, IsSuspiciousParent, IsWMIScheduledJob, SuspicionScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legacy enterprise applications that still use at.exe for scheduled maintenance tasks (e.g., older backup software or batch job schedulers)
IT administrators manually scheduling jobs via at.exe on older Windows Server systems that have not migrated to schtasks
Security testing tools or vulnerability scanners that enumerate or test scheduled task functionality
Automated build or CI/CD pipelines that invoke at.exe for timed job coordination on legacy systems

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "ProcessPath",
  "CommandLine",
  "ParentProcessPath",
  CASE
    WHEN LOWER("CommandLine") MATCHES '(cmd\.exe|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|\.bat|\.vbs|\.ps1|\.hta|mimikatz|whoami)' THEN 1
    ELSE 0
  END AS is_suspicious_payload,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(/interactive)' THEN 1
    ELSE 0
  END AS is_interactive,
  CASE
    WHEN LOWER("ParentProcessPath") MATCHES '(powershell|wscript|cscript|mshta|python|perl|ruby)' THEN 1
    ELSE 0
  END AS is_suspicious_parent,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(win32_scheduledjob|scheduledjob)' THEN 1
    ELSE 0
  END AS is_wmi_scheduled_job
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 45)
  AND (
    (eventid = 4688 AND (LOWER("NewProcessName") LIKE '%\\at.exe' OR LOWER("NewProcessName") LIKE '%\\at'))
    OR (eventid = 1 AND (LOWER("Image") LIKE '%\\at.exe' OR LOWER("Image") LIKE '%\\at'))
    OR (eventid = 4688 AND LOWER("NewProcessName") LIKE '%\\wmic.exe' AND LOWER("CommandLine") LIKE '%scheduledjob%')
    OR (eventid = 1 AND LOWER("Image") LIKE '%\\wmic.exe' AND LOWER("CommandLine") LIKE '%scheduledjob%')
    OR (eventid IN (1, 4688) AND (LOWER("Image") LIKE '%\\powershell.exe' OR LOWER("Image") LIKE '%\\pwsh.exe' OR LOWER("NewProcessName") LIKE '%\\powershell.exe') AND LOWER("CommandLine") LIKE '%win32_scheduledjob%')
  )
  AND (
    LOWER("CommandLine") MATCHES '(cmd\.exe|powershell|wscript|cscript|mshta|rundll32|\.bat|\.vbs|\.ps1|\.hta|mimikatz|whoami|certutil|bitsadmin|net use|net user|/interactive)'
    OR LOWER("ParentProcessPath") MATCHES '(powershell|wscript|cscript|mshta|python|perl)'
    OR LOWER("CommandLine") MATCHES '(win32_scheduledjob|scheduledjob)'
    OR LOWER("Image") LIKE '%\\at.exe'
    OR LOWER("NewProcessName") LIKE '%\\at.exe'
  )
ORDER BY devicetime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Windows Security Event Log (EventID 4688) Microsoft Windows Sysmon (EventID 1) QRadar DSM for Microsoft Windows

Required Tables

events

False Positives

Scheduled backup or maintenance scripts running under service accounts that invoke at.exe or wmic for task scheduling on legacy Windows systems
Enterprise monitoring agents that use WMI Win32_ScheduledJob queries for auditing existing scheduled tasks rather than creating new ones
Software deployment tools (SCCM, PDQ Deploy) that leverage wmic.exe with ScheduledJob parameters for software push tasks

Sumo Logic CSE

sql

_sourceCategory="windows/*" OR _sourceCategory="sysmon/*"
| where (%"EventID" = "4688" OR %"EventID" = "1")
| parse field=%"CommandLine" "*" as CommandLine nodrop
| parse field=%"NewProcessName" "*" as ProcessImage nodrop
| parse field=%"Image" "*" as SysmonImage nodrop
| parse field=%"ParentImage" "*" as ParentImage nodrop
| parse field=%"ParentProcessName" "*" as ParentProcessName nodrop
| parse field=%"SubjectUserName" "*" as SecurityUser nodrop
| parse field=%"User" "*" as SysmonUser nodrop
| eval ProcessPath = if(!isNull(SysmonImage), SysmonImage, ProcessImage)
| eval UserName = if(!isNull(SysmonUser), SysmonUser, SecurityUser)
| eval ParentProc = if(!isNull(ParentImage), ParentImage, ParentProcessName)
| where matches(ProcessPath, "(?i).*\\at\.exe") OR
  (matches(ProcessPath, "(?i).*\\wmic\.exe") AND matches(CommandLine, "(?i).*ScheduledJob.*")) OR
  (matches(ProcessPath, "(?i).*\\(powershell|pwsh)\.exe") AND matches(CommandLine, "(?i).*Win32_ScheduledJob.*"))
| eval IsSuspiciousPayload = if(matches(toLowerCase(CommandLine), ".*(cmd\\.exe|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|\\.bat|\\.vbs|\\.ps1|\\.hta|mimikatz|whoami|net user|net use).*"), 1, 0)
| eval IsInteractive = if(matches(toLowerCase(CommandLine), ".*/interactive.*"), 1, 0)
| eval IsSuspiciousParent = if(matches(toLowerCase(ParentProc), ".*(powershell|wscript|cscript|mshta|python|perl|ruby).*"), 1, 0)
| eval IsWMIScheduledJob = if(matches(toLowerCase(CommandLine), ".*(win32_scheduledjob|scheduledjob).*"), 1, 0)
| eval SuspicionScore = IsSuspiciousPayload + IsInteractive + IsSuspiciousParent + IsWMIScheduledJob
| where SuspicionScore > 0 OR matches(ProcessPath, "(?i).*\\at\.exe")
| fields _messageTime, %"Computer", UserName, ProcessPath, CommandLine, ParentProc, IsSuspiciousPayload, IsInteractive, IsSuspiciousParent, IsWMIScheduledJob, SuspicionScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Logs (EventID 4688) Windows Sysmon Operational Logs (EventID 1) Sumo Logic Windows collector or Cloud Syslog

Required Tables

windows/security sysmon/operational

False Positives

Legacy Windows applications (e.g., older ERP systems) that still rely on at.exe for scheduling batch jobs on systems where schtasks is not supported
IT automation frameworks calling wmic.exe with ScheduledJob parameters to enumerate existing scheduled tasks during compliance scans
PowerShell-based configuration management scripts that query Win32_ScheduledJob WMI class for auditing purposes without creating new tasks

Google Chronicle / SecOps

yaral

rule t1053_002_at_scheduler_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects abuse of at.exe and WMI Win32_ScheduledJob for scheduled task persistence and lateral movement (T1053.002)"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence, Privilege Escalation, Lateral Movement"
    mitre_attack_technique = "T1053.002"
    reference = "https://attack.mitre.org/techniques/T1053/002/"
    created = "2026-04-16"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $process_path
    $e.principal.user.userid = $user

    (
      // at.exe direct execution with suspicious arguments
      (
        re.regex($process_path, `(?i).*\\at\.exe$`)
        and (
          re.regex($cmdline, `(?i)(cmd\.exe|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|\.bat|\.vbs|\.ps1|\.hta|mimikatz|whoami|net\s+user|net\s+use)`)
          or re.regex($cmdline, `(?i)/interactive`)
          or re.regex($cmdline, `\d{1,2}:\d{2}\s+(AM|PM|/every|/next)`)
        )
      )
      or
      // at.exe spawned by scripting engine
      (
        re.regex($process_path, `(?i).*\\at\.exe$`)
        and re.regex($e.src.process.file.full_path, `(?i)(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python\.exe|python3\.exe|perl\.exe)`)
      )
      or
      // WMI Win32_ScheduledJob via wmic.exe
      (
        re.regex($process_path, `(?i).*\\wmic\.exe$`)
        and re.regex($cmdline, `(?i)ScheduledJob`)
      )
      or
      // WMI Win32_ScheduledJob via PowerShell
      (
        re.regex($process_path, `(?i).*\\(powershell|pwsh)\.exe$`)
        and re.regex($cmdline, `(?i)Win32_ScheduledJob`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Endpoint telemetry ingested via Chronicle forwarder Sysmon logs normalized to UDM via Chronicle parsers

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Legacy enterprise scheduling systems or ERP batch processors that invoke at.exe as part of end-of-day processing routines on older Windows Server environments
Endpoint management tools using PowerShell to query Win32_ScheduledJob for policy enforcement or scheduled task enumeration without creation intent
Penetration testing or red team exercises using at.exe or WMI scheduled jobs in authorized testing windows

CrowdStrike LogScale (CQL)

cql

// T1053.002 - at.exe and WMI Win32_ScheduledJob abuse detection
// Detect at.exe direct execution with suspicious payload arguments
#event_simpleName = "ProcessRollup2"
| ImageFileName = /.*\\at\.exe$/i
| CommandLine = /(cmd\.exe|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|\.bat|\.vbs|\.ps1|\.hta|mimikatz|whoami|net\s+user|net\s+use|\/interactive)/i
  OR CommandLine = /\d{1,2}:\d{2}\s+(AM|PM|\/every|\/next)/i
| eval Detection = "at.exe with suspicious payload"
| table [ @timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, Detection ]

union

// Detect at.exe spawned by scripting engines
#event_simpleName = "ProcessRollup2"
| ImageFileName = /.*\\at\.exe$/i
| ParentBaseFileName = /(powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python\.exe|python3\.exe|perl\.exe)/i
| eval Detection = "at.exe spawned by scripting engine"
| table [ @timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, Detection ]

union

// Detect wmic.exe with ScheduledJob argument
#event_simpleName = "ProcessRollup2"
| ImageFileName = /.*\\wmic\.exe$/i
| CommandLine = /ScheduledJob/i
| eval Detection = "wmic Win32_ScheduledJob"
| table [ @timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, Detection ]

union

// Detect PowerShell Win32_ScheduledJob usage
#event_simpleName = "ProcessRollup2"
| ImageFileName = /(powershell\.exe|pwsh\.exe)$/i
| CommandLine = /Win32_ScheduledJob/i
| eval Detection = "PowerShell Win32_ScheduledJob"
| table [ @timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, Detection ]

| sort @timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) Falcon ProcessRollup2 telemetry events CrowdStrike Humio/LogScale SIEM

Required Tables

ProcessRollup2

False Positives

Falcon sensor telemetry from legacy systems where at.exe is legitimately used by automated batch processing scripts predating schtasks adoption
Security operations tooling or threat hunting scripts that invoke wmic.exe with ScheduledJob parameters to enumerate scheduled tasks across managed endpoints
Software deployment systems or IT automation tools using PowerShell Win32_ScheduledJob queries to audit or validate scheduled task configurations

Last updated: 2026-04-16 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1053.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.003Cron T1053.005Scheduled Task T1053.006Systemd Timers T1053.007Container Orchestration Job

At

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections