T1053.002 IBM QRadar · QRadar

Detect At in IBM QRadar

Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of schtasks in Windows environments, at can be used to execute programs at system startup or on a scheduled basis for persistence, remote execution as part of lateral movement, and privilege escalation on Linux if allowed to run as superuser via sudo. Adversaries may also leverage the WMI Win32_ScheduledJob class to schedule tasks programmatically.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Sub-technique
T1053.002 At
Canonical reference
https://attack.mitre.org/techniques/T1053/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "ProcessPath",
  "CommandLine",
  "ParentProcessPath",
  CASE
    WHEN LOWER("CommandLine") MATCHES '(cmd\.exe|powershell|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|\.bat|\.vbs|\.ps1|\.hta|mimikatz|whoami)' THEN 1
    ELSE 0
  END AS is_suspicious_payload,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(/interactive)' THEN 1
    ELSE 0
  END AS is_interactive,
  CASE
    WHEN LOWER("ParentProcessPath") MATCHES '(powershell|wscript|cscript|mshta|python|perl|ruby)' THEN 1
    ELSE 0
  END AS is_suspicious_parent,
  CASE
    WHEN LOWER("CommandLine") MATCHES '(win32_scheduledjob|scheduledjob)' THEN 1
    ELSE 0
  END AS is_wmi_scheduled_job
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 45)
  AND (
    (eventid = 4688 AND (LOWER("NewProcessName") LIKE '%\\at.exe' OR LOWER("NewProcessName") LIKE '%\\at'))
    OR (eventid = 1 AND (LOWER("Image") LIKE '%\\at.exe' OR LOWER("Image") LIKE '%\\at'))
    OR (eventid = 4688 AND LOWER("NewProcessName") LIKE '%\\wmic.exe' AND LOWER("CommandLine") LIKE '%scheduledjob%')
    OR (eventid = 1 AND LOWER("Image") LIKE '%\\wmic.exe' AND LOWER("CommandLine") LIKE '%scheduledjob%')
    OR (eventid IN (1, 4688) AND (LOWER("Image") LIKE '%\\powershell.exe' OR LOWER("Image") LIKE '%\\pwsh.exe' OR LOWER("NewProcessName") LIKE '%\\powershell.exe') AND LOWER("CommandLine") LIKE '%win32_scheduledjob%')
  )
  AND (
    LOWER("CommandLine") MATCHES '(cmd\.exe|powershell|wscript|cscript|mshta|rundll32|\.bat|\.vbs|\.ps1|\.hta|mimikatz|whoami|certutil|bitsadmin|net use|net user|/interactive)'
    OR LOWER("ParentProcessPath") MATCHES '(powershell|wscript|cscript|mshta|python|perl)'
    OR LOWER("CommandLine") MATCHES '(win32_scheduledjob|scheduledjob)'
    OR LOWER("Image") LIKE '%\\at.exe'
    OR LOWER("NewProcessName") LIKE '%\\at.exe'
  )
ORDER BY devicetime DESC
LAST 24 HOURS
high severity high confidence

QRadar AQL query detecting abuse of at.exe and WMI Win32_ScheduledJob for scheduled task creation. Correlates Windows Security Event 4688 and Sysmon Event 1 process creation logs, scoring suspicion based on payload type, parent process, and WMI scheduling activity.

Data Sources

Windows Security Event Log (EventID 4688)Microsoft Windows Sysmon (EventID 1)QRadar DSM for Microsoft Windows

Required Tables

events

False Positives & Tuning

  • Scheduled backup or maintenance scripts running under service accounts that invoke at.exe or wmic for task scheduling on legacy Windows systems
  • Enterprise monitoring agents that use WMI Win32_ScheduledJob queries for auditing existing scheduled tasks rather than creating new ones
  • Software deployment tools (SCCM, PDQ Deploy) that leverage wmic.exe with ScheduledJob parameters for software push tasks
Download portable Sigma rule (.yml)

Other platforms for T1053.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Schedule Command Execution via at.exe (Windows)

    Expected signal: Sysmon Event ID 1: Process Create with Image=at.exe, CommandLine containing a time value and 'cmd.exe /c whoami'. Security Event ID 4688 (if command line auditing enabled). Security Event ID 4698 (Scheduled Task Created) capturing the job. When the job fires, Security Event ID 4624 for the SYSTEM logon context and another Sysmon Event ID 1 for cmd.exe spawned by the Task Scheduler service (parent: svchost.exe).

  2. Test 2Schedule PowerShell Execution via at.exe (Windows)

    Expected signal: Sysmon Event ID 1 for at.exe with CommandLine containing 'powershell.exe'. Security Event ID 4698 for scheduled task creation. When fired: Sysmon Event ID 1 for powershell.exe spawned by svchost.exe (Task Scheduler context), Sysmon Event ID 11 for file creation in TEMP.

  3. Test 3WMI Win32_ScheduledJob Creation via PowerShell (Windows)

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Win32_ScheduledJob' and 'Create'. Microsoft-Windows-WMI-Activity/Operational Event ID 5861. Security Event ID 4698 (Scheduled Task Created) may fire depending on Windows version. When job executes: cmd.exe spawned by svchost.exe (Task Scheduler), Sysmon Event ID 11 for file creation in C:\Windows\Temp.

  4. Test 4Linux at Command for Deferred Execution

    Expected signal: Syslog/auditd: execve syscall for 'at' binary with arguments 'now + 1 minute'. atd daemon log entries in /var/log/syslog or /var/log/cron. When the job fires: execve for 'sh' or 'bash' spawned by atd, then execve for 'id'. Auditd records with key 'at_usage' if rule is configured: -a always,exit -F path=/usr/bin/at -F perm=x -k at_usage.

  5. Test 5Linux at Privilege Escalation via sudo (GTFObins)

    Expected signal: Auditd: syscall execve for sudo with arguments 'at', preceded by sudo authentication event. Syslog: sudo log entry 'USER=root ; COMMAND=/usr/bin/at'. When job fires: sh or bash process spawned by atd running as root. Auditd EUID=0 for the spawned shell process.

Last updated: 2026-04-16 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1053.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.003CronT1053.005Scheduled TaskT1053.006Systemd TimersT1053.007Container Orchestration Job

Related Techniques

T1053Scheduled Task/JobT1053.005Scheduled TaskT1047Windows Management InstrumentationT1021.002SMB/Windows Admin SharesT1569.002Service ExecutionT1059.001PowerShellT1059.003Windows Command ShellT1078Valid AccountsT1560.001Archive via UtilityT1136Create Account

Same Tactic: Execution

Popular Detections