title: At (T1053.002)
id: df00tech-t1053-002
status: experimental
description: "Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at utility exists as an executable within Windows, Linux, and macOS for scheduling tasks at a specified time and date. Although deprecated in favor of schtasks in Windows environments, at can be used to execute programs at system startup or on a scheduled basis for persistence, remote execution as part of lateral movement, and privilege escalation on Linux if allowed to run as superuser via sudo. Adversaries may also leverage the WMI Win32_ScheduledJob class to schedule tasks programmatically."
references:
  - https://attack.mitre.org/techniques/T1053/002/
  - https://df00tech.com/detections/T1053.002
author: df00tech
date: 2026/04/16
tags:
  - attack.t1053.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
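detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Assumed minimal selection: any launch of at.exe (Sigma process_creation field Image).
  # It does not cover the WMI Win32_ScheduledJob path mentioned in the description.
  selection:
    Image|endswith: '\at.exe'
  condition: selection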
falsepositives:
  - "Legacy enterprise applications that still use at.exe for scheduled maintenance tasks (e.g., older backup software or batch job schedulers)"
  - IT administrators manually scheduling jobs via at.exe on older Windows Server systems that have not migrated to schtasks
  - Security testing tools or vulnerability scanners that enumerate or test scheduled task functionality
  - Automated build or CI/CD pipelines that invoke at.exe for timed job coordination on legacy systems
level: high
