At
The 'at' command is a Unix-based scheduling utility that runs a command or script at a specified time. Adversaries use it to maintain persistence: as part of the "Deepening Control" phase, they schedule execution of malicious code so that their presence persists even after system reboots or user logouts.

Unlike more modern alternatives such as cron, 'at' is designed for one-time task execution rather than recurring jobs, which makes it potentially less noticeable in system monitoring. An adversary typically specifies a future execution time along with a command or script, and the system stores the job in the /var/spool/at/ directory until that time arrives.

The technique is particularly effective because 'at' jobs run with the privileges of the user who created them, so an attacker who has compromised a privileged account can schedule tasks with elevated permissions. Security teams should monitor for unexpected or unauthorized 'at' job creation, especially jobs created outside normal business hours or by accounts that do not typically use scheduling functions.
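The monitoring described above can start from the spool directory itself. The following Python script is an added example, not part of the original page: it assumes the job-file naming used by the common Linux at implementation (queue letter, 5 hex digits of job number, 8 hex digits of run time in minutes since the epoch), and `EXPECTED_USERS` and `BUSINESS_HOURS` are hypothetical site settings.

```python
# Added example: defensive audit of pending at jobs in a spool directory.
import os
import pwd
from datetime import datetime, timezone

SPOOL_DIR = "/var/spool/at"      # path named on this page; differs on some distributions
EXPECTED_USERS = {"backup"}      # assumption: accounts known to use at legitimately
BUSINESS_HOURS = range(8, 18)    # assumption: 08:00-17:59 UTC counts as normal hours

def parse_job_name(name):
    """Decode a job file name into (queue, job number, scheduled run time).
    Assumed layout: 1 queue letter + 5 hex digits + 8 hex digits (minutes since epoch)."""
    if len(name) != 14 or not name[0].isalpha():
        return None
    try:
        job_id, minutes = int(name[1:6], 16), int(name[6:], 16)
        run_at = datetime.fromtimestamp(minutes * 60, tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None
    return name[0], job_id, run_at

def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)          # a uid with no passwd entry is itself worth a look

def audit_spool(spool_dir=SPOOL_DIR, expected_users=EXPECTED_USERS, hours=BUSINESS_HOURS):
    """Return one finding per pending job, with the reasons it deserves review."""
    findings = []
    for entry in os.scandir(spool_dir):
        parsed = parse_job_name(entry.name)
        if parsed is None or not entry.is_file(follow_symlinks=False):
            continue             # skip sequence files, subdirectories, other non-job entries
        st = entry.stat(follow_symlinks=False)
        owner = owner_name(st.st_uid)   # jobs run with this user's privileges
        created = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
        reasons = []
        if owner not in expected_users:
            reasons.append("owner not in expected scheduler users")
        if created.hour not in hours:
            reasons.append("created outside business hours")
        findings.append({"job": parsed[1], "queue": parsed[0], "owner": owner,
                         "created": created, "runs_at": parsed[2], "reasons": reasons})
    return sorted(findings, key=lambda f: f["job"])

if __name__ == "__main__":
    for f in audit_spool():
        print(f["job"], f["owner"], f["created"], f["runs_at"], "; ".join(f["reasons"]) or "ok")
```

Reading the spool directory normally requires root. The file's modification time stands in for the job's creation time, so pair this with file-creation auditing on the directory where exact timing matters.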