Scheduled Task/Job At

Sigma Rules

Summary
This detection rule identifies execution of the at or atd binaries on Linux, which are used to schedule one-off jobs. Administrators use these utilities legitimately to schedule jobs or automate tasks, but threat actors also use them to maintain persistence on compromised systems or to schedule malicious scripts for later execution. The rule matches process creation events whose process image path ends with '/at' or '/atd'. Since these commands are also invoked during routine administration, legitimate administrative activity is the expected source of false positives; analysts should correlate each alert with its surrounding context (the invoking user, the parent process, and the job that was scheduled) to determine whether the execution is malicious or a routine administrative task. Because the detection is based on process creation events, it is a useful component of endpoint monitoring for unauthorized task scheduling.
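The following is an added example, not code from the Sigma project or from this rule's author. It transcribes the rule's selection (process image path ending in '/at' or '/atd') into Python, runs it over a handful of constructed process-creation events, and attaches the kind of triage context the summary recommends. Field names (Image, CommandLine, User, ParentImage), the sample events and the triage heuristics are all assumptions made for the example.

```python
"""Evaluate the 'Scheduled Task/Job At' selection over constructed events.

Added example for this page, not the Sigma project's own code. Field names
follow the generic process_creation logsource shape (Image, CommandLine, User,
ParentImage); every event below is constructed, not a real log.
"""

# The rule's selection: a process image path ending in '/at' or '/atd'.
# The leading slash anchors the match on the basename, so paths such as
# '/usr/bin/cat' or '/usr/bin/format' do not match.
AT_IMAGE_SUFFIXES = ("/at", "/atd")

# Heuristic list of parents an analyst would expect for at/atd (assumption).
EXPECTED_PARENT_SUFFIXES = ("/bash", "/sh", "/zsh", "/systemd", "/init")

# Directories where attacker-staged job scripts commonly live (assumption).
WORLD_WRITABLE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")


def matches_at_rule(event: dict) -> bool:
    """Sigma 'endswith' on Image; Linux paths are case-sensitive, so no folding."""
    image = event.get("Image", "")
    return any(image.endswith(suffix) for suffix in AT_IMAGE_SUFFIXES)


def triage_context(event: dict) -> list[str]:
    """Context notes for the analyst; these are triage heuristics, not rule logic."""
    notes = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmdline = event.get("CommandLine", "")
    user = event.get("User", "")
    if image.endswith("/atd"):
        notes.append("atd daemon start: check whether it came from a service manager")
    if parent and not parent.endswith(EXPECTED_PARENT_SUFFIXES):
        notes.append(f"unusual parent process: {parent}")
    if any(prefix in cmdline for prefix in WORLD_WRITABLE_PREFIXES):
        notes.append("job references a world-writable directory")
    if user == "root":
        notes.append("scheduled as root")
    return notes


def run_detection(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event_index, triage_notes) for each event the selection fires on."""
    return [(i, triage_context(e)) for i, e in enumerate(events) if matches_at_rule(e)]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/at", "CommandLine": "at now + 1 minute -f /tmp/.x.sh",
     "User": "www-data", "ParentImage": "/usr/sbin/apache2"},
    {"Image": "/usr/sbin/atd", "CommandLine": "/usr/sbin/atd -f",
     "User": "daemon", "ParentImage": "/usr/lib/systemd/systemd"},
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/hostname",
     "User": "alice", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/at", "CommandLine": "at 02:00 -f /opt/backup/rotate.sh",
     "User": "root", "ParentImage": "/bin/bash"},
    {"Image": "/usr/bin/batch", "CommandLine": "batch -f /tmp/.y.sh",
     "User": "nobody", "ParentImage": "/bin/sh"},
]

if __name__ == "__main__":
    for idx, notes in run_detection(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[idx]
        print(f"ALERT image={e['Image']} user={e['User']} parent={e['ParentImage']}")
        for note in notes:
            print("   -", note)
```

Two properties of the pattern are worth keeping in mind when tuning it. First, because the suffix starts with a slash, an event whose Image field carries only a bare name ("at" with no path) will not match; normalise Image to a full path before evaluating the rule. Second, the selection covers only the at and atd binaries, so batch (shipped in the same package and able to queue jobs in the same way) and the atq/atrm helpers are outside its scope, as the last sample event shows.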
Categories
  • Linux
  • Endpoint
  • Infrastructure
Data Sources
  • Process
ATT&CK Techniques
  • T1053.002
Created: 2020-10-06