You never mentioned the version of Windows you were analyzing, and that may have an effect on what you find, and what may be possible...
If you assume that these AT jobs were the result of someone using at.exe within your infrastructure and reaching to the system remotely, you should probably examine the Event Logs, looking for network-type logins. On Windows XP/2003, the event ID is 540, type 3. For Vista+, add 4096.
If the system you're analyzing is Vista or above, your chances of finding something of value are a bit better, simply because of the more verbose logging on those systems.
HTH
↧