valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b7b0bd4275
SigmaHQ/rules/linux/macos_schedule_task_job_cron.yml

27 lines
823 B
YAML
Raw Normal View History

Use process_creation for the detection
2020-10-13 08:41:50 +00:00
title: Scheduled Cron Task/Job
id: 7c3b43d8-d794-47d2-800a-d277715aa460
status: experimental
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
author: Alejandro Ortuno, oscd.community
date: 2020/10/06
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
logsource:
category: process_creation
product: macos
detection:
selection:
Renamed ProcessName field to Image for the process_creation category.
2021-02-24 22:57:26 +00:00
Image|endswith:
Add slash to bypass testing
2020-10-14 06:50:15 +00:00
- '/crontab'
Use process_creation for the detection
2020-10-13 08:41:50 +00:00
CommandLine|contains:
- '/tmp/'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
tags:
- attack.execution
- attack.persistence
- attack.privilege_escalation
- attack.t1053.003
Reference in New Issue Copy Permalink