2020-10-08 11:15:02 +00:00
title : Scheduled Cron Task/Job
id : 6b14bac8-3e3a-4324-8109-42f0546a347f
status : experimental
2020-10-13 08:41:50 +00:00
description : Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
2020-10-08 11:15:02 +00:00
author : Alejandro Ortuno, oscd.community
date : 2020 /10/06
references :
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
logsource :
2020-10-13 08:41:50 +00:00
category : process_creation
product : linux
2020-10-08 11:15:02 +00:00
detection :
2020-10-13 08:41:50 +00:00
selection :
ProcessName|endswith :
2020-10-17 20:22:20 +00:00
- '/crontab'
2020-10-13 08:41:50 +00:00
CommandLine|contains :
- '/tmp/'
condition : selection
2020-10-08 11:15:02 +00:00
falsepositives :
- Legitimate administration activities
2020-10-13 08:41:50 +00:00
level : medium
2020-10-08 11:15:02 +00:00
tags :
- attack.execution
- attack.persistence
- attack.privilege_escalation
2020-10-13 08:41:50 +00:00
- attack.t1053.003