SigmaHQ/rules/linux/at_command.yml

title: Scheduled Task/Job At
id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
status: stable
description: Detects the use of at/atd
author: Ömer Günal, oscd.community
date: 2020/10/06
references:
    - https://attack.mitre.org/techniques/T1053/001/
logsource:
    product: linux
detection:
    keywords:
        - keys|contains:
          - ' at '
        - keys2|contains:
          - ' atd '
        - enumeration|contains:
          - 'which atd'
          - 'which at'
          - 'systemctl status atd'
          - 'service atd status '
    condition: keywords
falsepositives:
    - Legitimate administration activities
level: low
tags:
    - attack.persistence
    - attack.t1053.001