2020-10-07 00:07:30 +03:00
|
|
|
title: Scheduled Task/Job At
|
2020-10-06 23:48:25 +03:00
|
|
|
id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
|
|
|
|
|
status: stable
|
2022-10-25 08:53:44 +02:00
|
|
|
description: |
|
|
|
|
|
Detects the use of at/atd which are utilities that are used to schedule tasks.
|
|
|
|
|
They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
|
|
|
|
|
references:
|
|
|
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
|
2020-10-07 22:22:31 +03:00
|
|
|
author: Ömer Günal, oscd.community
|
2024-08-12 12:02:50 +02:00
|
|
|
date: 2020-10-06
|
|
|
|
|
modified: 2022-07-07
|
2022-10-25 08:53:44 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.persistence
|
|
|
|
|
- attack.t1053.002
|
2020-10-06 23:48:25 +03:00
|
|
|
logsource:
|
|
|
|
|
product: linux
|
2020-10-16 22:49:40 +03:00
|
|
|
category: process_creation
|
2020-10-06 23:48:25 +03:00
|
|
|
detection:
|
2020-10-07 22:23:48 +03:00
|
|
|
selection:
|
2021-10-15 15:46:59 -04:00
|
|
|
Image|endswith:
|
2022-09-16 09:22:57 +02:00
|
|
|
- '/at'
|
|
|
|
|
- '/atd'
|
2020-10-07 22:23:48 +03:00
|
|
|
condition: selection
|
2020-10-06 23:48:25 +03:00
|
|
|
falsepositives:
|
|
|
|
|
- Legitimate administration activities
|
|
|
|
|
level: low
|
