rules/linux/macos_schedule_task_job_cron.yml

title: Scheduled Cron Task/Job
id: 7c3b43d8-d794-47d2-800a-d277715aa460
status: experimental
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
author: Alejandro Ortuno, oscd.community
date: 2020/10/06
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|endswith:
      - '/crontab'
    CommandLine|contains:
      - '/tmp/'
  condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1053.003
Use process_creation for the detection 2020-10-13 10:41:50 +02:00			`title: Scheduled Cron Task/Job`
			`id: 7c3b43d8-d794-47d2-800a-d277715aa460`
			`status: experimental`
			`description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.`
			`author: Alejandro Ortuno, oscd.community`
			`date: 2020/10/06`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md`
			`logsource:`
			`category: process_creation`
			`product: macos`
			`detection:`
			`selection:`
Renamed ProcessName field to Image for the process_creation category. 2021-02-25 01:57:26 +03:00			`Image\|endswith:`
Add slash to bypass testing 2020-10-14 08:50:15 +02:00			`- '/crontab'`
Use process_creation for the detection 2020-10-13 10:41:50 +02:00			`CommandLine\|contains:`
			`- '/tmp/'`
			`condition: selection`
			`falsepositives:`
			`- Legitimate administration activities`
			`level: medium`
			`tags:`
			`- attack.execution`
			`- attack.persistence`
			`- attack.privilege_escalation`
			`- attack.t1053.003`