Masquerading as Linux Crond Process
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Sigma rule (View on GitHub)
1title: Masquerading as Linux Crond Process
2id: 9d4548fa-bba0-4e88-bd66-5d5bf516cda0
3status: test
4description: |
5 Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
6 Several different variations of this technique have been observed.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
9author: Timur Zinniatullin, oscd.community
10date: 2019/10/21
11modified: 2023/08/22
12tags:
13 - attack.defense_evasion
14 - attack.t1036.003
15logsource:
16 product: linux
17 service: auditd
18detection:
19 selection:
20 type: 'execve'
21 a0: 'cp'
22 a1: '/bin/sh'
23 a2|endswith: '/crond'
24 condition: selection
25level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Potential WerFault ReflectDebugger Registry Value Abuse
- Potential Defense Evasion Via Binary Rename
- Ps.exe Renamed SysInternals Tool
- File Download Via Bitsadmin To A Suspicious Target Folder