Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
Sigma rule (View on GitHub)
1title: Scheduled Task/Job At
2id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
3status: stable
4description: |
5 Detects the use of at/atd which are utilities that are used to schedule tasks.
6 They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
9author: Ömer Günal, oscd.community
10date: 2020-10-06
11modified: 2022-07-07
12tags:
13 - attack.privilege-escalation
14 - attack.execution
15 - attack.persistence
16 - attack.t1053.002
17logsource:
18 product: linux
19 category: process_creation
20detection:
21 selection:
22 Image|endswith:
23 - '/at'
24 - '/atd'
25 condition: selection
26falsepositives:
27 - Legitimate administration activities
28level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Interactive AT Job
- MITRE BZAR Indicators for Execution
- Remote Schedule Task Lateral Movement via ATSvc
- Remote Schedule Task Lateral Movement via ITaskSchedulerService
- Remote Schedule Task Lateral Movement via SASec