Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
Sigma rule (View on GitHub)
1title: Scheduled Task/Job At
2id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
3status: stable
4description: |
5 Detects the use of at/atd which are utilities that are used to schedule tasks.
6 They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
9author: Ömer Günal, oscd.community
10date: 2020-10-06
11modified: 2022-07-07
12tags:
13 - attack.persistence
14 - attack.t1053.002
15logsource:
16 product: linux
17 category: process_creation
18detection:
19 selection:
20 Image|endswith:
21 - '/at'
22 - '/atd'
23 condition: selection
24falsepositives:
25 - Legitimate administration activities
26level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Remote Task Creation via ATSVC Named Pipe
- Remote Task Creation via ATSVC Named Pipe - Zeek
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain