Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
Sigma rule (View on GitHub)
1title: Scheduled Task/Job At
2id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
3status: stable
4description: |
5 Detects the use of at/atd which are utilities that are used to schedule tasks.
6 They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
9author: Ömer Günal, oscd.community
10date: 2020/10/06
11modified: 2022/07/07
12tags:
13 - attack.persistence
14 - attack.t1053.002
15logsource:
16 product: linux
17 category: process_creation
18detection:
19 selection:
20 Image|endswith:
21 - '/at'
22 - '/atd'
23 condition: selection
24falsepositives:
25 - Legitimate administration activities
26level: low
References
Related rules
- Addition of SID History to Active Directory Object
- Password Change on Directory Service Restore Mode (DSRM) Account
- Suspicious Windows ANONYMOUS LOGON Local Account Created
- HybridConnectionManager Service Running
- Scheduled task executing powershell encoded payload from registry