Scheduled Cron Task/Job - MacOs
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Sigma rule (View on GitHub)
1title: Scheduled Cron Task/Job - MacOs
2id: 7c3b43d8-d794-47d2-800a-d277715aa460
3status: test
4description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
7author: Alejandro Ortuno, oscd.community
8date: 2020-10-06
9modified: 2022-11-27
10tags:
11 - attack.execution
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1053.003
15logsource:
16 category: process_creation
17 product: macos
18detection:
19 selection:
20 Image|endswith: '/crontab'
21 CommandLine|contains: '/tmp/'
22 condition: selection
23falsepositives:
24 - Legitimate administration activities
25level: medium
References
Related rules
- Azure Kubernetes CronJob
- Scheduled Cron Task/Job - Linux
- Google Cloud Kubernetes CronJob
- HackTool - CrackMapExec Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation