Scheduled Cron Task/Job - MacOs

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Sigma rule (View on GitHub)

 1title: Scheduled Cron Task/Job - MacOs
 2id: 7c3b43d8-d794-47d2-800a-d277715aa460
 3status: test
 4description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
 7author: Alejandro Ortuno, oscd.community
 8date: 2020-10-06
 9modified: 2022-11-27
10tags:
11    - attack.execution
12    - attack.persistence
13    - attack.privilege-escalation
14    - attack.t1053.003
15logsource:
16    category: process_creation
17    product: macos
18detection:
19    selection:
20        Image|endswith: '/crontab'
21        CommandLine|contains: '/tmp/'
22    condition: selection
23falsepositives:
24    - Legitimate administration activities
25level: medium

References

Related rules

to-top