Scheduled Cron Task/Job - MacOs
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Sigma rule (View on GitHub)
1title: Scheduled Cron Task/Job - MacOs
2id: 7c3b43d8-d794-47d2-800a-d277715aa460
3status: test
4description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
7author: Alejandro Ortuno, oscd.community
8date: 2020/10/06
9modified: 2022/11/27
10tags:
11 - attack.execution
12 - attack.persistence
13 - attack.privilege_escalation
14 - attack.t1053.003
15logsource:
16 category: process_creation
17 product: macos
18detection:
19 selection:
20 Image|endswith: '/crontab'
21 CommandLine|contains: '/tmp/'
22 condition: selection
23falsepositives:
24 - Legitimate administration activities
25level: medium
References
Related rules
- Scheduled Cron Task/Job - Linux
- Command Shell Unusual or Suspicious Process Ancestry
- Windows Scheduled Task Behaving Improperly or Suspiciously
- Windows Scheduled Task Create Shell
- Windows Scheduled Task Making Suspicious Network Connection