sigmamediumHunting

Scheduled Cron Task/Job - MacOs

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

MITRE ATT&CK

T1053.003

executionpersistenceprivilege-escalation

Detection Query

selection:
  Image|endswith: /crontab
  CommandLine|contains: /tmp/
condition: selection

Author

Alejandro Ortuno, oscd.community

Created

2020-10-06

Data Sources

macosProcess Creation Events

Platforms

macos

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md

Tags

attack.executionattack.persistenceattack.privilege-escalationattack.t1053.003

Raw Content

title: Scheduled Cron Task/Job - MacOs
id: 7c3b43d8-d794-47d2-800a-d277715aa460
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2022-11-27
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.003
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/crontab'
        CommandLine|contains: '/tmp/'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium