Detectionmediumtest

Scheduled Cron Task/Job - MacOs

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Alejandro Ortuno, oscd.communityCreated Tue Oct 06Updated Sun Nov 277c3b43d8-d794-47d2-800a-d277715aa460macos

Log Source

macOSProcess Creation

ProductmacOS← raw: macos

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '/crontab'
        CommandLine|contains: '/tmp/'
    condition: selection

False Positives

Legitimate administration activities

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0002 · Execution TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1053.003 · Cron

Rule Metadata

Rule ID

7c3b43d8-d794-47d2-800a-d277715aa460

Status

test

Level

medium

Type

Detection

Created

Tue Oct 06

Modified

Sun Nov 27

Author

Alejandro Ortuno, oscd.community

Path

rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml

Raw Tags

attack.executionattack.persistenceattack.privilege-escalationattack.t1053.003

View on GitHub