Detectionmediumtest

Masquerading as Linux Crond Process

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Timur Zinniatullin, oscd.communityCreated Mon Oct 21Updated Tue Aug 229d4548fa-bba0-4e88-bd66-5d5bf516cda0linux

Log Source

Linuxauditd

ProductLinux← raw: linux

Serviceauditd← raw: auditd

Detection Logic

detection:
    selection:
        type: 'execve'
        a0: 'cp'
        a1: '/bin/sh'
        a2|endswith: '/crond'
    condition: selection

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1036.003 · Rename System Utilities

Rule Metadata

Rule ID

9d4548fa-bba0-4e88-bd66-5d5bf516cda0

Status

test

Level

medium

Type

Detection

Created

Mon Oct 21

Modified

Tue Aug 22

Author

Timur Zinniatullin, oscd.community

Path

rules/linux/auditd/execve/lnx_auditd_masquerading_crond.yml

Raw Tags

attack.defense-evasionattack.t1036.003

View on GitHub