Detectionlowstable

Scheduled Task/Job At

Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Ömer Günal, oscd.communityCreated Tue Oct 06Updated Thu Jul 07d2d642d7-b393-43fe-bae4-e81ed5915c4blinux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith:
            - '/at'
            - '/atd'
    condition: selection

False Positives

Legitimate administration activities

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0002 · Execution TA0003 · Persistence

Sub-techniques

T1053.002 · At

Rule Metadata

Rule ID

d2d642d7-b393-43fe-bae4-e81ed5915c4b

Status

stable

Level

low

Type

Detection

Created

Tue Oct 06

Modified

Thu Jul 07

Author

Ömer Günal, oscd.community

Path

rules/linux/process_creation/proc_creation_lnx_at_command.yml

Raw Tags

attack.privilege-escalationattack.executionattack.persistenceattack.t1053.002

View on GitHub