On Linux and Apple systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: Die.net Linux at Man Page) and launchd. (Citation: AppleDocs Scheduling Timed Jobs) Unlike Scheduled Task on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).===cron===
System-wide cron jobs are installed by modifying
/etc/crontabfile,/etc/cron.d/directory or other locations supported by the Cron daemon, while per-user cron jobs are installed using crontab with specifically formatted crontab files. (Citation: AppleDocs Scheduling Timed Jobs) This works on Mac and Linux systems.Those methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence, (Citation: Janicab) (Citation: Methods of Mac Malware Persistence) (Citation: Malware Persistence on OS X) (Citation: Avast Linux Trojan Cron Persistence) to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
===at===
The at program is another means on Linux-based systems, including Mac, to schedule a program or script job for execution at a later date and/or time, which could also be used for the same purposes.
===launchd===
Each launchd job is described by a different configuration property list (plist) file similar to Launch Daemon or Launch Agent, except there is an additional key called
StartCalendarIntervalwith a dictionary of time values. (Citation: AppleDocs Scheduling Timed Jobs) This only works on macOS and OS X.Detection: Legitimate scheduled jobs may be created during installation of new software or through administration functions. Jobs scheduled with launchd and cron can be monitored from their respective utilities to list out detailed information about the jobs. Monitor process execution resulting from launchd and cron tasks to look for unusual or unknown applications and behavior.
Platforms: Linux, macOS
Data Sources: File monitoring, Process Monitoring
Permissions Required: Administrator, User, root
Contributors: Anastasios Pingios
TODO
Supported Platforms: macOS, CentOS, Ubuntu, Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| script | Script to execute | path | /tmp/evil.sh |
echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
TODO
Supported Platforms: macOS, CentOS, Ubuntu, Linux
- Place this file in /etc/emond.d/rules/atomicredteam.plist
-
Place an empty file in /private/var/db/emondClients/
-
sudo touch /private/var/db/emondClients/randomflag