
Summary
This detection rule targets masquerading techniques specific to Linux environments, where an executable's name or location is manipulated to avoid detection. It focuses on processes that attempt to imitate the Linux crond (cron daemon) process: the rule fires on an execve event in which the 'cp' command creates a copy of '/bin/sh' under a file name ending in 'crond', so that a shell runs under a name resembling the legitimate cron daemon as part of a covert operation. Monitoring that watches only for the genuine crond process will not notice such a copy, so it is important for security practitioners to watch for this behavior to uncover potential threats. The rule is set at a medium severity level, indicating a moderate threat where further investigation may be warranted.
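The following is an added example, not part of the rule page itself, showing the detection logic above applied to process-execution events. It assumes the events arrive as Linux auditd EXECVE records (the page does not name the log source), so the `type=EXECVE ... a0="cp" a1="/bin/sh" a2="..."` format, the sample log lines and the helper names are all constructed for this illustration. It goes slightly beyond the page's literal "a1/a2" phrasing by tolerating an absolute path to cp and extra options between cp and its arguments; note that auditd hex-encodes arguments containing spaces or special characters, which this example does not decode.

```python
import re
from typing import Dict, List, Optional

# Matches key=value fields of an auditd record, e.g. argc=3 or a0="cp".
# Values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample events (not real data): two masquerade attempts,
# one benign cp, one genuine crond start and one unrelated SYSCALL record.
SAMPLE_LOG = [
    'type=EXECVE msg=audit(1571650000.101:201): argc=3 a0="cp" a1="/bin/sh" a2="/tmp/.cache/crond"',
    'type=EXECVE msg=audit(1571650000.102:202): argc=3 a0="cp" a1="/etc/crontab" a2="/root/crontab.bak"',
    'type=EXECVE msg=audit(1571650000.103:203): argc=2 a0="crond" a1="-n"',
    'type=SYSCALL msg=audit(1571650000.103:203): arch=c000003e syscall=59 success=yes exit=0',
    'type=EXECVE msg=audit(1571650000.104:204): argc=4 a0="/bin/cp" a1="-f" a2="/bin/sh" a3="/var/tmp/crond"',
]


def parse_execve_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one auditd line into a field dict; return None for non-EXECVE records."""
    if "type=EXECVE" not in line:
        return None
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def argv_from_record(fields: Dict[str, str]) -> List[str]:
    """Rebuild argv from the ordered a0, a1, ... fields of an EXECVE record."""
    argv: List[str] = []
    i = 0
    while f"a{i}" in fields:
        argv.append(fields[f"a{i}"])
        i += 1
    return argv


def is_crond_masquerade(argv: List[str]) -> bool:
    """Rule logic: cp copying /bin/sh into a file whose name ends in 'crond'.

    Generalised from the page's a0/a1/a2 description: the command may be given
    as an absolute path and options may precede the source argument.
    """
    if len(argv) < 3:
        return False
    command = argv[0].rsplit("/", 1)[-1]  # '/bin/cp' -> 'cp'
    if command != "cp":
        return False
    # Any argument between the command and the destination may be the source.
    source_is_sh = any("/bin/sh" in arg for arg in argv[1:-1])
    return source_is_sh and argv[-1].endswith("crond")


def scan(lines: List[str]) -> List[str]:
    """Return the command lines of all events that match the rule."""
    hits: List[str] = []
    for line in lines:
        fields = parse_execve_record(line)
        if fields is None:
            continue
        argv = argv_from_record(fields)
        if is_crond_masquerade(argv):
            hits.append(" ".join(argv))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("masquerading as crond:", hit)
```

Running the script against the constructed sample prints the two cp invocations that place a copy of /bin/sh under a crond-named file; the benign crontab backup, the real crond start and the SYSCALL record are left alone. In a real pipeline the EXECVE record would be joined with its SYSCALL record (same audit serial, here 203) to recover uid, pid and cwd for triage.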
Categories
- Linux
- Endpoint
- Infrastructure
Data Sources
- Process
- File
- Logon Session
ATT&CK Techniques
- T1036.003
Created: 2019-10-21