Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)
An adversary may use at in Linux environments to execute programs at system startup or on a scheduled basis for persistence. at can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-2 | Account Management | Protects | T1053.001 | At (Linux) | |
AC-3 | Access Enforcement | Protects | T1053.001 | At (Linux) | |
AC-5 | Separation of Duties | Protects | T1053.001 | At (Linux) | |
AC-6 | Least Privilege | Protects | T1053.001 | At (Linux) | |
CA-8 | Penetration Testing | Protects | T1053.001 | At (Linux) | |
CM-5 | Access Restrictions for Change | Protects | T1053.001 | At (Linux) | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.001 | At (Linux) | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.001 | At (Linux) | |
SI-4 | System Monitoring | Protects | T1053.001 | At (Linux) | |
action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.001 | Scheduled Task/Job: At (Linux) | |
amazon_inspector | Amazon Inspector | technique_scores | T1053.001 | At (Linux) |
Comments
The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal.
References
|