DC0005 Scheduled Job Metadata

| Item | Value |
|---|---|
| ID | DC0005 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
|---|---|
| esxi:syslog | /var/log/vpxa.log task invocations tied to time configuration |
| fs:fileevents | /Library/LaunchDaemons/.plist, ~/Library/LaunchAgents/.plist |
| linux:cron | cron activity |
| macos:launchd | launchd.plist and logs |
| macos:unifiedlog | New/modified launchd plist (persistence/scheduling) within TimeWindow after time query |
| Scheduled Job | None |
| WinEventLog:System | EventCode=106, 200 |
| WinEventLog:TaskScheduler | Task registration/execution shortly after a time discovery event |

Detection Strategy

| ID | Name | Technique Detected |
|---|---|---|
| DET0151 | Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery | T1124 |
| DET0117 | Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution | T1036.004 |
| DET0399 | Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns | T1029 |