Cron Job Created or Changed by Previously Unknown Process
Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.
Elastic rule (View on GitHub)
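[metadata]
creation_date = "2023/06/09"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
min_stack_version = "8.6.0"
updated_date = "2023/07/31"

[rule]
author = ["Elastic"]
description = """
Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and
command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts
at predefined intervals, ensuring their continued presence and enabling unauthorized activities.
"""
# Lookback window per execution; events are ordered by event.ingested
# (see timestamp_override), so the window is measured against ingest time.
from = "now-9m"
# Elastic Defend endpoint events plus Elastic Endgame data, matching the two
# "Data Source" tags below.
index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Cron Job Created or Changed by Previously Unknown Process"
references = [
    "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
]
risk_score = 47
rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Privilege Escalation",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
# "new_terms": fire only when the field combination in [rule.new_terms] has
# not been observed within the history window configured further down.
type = "new_terms"

# Matches creation or modification of cron configuration (the allow/deny
# lists, /etc/cron.d and the periodic cron.* directories, /etc/crontab) and
# of the cron and anacron binaries themselves. event.action carries both the
# Elastic Defend values ("change"/"creation") and the Endgame values
# ("file_modify_event"/"file_create_event") so one query serves both indices.
# Exclusions drop writers that presumably touch these paths routinely
# (package managers dpkg/rpm/yum/dnf, dockerd, snapd) and editor swap files
# (.swp/.swx) created while a crontab is being edited.
# NOTE(review): the "exe" and "5" entries in the process.name exclusion are
# not self-explanatory — confirm what they cover before tuning this list.
query = '''
host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and
file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or
/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron)
and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or
file.extension : ("swp" or "swx"))
'''

# ATT&CK mapping: one [[rule.threat]] entry per tactic the technique serves.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"

[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# The "new" term is the (file.path, process.name) pair: a known process
# writing a new cron path, or a new process writing a known path, both alert.
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]

# Baseline window: a pair seen within the last 7 days counts as already known
# and does not alert again.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"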
References
Related rules
- New Systemd Service Created by Previously Unknown Process
- Potential Sudo Hijacking Detected
- BPF filter applied using TC
- Binary Executed from Shared Memory Directory
- Chkconfig Service Add