Cron Job Created or Changed by Previously Unknown Process

Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/06/09"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
 6min_stack_version = "8.6.0"
 7updated_date = "2023/07/31"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and
13command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts
14at predefined intervals, ensuring their continued presence and enabling unauthorized activities.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*", "endgame-*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Cron Job Created or Changed by Previously Unknown Process"
21references = [
22    "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
23]
24risk_score = 47
25rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "new_terms"
30
31query = '''
32host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and 
33file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or 
34/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) 
35and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd" or "yum" or "exe" or "dnf" or "5") or 
36file.extension : ("swp" or "swx"))
37'''
38
# ATT&CK mapping, one [[rule.threat]] element per tactic the rule covers.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic.id = "TA0003"
tactic.name = "Persistence"
tactic.reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
subtechnique = [
    { id = "T1053.003", name = "Cron", reference = "https://attack.mitre.org/techniques/T1053/003/" },
]

# Second tactic mapping: the same technique, viewed as privilege escalation.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic.id = "TA0004"
tactic.name = "Privilege Escalation"
tactic.reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
subtechnique = [
    { id = "T1053.003", name = "Cron", reference = "https://attack.mitre.org/techniques/T1053/003/" },
]

# Third tactic mapping: the same technique, viewed as execution.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic.id = "TA0002"
tactic.name = "Execution"
tactic.reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
subtechnique = [
    { id = "T1053.003", name = "Cron", reference = "https://attack.mitre.org/techniques/T1053/003/" },
]

# new_terms parameters: an event alerts only when the combination of the listed fields
# has not been observed in the preceding history window. Including process.name means a
# process that has legitimately written cron config before stays quiet; a first-seen writer
# to a given path raises the alert.
[rule.new_terms]
field = "new_terms_fields"
value = ["file.path", "process.name"]
# Baseline period: 7 days of prior events; shorter windows raise noise, longer ones delay
# detection of a slow-rolling change.
history_window_start = [
    { field = "history_window_start", value = "now-7d" },
]
