Suspicious CronTab Creation or Modification
Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/04/25"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This
13activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious CronTab Creation or Modification"
20references = [
21 "https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf",
22 "https://theevilbit.github.io/beyond/beyond_0004/",
23]
24risk_score = 47
25rule_id = "530178da-92ea-43ce-94c2-8877a826783d"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32file where host.os.type == "macos" and event.type != "deletion" and process.name != null and
33 file.path : "/private/var/at/tabs/*" and not process.executable == "/usr/bin/crontab"
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1053"
41name = "Scheduled Task/Job"
42reference = "https://attack.mitre.org/techniques/T1053/"
43[[rule.threat.technique.subtechnique]]
44id = "T1053.003"
45name = "Cron"
46reference = "https://attack.mitre.org/techniques/T1053/003/"
47
48
49
50[rule.threat.tactic]
51id = "TA0003"
52name = "Persistence"
53reference = "https://attack.mitre.org/tactics/TA0003/"
References
Related rules
- Attempt to Enable the Root Account
- Authorization Plugin Modification
- Bash Shell Profile Modification
- Creation of Hidden Launch Agent or Daemon
- Creation of Hidden Login Item via Apple Script