Suspicious CronTab Creation or Modification

calendar Sep 5, 2023 · Domain: Endpoint OS: macOS Use Case: Threat Detection Tactic: Persistence Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/04/25"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This
13activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious CronTab Creation or Modification"
20references = [
21    "https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf",
22    "https://theevilbit.github.io/beyond/beyond_0004/",
23]
24risk_score = 47
25rule_id = "530178da-92ea-43ce-94c2-8877a826783d"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "eql"
30
31query = '''
32file where host.os.type == "macos" and event.type != "deletion" and process.name != null and
33  file.path : "/private/var/at/tabs/*" and not process.executable == "/usr/bin/crontab"
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1053"
41name = "Scheduled Task/Job"
42reference = "https://attack.mitre.org/techniques/T1053/"
43[[rule.threat.technique.subtechnique]]
44id = "T1053.003"
45name = "Cron"
46reference = "https://attack.mitre.org/techniques/T1053/003/"
47
48
49
50[rule.threat.tactic]
51id = "TA0003"
52name = "Persistence"
53reference = "https://attack.mitre.org/tactics/TA0003/"

References

  • H¹¥Bàn:@Pé¡ÍWqï å Þ÷•”(‡C!þÑfÆ‹¥hÞ²ãKÏô^Hn$¨ƒô˜dÁ*z/$°ë‹\¿4ÈAãÈʼ/»®³Ör¹gzrïõ€2û#ä*�öQ2@v1 � „p~á•%ç>;¿OZx+ÿc¬ˆ>¼ôK«™Î…´Zͬ‰‰v•Á?¾�P•ŽÂ…¨´› wבU¶}CM†É¥KwÞÒmÉšö‹Z6J©Þ±9i=ºÝǶ`...


    Read More

  • Beyond the good ol' LaunchAgents - 4 - cron jobs

    This is part 4 in the series of “Beyond the good ol’ LaunchAgents”, where I try to collect various persistence techniques for macOS. For more background check the introduction. cron is probably one of the most well known persistence mechanisms for macOS and basically any *nix operating system. It was originally developed for Unix back in 1975, and made its way to most platforms, which has Unix origins, like Linux, FreeBSD and thus macOS.


    Read More

Related rules

to-top