Privilege Escalation via Root Crontab File Modification
Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2021/01/27"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root
privileges by exploiting privileged file write or move related vulnerabilities.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Privilege Escalation via Root Crontab File Modification"
references = [
    "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc",
    "https://www.exploit-db.com/exploits/42146",
]
risk_score = 73
rule_id = "0ff84c42-873d-41a2-a4ed-08d74d352d01"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:file and host.os.type:macos and not event.type:deletion and
 file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Privilege Escalation via Root Crontab File Modification

Crontab files in macOS are used to schedule tasks, often requiring elevated privileges for execution. Adversaries exploit this by modifying the root crontab file, enabling unauthorized code execution with root access. The detection rule identifies suspicious modifications to this file, excluding legitimate crontab processes, to flag potential privilege escalation attempts.

### Possible investigation steps

- Review the alert details to confirm the file path involved is /private/var/at/tabs/root, as this is the specific file path targeted by the rule.
- Examine the process that modified the root crontab file by checking the process executable path. Ensure it is not /usr/bin/crontab, which is excluded as a legitimate process.
- Investigate the user account associated with the process that made the modification to determine if it has legitimate access or if it might be compromised.
- Check for any recent changes or anomalies in user account activity or permissions that could indicate unauthorized access or privilege escalation attempts.
- Correlate this event with other security alerts or logs from the same host to identify any patterns or additional suspicious activities that might suggest a broader attack campaign.
- Assess the risk and impact of the modification by determining if any unauthorized or malicious tasks have been scheduled in the crontab file.

### False positive analysis

- System maintenance tasks or updates may modify the root crontab file. To handle these, users can create exceptions for known maintenance processes that are verified as safe.
- Administrative scripts that require scheduled tasks might trigger this rule. Users should document and exclude these scripts if they are part of regular, authorized operations.
- Backup or monitoring software that interacts with crontab files could cause false positives. Verify these applications and exclude their processes if they are legitimate and necessary for system operations.
- Custom automation tools used by IT departments might modify crontab files. Ensure these tools are reviewed and whitelisted if they are part of approved workflows.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or execution of malicious tasks.
- Review the modified root crontab file to identify any unauthorized or suspicious entries and remove them to stop any malicious scheduled tasks.
- Conduct a thorough investigation to determine how the crontab file was modified, focusing on identifying any exploited vulnerabilities or unauthorized access points.
- Reset credentials and review permissions for any accounts that may have been compromised or used in the attack to prevent further unauthorized access.
- Apply security patches and updates to the operating system and any vulnerable applications to close exploited vulnerabilities.
- Monitor the system and network for any signs of continued unauthorized activity or attempts to modify crontab files, using enhanced logging and alerting mechanisms.
- Escalate the incident to the appropriate internal security team or external cybersecurity experts if the threat persists or if there is evidence of a broader compromise."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
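To make the query's matching behaviour and the exception-based false-positive handling from the note concrete, here is an added example that is not part of the Elastic rule or its repository: a Python mirror of the KQL query run over constructed Elastic Defend file events. The events, the `user.name` values and the `/usr/local/bin/config-mgmt-agent` path are all made up for the example; `extra_exclusions` stands in for the rule exceptions an analyst would add after verifying a maintenance process.

```python
# Added example: a Python re-statement of the rule's KQL query, evaluated over
# constructed endpoint events. Not Elastic's code; the events below are invented.

CRONTAB_PATH = "/private/var/at/tabs/root"   # the only file.path the rule watches
LEGITIMATE_EDITOR = "/usr/bin/crontab"         # the rule's built-in exclusion


def _values(event, key):
    """ECS fields such as event.category and event.type may carry a list of values.
    Normalise scalar or list to a list so KQL's any-value matching can be mirrored."""
    value = event.get(key)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def matches_rule(event, extra_exclusions=frozenset()):
    """True when the event satisfies the rule's query.

    KQL semantics mirrored here: `field:value` matches if any value of the field
    equals value; `not field:value` matches when none does, including when the
    field is absent. `extra_exclusions` holds executables excluded by tuning.
    """
    excluded = {LEGITIMATE_EDITOR, *extra_exclusions}
    return (
        "file" in _values(event, "event.category")
        and "macos" in _values(event, "host.os.type")
        and "deletion" not in _values(event, "event.type")
        and CRONTAB_PATH in _values(event, "file.path")
        and not (excluded & set(_values(event, "process.executable")))
    )


def run_rule(events, extra_exclusions=frozenset()):
    """Return the executable of every event that would raise an alert, in order."""
    return [
        e.get("process.executable", "<no process.executable>")
        for e in events
        if matches_rule(e, extra_exclusions)
    ]


# Constructed sample events, one per branch of the query.
SAMPLE_EVENTS = [
    # 1. root editing its own crontab through crontab(1): the rule's explicit exclusion
    {"event.category": ["file"], "event.type": ["change"], "host.os.type": "macos",
     "file.path": CRONTAB_PATH, "process.executable": "/usr/bin/crontab", "user.name": "root"},
    # 2. the crontab overwritten by a plain copy: the privileged-write pattern the rule targets
    {"event.category": ["file"], "event.type": ["change"], "host.os.type": "macos",
     "file.path": CRONTAB_PATH, "process.executable": "/bin/cp", "user.name": "root"},
    # 3. deletion of the file: excluded by `not event.type:deletion`
    {"event.category": ["file"], "event.type": ["deletion"], "host.os.type": "macos",
     "file.path": CRONTAB_PATH, "process.executable": "/bin/rm", "user.name": "root"},
    # 4. same path on Linux: outside the rule's host.os.type scope
    {"event.category": ["file"], "event.type": ["change"], "host.os.type": "linux",
     "file.path": CRONTAB_PATH, "process.executable": "/bin/cp", "user.name": "root"},
    # 5. a non-root user's crontab: a different file.path, not covered by this rule
    {"event.category": ["file"], "event.type": ["creation"], "host.os.type": "macos",
     "file.path": "/private/var/at/tabs/alice", "process.executable": "/usr/bin/python3",
     "user.name": "alice"},
    # 6. a hypothetical configuration-management agent (constructed name) rewriting the
    #    file as approved maintenance: the false-positive case the note says to except
    {"event.category": ["file"], "event.type": ["change"], "host.os.type": "macos",
     "file.path": CRONTAB_PATH, "process.executable": "/usr/local/bin/config-mgmt-agent",
     "user.name": "root"},
]


if __name__ == "__main__":
    print("alerts, rule as shipped:", run_rule(SAMPLE_EVENTS))
    print("alerts, with maintenance exception:",
          run_rule(SAMPLE_EVENTS, {"/usr/local/bin/config-mgmt-agent"}))
```

Two behaviours worth noting when tuning: an event with no `process.executable` at all still matches, because `not process.executable:/usr/bin/crontab` is true for an absent field, so do not rely on that field being present to suppress noise; and an exception keyed only on an executable path excludes anything that runs from that path, so scope exceptions as narrowly as the available fields allow.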
Related rules
- Apple Scripting Execution with Administrator Privileges
- Execution with Explicit Credentials via Scripting
- Potential Admin Group Account Addition
- Potential Privacy Control Bypass via Localhost Secure Copy
- Potential Privilege Escalation via Sudoers File Modification