Potential Redis CONFIG SET Cron Directory Persistence (RedisRaider)
This rule detects attempts to abuse Redis CONFIG SET commands to redirect the database save directory to a cron directory on Linux hosts. Attackers issue CONFIG SET dir to a cron path such as /etc/cron.d or /var/spool/cron, set a filename via CONFIG SET dbfilename, write a cron payload via SET, and then call BGSAVE to flush it to disk, establishing persistence for execution of an XMRig cryptominer.
Elastic rule
[metadata]
creation_date = "2026/06/11"
integration = ["network_traffic"]
maturity = "production"
updated_date = "2026/06/11"

[rule]
author = ["Elastic"]
description = """
This rule detects attempts to abuse Redis CONFIG SET commands to redirect the database save directory to a cron
directory on Linux hosts. Attackers issue CONFIG SET dir to a cron path such as /etc/cron.d or /var/spool/cron,
set a filename via CONFIG SET dbfilename, write a cron payload via SET, and then call BGSAVE to flush it to
disk, establishing persistence for execution of an XMRig cryptominer.
"""
from = "now-9m"
index = ["logs-network_traffic.redis*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Redis CONFIG SET Cron Directory Persistence (RedisRaider)"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Redis CONFIG SET Cron Directory Persistence (RedisRaider)

Redis's CONFIG SET command allows runtime reconfiguration of the server, including the working directory (`dir`) and database filename (`dbfilename`). Attackers exploit this to redirect Redis's BGSAVE output into system directories such as `/etc/cron.d` or `/var/spool/cron`, writing attacker-controlled content as a cron job. The RedisRaider campaign used this technique to deploy XMRig cryptominers at scale by mass-scanning IPv4 blocks for unauthenticated Redis instances.

A related variant (not specific to RedisRaider) targets SSH key injection using `CONFIG SET dir /root/.ssh` and `CONFIG SET dbfilename authorized_keys`. Consider a companion rule for that pattern if your Redis instances are internet-exposed.

### Possible investigation steps

- Identify the source IP and determine whether it is an expected Redis client or an external/unknown address. Internet-sourced CONFIG SET to a cron path is almost certainly malicious.
- Check whether the destination Redis instance requires authentication (`requirepass` or ACL). Unauthenticated instances are the primary target of RedisRaider-style campaigns.
- Review subsequent Redis commands from the same source IP for `SET` (cron payload write) and `BGSAVE` (flush to disk), which complete the persistence chain.
- Examine the Redis host for new or modified files under `/etc/cron.d`, `/etc/cron.daily`, `/etc/cron.hourly`, `/var/spool/cron`, or `/var/spool/cron/crontabs` at or after the alert time.
- Check for XMRig or other cryptominer process execution and unexplained CPU spikes on the host.
- Review outbound network connections from the Redis host for connections to known mining pools or C2 infrastructure.

### False positive analysis

- `CONFIG SET dir` is a legitimate administrative command used during backup configuration, data migration, or operational changes. Verify whether the directory is a known backup or data path rather than a system directory.
- Legitimate Redis usage will never set `dir` to `/etc/cron.d`, `/var/spool/cron`, or any other system cron directory. A match on this pattern has an extremely low false positive rate.
- Automated deployment or configuration management tools (Ansible, Chef, Puppet) may issue CONFIG SET as part of Redis setup — verify the source IP and timing against known deployment windows.

### Response and remediation

- Immediately check the target cron directories for newly created files written by the Redis process (owner: redis, unusual content).
- If a cron file was written, delete it and terminate any spawned miner processes before remediating.
- Require authentication on all Redis instances (`requirepass` or ACL). Unauthenticated Redis exposed to any network is the root cause of this attack class.
- Restrict `CONFIG SET` permissions using Redis ACLs: `ACL SETUSER <user> -config`.
- Block inbound access to Redis port 6379 from untrusted networks at the host firewall or perimeter.
- Consider enabling Redis's protected mode, which rejects connections from non-loopback addresses when no authentication is configured.
"""
references = [
    "https://securitylabs.datadoghq.com/articles/redisraider-mining-campaign/",
    "https://attack.mitre.org/techniques/T1053/003/",
    "https://attack.mitre.org/techniques/T1496/",
]
risk_score = 73
rule_id = "29e57265-d358-420a-b1cd-845e8a1fd70d"
setup = """## Setup

This rule requires the Elastic **network_traffic** integration (Packetbeat via Elastic Agent) with the Redis
protocol module enabled.

### Enabling the Redis module

In the Elastic Agent `network_traffic` integration policy:
1. Add or confirm **Redis** in the protocols list with `enabled: true`.
2. Set **ports** to include `6379` (or the custom port your Redis instances listen on).
3. Deploy the sensor on the Redis host, on a SPAN/mirror port, or on a gateway that receives Redis traffic.

### TLS limitation

This rule requires unencrypted Redis traffic. Redis uses plaintext by default (port 6379). If TLS is configured,
Packetbeat cannot inspect the payload without TLS decryption.
"""
severity = "high"
tags = [
    "Domain: Network",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Impact",
    "Data Source: Network Packet Capture",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
network where data_stream.dataset == "network_traffic.redis" and
  network_traffic.redis.query like~ "*CONFIG SET dir*" and
  (
    network_traffic.redis.query like~ "*/etc/cron*" or
    network_traffic.redis.query like~ "*/var/spool/cron*"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.003"
name = "Cron"
reference = "https://attack.mitre.org/techniques/T1053/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1496"
name = "Resource Hijacking"
reference = "https://attack.mitre.org/techniques/T1496/"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
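The rule's EQL predicate, plus the follow-on command correlation that the investigation steps ask an analyst to do by hand (CONFIG SET dir, then CONFIG SET dbfilename, SET and BGSAVE from the same client), re-implemented in Python as an added example. It is not part of the Elastic rule or of Packetbeat: the event dictionaries, the RFC 5737 addresses and the placeholder SET value are constructed, and the `like~` operator (case-insensitive glob with `*` and `?`) is reproduced with a regular expression.

```python
"""Added example: the rule's `network where ...` predicate and the persistence-chain
correlation from the investigation steps, run over constructed Redis events."""
import re

# Constructed sample events in the shape of logs-network_traffic.redis* documents.
# Only the fields used here are present; addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"source.ip": "198.51.100.7", "destination.ip": "10.0.0.5",
     "data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "CONFIG SET dir /var/spool/cron"},
    {"source.ip": "198.51.100.7", "destination.ip": "10.0.0.5",
     "data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "CONFIG SET dbfilename root"},
    {"source.ip": "198.51.100.7", "destination.ip": "10.0.0.5",
     "data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": 'SET x "PLACEHOLDER-CRON-LINE"'},
    {"source.ip": "198.51.100.7", "destination.ip": "10.0.0.5",
     "data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "BGSAVE"},
    # Legitimate backup reconfiguration: same command family, non-system path.
    {"source.ip": "10.0.0.12", "destination.ip": "10.0.0.5",
     "data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "CONFIG SET dir /var/lib/redis/backup"},
    {"source.ip": "10.0.0.12", "destination.ip": "10.0.0.5",
     "data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "BGSAVE"},
    # Mixed case that like~ still catches; the chain never completes.
    {"source.ip": "203.0.113.9", "destination.ip": "10.0.0.5",
     "data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "config set DIR /etc/cron.d"},
    # Wrong dataset: ignored even though the query text would match.
    {"source.ip": "203.0.113.9", "destination.ip": "10.0.0.5",
     "data_stream.dataset": "network_traffic.http",
     "network_traffic.redis.query": "CONFIG SET dir /etc/cron.d"},
]

DATASET = "network_traffic.redis"
ALL_STAGES = {"dir", "dbfilename", "set", "bgsave"}


def like_ci(value, pattern):
    """EQL `like~`: case-insensitive glob, `*` any run of characters, `?` one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def rule_matches(event):
    """The rule's predicate, clause for clause."""
    query = event.get("network_traffic.redis.query", "")
    return (event.get("data_stream.dataset") == DATASET
            and like_ci(query, "*CONFIG SET dir*")
            and (like_ci(query, "*/etc/cron*")
                 or like_ci(query, "*/var/spool/cron*")))


def alerts(events):
    """Events that would raise this alert."""
    return [e for e in events if rule_matches(e)]


def classify(query):
    """Map a raw Redis command line to a chain stage, or None if unrelated.
    Parsing the first token keeps a bare SET distinct from CONFIG SET."""
    tokens = query.split()
    if not tokens:
        return None
    cmd = tokens[0].upper()
    if cmd == "CONFIG" and len(tokens) >= 3 and tokens[1].upper() == "SET":
        sub = tokens[2].lower()
        return sub if sub in ("dir", "dbfilename") else None
    if cmd == "SET":
        return "set"
    if cmd == "BGSAVE":
        return "bgsave"
    return None


def persistence_chains(events):
    """For each (source.ip, destination.ip) pair that triggered the rule, the
    chain stages observed from that pair afterwards (events in arrival order)."""
    stages = {}
    for event in events:
        if event.get("data_stream.dataset") != DATASET:
            continue
        key = (event.get("source.ip"), event.get("destination.ip"))
        if key not in stages:
            if rule_matches(event):
                stages[key] = {"dir"}
            continue
        stage = classify(event.get("network_traffic.redis.query", ""))
        if stage:
            stages[key].add(stage)
    return stages


def chain_complete(seen):
    """True once dir, dbfilename, SET and BGSAVE have all been observed."""
    return ALL_STAGES <= seen


if __name__ == "__main__":
    for event in alerts(SAMPLE_EVENTS):
        print("ALERT", event["source.ip"], event["network_traffic.redis.query"])
    for key, seen in persistence_chains(SAMPLE_EVENTS).items():
        print(key, sorted(seen), "COMPLETE" if chain_complete(seen) else "partial")
```

The rule itself fires on the single `CONFIG SET dir` event; `persistence_chains` is the triage layer, showing which alerts are followed by the writes that actually land a file on disk and which are isolated probes. Only the first stage is anchored to the rule match, so a client that never sends `BGSAVE` stays marked partial.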
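The host-side check from the response steps (files in the cron directories written by the Redis process, unusual content), as an added Python example that is not part of the rule. It walks the cron locations the investigation steps list, relative to a root so it can be pointed at `/` on a live host, and flags a file when it begins with the `REDIS` magic that every RDB dump starts with, contains NUL bytes (crontab files are plain text), or is owned by the `redis` account. The fixture tree under a temporary directory, its RDB-style bytes and the placeholder cron line are constructed.

```python
"""Added example: host-side triage of the cron directories named in the response
steps, looking for files produced by a redirected BGSAVE rather than by an admin."""
import os
import tempfile
from pathlib import Path

# Cron locations from the investigation steps, relative to a root directory.
CRON_DIRS = ["etc/cron.d", "etc/cron.daily", "etc/cron.hourly",
             "var/spool/cron", "var/spool/cron/crontabs"]

RDB_MAGIC = b"REDIS"  # every RDB dump begins with "REDIS" + a 4-digit format version


def lookup_redis_uid():
    """UID of the local 'redis' account, or None if the host has no such user."""
    try:
        import pwd
        return pwd.getpwnam("redis").pw_uid
    except (ImportError, KeyError):
        return None


def current_uid():
    """UID of the running user (used to exercise the owner check on a fixture)."""
    return os.getuid()


def suspicious_reasons(path, redis_uid=None):
    """Indicators that a cron file came from BGSAVE; an empty list means nothing odd."""
    data = path.read_bytes()
    reasons = []
    if data.startswith(RDB_MAGIC):
        reasons.append("rdb-header")      # the file is a Redis dump, whatever its name
    if b"\x00" in data:
        reasons.append("binary-content")  # crontab files never contain NUL bytes
    if redis_uid is not None and path.stat().st_uid == redis_uid:
        reasons.append("redis-owner")     # written by the Redis process itself
    return reasons


def scan_cron_dirs(root, redis_uid=None):
    """Map of relative path -> reasons for every flagged file under root."""
    root = Path(root)
    findings = {}
    for rel in CRON_DIRS:
        directory = root / rel
        if not directory.is_dir():
            continue
        for path in sorted(directory.iterdir()):
            if not path.is_file():
                continue
            reasons = suspicious_reasons(path, redis_uid)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def build_sample_tree():
    """Constructed fixture: one normal cron.d entry and one RDB-style dump dropped
    into var/spool/cron the way a redirected BGSAVE would leave it."""
    root = Path(tempfile.mkdtemp(prefix="cron-triage-"))
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "var/spool/cron").mkdir(parents=True)
    (root / "etc/cron.d/logrotate").write_text(
        "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    # RDB header, illustrative binary framing (constructed, not a byte-exact dump),
    # then the SET value embedded as raw bytes with the schedule line on its own line.
    (root / "var/spool/cron/root").write_bytes(
        b"REDIS0011\xfe\x00\x00\x01x\x1e"
        b"\n\n* * * * * PLACEHOLDER-COMMAND\n\n\xff")
    return root


if __name__ == "__main__":
    fixture = build_sample_tree()
    for rel, why in scan_cron_dirs(fixture, lookup_redis_uid()).items():
        print(f"{rel}: {', '.join(why)}")
```

On a real host call `scan_cron_dirs("/", lookup_redis_uid())`; the `rdb-header` and `binary-content` indicators do not depend on ownership, so they still hold when Redis runs as root or under a non-standard account. Any hit is a file to preserve for analysis before it is deleted, per the remediation step above.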