Persistence Via Cron Files
Detects the creation of a cron file, or of files in the cron directories, which could indicate persistence.
Sigma rule

```yaml
title: Persistence Via Cron Files
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
status: test
description: Detects creation of cron file or files in Cron directories which could indicates potential persistence.
references:
    - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-12-31
tags:
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection1:
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
    selection2:
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    condition: 1 of selection*
falsepositives:
    - Any legitimate cron file.
level: medium
```
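As an added example (not part of the SigmaHQ rule or of this page), the following Python reproduces the rule's two selections and its `1 of selection*` condition over constructed Linux `file_event` records, showing why `/etc/crontab.bak` still fires (`contains`) while a user-owned `cron.d` directory does not (`startswith`). The `product`/`category` keys, the `Image` field and the sample events are assumptions.

```python
"""Added example: evaluate the 'Persistence Via Cron Files' Sigma logic
over constructed Linux file_event records (not SigmaHQ's own code)."""

# selection1: TargetFilename|startswith (note each prefix keeps its trailing '/')
CRON_DIR_PREFIXES = (
    "/etc/cron.d/", "/etc/cron.daily/", "/etc/cron.hourly/",
    "/etc/cron.monthly/", "/etc/cron.weekly/", "/var/spool/cron/crontabs/",
)
# selection2: TargetFilename|contains
CRON_FILE_MARKERS = ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab")


def matches_cron_persistence(target_filename: str) -> bool:
    """True when the path satisfies 'condition: 1 of selection*'.

    Sigma string modifiers match case-insensitively, so compare lowercased.
    """
    name = target_filename.lower()
    selection1 = any(name.startswith(p) for p in CRON_DIR_PREFIXES)
    selection2 = any(m in name for m in CRON_FILE_MARKERS)
    return selection1 or selection2


def scan_events(events: list) -> list:
    """Apply the logsource filter, then the rule logic, to raw event dicts."""
    return [
        e for e in events
        if e.get("product") == "linux" and e.get("category") == "file_event"
        and matches_cron_persistence(e.get("TargetFilename", ""))
    ]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"product": "linux", "category": "file_event", "Image": "/usr/bin/vi",
     "TargetFilename": "/etc/cron.d/update-check"},            # selection1
    {"product": "linux", "category": "file_event", "Image": "/usr/bin/crontab",
     "TargetFilename": "/var/spool/cron/crontabs/www-data"},   # selection1
    {"product": "linux", "category": "file_event", "Image": "/usr/bin/cp",
     "TargetFilename": "/etc/crontab.bak"},          # 'contains' still fires
    {"product": "linux", "category": "file_event", "Image": "/usr/bin/touch",
     "TargetFilename": "/home/user/cron.d/notes"},   # not a cron directory
    {"product": "linux", "category": "process_creation", "Image": "/usr/bin/crontab",
     "TargetFilename": "/etc/cron.d/ignored"},       # wrong logsource category
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"ALERT cron file written: {hit['Image']} -> {hit['TargetFilename']}")
```

In production the `Image` and user fields of each hit are what separate package-manager or administrator activity (the rule's stated false positives) from an unexpected writer.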
Related rules
- Azure Kubernetes CronJob
- Modifying Crontab
- Persistence Via Sudoers Files
- Scheduled Cron Task/Job - Linux
- Scheduled Cron Task/Job - MacOs