Persistence Via Cron Files
Detects creation of cron files, or of files in cron directories, which could indicate an attempt at persistence.
Sigma rule
```yaml
title: Persistence Via Cron Files
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
status: test
description: Detects creation of cron files, or of files in cron directories, which could indicate an attempt at persistence.
references:
    - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection1:
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
    selection2:
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    condition: 1 of selection*
falsepositives:
    - Any legitimate cron file.
level: medium
```
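The following is an added example, not part of the SigmaHQ rule or its reference configuration: it re-implements the rule's detection block in Python and runs it over constructed file-creation records. Field names follow the Sysmon for Linux FileCreate event (`TargetFilename`, `Image`) that the referenced MSTIC config produces; the sample events, the `product`/`category` fields used to mimic the logsource filter, and the helper names are assumptions made for this illustration. String comparison is lowercased because Sigma matching is case-insensitive by default.

```python
"""Re-implementation of the 'Persistence Via Cron Files' Sigma detection
logic, run over constructed Sysmon-for-Linux-style file_event records.
Example code only; not the SigmaHQ rule or a Sigma backend."""

from typing import Dict, List

# selection1 values from the rule: TargetFilename|startswith (OR over the list)
CRON_DIR_PREFIXES = (
    "/etc/cron.d/",
    "/etc/cron.daily/",
    "/etc/cron.hourly/",
    "/etc/cron.monthly/",
    "/etc/cron.weekly/",
    "/var/spool/cron/crontabs/",
)

# selection2 values from the rule: TargetFilename|contains (OR over the list)
CRON_FILE_SUBSTRINGS = (
    "/etc/cron.allow",
    "/etc/cron.deny",
    "/etc/crontab",
)


def selection1(target: str) -> bool:
    """TargetFilename|startswith with a list of values: any prefix matches."""
    return target.lower().startswith(CRON_DIR_PREFIXES)


def selection2(target: str) -> bool:
    """TargetFilename|contains with a list of values: any substring matches."""
    t = target.lower()
    return any(s in t for s in CRON_FILE_SUBSTRINGS)


def matches(target: str) -> bool:
    """condition: 1 of selection*  ->  selection1 OR selection2."""
    return selection1(target) or selection2(target)


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records the rule would alert on.

    The logsource (product: linux, category: file_event) is applied first,
    as a Sigma backend would scope the query, then the detection block.
    """
    return [
        e for e in events
        if e.get("product") == "linux"
        and e.get("category") == "file_event"
        and matches(e.get("TargetFilename", ""))
    ]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"product": "linux", "category": "file_event", "Image": "/usr/bin/cp",
     "TargetFilename": "/etc/cron.d/update-checker"},           # selection1
    {"product": "linux", "category": "file_event", "Image": "/usr/bin/crontab",
     "TargetFilename": "/var/spool/cron/crontabs/www-data"},     # selection1
    {"product": "linux", "category": "file_event", "Image": "/usr/bin/vi",
     "TargetFilename": "/etc/crontab.bak"},                      # selection2 (contains)
    {"product": "linux", "category": "file_event", "Image": "/usr/bin/touch",
     "TargetFilename": "/var/spool/cron/root"},                  # no match: RHEL-style spool path
    {"product": "linux", "category": "file_event", "Image": "/usr/bin/apt",
     "TargetFilename": "/etc/apt/sources.list.d/x.list"},        # no match
    {"product": "linux", "category": "process_creation", "Image": "/usr/bin/crontab",
     "TargetFilename": "/etc/cron.d/x"},                          # outside logsource
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['TargetFilename']}")
```

Two points the sample set is built to show. First, the `/var/spool/cron/crontabs/` prefix covers Debian-family systems; on RHEL-family systems user crontabs live directly under `/var/spool/cron/<user>`, which this rule does not match, so a deployment there would need that prefix added. Second, `contains: '/etc/crontab'` also fires on neighbours such as `/etc/crontab.bak`, which is usually desirable for a persistence rule but is worth knowing when triaging. Given the stated false positive of "any legitimate cron file", package-manager drops into `/etc/cron.d/` and `/etc/cron.daily/` are the usual noise; filtering on the writing `Image` is a reasonable tuning step.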
Related rules
- Modifying Crontab
- Persistence Via Sudoers Files
- Triple Cross eBPF Rootkit Default Persistence
- Azure Kubernetes CronJob
- Scheduled Cron Task/Job - Linux