Persistence Via Cron Files
Detects creation of cron file or files in Cron directories which could indicates potential persistence.
Sigma rule (View on GitHub)
1title: Persistence Via Cron Files
2id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
3status: test
4description: Detects creation of cron file or files in Cron directories which could indicates potential persistence.
5references:
6 - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
7author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
8date: 2021/10/15
9modified: 2022/12/31
10tags:
11 - attack.persistence
12 - attack.t1053.003
13logsource:
14 product: linux
15 category: file_event
16detection:
17 selection1:
18 TargetFilename|startswith:
19 - '/etc/cron.d/'
20 - '/etc/cron.daily/'
21 - '/etc/cron.hourly/'
22 - '/etc/cron.monthly/'
23 - '/etc/cron.weekly/'
24 - '/var/spool/cron/crontabs/'
25 selection2:
26 TargetFilename|contains:
27 - '/etc/cron.allow'
28 - '/etc/cron.deny'
29 - '/etc/crontab'
30 condition: 1 of selection*
31falsepositives:
32 - Any legitimate cron file.
33level: medium
References
-
Anything Sysmon related from the MSTIC R&D team. Contribute to microsoft/MSTIC-Sysmon development by creating an account on GitHub.
Read More
Related rules
- Scheduled Cron Task/Job - Linux
- Scheduled Cron Task/Job - MacOs
- UAC Bypass With Fake DLL
- Webshell Remote Command Execution
- Creation Of An User Account