New Cron File Created
Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker. Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files. This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job. Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes. Additionally, it is recommended to review the contents of the newly created cron files to assess their intent. Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
Sigma rule
title: New Cron File Created
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
status: experimental
description: |
    Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker.
    Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files.
    This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job.
    Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes.
    Additionally, it is recommended to review the contents of the newly created cron files to assess their intent.
    Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
references:
    - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
    - https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/
    - https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
    - https://snehbavarva.medium.com/privilege-escalation-techniques-series-linux-cron-jobs-a5b797b424b4
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection_cron_dirs:
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
            - '/var/spool/cron/root'
    selection_cron_special_files:
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    filter_optional_legit_cron:
        # Note: FPs on docker images: golang, postgres, python, redis, ruby
        TargetFilename:
            - '/etc/cron.daily/apt'
            - '/etc/cron.daily/dpkg'
            - '/etc/cron.daily/passwd'
            - '/etc/crontabs/root'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrative tasks, package managers, containers, configuration management tools, cloud agents, or system maintenance operations might cause false positives. Apply baselining before deployment.
level: low
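To see how the two selections and the exact-match filter interact before deploying the rule, here is an added Python rendering of its detection logic run over constructed file_event records; it is not part of the Sigma project or the rule author's tooling, and the event dictionaries (assumed to be already normalized to the rule's logsource and TargetFilename fields) are constructed sample input.

```python
# Added example (not from the Sigma project): evaluates the rule's
# detection logic against constructed Linux file_event records.

CRON_DIRS = (  # selection_cron_dirs: TargetFilename|startswith
    "/etc/cron.d/", "/etc/cron.daily/", "/etc/cron.hourly/",
    "/etc/cron.monthly/", "/etc/cron.weekly/",
    "/var/spool/cron/crontabs/", "/var/spool/cron/root",
)
CRON_SPECIAL = ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab")  # |contains
LEGIT_CRON = {  # filter_optional_legit_cron: exact-match paths tuned out
    "/etc/cron.daily/apt", "/etc/cron.daily/dpkg",
    "/etc/cron.daily/passwd", "/etc/crontabs/root",
}

def matches_rule(event: dict) -> bool:
    """True when the event satisfies
    '1 of selection_* and not 1 of filter_optional_*'."""
    if event.get("product") != "linux" or event.get("category") != "file_event":
        return False  # outside the rule's logsource
    target = event.get("TargetFilename", "")
    selection_dirs = target.startswith(CRON_DIRS)
    selection_special = any(s in target for s in CRON_SPECIAL)
    filtered = target in LEGIT_CRON  # exact match only, no prefix semantics
    return (selection_dirs or selection_special) and not filtered

def triage(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]

# Constructed sample events, already mapped to the Sigma field names.
SAMPLE_EVENTS = [
    {"product": "linux", "category": "file_event", "User": "root",
     "TargetFilename": "/etc/cron.daily/apt"},            # filtered: package manager
    {"product": "linux", "category": "file_event", "User": "www-data",
     "TargetFilename": "/etc/cron.d/backup-sync"},        # alert: unexpected user
    {"product": "linux", "category": "file_event", "User": "root",
     "TargetFilename": "/var/spool/cron/crontabs/root"},  # alert: user crontab
    {"product": "linux", "category": "file_event", "User": "root",
     "TargetFilename": "/etc/crontab"},                   # alert: system crontab
    {"product": "linux", "category": "file_event", "User": "root",
     "TargetFilename": "/etc/cron.daily/apt.bak"},        # alert: filter is exact-match
    {"product": "linux", "category": "file_event", "User": "root",
     "TargetFilename": "/home/user/notes.txt"},           # ignored: not a cron path
    {"product": "linux", "category": "process_creation",
     "TargetFilename": "/etc/cron.d/x"},                  # ignored: wrong category
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT", path)
```

The `/etc/cron.daily/apt.bak` case shows why the optional filter stays narrow: it only suppresses the exact paths listed, so any environment-specific tuning must add its own entries.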
Related rules
- Modifying Crontab
- Azure Kubernetes CronJob
- Scheduled Cron Task/Job - Linux
- Scheduled Cron Task/Job - MacOs
- Interactive AT Job