Remove Scheduled Cron Task/Job
Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
Sigma rule (View on GitHub)
1title: Remove Scheduled Cron Task/Job
2id: c2e234de-03a3-41e1-b39a-1e56dc17ba67
3status: test
4description: |
5 Detects usage of the 'crontab' utility to remove the current crontab.
6 This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
7references:
8 - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-09-15
11tags:
12 - attack.defense-evasion
13logsource:
14 category: process_creation
15 product: linux
16detection:
17 selection:
18 Image|endswith: 'crontab'
19 CommandLine|contains: ' -r'
20 condition: selection
21falsepositives:
22 - Unknown
23level: medium
References
-
Through our honeypots and telemetry, we were able to observe instances in which malicious actors abused native Linux tools to launch attacks on Linux environments. In this blog entry, we discuss how these utilities were used and provide recommendations on how to minimize their impact.
Read More
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity