Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Sigma rule (View on GitHub)
1title: Scheduled Cron Task/Job - Linux
2id: 6b14bac8-3e3a-4324-8109-42f0546a347f
3status: test
4description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
7author: Alejandro Ortuno, oscd.community
8date: 2020-10-06
9modified: 2022-11-27
10tags:
11 - attack.execution
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1053.003
15logsource:
16 category: process_creation
17 product: linux
18detection:
19 selection:
20 Image|endswith: 'crontab'
21 CommandLine|contains: '/tmp/'
22 condition: selection
23falsepositives:
24 - Legitimate administration activities
25level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Azure Kubernetes CronJob
- Scheduled Cron Task/Job - MacOs
- Google Cloud Kubernetes CronJob
- HackTool - CrackMapExec Execution
- HackTool - Default PowerSploit/Empire Scheduled Task Creation