Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Sigma rule (View on GitHub)
1title: Scheduled Cron Task/Job - Linux
2id: 6b14bac8-3e3a-4324-8109-42f0546a347f
3status: test
4description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
7author: Alejandro Ortuno, oscd.community
8date: 2020/10/06
9modified: 2022/11/27
10tags:
11 - attack.execution
12 - attack.persistence
13 - attack.privilege_escalation
14 - attack.t1053.003
15logsource:
16 category: process_creation
17 product: linux
18detection:
19 selection:
20 Image|endswith: 'crontab'
21 CommandLine|contains: '/tmp/'
22 condition: selection
23falsepositives:
24 - Legitimate administration activities
25level: medium
References
Related rules
- Scheduled Cron Task/Job - MacOs
- Command Shell Unusual or Suspicious Process Ancestry
- Windows Scheduled Task Behaving Improperly or Suspiciously
- Windows Scheduled Task Create Shell
- Windows Scheduled Task Making Suspicious Network Connection