An administrator or network operator can create files in crontab folders for automation purposes. Please update the filter macros to remove false positives.

Techniques

Sample rules

Linux Add Files In Known Crontab Directories

Description

The following analytic detects unauthorized file creation in known crontab directories on Unix-based systems. It leverages filesystem data to identify new files in directories such as /etc/cron* and /var/spool/cron/*. This activity is significant as it may indicate an attempt by threat actors or malware to establish persistence on a compromised host. If confirmed malicious, this could allow attackers to execute arbitrary code at scheduled intervals, potentially leading to further system compromise and unauthorized access to sensitive information.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
  WHERE Filesystem.file_path IN ("*/etc/cron*", "*/var/spool/cron/*")
  BY Filesystem.action Filesystem.dest Filesystem.file_access_time
     Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
     Filesystem.file_name Filesystem.file_path Filesystem.file_acl
     Filesystem.file_size Filesystem.process_guid Filesystem.process_id
     Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `linux_add_files_in_known_crontab_directories_filter`
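As an added illustration (not part of this LoFP page or of the Splunk rule itself), the Python below replays the search's two stages over a handful of constructed filesystem events: the `file_path IN (...)` wildcard match and the `tstats` aggregation into `count`, `firstTime` and `lastTime` per host, user, action and path. The trailing filter macro, which is where the false positive described at the top of this page would be tuned out, is modelled as a small allowlist of (user, path glob) pairs. The `ansible` account, the `FILTER_ALLOWLIST` contents and every event value are assumptions made for this example.

```python
import fnmatch
from typing import Dict, Iterable, Tuple

# Path globs copied from the analytic's WHERE clause. SPL's "*" matches any
# run of characters including "/", which is also how fnmatch's "*" behaves.
CRON_PATH_PATTERNS = ("*/etc/cron*", "*/var/spool/cron/*")

# Stand-in for the `linux_add_files_in_known_crontab_directories_filter` macro.
# The real macro is site-specific; this allowlist of (user, path glob) pairs is
# an assumption for the example, modelling an automation account that is
# permitted to drop jobs into /etc/cron.d.
FILTER_ALLOWLIST = (
    ("ansible", "*/etc/cron.d/ansible-*"),
)

# Constructed filesystem events carrying only the Endpoint.Filesystem fields
# this example groups on. Values are invented, not taken from any real host.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "web01", "user": "root", "action": "created",
     "file_path": "/etc/cron.d/sysupdate"},
    {"_time": 1700000060, "dest": "web01", "user": "root", "action": "created",
     "file_path": "/etc/cron.d/sysupdate"},
    {"_time": 1700000100, "dest": "web01", "user": "ansible", "action": "created",
     "file_path": "/etc/cron.d/ansible-backup"},
    {"_time": 1700000200, "dest": "db02", "user": "root", "action": "created",
     "file_path": "/var/spool/cron/crontabs/root"},
    {"_time": 1700000300, "dest": "db02", "user": "root", "action": "created",
     "file_path": "/etc/crontab.bak"},
    {"_time": 1700000400, "dest": "db02", "user": "root", "action": "created",
     "file_path": "/home/alice/cron_notes.txt"},
    {"_time": 1700000500, "dest": "db02", "user": "root", "action": "created",
     "file_path": "/opt/app/etc/cron.d/job"},
]

GroupKey = Tuple[str, str, str, str]


def matches_cron_dir(file_path: str) -> bool:
    """Equivalent of: Filesystem.file_path IN ("*/etc/cron*", "*/var/spool/cron/*")."""
    return any(fnmatch.fnmatchcase(file_path, pat) for pat in CRON_PATH_PATTERNS)


def is_known_automation(event: dict) -> bool:
    """Equivalent of the trailing filter macro: true for events on the allowlist."""
    return any(
        event.get("user") == user and fnmatch.fnmatchcase(event["file_path"], pat)
        for user, pat in FILTER_ALLOWLIST
    )


def detect(events: Iterable[dict], apply_filter: bool = True) -> Dict[GroupKey, dict]:
    """Aggregate like the tstats: count, min(_time) as firstTime, max(_time) as
    lastTime, grouped by dest, user, action and file_path."""
    groups: Dict[GroupKey, dict] = {}
    for ev in events:
        if not matches_cron_dir(ev["file_path"]):
            continue
        if apply_filter and is_known_automation(ev):
            continue
        key = (ev["dest"], ev["user"], ev["action"], ev["file_path"])
        agg = groups.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]}
        )
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
    return groups


if __name__ == "__main__":
    for (dest, user, action, path), agg in detect(SAMPLE_EVENTS).items():
        print(f"{dest} {user} {action} {path} count={agg['count']} "
              f"firstTime={agg['firstTime']} lastTime={agg['lastTime']}")
```

Two things the sample set makes visible: the allowlisted `ansible` drop into `/etc/cron.d` is suppressed only when the filter is applied, and the leading `*` in `*/etc/cron*` matches any path that merely contains `/etc/cron`, so `/etc/crontab.bak` and an application-prefixed `/opt/app/etc/cron.d/job` both fire while `/home/alice/cron_notes.txt` does not. That breadth is what makes the filter macro, rather than the path pattern, the right place to tune known automation out.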