LoFP / administrator or network operator can create file in crontab folders for automation purposes. please update the filter macros to remove false positives.

Techniques

• T1053
• T1053.003

Sample rules

Linux Add Files In Known Crontab Directories

• source: splunk
• technicques:
  • T1053.003
  • T1053

Description

The following analytic aims to detect unauthorized activities through suspicious file creation in recognized cron table directories, prevalent Unix-based locations for scheduling tasks. This behavior is often exploited by nefarious entities like malware or threat actors, including red teamers, to establish persistence on a targeted or compromised host. The analogy to Windows-based scheduled tasks helps explain the utility of a crontab or cron job. To enhance clarity and actionable intelligence, the anomaly query flags the anomaly, urging further investigation into the added file’s details. A cybersecurity analyst should consider additional data points such as the user identity involved, the file’s nature and purpose, file origin, timestamp, and any changes in system behavior post file execution. This comprehensive understanding aids in accurately determining the file’s legitimacy, facilitating prompt and effective response actions.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/etc/cron*", "*/var/spool/cron/*") by Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.process_guid Filesystem.file_path 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `linux_add_files_in_known_crontab_directories_filter`