Techniques
Sample rules
Persistence Via Cron Files
- source: sigma
- techniques:
  - t1053
  - t1053.003
Description
Detects creation of a cron file, or of files in cron directories, which could indicate potential persistence.
Detection logic
condition: 1 of selection*
selection1:
  TargetFilename|startswith:
    - /etc/cron.d/
    - /etc/cron.daily/
    - /etc/cron.hourly/
    - /etc/cron.monthly/
    - /etc/cron.weekly/
    - /var/spool/cron/crontabs/
selection2:
  TargetFilename|contains:
    - /etc/cron.allow
    - /etc/cron.deny
    - /etc/crontab
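
The detection logic above, evaluated over file-creation events, as an added example that is not part of the Sigma rule or its project. The event dictionaries, function names and sample paths are constructed for illustration; only the field name TargetFilename and the path lists come from the rule.

```python
# Prefixes and substrings copied from the rule's detection logic.
SELECTION1_STARTSWITH = (
    "/etc/cron.d/", "/etc/cron.daily/", "/etc/cron.hourly/",
    "/etc/cron.monthly/", "/etc/cron.weekly/", "/var/spool/cron/crontabs/",
)
SELECTION2_CONTAINS = ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab")

# Constructed file-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/cron.d/backup"},
    {"TargetFilename": "/var/spool/cron/crontabs/root"},
    {"TargetFilename": "/etc/crontab"},
    {"TargetFilename": "/etc/crontab.dpkg-new"},      # longer name, still a substring hit
    {"TargetFilename": "/srv/chroot/etc/cron.deny"},  # substring inside a longer path
    {"TargetFilename": "/tmp/build/output.log"},      # unrelated file
    {"Image": "/usr/bin/touch"},                      # event without the field
]


def matched_selections(event):
    """Return the names of the selections that this event satisfies."""
    name = event.get("TargetFilename")
    if not isinstance(name, str):
        return []  # a missing field can never satisfy a selection
    name = name.lower()  # Sigma compares strings case-insensitively by default
    hits = []
    if name.startswith(SELECTION1_STARTSWITH):
        hits.append("selection1")
    if any(needle in name for needle in SELECTION2_CONTAINS):
        hits.append("selection2")
    return hits


def triage(events):
    """Return (path, selections) for each event matching `1 of selection*`."""
    alerts = []
    for event in events:
        hits = matched_selections(event)
        if hits:
            alerts.append((event["TargetFilename"], hits))
    return alerts


if __name__ == "__main__":
    for path, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {path} matched {', '.join(hits)}")
```

Because selection2 uses `contains`, it also fires on longer file names and on the same paths nested under another root, which is worth accounting for when tuning the rule against package-management and chroot activity.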