LoFP / false positives may arise from legitimate actions by administrators or network operators who may use these commands for automation purposes. therefore, it's recommended to adjust filter macros to eliminate such false positives.

Techniques

• T1053
• T1053.003

Sample rules

Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File

• source: splunk
• technicques:
  • T1053.003
  • T1053

Description

The following analytic detects potential tampering with cronjob files on a Linux system by identifying ’echo’ commands that append code to existing cronjob files. It leverages logs from Linux Auditd, focusing on process names, parent processes, and command-line executions. This activity is significant because adversaries often use it for persistence or privilege escalation. If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity.

Detection logic

`linux_auditd` type=PATH name IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") 
| rename host as dest 
| stats count min(_time) as firstTime max(_time) as lastTime by name nametype OGID  dest 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file_filter`

Linux Possible Append Cronjob Entry on Existing Cronjob File

• source: splunk
• technicques:
  • T1053.003
  • T1053

Description

The following analytic detects potential tampering with cronjob files on a Linux system by identifying ’echo’ commands that append code to existing cronjob files. It leverages logs from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because adversaries often use it for persistence or privilege escalation. If confirmed malicious, this could allow attackers to execute unauthorized code automatically, leading to system compromises and unauthorized data access, thereby impacting business operations and data integrity.

Detection logic

| tstats `security_content_summariesonly` count from datamodel=Endpoint.Processes where Processes.process = "*echo*" AND Processes.process IN("*/etc/cron*", "*/var/spool/cron/*", "*/etc/anacrontab*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `linux_possible_append_cronjob_entry_on_existing_cronjob_file_filter`