Techniques
Sample rules
New Cron File Created
- source: sigma
- techniques:
- t1053
- t1053.003
Description
Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker. Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files. This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job. Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes. Additionally, it is recommended to review the contents of the newly created cron files to assess their intent. Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
Detection logic
condition: 1 of selection_* and not 1 of filter_optional_*
filter_optional_legit_cron:
  TargetFilename:
    - /etc/cron.daily/apt
    - /etc/cron.daily/dpkg
    - /etc/cron.daily/passwd
    - /etc/crontabs/root
selection_cron_dirs:
  TargetFilename|startswith:
    - /etc/cron.d/
    - /etc/cron.daily/
    - /etc/cron.hourly/
    - /etc/cron.monthly/
    - /etc/cron.weekly/
    - /var/spool/cron/crontabs/
    - /var/spool/cron/root
selection_cron_special_files:
  TargetFilename|contains:
    - /etc/cron.allow
    - /etc/cron.deny
    - /etc/crontab
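The condition above reads "1 of selection_* and not 1 of filter_optional_*": an event fires if either selection group matches and the path is not one of the exact benign entries in the filter. The following Python is an added illustration of that logic, not code from the page or from the Sigma project. It assumes file-creation events arrive as dictionaries carrying the rule's TargetFilename field (the User field and all sample paths are constructed), and it lower-cases values because Sigma string matching is case-insensitive by default.

```python
# Added example (not from the original page or the Sigma project): a small
# evaluator for the rule condition
#   1 of selection_* and not 1 of filter_optional_*
# applied to file-creation events. Events are assumed to be dicts carrying
# the rule's 'TargetFilename' field; the sample events at the bottom are
# constructed, not real telemetry.

from typing import Iterable

# selection_cron_dirs: TargetFilename|startswith
SELECTION_CRON_DIRS = (
    "/etc/cron.d/",
    "/etc/cron.daily/",
    "/etc/cron.hourly/",
    "/etc/cron.monthly/",
    "/etc/cron.weekly/",
    "/var/spool/cron/crontabs/",
    "/var/spool/cron/root",
)

# selection_cron_special_files: TargetFilename|contains
SELECTION_CRON_SPECIAL_FILES = (
    "/etc/cron.allow",
    "/etc/cron.deny",
    "/etc/crontab",
)

# filter_optional_legit_cron: exact TargetFilename values tuned out as benign
FILTER_LEGIT_CRON = frozenset({
    "/etc/cron.daily/apt",
    "/etc/cron.daily/dpkg",
    "/etc/cron.daily/passwd",
    "/etc/crontabs/root",
})


def _norm(path: str) -> str:
    # Sigma compares plain string values case-insensitively by default,
    # so normalise before matching.
    return path.lower()


def matches_selection(path: str) -> bool:
    """True if either selection_* group matches ('1 of selection_*')."""
    p = _norm(path)
    in_cron_dir = p.startswith(SELECTION_CRON_DIRS)
    is_special = any(s in p for s in SELECTION_CRON_SPECIAL_FILES)
    return in_cron_dir or is_special


def matches_filter(path: str) -> bool:
    """True if the path is one of the known-benign exact matches."""
    return _norm(path) in FILTER_LEGIT_CRON


def is_alert(event: dict) -> bool:
    """Evaluate the full rule condition for a single event."""
    path = event.get("TargetFilename", "")
    return matches_selection(path) and not matches_filter(path)


def triage(events: Iterable[dict]) -> list:
    """Return only the events that satisfy the rule, for analyst review."""
    return [e for e in events if is_alert(e)]


# Constructed sample telemetry (hypothetical paths and users).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/cron.d/backup-job", "User": "root"},
    {"TargetFilename": "/etc/cron.daily/apt", "User": "root"},       # tuned out
    {"TargetFilename": "/etc/crontab", "User": "root"},
    {"TargetFilename": "/var/spool/cron/crontabs/www-data", "User": "www-data"},
    {"TargetFilename": "/etc/cron.daily/apt-custom", "User": "root"},  # filter is exact
    {"TargetFilename": "/home/alice/notes.txt", "User": "alice"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT", hit["User"], hit["TargetFilename"])
```

Two behaviours worth noticing when tuning: the filter is an exact match, so a file next to a whitelisted one (here /etc/cron.daily/apt-custom) still alerts, and the "contains" selection will also match the special file names when they appear inside a longer path. Both are the rule's intended tightness; widen the filter only with values baselined from the environment, as the description advises.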