LoFP / legitimate modification of crontab

Techniques

• t1053
• t1053.003

Sample rules

Modifying Crontab

• source: sigma
• technicques:
  • t1053
  • t1053.003

Description

Detects suspicious modification of crontab file.

Detection logic

condition: keywords
keywords:
- REPLACE