LoFP / legitimate software or scripts using cron jobs for recurring tasks.

Techniques

Sample rules

Potential Persistence via Cron Job

Description

Identifies the creation or execution of a cron job. Adversaries may abuse cron jobs to perform task scheduling for initial or recurring execution of malicious code.

Detection logic

event.category:process and event.type:(start or process_started or info) and
  not user.name:root and
  ((process.name:crontab and not process.args:("-l" or "-r" or "-e" or "-help" or "-h")) or
    (process.parent.name:cron and not process.name:"running job" and
       not process.executable:(/Applications/Docker.app/Contents/Resources/bin/docker or
                               /usr/bin/killall or
                               /usr/sbin/sendmail or
                               /usr/bin/env or
                               /usr/bin/timeshift or
                               /bin/rm)))
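To make the false-positive carve-outs concrete, here is an added Python re-implementation of the query above (it is not the rule's own code and not part of this page), run over a handful of constructed process events. Field names follow the rule exactly; the event ids and user names are invented, and the event dictionaries are constructed sample data rather than real telemetry.

```python
"""Added example: evaluate the cron-job persistence rule above against
constructed process events to see which ones alert and which are
suppressed by the rule's exclusions."""

from typing import Iterable

# Exclusions copied verbatim from the detection logic above.
CRONTAB_READONLY_ARGS = {"-l", "-r", "-e", "-help", "-h"}
BENIGN_CRON_CHILDREN = {
    "/Applications/Docker.app/Contents/Resources/bin/docker",
    "/usr/bin/killall",
    "/usr/sbin/sendmail",
    "/usr/bin/env",
    "/usr/bin/timeshift",
    "/bin/rm",
}
PROCESS_EVENT_TYPES = {"start", "process_started", "info"}


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's query."""
    if event.get("event.category") != "process":
        return False
    if event.get("event.type") not in PROCESS_EVENT_TYPES:
        return False
    if event.get("user.name") == "root":
        return False

    name = event.get("process.name", "")
    args = set(event.get("process.args", []))
    parent = event.get("process.parent.name", "")
    executable = event.get("process.executable", "")

    # Branch 1: crontab invoked with anything other than list/remove/edit/help,
    # i.e. a crontab is being installed or modified.
    crontab_write = name == "crontab" and not (args & CRONTAB_READONLY_ARGS)

    # Branch 2: a job spawned by cron whose executable is not on the benign list.
    cron_child = (
        parent == "cron"
        and name != "running job"
        and executable not in BENIGN_CRON_CHILDREN
    )
    return crontab_write or cron_child


def evaluate(events: Iterable[dict]) -> list:
    """Return the ids of the events that would trigger the rule."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical, not captured telemetry).
SAMPLE_EVENTS = [
    # Non-root user installing a crontab from a file: alerts.
    {"id": "e1", "event.category": "process", "event.type": "start",
     "user.name": "alice", "process.name": "crontab",
     "process.args": ["crontab", "/tmp/job.txt"]},
    # Listing existing jobs with -l is excluded by the rule.
    {"id": "e2", "event.category": "process", "event.type": "start",
     "user.name": "alice", "process.name": "crontab",
     "process.args": ["crontab", "-l"]},
    # root is excluded entirely (system cron maintenance).
    {"id": "e3", "event.category": "process", "event.type": "start",
     "user.name": "root", "process.name": "crontab",
     "process.args": ["crontab", "/etc/cron.d/backup"]},
    # cron mailing job output via sendmail: on the benign executable list.
    {"id": "e4", "event.category": "process", "event.type": "start",
     "user.name": "alice", "process.name": "sendmail",
     "process.parent.name": "cron",
     "process.executable": "/usr/sbin/sendmail"},
    # cron running an unlisted user script through sh: alerts.
    {"id": "e5", "event.category": "process", "event.type": "start",
     "user.name": "alice", "process.name": "sh",
     "process.parent.name": "cron",
     "process.executable": "/bin/sh",
     "process.args": ["sh", "-c", "/home/alice/.local/sync.sh"]},
    # Wrong event category: never considered.
    {"id": "e6", "event.category": "network", "event.type": "start",
     "user.name": "alice", "process.name": "crontab"},
]

if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print("alert:", event_id)
```

Only e1 (a crontab being installed) and e5 (cron launching a script that is not on the benign list) fire; the other events illustrate the exclusions the rule already carries. When a legitimate recurring job in your environment keeps matching branch 2, the tuning point is the executable allow-list, mirrored here as BENIGN_CRON_CHILDREN: add the specific binary rather than the parent, so unlisted children of cron still alert.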