security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update lnx_crontab_file_modification.yml

Browse Source
This commit is contained in:
zakibro
2022-04-19 19:47:12 +02:00
committed by GitHub
parent 4212e24424
commit 0bb96b323d
1 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/builtin/lnx_crontab_file_modification.yml
+12 -12
View File
@@ -1,22 +1,22 @@
title: Modifying Crontab With File
title: Modifying Crontab
id: af202fd3-7bff-4212-a25a-fb34606cfcbe
status: experimental
description: Detects suspicious replacement of crontab file with potentially malicious file.
# log example: Apr 16 11:18:18 localhost CROND[3333]: (pawel) REPLACE (pawel)
description: Detects suspicious modification of crontab file.
# log example: Apr 16 11:18:18 localhost CROND[3333]: (user) REPLACE (user)
author: Pawel Mazur
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
date: 2022/04/16
logsource:
product: linux
service: cron
product: linux
service: cron
detection:
selection:
keyword: 'REPLACE'
condition: selection
keyword:
- 'REPLACE'
condition: keyword
falsepositives:
- Legitimate modification of crontab
- Legitimate modification of crontab
level: medium
tags:
- attack.persistence
- attack.t1053.003
- attack.persistence
- attack.t1053.003