From 0bb96b323db4e4830b4667ea69b10e81726ea000 Mon Sep 17 00:00:00 2001
From: zakibro <48967550+zakibro@users.noreply.github.com>
Date: Tue, 19 Apr 2022 19:47:12 +0200
Subject: [PATCH] Update lnx_crontab_file_modification.yml
---
 .../builtin/lnx_crontab_file_modification.yml | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/linux/builtin/lnx_crontab_file_modification.yml b/rules/linux/builtin/lnx_crontab_file_modification.yml
index d088b5037..63c0f965d 100644
--- a/rules/linux/builtin/lnx_crontab_file_modification.yml
+++ b/rules/linux/builtin/lnx_crontab_file_modification.yml
@@ -1,22 +1,22 @@
-title: Modifying Crontab With File
+title: Modifying Crontab
 id: af202fd3-7bff-4212-a25a-fb34606cfcbe
 status: experimental
-description: Detects suspicious replacement of crontab file with potentially malicious file.
-# log example: Apr 16 11:18:18 localhost CROND[3333]: (pawel) REPLACE (pawel)
+description: Detects suspicious modification of crontab file.
+# log example: Apr 16 11:18:18 localhost CROND[3333]: (user) REPLACE (user)
 author: Pawel Mazur
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
 date: 2022/04/16
 logsource:
- product: linux
- service: cron
+ product: linux
+ service: cron
 detection:
- selection:
- keyword: 'REPLACE'
- condition: selection
+ keyword:
+ - 'REPLACE'
+ condition: keyword
 falsepositives:
- - Legitimate modification of crontab
+ - Legitimate modification of crontab
 level: medium
 tags:
- - attack.persistence
- - attack.t1053.003
+ - attack.persistence
+ - attack.t1053.003
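Review bot: The new keyword list matches the bare token `REPLACE` as a substring anywhere in a cron-service log line, so a scheduled job whose command line happens to contain that word (keyword matching is case-insensitive in many Sigma backends) would also fire, not only the crontab replacement event the rule is about. The log example on the comment line, `(user) REPLACE (user)`, suggests anchoring on the surrounding tokens instead, e.g. `- ') REPLACE ('`, which keeps the same true positives while excluding command-line noise. The commit also changes the title, description and detection logic but leaves `date: 2022/04/16` alone; Sigma rules edited after publication conventionally carry a `modified:` field next to `date:`, so add `modified: 2022/04/19` here. Note that every legitimate `crontab -e` or `crontab <file>` emits this REPLACE line, which the existing falsepositives entry already acknowledges and the `medium` level should reflect.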