Roberto Rodriguez
33 lines
1005 B
YAML
33 lines
1005 B
YAML
title: Cron Files
|
|
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
|
|
status: experimental
|
|
description: Detects creation of cron files or files in Cron directories. Potential persistence.
|
|
date: 2021/10/15
|
|
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1053.003
|
|
references:
|
|
- https://github.com/microsoft/MSTIC-Sysmon/blob/main/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
|
|
logsource:
|
|
product: linux
|
|
category: file_create
|
|
detection:
|
|
selection1:
|
|
TargetFilename|startswith:
|
|
- '/etc/cron.d/'
|
|
- '/etc/cron.daily/'
|
|
- '/etc/cron.hourly/'
|
|
- '/etc/cron.monthly/'
|
|
- '/etc/cron.weekly/'
|
|
- '/var/spool/cron/crontabs/'
|
|
selection2:
|
|
TargetFilename|contains:
|
|
- '/etc/cron.allow'
|
|
- '/etc/cron.deny'
|
|
- '/etc/crontab'
|
|
condition: selection1 or selection2
|
|
falsepositives:
|
|
- Any legitimate cron file.
|
|
level: medium
|
|
|