[metadata] creation_date = "2023/06/09" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" updated_date = "2023/06/09" [rule] author = ["Elastic"] description = """ Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" name = "Cron Job Created or Changed by Previously Unknown Process" references = [ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/" ] risk_score = 47 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9" severity = "medium" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Privilege Escalation", "Execution", "Elastic Endgame"] timestamp_override = "event.ingested" type = "new_terms" query = ''' host.os.type : "linux" and event.action : ("change" or "file_modify_event" or "creation" or "file_create_event") and file.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or /etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /var/spool/cron/* or /usr/sbin/cron or /usr/sbin/anacron) and not (process.name : ("dpkg" or "dockerd" or "rpm" or "snapd") or file.extension : "swp") ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.name"] [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-7d"