Detectionmediumtest

Scheduled Cron Task/Job - Linux

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Alejandro Ortuno, oscd.communityCreated Tue Oct 06Updated Sun Nov 276b14bac8-3e3a-4324-8109-42f0546a347flinux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: 'crontab'
        CommandLine|contains: '/tmp/'
    condition: selection

False Positives

Legitimate administration activities

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0002 · Execution TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1053.003 · Cron

Rule Metadata

Rule ID

6b14bac8-3e3a-4324-8109-42f0546a347f

Status

test

Level

medium

Type

Detection

Created

Tue Oct 06

Modified

Sun Nov 27

Author

Alejandro Ortuno, oscd.community

Path

rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml

Raw Tags

attack.executionattack.persistenceattack.privilege-escalationattack.t1053.003

View on GitHub