
Persistence Via Cron Files

Detects the creation of cron files, or of files inside the cron directories, which could indicate an attempt to establish persistence.

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
Created: Fri Oct 15, updated: Sat Dec 31
Rule ID: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
Product: linux
Log Source
Product: Linux (raw: linux)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (2 selectors)
detection:
    selection1:
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
    selection2:
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    condition: 1 of selection*
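To make the matching semantics of the two selectors concrete, here is the detection logic above re-implemented in plain Python and run over a handful of constructed file_event records. This is an added example, not code from the Sigma rule or the Sigma project. It assumes each record is a dict carrying a `TargetFilename` key (the field name used by the rule, as emitted for example by Sysmon for Linux FileCreate events); the sample paths and `Image` values are made up.

```python
"""Added example: Sigma 'startswith' / 'contains' selectors for cron
persistence, evaluated over constructed file_event records.
Record shape (dict with 'TargetFilename') is an assumption."""

# selection1: TargetFilename|startswith
CRON_DIR_PREFIXES = (
    "/etc/cron.d/",
    "/etc/cron.daily/",
    "/etc/cron.hourly/",
    "/etc/cron.monthly/",
    "/etc/cron.weekly/",
    "/var/spool/cron/crontabs/",
)

# selection2: TargetFilename|contains
CRON_FILE_SUBSTRINGS = (
    "/etc/cron.allow",
    "/etc/cron.deny",
    "/etc/crontab",
)


def selection1(target: str) -> bool:
    """Path begins with one of the cron directories.

    Sigma string matching is case-insensitive unless the |cased modifier
    is used, so the comparison is done on the lower-cased path even though
    Linux filesystems themselves are case-sensitive.
    """
    t = target.lower()
    return any(t.startswith(p) for p in CRON_DIR_PREFIXES)


def selection2(target: str) -> bool:
    """Path contains one of the cron control-file names anywhere."""
    t = target.lower()
    return any(s in t for s in CRON_FILE_SUBSTRINGS)


def matches(event: dict) -> bool:
    """condition: 1 of selection*  ->  selection1 OR selection2."""
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        return False
    return selection1(target) or selection2(target)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/cron.d/backdoor", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/var/spool/cron/crontabs/root", "Image": "/usr/bin/crontab"},
    {"TargetFilename": "/etc/crontab", "Image": "/usr/bin/vi"},
    {"TargetFilename": "/etc/cron.allow", "Image": "/usr/bin/touch"},
    # Fires via 'contains' although this is not the real crontab location.
    {"TargetFilename": "/tmp/etc/crontab", "Image": "/usr/bin/cp"},
    # RHEL-family user crontab location; not covered by the rule's prefixes.
    {"TargetFilename": "/var/spool/cron/root", "Image": "/usr/bin/crontab"},
    {"TargetFilename": "/home/alice/notes.txt", "Image": "/usr/bin/vim"},
]


def run(events) -> list:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for path in run(SAMPLE_EVENTS):
        print("ALERT", path)
```

Two points the sample set is built to show: `contains` is a substring test, so `/tmp/etc/crontab` (or `/etc/crontab.bak`) triggers the rule just as the real `/etc/crontab` does; and the `startswith` list covers the Debian-style `/var/spool/cron/crontabs/` directory but not `/var/spool/cron/<user>`, where RHEL-family systems store per-user crontabs, so a crontab written there would not match as the rule is written.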
False Positives

Any legitimate cron file, for example one installed by a package manager or written by an administrator via crontab.

Rule Metadata
Rule ID
6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
Status
test
Level
medium
Type
Detection
Created
Fri Oct 15
Modified
Sat Dec 31
Path
rules/linux/file_event/file_event_lnx_persistence_cron_files.yml
Raw Tags
attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003