Type: Detection | Level: low | Status: experimental

New Cron File Created

Detects the creation of files in the cron directories and of the cron control files (/etc/crontab, /etc/cron.allow, /etc/cron.deny), which an attacker can use to run commands on a schedule and so establish persistence. Not every cron file creation is malicious: package installations, configuration management and routine administration create them too. Investigate in context: which user created the file, when it was created, and what the job runs. Prioritise files created by non-administrative users or outside expected maintenance windows, and review the new file's contents to judge its intent. Baseline normal cron file creation in your environment and add environment-specific filters to reduce false positives.

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
Created: Fri Oct 15
Updated: Tue Apr 28
Rule ID: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
Product: linux
Log Source
LinuxFile Event
Product: Linux (raw: linux)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (3 selectors)
detection:
    selection_cron_dirs:
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
            - '/var/spool/cron/root'
    selection_cron_special_files:
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    filter_optional_legit_cron:
        # Note: FPs on docker images: golang, postgres, python, redis, ruby
        TargetFilename:
            - '/etc/cron.daily/apt'
            - '/etc/cron.daily/dpkg'
            - '/etc/cron.daily/passwd'
            - '/etc/crontabs/root'
    condition: 1 of selection_* and not 1 of filter_optional_*
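To see exactly which events this logic fires on, the following is an added example (not part of the rule or of the SigmaHQ project) that transcribes the three selectors into Python and runs them over a handful of constructed file_event records. The field name TargetFilename comes from the rule; the sample paths, the User field and the ADMIN_USERS set are assumptions made for the illustration.

```python
"""Evaluate the 'New Cron File Created' detection logic over sample events.

Added example: a hand-written evaluator for this one rule, not a Sigma engine.
"""

# selection_cron_dirs: TargetFilename|startswith
CRON_DIR_PREFIXES = (
    "/etc/cron.d/",
    "/etc/cron.daily/",
    "/etc/cron.hourly/",
    "/etc/cron.monthly/",
    "/etc/cron.weekly/",
    "/var/spool/cron/crontabs/",
    "/var/spool/cron/root",
)

# selection_cron_special_files: TargetFilename|contains
CRON_SPECIAL_SUBSTRINGS = (
    "/etc/cron.allow",
    "/etc/cron.deny",
    "/etc/crontab",
)

# filter_optional_legit_cron: exact-match list (no modifier in the rule)
LEGIT_CRON_FILES = frozenset({
    "/etc/cron.daily/apt",
    "/etc/cron.daily/dpkg",
    "/etc/cron.daily/passwd",
    "/etc/crontabs/root",
})

# Assumption for triage only: accounts treated as administrative.
ADMIN_USERS = frozenset({"root"})


def explain(target_filename: str) -> list[str]:
    """Return the names of every selector and filter the path satisfies."""
    fired = []
    if target_filename.startswith(CRON_DIR_PREFIXES):
        fired.append("selection_cron_dirs")
    if any(s in target_filename for s in CRON_SPECIAL_SUBSTRINGS):
        fired.append("selection_cron_special_files")
    if target_filename in LEGIT_CRON_FILES:
        fired.append("filter_optional_legit_cron")
    return fired


def matches_rule(target_filename: str) -> bool:
    """Mirror the condition: 1 of selection_* and not 1 of filter_optional_*."""
    fired = explain(target_filename)
    any_selection = any(name.startswith("selection_") for name in fired)
    any_filter = any(name.startswith("filter_optional_") for name in fired)
    return any_selection and not any_filter


def evaluate_events(events: list[dict]) -> list[dict]:
    """Return one alert per matching event, with a triage hint per the rule's description."""
    alerts = []
    for event in events:
        path = event["TargetFilename"]
        if not matches_rule(path):
            continue
        alerts.append({
            "TargetFilename": path,
            "User": event.get("User", "?"),
            "fired": explain(path),
            # Non-administrative creators are the ones the description says to focus on.
            "escalate": event.get("User") not in ADMIN_USERS,
        })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/cron.d/sysupdate", "User": "www-data"},
    {"TargetFilename": "/var/spool/cron/crontabs/www-data", "User": "www-data"},
    {"TargetFilename": "/etc/crontabs/root", "User": "root"},        # Alpine-style image build
    {"TargetFilename": "/etc/cron.daily/apt", "User": "root"},        # Debian apt maintenance job
    {"TargetFilename": "/etc/cron.daily/example-pkg", "User": "root"},
    {"TargetFilename": "/home/alice/notes.txt", "User": "alice"},
    {"TargetFilename": "/tmp/build/etc/crontab", "User": "builder"},  # 'contains' hits anywhere in the path
]

if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(alert)
```

Two properties of the logic show up in the sample run. First, `contains: '/etc/crontab'` also matches Alpine's `/etc/crontabs/root`, which is why that exact path sits in the filter; it likewise matches any path with `/etc/crontab` anywhere inside it, such as a build tree under `/tmp`. Second, the filter is an exact-match list, so a legitimate package dropping any other file into `/etc/cron.daily/` still fires, which is the baselining work the description asks for.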
False Positives

Legitimate administrative tasks, package managers, containers, configuration management tools, cloud agents, or system maintenance operations might cause false positives. Apply baselining before deployment.

Rule Metadata
Rule ID
6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
Status
experimental
Level
low
Type
Detection
Created
Fri Oct 15
Modified
Tue Apr 28
Path
rules/linux/file_event/file_event_lnx_susp_cron_file_created.yml
Raw Tags
attack.privilege-escalation, attack.execution, attack.persistence, attack.t1053.003