SigmaHQ/rules/linux/lnx_schedule_task_job_cron.yml

title: Scheduled Cron Task/Job
id: 6b14bac8-3e3a-4324-8109-42f0546a347f
status: experimental
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
author: Alejandro Ortuno, oscd.community
date: 2020/10/06
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - 'crontab'
    CommandLine|contains:
      - '/tmp/'
  condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1053.003
Scheduled Cron Task/Job sigma rule 2020-10-08 11:15:02 +00:00			`title: Scheduled Cron Task/Job`
			`id: 6b14bac8-3e3a-4324-8109-42f0546a347f`
			`status: experimental`
Use process_creation for the detection 2020-10-13 08:41:50 +00:00			`description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.`
Scheduled Cron Task/Job sigma rule 2020-10-08 11:15:02 +00:00			`author: Alejandro Ortuno, oscd.community`
			`date: 2020/10/06`
			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md`
			`logsource:`
Use process_creation for the detection 2020-10-13 08:41:50 +00:00			`category: process_creation`
			`product: linux`
Scheduled Cron Task/Job sigma rule 2020-10-08 11:15:02 +00:00			`detection:`
Use process_creation for the detection 2020-10-13 08:41:50 +00:00			`selection:`
Renamed ProcessName field to Image for the process_creation category. 2021-02-24 22:57:26 +00:00			`Image\|endswith:`
Update lnx_schedule_task_job_cron.yml to trigger a test once again) 2020-10-17 20:25:52 +00:00			`- 'crontab'`
Use process_creation for the detection 2020-10-13 08:41:50 +00:00			`CommandLine\|contains:`
			`- '/tmp/'`
			`condition: selection`
Scheduled Cron Task/Job sigma rule 2020-10-08 11:15:02 +00:00			`falsepositives:`
			`- Legitimate administration activities`
Use process_creation for the detection 2020-10-13 08:41:50 +00:00			`level: medium`
Scheduled Cron Task/Job sigma rule 2020-10-08 11:15:02 +00:00			`tags:`
			`- attack.execution`
			`- attack.persistence`
			`- attack.privilege_escalation`
Use process_creation for the detection 2020-10-13 08:41:50 +00:00			`- attack.t1053.003`