[metadata] creation_date = "2021/01/15" deprecation_date = "2021/04/15" maturity = "deprecated" updated_date = "2021/04/15" [rule] author = ["Elastic"] description = """ Identifies the creation or execution of a cron job. Adversaries may abuse cron jobs to perform task scheduling for initial or recurring execution of malicious code. """ false_positives = ["Legitimate software or scripts using cron jobs for recurring tasks."] from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "Potential Persistence via Cron Job" references = ["https://archive.f-secure.com/weblog/archives/00002576.html", "https://ss64.com/osx/crontab.html"] risk_score = 21 rule_id = "b1c14366-f4f8-49a0-bcbb-51d2de8b0bb8" severity = "low" tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Persistence"] timestamp_override = "event.ingested" type = "query" query = ''' event.category:process and event.type:(start or process_started or info) and not user.name:root and ((process.name:crontab and not process.args:("-l" or "-r" or "-e" or "-help" or "-h")) or (process.parent.name:cron and not process.name:"running job" and not process.executable:(/Applications/Docker.app/Contents/Resources/bin/docker or /usr/bin/killall or /usr/sbin/sendmail or /usr/bin/env or /usr/bin/timeshift or /bin/rm))) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1053" name = "Scheduled Task/Job" reference = "https://attack.mitre.org/techniques/T1053/" [[rule.threat.technique.subtechnique]] id = "T1053.003" name = "Cron" reference = "https://attack.mitre.org/techniques/T1053/003/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/"