The Crontab Enumeration rule detects a process listing scheduled tasks with crontab -l, which an adversary may run to discover existing jobs before establishing or verifying persistence of their own. The rule is tagged as discovery (ATT&CK T1007) and carries a low level because administrators and automation run the same command routinely, so SOC teams should treat matches in Azure Sentinel as a hunting lead rather than a stand-alone alert, correlating the executing user, parent process, and host role to identify a possibly compromised account or system.
Detection Rule
title: Crontab Enumeration
id: 403ed92c-b7ec-4edd-9947-5b535ee12d46
status: test
description: Detects usage of crontab to list the tasks of the user
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.discovery
    - attack.t1007
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/crontab'
        CommandLine|contains: ' -l'
    condition: selection
falsepositives:
    - Legitimate use of crontab
level: low
imProcessCreate
| where TargetProcessName endswith "/crontab" and TargetProcessCommandLine contains " -l"
Scenario: A system administrator runs crontab -l (or crontab -l -u <user>) to review the scheduled jobs of a specific account.
Filter/Exclusion: Correlate the match with the administrator's interactive session (parent shell, source address, change ticket) and with known administrative accounts; do not suppress on the command string alone, because it is identical to what an attacker types.
Scenario: An administrator lists a crontab before creating or modifying a legitimate job with crontab -e, such as a backup script or maintenance task. Note that crontab -e by itself does not match this rule, since its command line lacks " -l".
Filter/Exclusion: Filter by user context (e.g., root or a dedicated backup account) and check for known legitimate job names or paths in the resulting crontab, ideally correlated with the follow-up crontab -e from the same session.
Scenario: A developer runs crontab -l to verify that a job they configured is present, as part of a deployment or testing process.
Filter/Exclusion: Exclude executions whose user or parent process belongs to known development or CI/CD tooling (e.g., a jenkins or gitlab-runner service account), rather than excluding the command itself.
Scenario: A monitoring agent or log-analysis script runs crontab -l to inventory cron jobs for auditing or reporting.
Filter/Exclusion: Exclude by the agent's service account or parent image (e.g., splunk, logstash, or datadog agent processes), or by script paths under a controlled, monitored directory.
Scenario: A user troubleshoots cron job issues by listing their own jobs with crontab -l.
Filter/Exclusion: Correlate with that user's interactive session and recent cron-related activity. Do not exclude non-root users wholesale: a compromised low-privilege account enumerating cron is exactly the behavior this rule exists to surface, so keep such matches at low level for hunting instead of filtering them out.
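To see how the selection behaves on concrete events, and how the tuning described in the scenarios above can be expressed without suppressing the very accounts the rule should surface, the following Python is an added example, not code from the Sigma project or from the rule author. It evaluates the rule's two conditions over a handful of constructed process-creation events (not real telemetry), applies allowlists for a monitoring service account and a CI runner parent (the account and path names are assumptions for illustration), and shows two cases the rule does not see: crontab -e, whose command line lacks " -l", and reading the cron spool directly with cat.

```python
"""Evaluate the Crontab Enumeration Sigma selection and example tuning
against constructed Linux process_creation events."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation record with the fields the rule and tuning use."""
    image: str          # Sigma: Image        (ASIM: TargetProcessName)
    command_line: str   # Sigma: CommandLine  (ASIM: TargetProcessCommandLine)
    user: str           # account the process ran as
    parent_image: str   # parent process path, used only for tuning


def matches_rule(ev: ProcessEvent) -> bool:
    """Sigma selection: Image|endswith '/crontab' AND CommandLine|contains ' -l'.

    Sigma string modifiers are case-insensitive by default, so both sides are
    lower-cased; this mirrors KQL's case-insensitive endswith/contains.
    """
    return ev.image.lower().endswith("/crontab") and " -l" in ev.command_line.lower()


# Tuning allowlists. These are assumptions for this example, not part of the rule:
# a service account of an agent that inventories cron jobs, and the parent image
# of a CI runner. Keyed on who ran it / what spawned it, never on the command.
ALLOWLISTED_USERS = frozenset({"splunk", "dd-agent"})
ALLOWLISTED_PARENTS = frozenset({"/usr/bin/gitlab-runner"})


def is_tuned_out(ev: ProcessEvent) -> bool:
    """False-positive suppression. Deliberately never keys on "non-root user":
    a compromised low-privilege account is exactly what the rule should surface."""
    return ev.user in ALLOWLISTED_USERS or ev.parent_image in ALLOWLISTED_PARENTS


def alerts(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Events that match the selection and survive tuning."""
    return [ev for ev in events if matches_rule(ev) and not is_tuned_out(ev)]


# Constructed sample events (not real telemetry).
EVENTS = [
    # 0: web-server account enumerating cron from a shell -> should alert
    ProcessEvent("/usr/bin/crontab", "crontab -l", "www-data", "/bin/sh"),
    # 1: admin editing a crontab -> out of scope for this rule (no ' -l')
    ProcessEvent("/usr/bin/crontab", "crontab -e", "root", "/bin/bash"),
    # 2: root reviewing another user's crontab; ' -l' is still present
    ProcessEvent("/usr/bin/crontab", "crontab -u backup -l", "root", "/bin/bash"),
    # 3: monitoring agent inventorying cron -> matches, suppressed by tuning
    ProcessEvent("/usr/bin/crontab", "crontab -l", "splunk",
                 "/opt/splunkforwarder/bin/splunkd"),
    # 4: same reconnaissance goal via the spool file -> rule blind spot
    ProcessEvent("/usr/bin/cat", "cat /var/spool/cron/crontabs/root", "www-data", "/bin/sh"),
    # 5: combined short options still contain ' -l'
    ProcessEvent("/usr/bin/crontab", "crontab -lu alice", "alice", "/bin/zsh"),
]


def summary() -> dict:
    """Counts a practitioner would check when validating the rule offline."""
    matched = [ev for ev in EVENTS if matches_rule(ev)]
    return {
        "total": len(EVENTS),
        "matched": len(matched),
        "alerted": len(alerts(EVENTS)),
        # cron-related activity the selection does not cover
        "unmatched_cron_related": [ev.command_line for ev in EVENTS
                                   if not matches_rule(ev) and "cron" in ev.command_line],
    }


if __name__ == "__main__":
    fired = alerts(EVENTS)
    for ev in EVENTS:
        print(f"{ev.command_line!r:40} user={ev.user:9} "
              f"match={matches_rule(ev)!s:5} alert={ev in fired}")
    print(summary())
```

The lower-casing in matches_rule is what makes the Python agree with the Sentinel query above: KQL's endswith and contains are case-insensitive, so the ASIM filter on TargetProcessName and TargetProcessCommandLine matches the same events; use endswith_cs and contains_cs if you want an exact-case variant instead.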