Adversaries can establish persistence by scheduling malicious commands through cron (ATT&CK T1053.003): dropping a file into one of the cron drop-in directories or editing a crontab so that the command runs at a fixed interval and survives reboots and credential changes. SOC teams should hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) to spot long-term access early. The Sigma rule below, its Sentinel (ASIM) translation and the tuning notes that follow are one starting point.
Detection Rule
title: Persistence Via Cron Files
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
status: test
description: Detects creation of a cron file, or of files in cron directories, which could indicate potential persistence.
references:
    - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection1:
        # prefix match: anything written under the cron drop-in directories or the user crontab spool
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
    selection2:
        # substring match: the system crontab and the cron access-control files
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    condition: 1 of selection*
falsepositives:
    - Any legitimate cron file.
level: medium
// Sentinel translation over the ASIM FileEvent parser. In the ASIM schema the full,
// normalised path is TargetFilePath; TargetFileName holds only the base name, so the
// prefix and substring tests must run against TargetFilePath to match anything.
imFileEvent
| where TargetFilePath startswith "/etc/cron.d/"
    or TargetFilePath startswith "/etc/cron.daily/"
    or TargetFilePath startswith "/etc/cron.hourly/"
    or TargetFilePath startswith "/etc/cron.monthly/"
    or TargetFilePath startswith "/etc/cron.weekly/"
    or TargetFilePath startswith "/var/spool/cron/crontabs/"
    or TargetFilePath contains "/etc/cron.allow"
    or TargetFilePath contains "/etc/cron.deny"
    or TargetFilePath contains "/etc/crontab"
Known false-positive scenarios and how to tune them. A file event carries the path, the writing account and the writing process, not the file's content, so "job name" below means the cron file's basename (for example /etc/cron.d/logrotate); to filter on the scheduled command itself, correlate with the process event that wrote the file. Keyword allow-lists are a convenience, not a control: an attacker who can write to a cron directory can also pick a name that contains "backup".

Scenario: System administrator schedules a legitimate backup job using cron
Filter/Exclusion: Check for known backup tools (e.g., rsync, tar, borgbackup) and filter by user (e.g., root or the backup user) and job names containing "backup" or "snapshot"

Scenario: DevOps team deploys a CI/CD pipeline with a scheduled job via cron
Filter/Exclusion: Filter for jobs owned by ci, jenkins, or gitlab-runner and check for job names containing "deploy", "build", or "pipeline"

Scenario: IT team configures a system monitoring tool (e.g., Nagios, Zabbix) to run scheduled checks via cron
Filter/Exclusion: Filter for cron jobs owned by monitoring users (e.g., nagios, zabbix) and job names containing "check", "monitor", or "status"

Scenario: Admin configures a log rotation tool (e.g., logrotate) via cron
Filter/Exclusion: Filter for cron jobs owned by root or the logrotate user and job names containing "rotate", "logrotate", or "clean"

Scenario: Scheduled system updates via yum-cron or apticron
Filter/Exclusion: Filter for cron jobs related to package managers (e.g., yum-cron, apticron) and check for job names containing "update", "upgrade", or "dist-upgrade"
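The rule's selection logic and the tuning approach above, as an added example that is not part of the Sigma rule or the page's own query: a small Python evaluator that applies the two selections to constructed ASIM-style FileEvent records and then suppresses matches that fit a hypothetical per-account keyword allow-list built from the scenarios on this page. The sample events, the account names and the KNOWN_GOOD table are all assumptions for illustration, not real telemetry or a recommended production allow-list.

```python
"""Evaluate 'Persistence Via Cron Files' over constructed file events and
apply a hypothetical allow-list derived from the false-positive scenarios."""
from typing import Dict, List, Tuple

# selection1: prefix matches on the cron drop-in directories and the user crontab spool
CRON_DIR_PREFIXES = (
    "/etc/cron.d/",
    "/etc/cron.daily/",
    "/etc/cron.hourly/",
    "/etc/cron.monthly/",
    "/etc/cron.weekly/",
    "/var/spool/cron/crontabs/",
)
# selection2: Sigma |contains is a substring test, so any path containing one of
# these strings matches, not only the three files themselves
CRON_FILE_SUBSTRINGS = ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab")

# Hypothetical tuning allow-list (assumption, not part of the rule): the account
# that wrote the file -> keywords its basename must contain to be considered
# expected. Mirrors the scenarios on this page; tune per environment.
KNOWN_GOOD: Dict[str, Tuple[str, ...]] = {
    "root": ("backup", "snapshot", "logrotate", "rotate", "clean",
             "yum-cron", "apticron", "update", "upgrade"),
    "backup": ("backup", "snapshot"),
    "jenkins": ("deploy", "build", "pipeline"),
    "gitlab-runner": ("deploy", "build", "pipeline"),
    "nagios": ("check", "monitor", "status"),
    "zabbix": ("check", "monitor", "status"),
}


def matches_rule(path: str) -> bool:
    """condition: 1 of selection* -> fires when either selection matches."""
    selection1 = path.startswith(CRON_DIR_PREFIXES)
    selection2 = any(s in path for s in CRON_FILE_SUBSTRINGS)
    return selection1 or selection2


def is_known_good(user: str, path: str) -> bool:
    """Suppress only when the writing account is expected AND the file's
    basename carries one of that account's expected job keywords."""
    basename = path.rsplit("/", 1)[-1].lower()
    return any(keyword in basename for keyword in KNOWN_GOOD.get(user, ()))


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, verdict) per event: 'alert', 'suppressed' or 'no_match'."""
    verdicts = []
    for event in events:
        path = event["TargetFilePath"]
        if not matches_rule(path):
            verdict = "no_match"
        elif is_known_good(event.get("ActorUsername", ""), path):
            verdict = "suppressed"
        else:
            verdict = "alert"
        verdicts.append((path, verdict))
    return verdicts


# Constructed sample events using ASIM FileEvent field names (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventType": "FileCreated", "ActorUsername": "root", "TargetFilePath": "/etc/cron.d/logrotate"},
    {"EventType": "FileCreated", "ActorUsername": "nagios", "TargetFilePath": "/etc/cron.d/check_disk"},
    {"EventType": "FileCreated", "ActorUsername": "www-data", "TargetFilePath": "/etc/cron.d/.sysupdate"},
    {"EventType": "FileModified", "ActorUsername": "root", "TargetFilePath": "/var/spool/cron/crontabs/root"},
    {"EventType": "FileModified", "ActorUsername": "root", "TargetFilePath": "/etc/crontab"},
    {"EventType": "FileCreated", "ActorUsername": "alice", "TargetFilePath": "/home/alice/etc/crontab.bak"},
    {"EventType": "FileCreated", "ActorUsername": "root", "TargetFilePath": "/etc/cron.d"},
    {"EventType": "FileCreated", "ActorUsername": "root", "TargetFilePath": "/tmp/payload.sh"},
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:10s} {path}")
```

Two things the sample set makes visible. The substring selection matches /home/alice/etc/crontab.bak because "/etc/crontab" appears inside the path, while the directory /etc/cron.d itself does not match the prefix test; both follow directly from the Sigma modifiers. And a keyword allow-list is only as good as the keywords: the same .sysupdate file that alerts when www-data writes it would be suppressed if root wrote it, because its basename contains "update". Exact file names (or the hash of the file content, obtained from another source) make a safer exclusion than substrings.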