Adversaries abuse cron (ATT&CK T1053.003) to execute payloads on a schedule or to persist across reboots, commonly by writing a crontab file to /tmp and loading it with the crontab utility. SOC teams should hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to surface execution and persistence mechanisms used by threat actors.
Detection Rule
title: Scheduled Cron Task/Job - Linux
id: 6b14bac8-3e3a-4324-8109-42f0546a347f
status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-06
modified: 2022-11-27
tags:
    - attack.execution
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1053.003
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: 'crontab'
        CommandLine|contains: '/tmp/'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Sentinel Query (KQL, using the ASIM imProcessCreate process-event parser)
imProcessCreate
| where TargetProcessName endswith "crontab" and TargetProcessCommandLine contains "/tmp/"
Scenario: System Administrator Updates Crontab via /tmp for Legitimate Job Scheduling
Description: An admin may temporarily store a crontab file in /tmp as part of a deployment or configuration process before replacing the actual crontab file.
Filter/Exclusion: Exclude an event only when both conditions hold: the actor is a known administrative account (e.g., root or a named admin user) and the crontab file passed on the command line is a known legitimate job file matched by its full path (e.g., /tmp/backup_script.sh, /tmp/log_cleanup.sh). Do not rely on the file name alone, since the attacker chooses the name of whatever they drop in /tmp.
Example Filter: (user_id = 'root' OR user_id = 'admin') AND (command_line LIKE '%/tmp/backup_script.sh%' OR command_line LIKE '%/tmp/log_cleanup.sh%')
Note the parentheses: AND binds tighter than OR, so the unparenthesised form user_id = 'root' OR user_id = 'admin' AND ... would silently exclude every root event regardless of the file. A pattern such as job_name NOT LIKE '%malicious%' excludes nothing useful, because no attacker names their script that way.
Scenario: Temporary Cron Job for System Maintenance Tool (e.g., logrotate)
Description: A legitimate system maintenance tool may generate a temporary crontab entry in /tmp during its setup or configuration phase.
Filter/Exclusion: Check for the presence of known system tools (e.g., logrotate, rsyslog, systemd-tmpfiles) in the command line and confirm that the parent process is the package installer or the tool's own configuration step rather than an interactive shell, so that an attacker cannot suppress the alert simply by naming a file /tmp/logrotate.
Example Filter: command_line LIKE '%/tmp/logrotate%' OR command_line LIKE '%/tmp/rsyslog%'
Scenario: Cron Job for Scheduled Backup Using /tmp as a Temporary Storage Location
Description: A backup script may use /tmp to store intermediate files before moving them to a permanent location. The cron job may be configured to run from /tmp.
Filter/Exclusion: Check for presence of backup-related commands (e.g., tar, rsync, cp) and verify that the job is associated with a known backup tool or process.
Example Filter: command_line LIKE '%tar -cvf%' OR command_line LIKE '%rsync%'
Scenario: Cron Job for Automated Testing or CI/CD Pipeline Using /tmp
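The following is an added example, not code from the original page or from the Sigma project. It runs the rule's selection logic (Image ends with crontab, CommandLine contains /tmp/) over a handful of constructed Linux process-creation events, then applies the allow-list style tuning sketched in the scenarios above: a known-good pair of actor and full crontab file path is suppressed, anything else that matches still alerts. It also models the mis-parenthesised user_id = root OR user_id = admin AND ... filter to show why it is unsafe. All users, paths, and command lines here are constructed for illustration; the field names are assumptions chosen to mirror the ASIM columns used in the KQL query.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Linux process-creation event (constructed; mirrors ActorUsername,
    TargetProcessName and TargetProcessCommandLine in the ASIM schema)."""
    user: str
    image: str
    command_line: str


def matches_rule(ev: ProcEvent) -> bool:
    """Sigma selection: Image|endswith 'crontab' AND CommandLine|contains '/tmp/'."""
    return ev.image.endswith("crontab") and "/tmp/" in ev.command_line


def crontab_file_arg(command_line: str) -> Optional[str]:
    """Return the first /tmp/ path passed to crontab, or None if there is none."""
    for tok in command_line.split():
        if tok.startswith("/tmp/"):
            return tok
    return None


# Tuning allow-list: (actor, exact crontab file path) pairs that are known good.
# Matching on the full path, not a substring such as 'backup', matters because
# the attacker chooses the name of the file they drop in /tmp. (Constructed.)
KNOWN_GOOD = {
    ("root", "/tmp/logrotate.cron"),
    ("backup", "/tmp/backup_script.sh"),
}


def is_known_good(ev: ProcEvent) -> bool:
    """True only when both the actor and the full file path are allow-listed."""
    return (ev.user, crontab_file_arg(ev.command_line)) in KNOWN_GOOD


def triage(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    """Events that match the rule and are not suppressed by the allow-list."""
    return [ev for ev in events if matches_rule(ev) and not is_known_good(ev)]


def naive_exclusion_suppresses(ev: ProcEvent) -> bool:
    """Models the filter 'user_id = root OR user_id = admin AND job_name NOT LIKE
    %malicious%' as written: AND binds tighter than OR, so every root event is
    suppressed outright, whatever file it loads."""
    return ev.user == "root" or (
        ev.user == "admin" and "malicious" not in ev.command_line
    )


# Constructed sample telemetry, one event per line of the rule's decision table.
SAMPLE_EVENTS = [
    # Atomic Red Team style test: attacker-controlled crontab loaded from /tmp
    ProcEvent("www-data", "/usr/bin/crontab", "crontab /tmp/persistevil"),
    # known maintenance job from an allow-listed actor and path: suppressed
    ProcEvent("root", "/usr/bin/crontab", "crontab /tmp/logrotate.cron"),
    # 'backup' in the file name but wrong actor: still alerts
    ProcEvent("deploy", "/usr/bin/crontab", "crontab /tmp/backup_script.sh"),
    # interactive edit with no /tmp/ path: does not match the rule at all
    ProcEvent("root", "/usr/bin/crontab", "crontab -e"),
    # listing the crontab: no /tmp/ in the command line, no match
    ProcEvent("root", "/usr/bin/crontab", "crontab -l"),
    # installing for another user from a /tmp file: alerts
    ProcEvent("alice", "/usr/bin/crontab", "crontab -u alice /tmp/jobs.txt"),
]


if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"ALERT user={ev.user} cmd={ev.command_line!r}")
    root_evil = ProcEvent("root", "/usr/bin/crontab", "crontab /tmp/persistevil")
    print("naive filter drops root-loaded evil crontab:",
          naive_exclusion_suppresses(root_evil))
    print("tuned triage still alerts on it:", bool(triage([root_evil])))
```

The allow-list deliberately keys on the actor together with the full file path; the suppressed logrotate event is the only one that escapes, while the root-loaded /tmp/persistevil event that the naive filter would drop is still reported by triage.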