← Library
splApache-2.0from splunk/security_content

Linux Auditd Edit Cron Table Parameter

The following analytic detects the suspicious editing of cron jobs in Linux using the crontab command-line parameter (-e). It identifies this activity by monitoring command-line executions involving 'crontab' and the edit parameter. This behavior is significant for a SOC as cron job manipulations can indicate unauthorized persistence attempts or scheduled malicious actions. If confirmed malicious, this activity could lead to system compromise, unauthorized access, or broader network compromise.

Quality
59
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_edit_cron_table_parameter.yml
`linux_auditd` type=SYSCALL syscall IN ("rename", "execve") (comm IN ("crontab") OR exe IN ("*/crontab")) success=yes AND NOT (UID IN("daemon"))
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY comm exe syscall
       uid ppid pid
       dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_edit_cron_table_parameter_filter`