Detects creation or modification of crontab entries by non-root users or from abnormal parent processes, followed by the execution of uncommon binaries at scheduled intervals.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | write |
| Process Creation (DC0032) | auditd:SYSCALL | execve |

| Field | Description |
|---|---|
| CronFilePath | System-specific crontab paths may vary across distros or deployments. |
| RunUser | Define if only root or specific admin users are allowed to schedule jobs. |
| ExecutionFrequency | Threshold for suspicious repetition (e.g., every-minute jobs). |
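The Linux analytic above, as an added example that is not part of the original page: a small Python detector that walks constructed, simplified auditd-style records, uses the CronFilePath, RunUser and ExecutionFrequency fields as tunables, and correlates a cron-spawned execution of an uncommon binary with the login uid that wrote the crontab. The flattened record format, the `pcomm` field, the sample values and the thresholds are assumptions made for the demo.

```python
import re
from collections import defaultdict
# Tunables mirroring the analytic's mutable fields (values are assumptions for the demo).
CRON_FILE_PATHS = ("/var/spool/cron/", "/etc/cron.d/", "/etc/crontab")   # CronFilePath
RUN_USERS = {"0"}                                                          # RunUser: root only
TRUSTED_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")
FREQ_COUNT, FREQ_WINDOW = 3, 600   # ExecutionFrequency: 3 runs of one binary inside 10 minutes

# Constructed, simplified auditd SYSCALL records (not real data). `pcomm` stands in for the parent's
# command name (resolved from ppid in a real pipeline) and `path` collapses auditd's separate PATH record.
SAMPLE_LOG = """\
type=SYSCALL ts=1700000000 syscall=write uid=0 auid=1001 pid=4101 comm="crontab" exe="/usr/bin/crontab" path="/var/spool/cron/crontabs/alice" key="cron_write"
type=SYSCALL ts=1700000010 syscall=write uid=0 auid=0 pid=4120 comm="crontab" exe="/usr/bin/crontab" path="/var/spool/cron/crontabs/root" key="cron_write"
type=SYSCALL ts=1700000020 syscall=write uid=1002 auid=1002 pid=4130 comm="bash" exe="/usr/bin/bash" path="/etc/cron.d/update" key="cron_write"
type=SYSCALL ts=1700000060 syscall=execve uid=1002 auid=4294967295 pid=4200 ppid=1 pcomm="cron" exe="/tmp/.x/update.sh" key="exec"
type=SYSCALL ts=1700000120 syscall=execve uid=1002 auid=4294967295 pid=4210 ppid=1 pcomm="cron" exe="/tmp/.x/update.sh" key="exec"
type=SYSCALL ts=1700000180 syscall=execve uid=1002 auid=4294967295 pid=4220 ppid=1 pcomm="cron" exe="/tmp/.x/update.sh" key="exec"
type=SYSCALL ts=1700000200 syscall=execve uid=0 auid=4294967295 pid=4230 ppid=1 pcomm="cron" exe="/usr/bin/logrotate" key="exec"
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one key=value audit line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def detect(log_text):
    """Return (rule, detail) alerts: suspicious crontab writes first, then cron-spawned execs."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    alerts, writer_auids, runs = [], set(), defaultdict(list)
    for r in records:
        if r.get("syscall") == "write" and r.get("path", "").startswith(CRON_FILE_PATHS):
            if r["auid"] not in RUN_USERS:          # scheduled by a login user outside RunUser
                alerts.append(("crontab_write_non_root", f"auid={r['auid']} path={r['path']}"))
                writer_auids.add(r["auid"])          # cron later runs that user's job with uid == auid
            if r["comm"] != "crontab":               # direct edit, not via the crontab utility
                alerts.append(("crontab_write_abnormal_process", f"comm={r['comm']} path={r['path']}"))
        elif r.get("syscall") == "execve" and r.get("pcomm") == "cron":
            exe, ts = r["exe"], int(r["ts"])
            runs[exe] = [t for t in runs[exe] if ts - t <= FREQ_WINDOW] + [ts]   # sliding window
            if not exe.startswith(TRUSTED_DIRS):       # uncommon binary launched by cron
                sev = "correlated" if r["uid"] in writer_auids else "uncorrelated"
                alerts.append(("cron_exec_uncommon_binary", f"{sev} uid={r['uid']} exe={exe}"))
            if len(runs[exe]) == FREQ_COUNT:           # fire once when the frequency threshold is hit
                alerts.append(("cron_exec_high_frequency", f"exe={exe} runs={FREQ_COUNT} within {FREQ_WINDOW}s"))
    return alerts

if __name__ == "__main__":
    print("\n".join(f"{rule:32} {detail}" for rule, detail in detect(SAMPLE_LOG)))
```

On the sample data the root crontab edit and the cron-launched `logrotate` stay silent, while the non-root writes, the direct `bash` edit of `/etc/cron.d/update` and the three `/tmp` executions by the same uid produce correlated alerts.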
Detects crontab job additions or modifications via crontab utility or direct edits, especially those created by interactive users executing hidden or renamed scripts.

| Data Component | Name | Channel |
|---|---|---|
| Scheduled Job Creation (DC0001) | macos:unifiedlog | process: crontab edits, launch of cron job |
| File Modification (DC0061) | fs:fsusage | file access to /usr/lib/cron/tabs/ and cron output files |

| Field | Description |
|---|---|
| ScriptPath | Match scheduled binary path to trusted directory baseline. |
| CronScheduleSyntax | Flags excessive frequency or wildcard-heavy cron expressions. |
| InteractiveUserContext | Limit cron job writes from interactive shells. |
Detects direct modification of crontab entries in /var/spool/cron/crontabs/root or /etc/rc.local.d/local.sh followed by execution of scripts linked to lateral movement or malware persistence.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | esxi:hostd | modification of crontab or local.sh entries |
| Scheduled Job Creation (DC0001) | esxi:cron | execution of scheduled job |
| Process Creation (DC0032) | esxi:vmkernel | spawned shell or execution environment activity |

| Field | Description |
|---|---|
| CrontabFileMonitored | Admins may customize paths in hardened deployments. |
| ShellCommandPayload | Flag shell-based persistence indicators in local.sh or cron payloads. |
| JobInterval | Time interval of task repetition for outlier identification. |