New Cron File Created

Status: experimental
Severity: low
Log source: product linux, category file_event
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
Source: github.com/SigmaHQ/sigma

Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker. Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files. This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job. Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes. Additionally, it is recommended to review the contents of the newly created cron files to assess their intent. Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1053.003` Scheduled Task/Job: Cron
Persistence	`T1053.003` Scheduled Task/Job: Cron
Privilege Escalation	`T1053.003` Scheduled Task/Job: Cron

Event coverage

Provider	Event
Sysmon-for-Linux	Event ID 11

Rule body yaml

title: New Cron File Created
id: 6c4e2f43-d94d-4ead-b64d-97e53fa2bd05
status: experimental
description: |
    Detects the creation of cron files in Cron directories, which could indicate potential persistence mechanisms being established by an attacker.
    Note that not all cron file creations are malicious - legitimate system administration activities and software installations may also create cron files.
    This detection should be investigated in context, considering factors such as the user creating the file, the timing of creation, and the contents of the cron job.
    Focus investigation on unexpected cron files created by non-administrative users or during suspicious timeframes.
    Additionally, it is recommended to review the contents of the newly created cron files to assess their intent.
    Furthermore, it is suggested to baseline normal cron file creation and apply additional filters to reduce false positives based on the specific environment.
references:
    - https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
    - https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/
    - https://www.elastic.co/security-labs/primer-on-persistence-mechanisms
    - https://snehbavarva.medium.com/privilege-escalation-techniques-series-linux-cron-jobs-a5b797b424b4
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-10-15
modified: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.003
logsource:
    product: linux
    category: file_event
detection:
    selection_cron_dirs:
        TargetFilename|startswith:
            - '/etc/cron.d/'
            - '/etc/cron.daily/'
            - '/etc/cron.hourly/'
            - '/etc/cron.monthly/'
            - '/etc/cron.weekly/'
            - '/var/spool/cron/crontabs/'
            - '/var/spool/cron/root'
    selection_cron_special_files:
        TargetFilename|contains:
            - '/etc/cron.allow'
            - '/etc/cron.deny'
            - '/etc/crontab'
    filter_optional_legit_cron:
        # Note: FPs on docker images: golang, postgres, python, redis, ruby
        TargetFilename:
            - '/etc/cron.daily/apt'
            - '/etc/cron.daily/dpkg'
            - '/etc/cron.daily/passwd'
            - '/etc/crontabs/root'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate administrative tasks, package managers, containers, configuration management tools, cloud agents, or system maintenance operations might cause false positives. Apply baselining before deployment.
level: low

Stages and Predicates

Stage 0: `condition`

1 of selection_* and not 1 of filter_optional_*

Stage 1: `selection_cron_dirs`

selection_cron_dirs:
    TargetFilename|startswith:
        - '/etc/cron.d/'
        - '/etc/cron.daily/'
        - '/etc/cron.hourly/'
        - '/etc/cron.monthly/'
        - '/etc/cron.weekly/'
        - '/var/spool/cron/crontabs/'
        - '/var/spool/cron/root'

Stage 2: `selection_cron_special_files`

selection_cron_special_files:
    TargetFilename|contains:
        - '/etc/cron.allow'
        - '/etc/cron.deny'
        - '/etc/crontab'

Stage 3: `not filter_optional_legit_cron`

filter_optional_legit_cron:
    TargetFilename:
        - '/etc/cron.daily/apt'
        - '/etc/cron.daily/dpkg'
        - '/etc/cron.daily/passwd'
        - '/etc/crontabs/root'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`TargetFilename`	eq	`/etc/cron.daily/apt`
`TargetFilename`	eq	`/etc/cron.daily/dpkg`
`TargetFilename`	eq	`/etc/cron.daily/passwd`
`TargetFilename`	eq	`/etc/crontabs/root`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`TargetFilename`	match	`/etc/cron.allow` `/etc/cron.deny` `/etc/crontab`
`TargetFilename`	starts_with	`/etc/cron.d/` `/etc/cron.daily/` `/etc/cron.hourly/` `/etc/cron.monthly/` `/etc/cron.weekly/` `/var/spool/cron/crontabs/` `/var/spool/cron/root`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

New Cron File Created

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: `condition`

Stage 1: `selection_cron_dirs`

Stage 2: `selection_cron_special_files`

Stage 3: `not filter_optional_legit_cron`

Exclusions

Indicators

Keyboard shortcuts

Search operators

New Cron File Created

MITRE ATT&CK coverage

Event coverage

Rule body yaml

Stages and Predicates

Stage 0: condition

Stage 1: selection_cron_dirs

Stage 2: selection_cron_special_files

Stage 3: not filter_optional_legit_cron

Exclusions

Indicators

Stage 0: `condition`

Stage 1: `selection_cron_dirs`

Stage 2: `selection_cron_special_files`

Stage 3: `not filter_optional_legit_cron`