Potential Redis CONFIG SET Cron Directory Persistence (RedisRaider)

Elastic Detection Rules

Summary
This rule detects abuse of Redis CONFIG SET commands to repoint Redis's working directory to a Linux cron directory and persist attacker-controlled payloads. Specifically, it looks for an unauthorized sequence in which CONFIG SET dir targets a cron path (for example, /etc/cron.d or /var/spool/cron), followed by CONFIG SET dbfilename to choose the output filename, a SET of the payload, and a BGSAVE that flushes the payload to disk. The technique yields persistence and execution of mining activity (notably XMRig) by writing a cron job through Redis.

The detection relies on unencrypted Redis traffic captured in the network_traffic.redis dataset and fires when the Redis query contains CONFIG SET dir and references a cron-related path. The rule maps to MITRE ATT&CK persistence technique T1053.003 (Cron) and impact technique T1496 (Resource Hijacking). It notes that TLS encryption can hinder payload inspection, so the rule assumes unencrypted traffic. Setup requires the Elastic network_traffic integration with the Redis protocol module enabled and monitoring on port 6379 (or a custom port).

Recommended mitigations include enforcing authentication on Redis (requirepass or ACLs), restricting CONFIG SET permissions, blocking Redis access from untrusted networks, and enabling protected mode. The rule has high severity (risk_score 73) and references public intelligence reporting and MITRE resources for context.
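As an added illustration (not Elastic's rule logic or code), the single-event trigger described above and a stricter per-client correlation of the full CONFIG SET dir, CONFIG SET dbfilename, SET, BGSAVE chain, run over constructed sample records. The event keys `client` and `query`, the cron directories beyond the two named above, and treating SAVE like BGSAVE are assumptions.

```python
import posixpath
import shlex
from collections import defaultdict

# /etc/cron.d and /var/spool/cron are from the rule text; the rest are assumed additions.
CRON_DIRS = ("/etc/cron.d", "/var/spool/cron", "/etc/cron.hourly",
             "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly")

def targets_cron_dir(path: str) -> bool:
    norm = posixpath.normpath(path.strip())  # fold '..' and trailing '/' before comparing
    return any(norm == d or norm.startswith(d + "/") for d in CRON_DIRS)

def tokens(query: str) -> list:
    try:  # shlex keeps a quoted argument (e.g. the SET payload) as one token
        return shlex.split(query)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        return query.split()

def stage(t: list) -> int:
    """Position of a tokenised query in the dir -> dbfilename -> SET -> BGSAVE chain, or -1."""
    cmd = [x.upper() for x in t[:2]]
    if cmd == ["CONFIG", "SET"] and len(t) >= 4:
        return 0 if t[2].lower() == "dir" and targets_cron_dir(t[3]) else (1 if t[2].lower() == "dbfilename" else -1)
    return {"SET": 2, "BGSAVE": 3, "SAVE": 3}.get(cmd[0], -1) if cmd else -1  # SAVE assumed equivalent flush

def is_config_set_cron_dir(query: str) -> bool:
    """The rule's single-event trigger: CONFIG SET dir <cron path>, command words case-insensitive."""
    return stage(tokens(query)) == 0

def persistence_sequences(events: list) -> list:
    """Correlate per client (assumed keys 'client', 'query'); return clients completing the chain in order."""
    progress, hits = defaultdict(int), []
    for ev in events:
        s, c = stage(tokens(ev["query"])), ev["client"]
        if s == progress[c]:
            progress[c] += 1
        elif s == 0:  # a fresh cron-dir repoint restarts the chain
            progress[c] = 1
        if progress[c] == 4:
            hits.append(c)
            progress[c] = 0
    return hits

SAMPLE_EVENTS = [  # constructed sample records, not real captured traffic
    {"client": "10.0.0.5", "query": "CONFIG SET dir /var/lib/redis"},
    {"client": "192.0.2.7", "query": "config set dir /var/spool/cron/"},
    {"client": "192.0.2.7", "query": "CONFIG SET dbfilename root"},
    {"client": "192.0.2.7", "query": 'SET job "[cron line placeholder]"'},
    {"client": "192.0.2.7", "query": "BGSAVE"},
]
```

The single-event check mirrors what the rule alerts on; the chain correlation is a lower-noise companion for triage, since a legitimate CONFIG SET dir to a cron path never completes the rest of the sequence.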
Categories
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1053
  • T1496
  • T1053.003
Created: 2026-06-11