
Summary
This detection rule identifies suspicious modifications to the crontab file on Linux systems, which may indicate that an unauthorized user is establishing persistence. Because cron runs whatever the crontab schedules, an unauthorized change can plant a backdoor or re-launch a payload on a timer, so write, create, rename or delete events against the crontab deserve attention (note that cron reads job definitions from several locations, including /etc/crontab, the /etc/cron.d directory and the per-user spool directory, not only from a single file). The rule triggers on file events whose path or content contains specific keywords associated with the crontab. Legitimate administrative edits and configuration-management tools produce the same events, so expect false positives and tune the rule with an allowlist of known processes or change windows rather than ignoring its alerts.
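To make the detection concrete, the following is an added example (not the rule's own search logic, and not code from the corpus this page comes from). It runs a path-based version of the check over a handful of constructed JSON-lines file events and applies a process allowlist to suppress the configuration-management false positives mentioned above. The event field names (action, file_path, user, process_name), the set of cron paths, and the allowlist are all assumptions made for illustration.

```python
import fnmatch
import json

# Locations from which cron(8) loads job definitions. The per-user spool path
# differs between distributions (Debian: /var/spool/cron/crontabs, Red Hat:
# /var/spool/cron), so a single pattern covers both. This list is an assumption
# about what the rule's "crontab keywords" cover, not the rule's own list.
CRON_PATH_PATTERNS = (
    "/etc/crontab",
    "/etc/cron.d/*",
    "/etc/cron.hourly/*",
    "/etc/cron.daily/*",
    "/etc/cron.weekly/*",
    "/etc/cron.monthly/*",
    "/var/spool/cron/*",
)

# File-event actions that change the file; a read of the crontab is not persistence.
MODIFY_ACTIONS = frozenset({"created", "modified", "renamed", "deleted"})


def cron_path_match(path):
    """Return the first cron pattern that matches path, or None for a non-cron file."""
    for pattern in CRON_PATH_PATTERNS:
        # fnmatchcase: '*' also matches '/', so nested spool paths still match.
        if fnmatch.fnmatchcase(path, pattern):
            return pattern
    return None


def detect_crontab_modifications(event_lines, allowed_processes=()):
    """Run the detection over JSON-lines file events.

    Each event is assumed to carry action, file_path, user and process_name
    (hypothetical schema). Events written by a process in allowed_processes
    (e.g. configuration management) are suppressed to cut known false positives.
    Returns a list of (file_path, user, process_name) tuples, one per alert.
    """
    alerts = []
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("action") not in MODIFY_ACTIONS:
            continue  # reads and other non-modifying actions are ignored
        if cron_path_match(event.get("file_path", "")) is None:
            continue  # not a cron job definition
        if event.get("process_name") in allowed_processes:
            continue  # known-good writer, e.g. puppet/ansible
        alerts.append((event["file_path"], event.get("user"), event.get("process_name")))
    return alerts


# Constructed sample events for the demo; not real telemetry.
SAMPLE_EVENTS = [
    '{"action":"modified","file_path":"/etc/crontab","user":"root","process_name":"vim"}',
    '{"action":"created","file_path":"/etc/cron.d/sysupdate","user":"www-data","process_name":"sh"}',
    '{"action":"modified","file_path":"/var/spool/cron/crontabs/root","user":"root","process_name":"crontab"}',
    '{"action":"modified","file_path":"/etc/cron.d/puppet","user":"root","process_name":"puppet"}',
    '{"action":"accessed","file_path":"/etc/crontab","user":"root","process_name":"cat"}',
    '{"action":"modified","file_path":"/etc/hosts","user":"root","process_name":"vim"}',
]

if __name__ == "__main__":
    for alert in detect_crontab_modifications(SAMPLE_EVENTS, allowed_processes=("puppet",)):
        print("ALERT crontab modified:", alert)
```

With the allowlist applied, the run above yields three alerts: the editor write to /etc/crontab, the new /etc/cron.d/sysupdate created by a shell running as www-data (the most suspicious of the three, since a web-server account has no business scheduling jobs), and the root spool edit via the crontab command. The puppet write is suppressed, and the read of /etc/crontab and the edit to /etc/hosts never match.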
Categories
- Linux
- Endpoint
Data Sources
- File
ATT&CK Techniques
- T1053.003 (Scheduled Task/Job: Cron)
Created: 2022-04-16