Linux Add Files In Known Crontab Directories

Splunk Security Content

Summary
This rule detects unauthorized file creation in common crontab directories on Unix-like operating systems. It monitors locations such as `/etc/cron*` and `/var/spool/cron/*` using Sysmon for Linux EventID 11 (FileCreate) data. New files in these paths may indicate an attacker's attempt to establish persistence through scheduled jobs, which can lead to execution of malicious code and further compromise. The detection logic queries the Endpoint filesystem data model for file-creation events, returning the timestamps and the processes associated with each change. Implementation requires proper ingestion of these logs, typically via the Sysmon for Linux add-on from Splunkbase. Administrators should keep legitimate use cases in mind, since files are also created in crontab directories during normal administrative tasks; tuning the detection filters to these cases is essential to reduce false positives.
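As an added illustration, not the detection's own SPL or any Splunk code, the core of the matching logic expressed in Python over a few constructed Sysmon for Linux EventID 11 records; the allowlisted process image is an assumption, shown only to demonstrate the kind of false-positive filter the summary calls for:

```python
import fnmatch
from typing import Dict, List, Set

# The crontab locations named in the summary. fnmatch's "*" also matches "/",
# so "/etc/cron*" covers /etc/crontab, /etc/cron.d/..., /etc/cron.daily/..., etc.
CRON_PATH_PATTERNS = ["/etc/cron*", "/var/spool/cron/*"]

# Assumption: processes whose cron writes are expected in this environment.
# Tune per site; the summary asks for exactly this kind of filter.
ALLOWED_IMAGES: Set[str] = {"/usr/bin/crontab"}


def is_cron_path(path: str) -> bool:
    """True when a file path falls under one of the monitored crontab directories."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in CRON_PATH_PATTERNS)


def detect(events: List[Dict[str, str]], allowed_images: Set[str] = ALLOWED_IMAGES) -> List[Dict[str, str]]:
    """Return FileCreate events that land in a crontab directory from a non-allowlisted process."""
    hits = []
    for ev in events:
        if ev.get("EventID") != "11":              # Sysmon for Linux FileCreate only
            continue
        if not is_cron_path(ev.get("TargetFilename", "")):
            continue
        if ev.get("Image") in allowed_images:     # expected administrative tooling
            continue
        hits.append({k: ev.get(k, "") for k in ("UtcTime", "Image", "ProcessId", "TargetFilename", "User")})
    return hits


# Constructed sample records mimicking the Sysmon for Linux fields the rule relies on.
SAMPLE_EVENTS = [
    {"EventID": "11", "UtcTime": "2024-12-19 10:00:01", "Image": "/usr/bin/crontab", "ProcessId": "4101",
     "TargetFilename": "/var/spool/cron/crontabs/root", "User": "root"},
    {"EventID": "11", "UtcTime": "2024-12-19 10:02:15", "Image": "/bin/bash", "ProcessId": "4188",
     "TargetFilename": "/etc/cron.d/update", "User": "www-data"},
    {"EventID": "11", "UtcTime": "2024-12-19 10:03:40", "Image": "/usr/bin/vim", "ProcessId": "4203",
     "TargetFilename": "/home/alice/notes.txt", "User": "alice"},
    {"EventID": "1", "UtcTime": "2024-12-19 10:04:02", "Image": "/bin/bash", "ProcessId": "4210", "User": "root"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running the block flags only the bash-written `/etc/cron.d/update` record; passing an empty allowlist to `detect` also surfaces the root crontab write, which shows the tuning trade-off the summary describes.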
Categories
  • Linux
  • Endpoint
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1053.003
  • T1053
Created: 2024-12-19