
Summary
This detection rule identifies the creation of cron jobs on Unix systems through the crontab command, a persistence mechanism frequently used by threat actors. Cron jobs run tasks at scheduled intervals, and on a compromised host those tasks can include malicious scripts. The logic uses Splunk queries to search for process-creation events in which the crontab command is invoked, or in which command output is redirected into cron-related directories, either of which may indicate unauthorized modification of scheduled tasks. The detection is also mapped to several ATT&CK techniques, which makes it useful for identifying malicious process creation and unintended privilege escalation behavior in Unix environments.
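As an added illustration (not the rule's own Splunk query), the two conditions above re-implemented in Python and run over constructed process-creation events; the event field names, the cron paths list and the treatment of `crontab -l` as a read-only listing are assumptions of this example.

```python
import re

# Constructed sample process-creation events (hypothetical field names, not the rule's Splunk fields).
SAMPLE_EVENTS = [
    {"host": "web01", "user": "www-data",
     "command_line": "sh -c 'crontab /tmp/.x/tab'"},
    {"host": "web01", "user": "root",
     "command_line": "sh -c 'echo \"* * * * * /tmp/.x/run.sh\" >> /etc/cron.d/update'"},
    {"host": "db02", "user": "postgres", "command_line": "crontab -l"},
    {"host": "db02", "user": "root", "command_line": "cat /etc/crontab"},
    {"host": "app03", "user": "deploy",
     "command_line": "bash -c 'tee /var/spool/cron/crontabs/deploy < job.txt'"},
    {"host": "app03", "user": "deploy",
     "command_line": "bash -c 'cat /var/log/syslog > /tmp/out.txt'"},
]

# Assumed set of cron-related paths (extend for the distributions you monitor).
CRON_PATHS = ("/etc/cron.d/", "/etc/crontab", "/var/spool/cron/",
              "/etc/cron.hourly/", "/etc/cron.daily/",
              "/etc/cron.weekly/", "/etc/cron.monthly/")

# crontab binary at the start of a token, plus its arguments up to the next
# shell operator; `crontab -l` only lists a table and is not treated as a write.
CRONTAB_RE = re.compile(
    r"(?:^|[\s'\"])(?:/usr/bin/|/bin/)?crontab\b(?P<args>[^;&|]*)")
LIST_ONLY_RE = re.compile(r"(?:^|\s)-l\b")
# Shell redirection (> or >>) or tee aimed at one of the cron paths.
REDIRECT_RE = re.compile(
    r"(?:>>?|\btee\b(?:\s+-a)?)\s*['\"]?("
    + "|".join(re.escape(p) for p in CRON_PATHS) + ")")


def classify(cmd):
    """Return why a command line matches the rule, or None if it does not."""
    m = CRONTAB_RE.search(cmd)
    if m and not LIST_ONLY_RE.search(m.group("args")):
        return "crontab invoked to install or edit a crontab"
    m = REDIRECT_RE.search(cmd)
    if m:
        return "output redirected into cron path " + m.group(1)
    return None


def detect_cron_persistence(events):
    """Apply the rule logic to process events; each finding maps to T1053.003."""
    findings = []
    for ev in events:
        reason = classify(ev.get("command_line", ""))
        if reason:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "technique": "T1053.003", "reason": reason,
                             "command_line": ev["command_line"]})
    return findings
```

Reading `/etc/crontab` and `crontab -l` are deliberately not flagged, so the noise from administrators inspecting schedules stays out of the findings.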
Categories
- Linux
- Endpoint
Data Sources
- Process
- Command
ATT&CK Techniques
- T1053.003
Created: 2024-02-09