{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cron/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cron"],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eAttackers can leverage cron jobs to schedule malicious tasks for persistence, privilege escalation, and execution of arbitrary code on compromised Linux systems. This involves creating or modifying cron files in specific directories such as \u003ccode\u003e/etc/cron.d/\u003c/code\u003e, \u003ccode\u003e/etc/cron.daily/\u003c/code\u003e, \u003ccode\u003e/var/spool/cron/crontabs/\u003c/code\u003e, and others. The creation of unexpected cron files by non-administrative users or during suspicious timeframes warrants investigation. While not all cron file creations are malicious, the potential for abuse necessitates monitoring for anomalous activity. Detecting the creation of new cron files can help identify potential persistence mechanisms being deployed by malicious actors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, potentially through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies cron job directories, such as \u003ccode\u003e/etc/cron.d/\u003c/code\u003e or \u003ccode\u003e/var/spool/cron/crontabs/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new cron file within one of these directories.\u003c/li\u003e\n\u003cli\u003eThe cron file contains malicious commands or scripts designed to execute at a specific time or interval. This could include commands to download and execute malware or establish a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe cron daemon automatically executes the commands specified in the newly created cron file according to the defined schedule.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the system, allowing them to maintain control even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges by scheduling commands that run with elevated permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the persistent access to perform further malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can grant attackers persistent access to compromised Linux systems, potentially leading to privilege escalation and unauthorized execution of arbitrary code. This can lead to data breaches, system compromise, and disruption of services. The impact is magnified if the compromised system has access to sensitive information or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect New Cron File Creation\u0026quot; to your SIEM to detect the creation of cron files in cron directories and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events in cron directories such as \u003ccode\u003e/etc/cron.d/\u003c/code\u003e, \u003ccode\u003e/etc/cron.daily/\u003c/code\u003e, \u003ccode\u003e/etc/cron.hourly/\u003c/code\u003e, \u003ccode\u003e/etc/cron.monthly/\u003c/code\u003e, \u003ccode\u003e/etc/cron.weekly/\u003c/code\u003e, \u003ccode\u003e/var/spool/cron/crontabs/\u003c/code\u003e, and \u003ccode\u003e/var/spool/cron/root\u003c/code\u003e using file_event logs.\u003c/li\u003e\n\u003cli\u003eBaseline normal cron file creation activity and apply additional filters to reduce false positives based on the specific environment, as mentioned in the rule description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-linux-cron-persistence/","summary":"An attacker may create new cron files in cron directories to establish persistence on a Linux system, potentially leading to privilege escalation and arbitrary code execution.","title":"Linux Cron File Creation for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-03-linux-cron-persistence/"}],"language":"en","title":"CraftedSignal Threat Feed - Cron","version":"https://jsonfeed.org/version/1.1"}