<  Back to rules search

Cron job modified





Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.


Detect the creation or modification of new cron jobs on a system.


Cron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.

Triage and response

  1. Check to see which cron task was created or modified.
  2. Check whether the cron task was created or modified by a known user or process.
  3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.

Requires Agent version 7.27 or greater