Redis modified cron job directory to execute commands
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a cron job is created by Redis.
Strategy
Cron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system boot. Cron jobs can also be used for remote code execution, or to run a process under a different user context. An attacker could use the CONFIG SET
command to write Redis keys to the cron directory in order to obtain code execution, a known tactic for further compromising Redis clusters.
Triage and response
- Verify whether or not Redis writing to the cron directory is expected.
- If not expected, identify what is being exceuted by the created cron job.
- Isolate the compromised container, and initiate the incident response plan.
Requires Agent version 7.27 or greater