---
title: Redis modified cron job directory to execute commands
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Redis modified cron job directory to
  execute commands
---

# Redis modified cron job directory to execute commands
Classification:attackTactic:[TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)Technique:[T1053-scheduled-task-or-job](https://attack.mitre.org/techniques/T1053) 
## What happened{% #what-happened %}

The cron file `{{ @file.path }}` was modified by `{{ @process.comm }}`, potentially to establish persistence.

## Goal{% #goal %}

Detect when a cron job is created by Redis.

## Strategy{% #strategy %}

Cron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system boot. Cron jobs can also be used for remote code execution, or to run a process under a different user context. An attacker could use the `CONFIG SET` command to write Redis keys to the cron directory in order to obtain code execution, a known tactic for further compromising Redis clusters.

## Triage and response{% #triage-and-response %}

1. Verify whether or not Redis writing to the cron directory is expected.
1. If not expected, identify what is being executed by the created cron job.
1. Isolate the compromised container, and initiate the incident response plan.

*Requires Agent version 7.27 or greater*