[New Rule] Suspicious Execution by Cron #2572

@DefSecSentinel

Description

Detects the execution of a binary from an abnormal or suspicious location by a specific set of processes
whose parent process is cron, or the execution by cron of a suspicious binary such as osascript or curl.
This activity is highly abnormal and should not occur; it is a strong indication of malware persisting via a cron job.

Target indexes

logs-*

Target Operating Systems

macOS

Tested ECS Version

1.11.0

Query

process where event.type == "start" and event.action == "exec" and 
process.parent.name : "cron" and 
((((process.name : ("sh", "bash", "zsh", "tclsh*") and process.args : "-c") or (process.name : "python*")) and 
process.args_count <= 3 and
process.args : ("/tmp/*", 
                "/var/tmp/*", 
                "/var/folders/*", 
                "/Users/Shared/*", 
                "/Library/Containers/*", 
                "/Users/*/Library/Containers/*", 
                "/var/root/*", 
                "*/lib/python*/site-packages/*", 
                "/private/etc/*", 
                "/Library/Fonts/*", 
                "/Library/WebServer/*", 
                "/usr/local/bin/*") and not 
process.args : "/usr/local/bin/python* /Users/*/PycharmProjects/* > /Users/*/PycharmProjects/*") or 
(process.name : ("osascript", "curl")))

References

https://objective-see.org/blog/blog_0x5B.html
https://github.com/elastic/endpoint-rules/blob/c3d745dded34ff824a5a16b1c29ad4a4f9d260e7/rules/execution_suspicious_cron_execution.toml#L10
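As an added illustration (not part of this issue or of Elastic's rule set), the following Python re-implements the query's matching logic and runs it over a handful of constructed ECS-style process events, so each condition of the rule (parent cron, interpreter branch with its path list and PyCharm exclusion, and the osascript/curl branch) can be checked one at a time. It assumes events are plain dicts keyed by ECS field names, derives process.args_count from the length of process.args, and emulates EQL's case-insensitive `:` wildcard operator with fnmatch; the sample events and their paths are made up.

```python
from fnmatch import fnmatchcase

# Patterns copied from the rule's query. EQL's ":" operator is a case-insensitive
# match with "*" wildcards, so both sides are lowercased before fnmatch is applied.
SUSPICIOUS_PATHS = (
    "/tmp/*", "/var/tmp/*", "/var/folders/*", "/Users/Shared/*",
    "/Library/Containers/*", "/Users/*/Library/Containers/*", "/var/root/*",
    "*/lib/python*/site-packages/*", "/private/etc/*", "/Library/Fonts/*",
    "/Library/WebServer/*", "/usr/local/bin/*",
)
SHELL_NAMES = ("sh", "bash", "zsh", "tclsh*")
PYCHARM_EXCLUSION = (
    "/usr/local/bin/python* /Users/*/PycharmProjects/* > /Users/*/PycharmProjects/*"
)
SUSPICIOUS_BINARIES = ("osascript", "curl")


def eql_match(value, patterns):
    """Emulate `field : (p1, p2, ...)` for a single string value."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def any_arg_matches(args, patterns):
    """Emulate `process.args : (...)`: true if any element of the array matches."""
    return any(eql_match(a, patterns) for a in args)


def rule_matches(ev):
    """Return True if the event satisfies the rule's EQL query."""
    if ev.get("event.type") != "start" or ev.get("event.action") != "exec":
        return False
    if not eql_match(ev.get("process.parent.name", ""), ("cron",)):
        return False
    name = ev.get("process.name", "")
    args = ev.get("process.args", [])
    # Second branch: osascript or curl spawned by cron fires regardless of arguments.
    if eql_match(name, SUSPICIOUS_BINARIES):
        return True
    # First branch: a shell invoked with -c, or any python* interpreter ...
    shell_with_c = eql_match(name, SHELL_NAMES) and any_arg_matches(args, ("-c",))
    python = eql_match(name, ("python*",))
    if not (shell_with_c or python):
        return False
    # ... with at most three arguments (process.args_count, derived here from the list) ...
    if len(args) > 3:
        return False
    # ... at least one of which points into a suspicious location ...
    if not any_arg_matches(args, SUSPICIOUS_PATHS):
        return False
    # ... minus the PyCharm run-configuration false positive the rule carves out.
    if any_arg_matches(args, (PYCHARM_EXCLUSION,)):
        return False
    return True


def _ev(name, args, parent="cron"):
    """Build a constructed ECS-style exec event (not real telemetry)."""
    return {"event.type": "start", "event.action": "exec",
            "process.parent.name": parent, "process.name": name, "process.args": args}


# Constructed sample events; every path and hostname here is made up.
SAMPLE_EVENTS = {
    "shell_tmp_script": _ev("sh", ["sh", "-c", "/tmp/.cache/update.sh"]),
    "python_shared": _ev("python3", ["python3", "/Users/Shared/sync.py"]),
    "curl_direct": _ev("curl", ["curl", "-s", "https://example.invalid/health"]),
    "pycharm_exclusion": _ev("sh", ["sh", "-c",
        "/usr/local/bin/python3 /Users/alice/PycharmProjects/etl/run.py "
        "> /Users/alice/PycharmProjects/etl/run.log"]),
    "logrotate_benign": _ev("bash", ["bash", "-c", "/usr/bin/logrotate /etc/logrotate.conf"]),
    "too_many_args": _ev("sh", ["sh", "-c", "/tmp/a.sh", "x", "y"]),
    "not_cron_parent": _ev("sh", ["sh", "-c", "/tmp/a.sh"], parent="launchd"),
}


def fired(events=SAMPLE_EVENTS):
    """Names of the sample events the rule would alert on, sorted."""
    return sorted(k for k, ev in events.items() if rule_matches(ev))


if __name__ == "__main__":
    for k in fired():
        print("ALERT", k)
```

Running it alerts on the /tmp shell script, the python script under /Users/Shared and the direct curl, while the PyCharm redirect, the logrotate job, the five-argument invocation and the launchd-parented event stay silent. Note that the curl/osascript branch has no path or argument condition at all, so any cron job that calls either binary directly will fire; that is the part of the rule most likely to need a tuning exception in environments with legitimate cron-driven curl health checks.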
