Find sigma rule 
Attack: Scheduled Task/Job: Cron
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence.
MITRE
Tactic
- execution
- persistence
- privilege-escalation
technique
- T1053.003
Test : Cron - Add script to /etc/cron.d folder
OS
- linux
Description:
This test adds a script to /etc/cron.d folder configured to execute on a schedule.
Executor
sh