Find sigma rule 
Attack: Scheduled Task/Job: Cron
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence.
MITRE
Tactic
- privilege-escalation
- persistence
- execution
technique
- T1053.003
Test : Cron - Add script to /var/spool/cron/crontabs/ folder
OS
- linux
Description:
This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
Executor
bash