Find sigma rule
Attack: Scheduled Task/Job: Cron
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. (Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence.
MITRE
Tactic
- privilege-escalation
- persistence
- execution
Technique
- T1053.003
Test: Cron - Replace crontab with referenced file
OS
- linux
- macos
Description:
This test replaces the current user’s crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
Executor
sh
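A defender-side sketch of how the replacement described in this test appears in process-execution telemetry (an added example, not part of the original page or of the test itself): it classifies crontab command lines and flags those that install a new table from a file or from stdin. The sample command lines and paths are constructed, and treating only `-u` as an option that takes a value is an assumption about the local crontab implementation.

```python
import posixpath
import shlex

NON_REPLACING = {"-l", "-e", "-r"}   # list, edit, remove: no new table installed
TAKES_VALUE = {"-u"}                 # assumption: only -u consumes the next token


def classify_crontab(cmdline):
    """Return None if cmdline is not a crontab call, otherwise a dict with
    'action' ('replace' or 'other'), 'source' and 'user'."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:               # unbalanced quotes, cannot be parsed
        return None
    if not argv or posixpath.basename(argv[0]) != "crontab":
        return None
    user = source = mode = None
    args = iter(argv[1:])
    for tok in args:
        if tok in TAKES_VALUE:
            user = next(args, None)
        elif tok in NON_REPLACING:
            mode = tok
        elif tok == "-" or not tok.startswith("-"):
            source = "stdin" if tok == "-" else tok
    if mode is None and source is not None:
        return {"action": "replace", "source": source, "user": user}
    return {"action": "other", "source": None, "user": user}


def find_replacements(events):
    """Return (cmdline, source, user) for every crontab replacement seen."""
    return [(e, c["source"], c["user"]) for e in events
            if (c := classify_crontab(e)) and c["action"] == "replace"]


# Constructed process command lines, as an EDR or auditd pipeline might yield.
SAMPLE_EVENTS = [
    "crontab -l",
    "crontab /tmp/jobs.txt",
    "/usr/bin/crontab -u www-data /var/tmp/jobs.txt",
    "crontab -e",
    "crontab -",
    "crontab -r",
    "cat /etc/crontab",
]

if __name__ == "__main__":
    for cmd, source, user in find_replacements(SAMPLE_EVENTS):
        print(f"crontab replaced from {source} (user={user}): {cmd}")
```

Replacements sourced from world-writable directories, or run by service accounts that never schedule jobs, are the hits worth triaging first.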