Skip to content

T1053 Local Job Scheduling-File Write

T1053

Required Tables

  • file_events

Returned Fields

Field Description
path paths for scheduled file writes

Query

SELECT 
    path
FROM file_events 
WHERE file_events.path LIKE '/etc/cron%' 
    OR file_events.path LIKE '/var/spool/cron/%' 
    AND file_events.event_type != 3