Potential Redis CONFIG SET Cron Directory Persistence (RedisRaider)

This rule detects attempts to abuse the Redis CONFIG SET command to redirect the database save directory to a cron directory on Linux hosts. Attackers issue CONFIG SET dir with a cron path such as /etc/cron.d or /var/spool/cron, choose a filename via CONFIG SET dbfilename, write a cron payload via SET, and then call BGSAVE to flush it to disk as a crontab, establishing persistence that is used to execute an XMRig cryptominer.

Rule type: eql
Rule indices:

  • logs-network_traffic.redis*

Rule Severity: high
Risk Score: 73
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

  • Domain: Network
  • Use Case: Threat Detection
  • Tactic: Persistence
  • Tactic: Impact
  • Data Source: Network Packet Capture
  • Resources: Investigation Guide

Version: 1
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule requires the Elastic network_traffic integration (Packetbeat via Elastic Agent) with the Redis protocol module enabled.

In the Elastic Agent network_traffic integration policy:

  1. Add or confirm Redis in the protocols list with enabled: true.
  2. Set ports to include 6379 (or the custom port your Redis instances listen on).
  3. Deploy the sensor on the Redis host, on a SPAN/mirror port, or on a gateway that receives Redis traffic.

This rule requires unencrypted Redis traffic. Redis speaks plaintext on port 6379 by default. Packetbeat does not decrypt TLS, so if clients connect only over a TLS-enabled port the Redis payload is never parsed and the rule cannot match.

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Redis's CONFIG SET command allows runtime reconfiguration of the server, including the working directory (dir) and database filename (dbfilename). Attackers exploit this to redirect Redis's BGSAVE output into system directories such as /etc/cron.d or /var/spool/cron, writing attacker-controlled content as a cron job. The RedisRaider campaign used this technique to deploy XMRig cryptominers at scale by mass-scanning IPv4 blocks for unauthenticated Redis instances.

A related variant (not specific to RedisRaider) targets SSH key injection using CONFIG SET dir /root/.ssh and CONFIG SET dbfilename authorized_keys. Consider a companion rule for that pattern if your Redis instances are internet-exposed.

  • Identify the source IP and determine whether it is an expected Redis client or an external/unknown address. Internet-sourced CONFIG SET to a cron path is almost certainly malicious.
  • Check whether the destination Redis instance requires authentication (requirepass or ACL). Unauthenticated instances are the primary target of RedisRaider-style campaigns.
  • Review subsequent Redis commands from the same source IP for SET (cron payload write) and BGSAVE (flush to disk), which complete the persistence chain.
  • Examine the Redis host for new or modified files under /etc/cron.d, /etc/cron.daily, /etc/cron.hourly, /var/spool/cron, or /var/spool/cron/crontabs at or after the alert time.
  • Check for XMRig or other cryptominer process execution and unexplained CPU spikes on the host.
  • Review outbound network connections from the Redis host for connections to known mining pools or C2 infrastructure.
  • CONFIG SET dir is a legitimate administrative command used during backup configuration, data migration, or operational changes. Verify whether the directory is a known backup or data path rather than a system directory.
  • Legitimate Redis usage will never set dir to /etc/cron.d, /var/spool/cron, or any other system cron directory. A match on this pattern has an extremely low false positive rate.
  • Automated deployment or configuration management tools (Ansible, Chef, Puppet) may issue CONFIG SET as part of Redis setup — verify the source IP and timing against known deployment windows.
  • Immediately check the target cron directories for newly created files written by the Redis process (owned by the redis service account, and containing the binary framing of an RDB dump around a cron line rather than a clean crontab).
  • If a cron file was written, terminate any spawned miner processes, delete the file, and then restore the running configuration: CONFIG GET dir and CONFIG GET dbfilename show the attacker's values, which remain in effect until changed back, so the next save would write to the cron path again.
  • Require authentication on all Redis instances (requirepass or ACL). Unauthenticated Redis exposed to any network is the root cause of this attack class.
  • Restrict CONFIG SET using Redis ACLs (ACL SETUSER <user> -config), or disable the command entirely with rename-command CONFIG "" in redis.conf.
  • Block inbound access to Redis port 6379 from untrusted networks at the host firewall or perimeter.
  • Keep Redis's protected mode enabled (the default since Redis 3.2). It rejects connections from non-loopback addresses only when neither a bind address nor a password is configured, so it complements rather than replaces authentication and firewalling.
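
A host-side companion to the cron-directory check above, added here as an example and not part of the Elastic rule or integration. A Redis BGSAVE writes an RDB file, which starts with the ASCII magic REDIS followed by a four-digit version and wraps the attacker's cron line in binary framing, so a crontab that carries that header or is largely non-printable is a direct artifact of this technique. The demo directory and its file contents (including the approximate RDB framing and the placeholder cron line) are constructed; on a real host, call scan_cron_dirs() with its defaults and the alert time.

```python
"""Added example: flag cron files that carry the fingerprint of a Redis RDB
dump rather than a hand-written crontab. Sample files are constructed."""
from __future__ import annotations

import string
import tempfile
from pathlib import Path

# Cron locations listed in the investigation steps.
CRON_DIRS = ["/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly",
             "/var/spool/cron", "/var/spool/cron/crontabs"]

RDB_MAGIC = b"REDIS"  # RDB header is "REDIS" + 4-digit version, e.g. REDIS0011
_PRINTABLE = set(string.printable.encode())


def is_rdb_dump(data: bytes) -> bool:
    """True when the file begins with the Redis RDB header."""
    return data[:5] == RDB_MAGIC and data[5:9].isdigit()


def binary_ratio(data: bytes) -> float:
    """Share of bytes outside ASCII printable; a genuine crontab is ~0."""
    return sum(b not in _PRINTABLE for b in data) / len(data) if data else 0.0


def suspicious_reasons(path: Path, since: float | None = None) -> list[str]:
    """Reasons a cron file looks like Redis output; an empty list means clean.
    `since` is a Unix timestamp (the alert time) used only to annotate recency."""
    data = path.read_bytes()
    reasons = []
    if is_rdb_dump(data):
        reasons.append("rdb-header")
    if binary_ratio(data) > 0.05:
        reasons.append("binary-content")
    if reasons and since is not None and path.stat().st_mtime >= since:
        reasons.append("modified-after-alert")
    return reasons


def scan_cron_dirs(dirs=CRON_DIRS, since: float | None = None) -> dict[str, list[str]]:
    """Walk the cron directories and map each suspicious file to its reasons."""
    findings: dict[str, list[str]] = {}
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for p in base.iterdir():
            if p.is_file():
                reasons = suspicious_reasons(p, since)
                if reasons:
                    findings[str(p)] = reasons
    return findings


def build_demo_dir() -> str:
    """Constructed sample: one benign crontab and one file shaped like the RDB
    dump BGSAVE leaves behind (header, AUX field, a string key whose value is
    the padded cron line, EOF marker). The framing approximates a real dump."""
    d = tempfile.mkdtemp(prefix="cron-triage-")
    Path(d, "backup").write_bytes(b"0 3 * * * root /usr/local/bin/backup.sh\n")
    fake_rdb = (b"REDIS0011"
                b"\xfa\x09redis-ver\x057.2.4"  # AUX opcode, key "redis-ver", value
                b"\xfe\x00\xfb\x01\x00"        # SELECTDB 0, RESIZEDB sizes
                b"\x00\x01x"                   # string type, key "x"
                b"\x2b\n\n*/1 * * * * root <payload placeholder>\n\n"  # 43-byte value
                b"\xff\x00\x00\x00\x00\x00\x00\x00\x00")  # EOF + 8-byte checksum
    Path(d, "root").write_bytes(fake_rdb)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    print(scan_cron_dirs([demo], since=0.0))
```

The rdb-header check alone is decisive; the binary-ratio check is there for cases where the attacker's payload was appended to a file that already existed or the header was truncated.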
network where data_stream.dataset == "network_traffic.redis" and
  network_traffic.redis.query like~ "*CONFIG SET dir*" and
  (
    network_traffic.redis.query like~ "*/etc/cron*" or
    network_traffic.redis.query like~ "*/var/spool/cron*"
  )
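
The rule query above, replayed over constructed sample events together with the follow-up correlation the investigation steps ask for (SET and BGSAVE from the same source). This is an added example, not Elastic's code; the field names mirror the ECS fields the rule searches (@timestamp, source.ip, network_traffic.redis.query), and the events, addresses and payload placeholder are constructed. It also shows why a benign backup-directory change and the SSH-key variant from the notes above do not trip this rule.

```python
"""Added example: replay the rule's matching logic and reconstruct the
CONFIG SET dir -> dbfilename -> SET -> BGSAVE chain per source IP.
Events below are constructed samples, not real captures."""
from __future__ import annotations

import fnmatch
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Wildcards copied from the rule query. EQL `like~` is a case-insensitive
# glob, which fnmatchcase reproduces once both sides are lower-cased.
DIR_PATTERN = "*config set dir*"
CRON_PATTERNS = ("*/etc/cron*", "*/var/spool/cron*")


def rule_matches(query: str) -> bool:
    """True when one network_traffic.redis.query value trips the rule."""
    q = query.lower()
    return fnmatch.fnmatchcase(q, DIR_PATTERN) and any(
        fnmatch.fnmatchcase(q, p) for p in CRON_PATTERNS
    )


@dataclass
class RedisEvent:
    """Subset of the ECS document: @timestamp, source.ip, network_traffic.redis.query."""
    ts: datetime
    source_ip: str
    query: str


def command_name(query: str) -> str:
    """First token of the Redis command line, lower-cased ('config', 'set', ...)."""
    parts = query.split(None, 1)
    return parts[0].lower() if parts else ""


def reconstruct_chain(events, window: timedelta = timedelta(minutes=10)):
    """For each event that matches the rule, look at traffic from the same
    source within `window` and report which stages of the persistence chain
    are present. SAVE is accepted alongside BGSAVE since both flush the RDB file."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_source[ev.source_ip].append(ev)

    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not rule_matches(ev.query):
            continue
        later = [e for e in by_source[ev.source_ip] if ev.ts <= e.ts <= ev.ts + window]
        stages = {
            "dbfilename": any(e.query.lower().startswith("config set dbfilename") for e in later),
            "payload_set": any(command_name(e.query) == "set" for e in later),
            "flush": any(command_name(e.query) in ("bgsave", "save") for e in later),
        }
        findings.append({"source_ip": ev.source_ip, "trigger": ev.query,
                         **stages, "complete": all(stages.values())})
    return findings


T0 = datetime(2025, 1, 15, 3, 12, 0)
SAMPLE_EVENTS = [
    # Constructed attacker sequence: redirect the save dir to a cron path,
    # pick the filename, write a padded cron line, flush it to disk.
    RedisEvent(T0, "203.0.113.7", "CONFIG SET dir /var/spool/cron"),
    RedisEvent(T0 + timedelta(seconds=1), "203.0.113.7", "CONFIG SET dbfilename root"),
    RedisEvent(T0 + timedelta(seconds=2), "203.0.113.7",
               "SET x \n\n*/1 * * * * root <payload placeholder>\n\n"),
    RedisEvent(T0 + timedelta(seconds=3), "203.0.113.7", "BGSAVE"),
    # Benign operator changing the backup directory: CONFIG SET dir, but not a cron path.
    RedisEvent(T0 + timedelta(minutes=2), "10.0.0.5", "CONFIG SET dir /var/lib/redis/backups"),
    RedisEvent(T0 + timedelta(minutes=2, seconds=1), "10.0.0.5", "BGSAVE"),
    # SSH-key variant: same technique, not covered by this rule's patterns.
    RedisEvent(T0 + timedelta(minutes=5), "198.51.100.9", "CONFIG SET dir /root/.ssh"),
    RedisEvent(T0 + timedelta(minutes=5, seconds=1), "198.51.100.9",
               "CONFIG SET dbfilename authorized_keys"),
]

if __name__ == "__main__":
    for finding in reconstruct_chain(SAMPLE_EVENTS):
        print(finding)
```

Only the 203.0.113.7 sequence is reported, and with every stage present; the backup change never matches, and the /root/.ssh sequence is the pattern the companion rule mentioned above would need to cover.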

Framework: MITRE ATT&CK