Potential Redis CONFIG SET Cron Directory Persistence (RedisRaider)

Last updated: 2026-06-11
Created: 2026-06-11

About

This rule detects attempts to abuse the Redis CONFIG SET command to redirect the database save directory to a cron directory on Linux hosts. Attackers issue CONFIG SET dir pointing at a cron path such as /etc/cron.d or /var/spool/cron, set a filename via CONFIG SET dbfilename, write a cron payload via SET, and then call BGSAVE to flush the dump to disk inside that cron directory, establishing persistence for execution of an XMRig cryptominer.
Tags
Domain: Network
Use Case: Threat Detection
Tactic: Persistence
Tactic: Impact
Data Source: Network Packet Capture
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)

Impact (TA0040)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-network_traffic.redis*
Related Integrations

network_traffic

Query
network where data_stream.dataset == "network_traffic.redis" and
  network_traffic.redis.query like~ "*CONFIG SET dir*" and
  (
    network_traffic.redis.query like~ "*/etc/cron*" or
    network_traffic.redis.query like~ "*/var/spool/cron*"
  )
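To show what the query above actually matches, here is an added Python port of its where clause run over constructed sample events; this is not Elastic's EQL engine or rule code, and it assumes events carry only the two fields the rule reads, with like~ treated as a case-insensitive match in which * is the only wildcard.

```python
import re

# Constructed sample events shaped like logs-network_traffic.redis* documents
# (assumption: only the two fields the rule reads are present).
SAMPLE_EVENTS = [
    {"data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "CONFIG SET dir /var/spool/cron"},
    {"data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "config set dir /etc/cron.d"},   # like~ ignores case
    {"data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "CONFIG SET dir /var/lib/redis"},  # benign save dir
    {"data_stream.dataset": "network_traffic.redis",
     "network_traffic.redis.query": "CONFIG SET dbfilename root"},      # later step, not matched
    {"data_stream.dataset": "network_traffic.http",                      # wrong dataset
     "network_traffic.redis.query": "CONFIG SET dir /etc/cron.d"},
]


def like_ci(value: str, pattern: str) -> bool:
    """EQL-style `like~`: case-insensitive match, `*` matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def rule_matches(event: dict) -> bool:
    """Port of the rule's `where` clause: dataset check, CONFIG SET dir, cron path."""
    query = event.get("network_traffic.redis.query", "")
    return (
        event.get("data_stream.dataset") == "network_traffic.redis"
        and like_ci(query, "*CONFIG SET dir*")
        and (like_ci(query, "*/etc/cron*") or like_ci(query, "*/var/spool/cron*"))
    )


def matching_queries(events) -> list:
    """Return the Redis query strings from `events` that would trigger the rule."""
    return [e["network_traffic.redis.query"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for q in matching_queries(SAMPLE_EVENTS):
        print("ALERT:", q)
```

Only the CONFIG SET dir step is keyed on; the dbfilename, SET and BGSAVE commands named in the description are not part of the query, so an alert fires as soon as the save directory is pointed at a cron path.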

Install detection rules in Elastic Security

Detect Potential Redis CONFIG SET Cron Directory Persistence (RedisRaider) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.