Home/ATT&CK Technique/Cron
ATT&CK Technique

Cron

T1053.003 · execution, persistence, privilege-escalation

Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution.

Any crontab files are stored in operating system-specific file paths. An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).

LinuxmacOSESXi

Actors Using This

14
china_state_sponsored_mandiant_canonical_microsoft_mulberry_typhoonAPT5 (UNC2630 / UNC2717 / Mulberry Typhoon)
iran_linked_dragos_tracked_ics_activity_group_cyberav3ngers_persona_2024_disclosedBAUXITE
spainCareto / The Mask
chinaDaggerfly
north_koreaJade Sleet / TraderTraitor / UNC4899 / Pressure Chollima
state_actor_dragos_tracked_oracle_isupplier_specialist_2023_disclosedLAURIONITE
israel_commercial_cyber_mercenaryNSO Group / Pegasus
turkeySea Turtle
chinaTAG-100
financially_motivated_cybercrime_cloud_native_cryptojacking_specialist_german_speaking_indicatorsTeamTNT (Cloud Cryptojacking Operator)
china_state_sponsored_mandiant_unc3886_virtualization_firewall_zero_day_specialistUNC3886
china_state_sponsored_mandiant_unc4841_barracuda_esg_zero_day_specialistUNC4841
china_nexus_suspected_mandiant_unc5325_ivanti_2024_zero_day_specialistUNC5325 (Ivanti Connect Secure 2024 Operator)
chinaVelvet Ant

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1584.004 · Server ×2.76T1587.004 · Exploits ×2.57
execution same
T1574.006 · Dynamic Linker Hijacking ×11.33T1059.004 · Unix Shell ×11.05T1059.006 · Python ×5.10
persistence later
T1543.002 · Systemd Service ×15.58T1543.001 · Launch Agent ×6.18T1543.004 · Launch Daemon ×5.67T1556 · Modify Authentication Process ×3.40
credential-access later
T1003.008 · /etc/passwd and /etc/shadow ×3.92
discovery later
T1046 · Network Service Discovery ×2.55
lateral-movement later
T1021.004 · SSH ×3.82
other same
T1070.002 · Clear Linux or Mac System Logs ×13.22T1562.003 · Impair Command History Logging ×12.75T1553.002 · Code Signing ×3.73

Atomic Tests

4
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
shlinux, macosCron - Replace crontab with referenced file
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks. 
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
bashelevatedmacos, linuxCron - Add script to all cron subfolders
This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. 
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
shelevatedlinuxCron - Add script to /etc/cron.d folder
This test adds a script to /etc/cron.d folder configured to execute on a schedule. 
echo "#{command}" > /etc/cron.d/#{cron_script_name}
bashelevatedlinuxCron - Add script to /var/spool/cron/crontabs/ folder
This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. 
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}

Mitigations

2
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1018User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies.

Enforcing the Principle of Least Privilege
  • Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted.
  • Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions. Implementing Strong Password Policies.
  • Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse.
  • Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks. Managing Dormant and Orphaned Accounts.
  • Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits.
  • Use Case: Eliminates dormant accounts that could be exploited by attackers. Account Lockout Policies.
  • Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes.
  • Use Case: Mitigates automated attack techniques that rely on repeated login attempts. Multi-Factor Authentication (MFA) for High-Risk Accounts.
  • Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics.
  • Use Case: Prevents unauthorized access, even if credentials are stolen. Restricting Interactive Logins.
  • Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions.
  • Use Case: Protects sensitive accounts from misuse or exploitation.
Tools for Implementation Built-in Tools
  • Microsoft Active Directory (AD): Centralized account management and RBAC enforcement.
  • Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.
Identity and Access Management (IAM) Tools
  • Okta: Centralized user provisioning, MFA, and SSO integration.
  • Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.
Privileged Account Management (PAM)
  • CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.
M1047Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements.

The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.

System Audit
  • Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
  • Implementation: Use tools to scan for deviations from established benchmarks.
Permission Audits
  • Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
  • Implementation: Run access reviews to identify users or groups with excessive permissions.
Software Audits
  • Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
  • Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.
Configuration Audits
  • Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
  • Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.
Network Audits
  • Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
  • Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

Detection Coverage

2/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 6
Analytics (MITRE CAR) none
Runtime / container (Falco) 1
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Falco Runtime Rules

1
Container / Linux runtime detections that fire on this technique.
NOTICESchedule Cron Jobs
Detect scheduled cron jobs; this is a highly generic detection and certainly needs adjustments and profiling in your environment before operationalization. Simultaneously, exploiting the functionality of cron jobs is among one of the oldest TTPs used by adversaries.
view condition
((open_write and fd.name startswith /etc/cron) or
 (spawned_process and proc.name = "crontab"))
and not user_known_cron_jobs

Comply & Defend

NIST 800-53AC-02, AC-03, AC-05, AC-06, CM-02, CM-05, IA-02, RA-05, SI-04
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin