Scheduled Task/Job: Cron

Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.

An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.

ID: T1053.003
Sub-technique of:  T1053
Tactics: Execution, Persistence, Privilege Escalation
Platforms: Linux, macOS
Permissions Required: User
Data Sources: Process command-line parameters, Process monitoring
Version: 1.0
Created: 03 December 2019
Last Modified: 23 March 2020

Procedure Examples

Name Description
Exaramel for Linux

Exaramel for Linux uses crontab for persistence if it does not have root privileges.[4]

Janicab

Janicab used a cron job for persistence on Mac devices.[1]

Rocke

Rocke installed a cron job that downloaded and executed files from the C2.[6][7][8]

Skidmap

Skidmap has installed itself via crontab.[5]

SpeakUp

SpeakUp uses cron tasks to ensure persistence. [3]

Xbash

Xbash can create a cronjob for persistence if it determines it is on a Linux system.[2]

Mitigations

Mitigation Description
Audit

Review changes to the cron schedule. cron execution can be reviewed within the /var/log directory. To validate the location of the cron log file, check the syslog config at /etc/rsyslog.conf or /etc/syslog.conf

User Account Management

cron permissions are controlled by /etc/cron.allow and /etc/cron.deny. If there is a cron.allow file, then the user or users that need to use cron will need to be listed in the file. cron.deny is used to explicitly disallow users from using cron. If neither files exist, then only the super user is allowed to run cron.

Detection

Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.

Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

References