Adversaries may abuse the
cron utility to perform task scheduling for initial or recurring execution of malicious code. The
cron utility is a time-based job scheduler for Unix-like operating systems. The
crontab file contains the schedule of cron entries to be run and the specified times for execution. Any
crontab files are stored in operating system-specific file paths.
An adversary may use
cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence.
|S0401||Exaramel for Linux|
Review changes to the
|M1018||User Account Management||
|ID||Data Source||Data Component||Detects|
Monitor executed atq command and ensure IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables, machines that created the jobs, are trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/.
Monitor for changes made to files for unexpected modifications to access permissions and attributes
Monitor for newly constructed processes and/or command-lines that executed through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
|DS0003||Scheduled Job||Scheduled Job Creation||
Monitor for newly constructed scheduled jobs. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.