Local Job Scheduling
On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron,  at,  and launchd.  Unlike Scheduled Task on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).
System-wide cron jobs are installed by modifying
/etc/cron.d/ directory or other locations supported by the Cron daemon, while per-user cron jobs are installed using crontab with specifically formatted crontab files.  This works on macOS and Linux systems.
Those methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence,     to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
The at program is another means on POSIX-based systems, including macOS and Linux, to schedule a program or script job for execution at a later date and/or time, which could also be used for the same purposes.
Each launchd job is described by a different configuration property list (plist) file similar to Launch Daemon or Launch Agent, except there is an additional key called
StartCalendarInterval with a dictionary of time values.  This only works on macOS and OS X.
|Exaramel||Exaramel uses crontab for persistence. |
|Janicab||Janicab used a cron job for persistence on Mac devices. |
|SpeakUp||SpeakUp uses cron tasks to ensure persistence. |
|Xbash||Xbash can create a cronjob for persistence if it determines it is on a Linux system. |
|User Account Management||Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs.|
Legitimate scheduled jobs may be created during installation of new software or through administration functions. Jobs scheduled with launchd and cron can be monitored from their respective utilities to list out detailed information about the jobs. Monitor process execution resulting from launchd and cron tasks to look for unusual or unknown applications and behavior.
- Paul Vixie. (n.d.). crontab(5) - Linux man page. Retrieved December 19, 2017.
- Thomas Koenig. (n.d.). at(1) - Linux man page. Retrieved December 19, 2017.
- Apple. (n.d.). Retrieved July 17, 2017.
- Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
- Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.
- Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.
- Threat Intelligence Team. (2015, January 6). Linux DDoS Trojan hiding itself with an embedded rootkit. Retrieved January 8, 2018.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
- Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.