Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.
An adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1053.003 | Cron | |
| AC-3 | Access Enforcement | Protects | T1053.003 | Cron | |
| AC-5 | Separation of Duties | Protects | T1053.003 | Cron | |
| AC-6 | Least Privilege | Protects | T1053.003 | Cron | |
| CA-8 | Penetration Testing | Protects | T1053.003 | Cron | |
| CM-5 | Access Restrictions for Change | Protects | T1053.003 | Cron | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.003 | Cron | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.003 | Cron | |
| SI-4 | System Monitoring | Protects | T1053.003 | Cron |