Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.
An adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. <code>cron</code> can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1053.003 | Cron | |
| AC-3 | Access Enforcement | Protects | T1053.003 | Cron | |
| AC-5 | Separation of Duties | Protects | T1053.003 | Cron | |
| AC-6 | Least Privilege | Protects | T1053.003 | Cron | |
| CA-8 | Penetration Testing | Protects | T1053.003 | Cron | |
| CM-5 | Access Restrictions for Change | Protects | T1053.003 | Cron | |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1053.003 | Cron | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.003 | Cron | |
| SI-4 | System Monitoring | Protects | T1053.003 | Cron |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1053.003 | Cron |
Comments
This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.
References
|
| azure_sentinel | Azure Sentinel | technique_scores | T1053.003 | Cron |
Comments
The Azure Sentinel Hunting "Editing Linux scheduled tasks through Crontab" query can detect potentially malicious modification of cron jobs.
References
|
| file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1053.003 | Cron |
Comments
This control may detect changes to the Windows registry upon creation or modification of scheduled tasks. This control may also detect changes to files used by cron or systemd to create/modify scheduled tasks. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis.
References
|