T1053.003 Cron Mappings

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

An adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. <code>cron</code> can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1053.003 Cron
AC-3 Access Enforcement Protects T1053.003 Cron
AC-5 Separation of Duties Protects T1053.003 Cron
AC-6 Least Privilege Protects T1053.003 Cron
CA-8 Penetration Testing Protects T1053.003 Cron
CM-5 Access Restrictions for Change Protects T1053.003 Cron
IA-2 Identification and Authentication (organizational Users) Protects T1053.003 Cron
RA-5 Vulnerability Monitoring and Scanning Protects T1053.003 Cron
SI-4 System Monitoring Protects T1053.003 Cron
azure_security_center_recommendations Azure Security Center Recommendations technique_scores T1053.003 Cron
azure_sentinel Azure Sentinel technique_scores T1053.003 Cron
file_integrity_monitoring File Integrity Monitoring technique_scores T1053.003 Cron