T1053.003 Cron Mappings

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code>crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

An adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. <code>cron</code> can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| AC-2 | Account Management | Protects | T1053.003 | Cron | |
| AC-3 | Access Enforcement | Protects | T1053.003 | Cron | |
| AC-5 | Separation of Duties | Protects | T1053.003 | Cron | |
| AC-6 | Least Privilege | Protects | T1053.003 | Cron | |
| CA-8 | Penetration Testing | Protects | T1053.003 | Cron | |
| CM-5 | Access Restrictions for Change | Protects | T1053.003 | Cron | |
| IA-2 | Identification and Authentication (Organizational Users) | Protects | T1053.003 | Cron | |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1053.003 | Cron | |
| SI-4 | System Monitoring | Protects | T1053.003 | Cron | |
| action.hacking.variety.Abuse of functionality | Abuse of functionality | related-to | T1053.003 | Scheduled Task/Job: Cron | |
| amazon_inspector | Amazon Inspector | technique_scores | T1053.003 | Cron | |
Comments
The Amazon Inspector Best Practices assessment package can assess the security control "Configure permissions for system directories", which prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications; rather, it just checks to see if security controls are in place, which can inform decisions around hardening the system. Due to this and the fact that the security control is only supported for Linux platforms, the score is Minimal.