Scheduled Task/Job: Cron (T1053.003)

Tactics: Execution, Persistence, Privilege Escalation · Platforms: Linux, macOS, ESXi

The interactive view maps 1 detection strategy, 2 mitigations, 3 threat groups, 12 software entries, 1 campaign to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Scheduled Task/Job (T1053).

Overview

Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.

An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., `/var/spool/cron/crontabs/root`).

Explore