T1053.003: Cron

Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths.

An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_persistence: PT-CR-1672: Unix_New_Cron_Job: A job in the cron job scheduler was created or changed

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description:

Create a baseline of cron jobs and the processes that they spawn in your environment. Monitor for newly spawned outlier processes executed through cron jobs that have not been seen before when compared against the baseline data.

Analytic 1 - Unusual Cron Job Creation

source="Linux:" (Image="crontab" OR Image="cron") AND (CommandLine LIKE "crontab -e" OR CommandLine LIKE "cron")

Analytic 2 - Unusual Execution Frequency

source="Linux:" (Image="crond" OR Image="cron") AND ImageCount >= "100"

ID: DS0003
Data source and component: Scheduled Job: Scheduled Job Creation
Description:

Monitor for newly constructed scheduled jobs. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor execution of the atq command and ensure that the IP addresses stored in the SSH_CONNECTION and SSH_CLIENT variables (the machines that created the jobs) belong to trusted hosts. All at jobs are stored in /var/spool/cron/atjobs/.

ID: DS0022
Data source and component: File: File Modification
Description:

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

Analytic 1 - Modified Files in Linux Cron Directories

source="Linux:" (Path LIKE "/etc/cron.allow.d" OR Path LIKE "/etc/cron.d/" OR Path LIKE "/etc/cron.hourly" OR Path LIKE "/etc/cron.daily" OR Path LIKE "/etc/cron.weekly" OR Path LIKE "/etc/cron.monthly")
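The baseline-and-diff approach described under DS0009 and DS0003, as an added example (not code from the page, from MITRE, or from MaxPatrol SIEM): it parses system crontab syntax (/etc/crontab, /etc/cron.d/*), reports jobs created or rescheduled since the baseline, and flags commands run from scratch directories. The crontab text, users and commands in the sample are constructed.

```python
"""Baseline-and-diff detection for system crontab files (/etc/crontab, /etc/cron.d/*).
Added example, not page or MaxPatrol SIEM code; all crontab text below is constructed."""
import re

# System crontab line: five schedule fields (or an @shortcut), a user, then
# the command. Per-user crontabs edited with `crontab -e` omit the user field.
SYSTEM_LINE = re.compile(
    r"^\s*(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$"
)
SCRATCH_DIR = re.compile(r"(^|[\s=;|&])(/tmp|/dev/shm|/var/tmp)/")

def parse_system_crontab(text):
    """Map (user, command) -> normalized schedule, skipping comments, blank
    lines and environment assignments such as PATH=... or MAILTO=..."""
    jobs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] == "#" or re.match(r"\w+\s*=", stripped):
            continue
        m = SYSTEM_LINE.match(line)
        if m:
            jobs[(m["user"], m["cmd"])] = " ".join(m["sched"].split())
    return jobs

def diff_jobs(baseline, current):
    """Return (created, changed, removed); 'changed' holds jobs whose
    schedule differs from the baseline, as (old, new) pairs."""
    created = {k: v for k, v in current.items() if k not in baseline}
    changed = {k: (baseline[k], v) for k, v in current.items()
               if k in baseline and baseline[k] != v}
    removed = {k: v for k, v in baseline.items() if k not in current}
    return created, changed, removed

def flag_scratch_dirs(jobs):
    """Jobs whose command runs something from /tmp, /dev/shm or /var/tmp:
    worth a closer look even when the job itself is newly baselined."""
    return {k: v for k, v in jobs.items() if SCRATCH_DIR.search(k[1])}

# Constructed sample: the baseline captured after installation ...
BASELINE = parse_system_crontab("""
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
""")
# ... and the same file as read on a later check.
CURRENT = parse_system_crontab("""
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 7     * * *   root    test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
*/5 * * * *     root    /tmp/.cache/update.sh >/dev/null 2>&1
@reboot         www-data /var/tmp/.x/agent
""")
```

Running `diff_jobs(BASELINE, CURRENT)` on the sample reports two created jobs and one rescheduled job; feeding the created set to `flag_scratch_dirs` singles out both new entries because they execute from /tmp and /var/tmp.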

Mitigation

ID: M1047
Name: Audit
Description:

Review changes to the cron schedule. Cron execution logs can be reviewed within the /var/log directory. To validate the location of the cron log file, check the syslog config at /etc/rsyslog.conf or /etc/syslog.conf.

ID: M1018
Name: User Account Management
Description:

Cron permissions are controlled by /etc/cron.allow and /etc/cron.deny. If a cron.allow file exists, then every user that needs to use cron must be listed in it. cron.deny is used to explicitly disallow users from using cron. If neither file exists, then only the super user is allowed to run cron.