# T1053.003 - Cron

Adversaries may abuse the `cron` utility to perform task scheduling for initial or recurring execution of malicious code. (Citation: 20 macOS Common Tools and Techniques) The `cron` utility is a time-based job scheduler for Unix-like operating systems. The `crontab` file contains the schedule of cron entries to be run and the specified times for execution. Any `crontab` files are stored in operating system-specific file paths.

An adversary may use `cron` in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence.
## Atomic Tests

### Atomic Test #1 - Cron - Replace crontab with referenced file

This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.

**Supported Platforms:** linux, macos

#### Attack Commands: Run with `sh`

```sh
crontab -l > /tmp/notevil
echo "* * * * * /tmp/evil.sh" > /tmp/persistevil && crontab /tmp/persistevil
```

```powershell
Invoke-AtomicTest T1053.003 -TestNumbers 1
```

#### Cleanup:

```sh
crontab /tmp/notevil
```

```powershell
Invoke-AtomicTest T1053.003 -TestNumbers 1 -Cleanup
```
### Atomic Test #2 - Cron - Add script to all cron subfolders

This test adds a script to the /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders, configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.

**Supported Platforms:** macos, linux

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with `bash`

```bash
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" > /etc/cron.daily/persistevil
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" > /etc/cron.hourly/persistevil
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" > /etc/cron.monthly/persistevil
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" > /etc/cron.weekly/persistevil
```

```powershell
Invoke-AtomicTest T1053.003 -TestNumbers 2
```

#### Cleanup:

```bash
rm /etc/cron.daily/persistevil
rm /etc/cron.hourly/persistevil
rm /etc/cron.monthly/persistevil
rm /etc/cron.weekly/persistevil
```

```powershell
Invoke-AtomicTest T1053.003 -TestNumbers 2 -Cleanup
```
### Atomic Test #3 - Cron - Add script to /etc/cron.d folder

This test adds a script to the /etc/cron.d folder configured to execute on a schedule.

**Supported Platforms:** linux

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with `sh`

```sh
# The crontab line is single-quoted so its embedded double quotes reach the file
# intact (the original nested double quotes broke the entry); it runs as root
# every five minutes.
echo '*/5 * * * * root echo "Hello from Atomic Red Team" > /tmp/atomic.log' > /etc/cron.d/persistevil
```

```powershell
Invoke-AtomicTest T1053.003 -TestNumbers 3
```

#### Cleanup:

```sh
rm /etc/cron.d/persistevil
```

```powershell
Invoke-AtomicTest T1053.003 -TestNumbers 3 -Cleanup
```
### Atomic Test #4 - Cron - Add script to /var/spool/cron/crontabs/ folder

This test adds a script to the /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.

**Supported Platforms:** linux

**Elevation Required** (e.g. root or admin)

#### Attack Commands: Run with `bash`

```bash
echo "echo 'Hello from Atomic Red Team' > /tmp/atomic.log" >> /var/spool/cron/crontabs/persistevil
```

```powershell
Invoke-AtomicTest T1053.003 -TestNumbers 4
```

#### Cleanup:

```bash
rm /var/spool/cron/crontabs/persistevil
```

```powershell
Invoke-AtomicTest T1053.003 -TestNumbers 4 -Cleanup
```
## Detection
Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.
Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
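A defender-side audit of the locations the four tests above write to, added here as an example that is not part of the Atomic Red Team page: it flags cron entries that name a world-writable staging directory (every test above uses /tmp) and per-user spool files whose name is not a real account (what Test 4 leaves behind). Linux default cron paths are assumed; the sample tree it scans is constructed inline, and an empty ROOT scans the live host instead.

```sh
# Added example, not Atomic Red Team code; Linux default cron paths assumed.

# cron_suspicious_lines FILE: print non-comment lines that name a world-writable
# staging directory (/tmp, /var/tmp, /dev/shm) as the program or an output path.
cron_suspicious_lines() {
    [ -r "$1" ] || return 1
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | grep -E '(^|[[:space:]>])/(tmp|var/tmp|dev/shm)/'
}

# audit_cron ROOT: walk /etc/crontab, /etc/cron.d, the cron.{hourly,...} dirs
# and the per-user spool under ROOT ("" = live host); print "file: line" per hit.
audit_cron() {
    root="${1:-}"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/etc/cron.hourly/* \
             "$root"/etc/cron.daily/* "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        cron_suspicious_lines "$f" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
}

# orphan_spool_crontabs ROOT: per-user crontabs are named after the owning
# account, so a spool file matching no user (Test 4's "persistevil") is suspect.
orphan_spool_crontabs() {
    root="${1:-}"
    for f in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        id "$(basename "$f")" >/dev/null 2>&1 || printf '%s\n' "$f"
    done
}

# make_sample_tree DIR: constructed sample data (one benign job plus what Tests
# 1, 3 and 4 leave behind) so the audit can run offline instead of on the host.
make_sample_tree() {
    mkdir -p "$1/etc/cron.d" "$1/var/spool/cron/crontabs"
    printf '# benign\n0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$1/etc/cron.d/logrotate"
    printf '*/5 * * * * root echo "Hi" > /tmp/atomic.log\n' > "$1/etc/cron.d/persistevil"
    printf '* * * * * /tmp/evil.sh\n' > "$1/var/spool/cron/crontabs/$(id -un)"   # Test 1, current user
    printf 'echo Hi > /tmp/atomic.log\n' > "$1/var/spool/cron/crontabs/persistevil"
}

demo=$(mktemp -d)              # stand-alone run against the constructed tree
make_sample_tree "$demo"
audit_cron "$demo"
orphan_spool_crontabs "$demo"
rm -rf "$demo"
```

Running the two audit functions from a periodic job and diffing their output against the previous run turns the "changes that do not correlate with known software" guidance above into a concrete check.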