| Item | Value |
|---|---|
| ID | DET0290 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1053.003 (Cron)
Analytics
Linux
AN0805
Detects creation or modification of crontab entries by non-root users or from abnormal parent processes, followed by the execution of uncommon binaries at scheduled intervals.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| CronFilePath | System-specific crontab paths may vary across distros or deployments. |
| RunUser | Define whether only root or specific admin users are allowed to schedule jobs. |
| ExecutionFrequency | Threshold for suspicious repetition (e.g., every-minute jobs). |
macOS
AN0806
Detects crontab job additions or modifications made via the crontab utility or by direct edits of the spool files, especially those created by interactive users and scheduling hidden (dot-prefixed) or renamed scripts.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ScriptPath | Match the scheduled binary path against a trusted-directory baseline. |
| CronScheduleSyntax | Flags excessive frequency or wildcard-heavy cron expressions. |
| InteractiveUserContext | Limit cron job writes from interactive shells. |
ESXi
AN0807
Detects direct modification of crontab entries in /var/spool/cron/crontabs/root or of /etc/rc.local.d/local.sh, followed by execution of scripts linked to lateral movement or malware persistence. local.sh is a boot-time script rather than a cron file, but because ESXi does not preserve edits to the root crontab across reboots, attackers commonly use it to re-append their cron line and restart crond at startup, so the two files should be monitored together.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| CrontabFileMonitored | Admins may customize paths in hardened deployments. |
| ShellCommandPayload | Flag shell-based persistence indicators in local.sh or cron payloads. |
| JobInterval | Time interval of task repetition, used for outlier identification. |