T1053.003 Cron
Adversaries may abuse the cron
utility to perform task scheduling for initial or recurring execution of malicious code.1 The cron
utility is a time-based job scheduler for Unix-like operating systems. The crontab
file contains the schedule of cron entries to be run and the specified times for execution. Any crontab
files are stored in operating system-specific file paths.
An adversary may use cron
in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence.
Item | Value |
---|---|
ID | T1053.003 |
Sub-techniques | T1053.002, T1053.003, T1053.005, T1053.006, T1053.007 |
Tactics | TA0002, TA0003, TA0004 |
Platforms | Linux, macOS |
Permissions required | User |
Version | 1.1 |
Created | 03 December 2019 |
Last Modified | 24 March 2022 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0504 | Anchor | Anchor can install itself as a cron job.8 |
G0082 | APT38 | APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.16 |
S0401 | Exaramel for Linux | Exaramel for Linux uses crontab for persistence if it does not have root privileges.56 |
S0588 | GoldMax | The GoldMax Linux variant has used a crontab entry with a @reboot line to gain persistence.3 |
S0163 | Janicab | Janicab used a cron job for persistence on Mac devices.4 |
S0599 | Kinsing | Kinsing has used crontab to download and run shell scripts every minute to ensure persistence.2 |
S0198 | NETWIRE | NETWIRE can use crontabs to establish persistence.11 |
S0587 | Penquin | Penquin can use Cron to create periodic and pre-scheduled background jobs.12 |
G0106 | Rocke | Rocke installed a cron job that downloaded and executed files from the C2.131415 |
S0468 | Skidmap | Skidmap has installed itself via crontab.9 |
S0374 | SpeakUp | SpeakUp uses cron tasks to ensure persistence. 7 |
S0341 | Xbash | Xbash can create a cronjob for persistence if it determines it is on a Linux system.10 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Review changes to the cron schedule. cron execution can be reviewed within the /var/log directory. To validate the location of the cron log file, check the syslog config at /etc/rsyslog.conf or /etc/syslog.conf |
M1018 | User Account Management | cron permissions are controlled by /etc/cron.allow and /etc/cron.deny . If there is a cron.allow file, then the user or users that need to use cron will need to be listed in the file. cron.deny is used to explicitly disallow users from using cron. If neither files exist, then only the super user is allowed to run cron. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Modification |
DS0009 | Process | Process Creation |
DS0003 | Scheduled Job | Scheduled Job Creation |
References
-
Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. ↩
-
Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. ↩
-
CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. ↩
-
Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017. ↩
-
Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. ↩
-
ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. ↩
-
Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. ↩
-
Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020. ↩
-
Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. ↩
-
Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. ↩
-
Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. ↩
-
Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. ↩
-
Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. ↩
-
Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020. ↩
-
Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. ↩
-
DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021. ↩