T1053.003

Cron

Execution Persistence Privilege Escalation

Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Adversaries use cron in Linux, macOS, and ESXi environments to execute programs at system startup or on a scheduled basis for persistence, privilege escalation, or execution. Real-world malware families including Kinsing, Skidmap, GoldMax, NKAbuse, Rocke, and Anchor have all leveraged cron for persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).

Microsoft Sentinel / Defender

kusto

let SuspiciousCronPaths = dynamic([
  "/etc/crontab",
  "/var/spool/cron",
  "/etc/cron.d/",
  "/etc/cron.daily/",
  "/etc/cron.hourly/",
  "/etc/cron.weekly/",
  "/etc/cron.monthly/",
  "/var/cron/tabs/"
]);
let SuspiciousDownloadTools = dynamic([
  "wget", "curl", "nc ", "ncat", "netcat",
  "bash -i", "/dev/tcp", "python -c", "perl -e",
  "base64 -d", "base64 --decode", "openssl enc",
  "chmod +x", "chmod 777", ".sh", "tmp/"
]);
let TimeWindow = 24h;
union
(
  // Detect crontab command execution
  DeviceProcessEvents
  | where Timestamp > ago(TimeWindow)
  | where FileName in~ ("crontab", "cron")
      or ProcessCommandLine has "crontab"
  | extend CronActivity = "crontab_command"
  | extend SuspiciousIndicator = ProcessCommandLine has_any (SuspiciousDownloadTools)
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
            InitiatingProcessFileName, InitiatingProcessCommandLine,
            InitiatingProcessAccountName, CronActivity, SuspiciousIndicator
),
(
  // Detect direct writes to cron-related files
  DeviceFileEvents
  | where Timestamp > ago(TimeWindow)
  | where FolderPath has_any (SuspiciousCronPaths)
      or FileName =~ "crontab"
  | extend CronActivity = "cron_file_write"
  | extend SuspiciousIndicator = FolderPath has_any ("/tmp", "/dev/shm", "/var/tmp")
  | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
            FileName, ProcessCommandLine=InitiatingProcessCommandLine,
            InitiatingProcessFileName, InitiatingProcessCommandLine,
            InitiatingProcessAccountName, CronActivity, SuspiciousIndicator,
            FolderPath
)
| sort by Timestamp desc
| extend RiskScore = case(
    SuspiciousIndicator == true and CronActivity == "cron_file_write", 3,
    SuspiciousIndicator == true, 2,
    CronActivity == "cron_file_write", 1,
    0
  )

high severity medium confidence

Data Sources

Process: Process Creation File: File Modification Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

System administrators legitimately scheduling maintenance tasks (log rotation, backups, updates) via crontab
Configuration management tools (Ansible, Chef, Puppet, SaltStack) writing cron jobs as part of authorized playbook execution
Software packages that install cron jobs during setup (e.g., package manager hooks, monitoring agents like Datadog, Prometheus node_exporter)
DevOps pipelines and CI/CD systems that schedule deployment or cleanup tasks using cron
Database maintenance jobs (MySQL, PostgreSQL) installed by DBAs using crontab

Splunk

spl

index=linux_secure OR index=syslog OR index=auditd sourcetype IN ("linux_secure", "syslog", "auditd")
(
  ("crontab" AND ("-e" OR "-l" OR "-r" OR "cron.d" OR "cron.daily" OR "cron.hourly"))
  OR ("/etc/crontab" OR "/var/spool/cron" OR "/etc/cron.d" OR "/var/cron/tabs")
)
| eval is_crontab_edit = if(match(_raw, "crontab\s+-[elr]"), 1, 0)
| eval is_cron_file_write = if(match(_raw, "(/etc/crontab|/var/spool/cron|/etc/cron\.d/|/etc/cron\.daily|/etc/cron\.hourly|/etc/cron\.weekly|/etc/cron\.monthly|/var/cron/tabs)"), 1, 0)
| eval has_download_tool = if(match(_raw, "(wget|curl|nc\s|ncat|netcat|/dev/tcp|base64\s+-d|openssl\s+enc)"), 1, 0)
| eval has_shell_cmd = if(match(_raw, "(bash\s+-i|python\s+-c|perl\s+-e|sh\s+-c|/bin/sh|/bin/bash)"), 1, 0)
| eval has_tmp_path = if(match(_raw, "(/tmp/|/dev/shm/|/var/tmp/)"), 1, 0)
| eval has_chmod = if(match(_raw, "(chmod\s+[0-9]{3,4}|chmod\s+\+x)"), 1, 0)
| eval has_reboot_persistence = if(match(_raw, "@reboot"), 1, 0)
| eval SuspicionScore = is_crontab_edit + is_cron_file_write + has_download_tool + has_shell_cmd + has_tmp_path + has_chmod + has_reboot_persistence
| where SuspicionScore > 0
| eval RiskLevel = case(
    SuspicionScore >= 4, "CRITICAL",
    SuspicionScore >= 3, "HIGH",
    SuspicionScore >= 2, "MEDIUM",
    1=1, "LOW"
  )
| table _time, host, user, _raw, is_crontab_edit, is_cron_file_write, has_download_tool, has_shell_cmd, has_tmp_path, has_chmod, has_reboot_persistence, SuspicionScore, RiskLevel
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Modification Command: Command Execution Linux auditd Linux syslog

Required Sourcetypes

linux_secure syslog auditd

False Positives

System administrators legitimately scheduling maintenance tasks (log rotation, backups, updates) via crontab
Configuration management tools (Ansible, Chef, Puppet, SaltStack) writing cron jobs as part of authorized playbook execution
Software packages that install cron jobs during setup (e.g., package manager hooks, monitoring agents)
DevOps pipelines and CI/CD systems that schedule deployment or cleanup tasks using cron
Database maintenance jobs (MySQL, PostgreSQL) installed by DBAs using crontab

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   (process.name in ("crontab", "cron") or process.args : "crontab") and
   not process.parent.name in ("crond", "systemd", "init")]
  [file where event.type in ("creation", "change") and
   (file.path : ("/etc/crontab", "/var/spool/cron/*", "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*", "/var/cron/tabs/*"))]

OR

process where event.type == "start" and
(
  (process.name in ("crontab", "cron") and
   process.args : ("-e", "-l", "-r")) and
  (
    process.command_line : ("*wget*", "*curl*", "*nc *", "*ncat*", "*netcat*",
                             "*bash -i*", "*/dev/tcp*", "*python -c*", "*perl -e*",
                             "*base64 -d*", "*base64 --decode*", "*openssl enc*",
                             "*chmod +x*", "*chmod 777*", "*.sh*", "*/tmp/*")
    or process.parent.command_line : ("*wget*", "*curl*", "*nc *", "*/dev/tcp*",
                                       "*/tmp/*", "*/dev/shm/*", "*base64*")
  )
)

OR

file where event.type in ("creation", "change") and
  file.path : ("/etc/crontab", "/var/spool/cron/*", "/etc/cron.d/*",
               "/etc/cron.daily/*", "/etc/cron.hourly/*",
               "/etc/cron.weekly/*", "/etc/cron.monthly/*", "/var/cron/tabs/*") and
  process.name not in ("dpkg", "apt", "apt-get", "yum", "rpm", "ansible", "puppet", "chef-client", "salt-minion")

high severity high confidence

Data Sources

Elastic Endpoint Auditbeat Fleet-managed Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* auditbeat-*

False Positives

Legitimate system administrators using crontab -e to schedule authorized maintenance tasks during change windows
Configuration management tools (Ansible, Chef, Puppet, SaltStack) writing to /etc/cron.d/ as part of automated provisioning
Package managers (apt, yum, rpm) installing software that includes cron job definitions in /etc/cron.d/ or /etc/cron.daily/

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  "QIDNAME"(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  payload,
  CASE
    WHEN payload ILIKE '%crontab%-%e%' OR payload ILIKE '%crontab%-%r%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%/etc/crontab%' OR payload ILIKE '%/var/spool/cron%'
      OR payload ILIKE '%/etc/cron.d%' OR payload ILIKE '%/var/cron/tabs%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%wget%' OR payload ILIKE '%curl%'
      OR payload ILIKE '%/dev/tcp%' OR payload ILIKE '%base64 -d%'
      OR payload ILIKE '%openssl enc%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%bash -i%' OR payload ILIKE '%python -c%'
      OR payload ILIKE '%perl -e%' OR payload ILIKE '%sh -c%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%/tmp/%' OR payload ILIKE '%/dev/shm/%'
      OR payload ILIKE '%/var/tmp/%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%chmod +x%' OR payload ILIKE '%chmod 777%'
      OR payload ILIKE '%chmod 755%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%@reboot%' THEN 1
    ELSE 0
  END AS suspicion_score,
  CASE
    WHEN (
      CASE WHEN payload ILIKE '%crontab%-%e%' OR payload ILIKE '%crontab%-%r%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/etc/crontab%' OR payload ILIKE '%/var/spool/cron%' OR payload ILIKE '%/etc/cron.d%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%wget%' OR payload ILIKE '%curl%' OR payload ILIKE '%/dev/tcp%' OR payload ILIKE '%base64 -d%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%bash -i%' OR payload ILIKE '%python -c%' OR payload ILIKE '%perl -e%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/tmp/%' OR payload ILIKE '%/dev/shm/%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%chmod +x%' OR payload ILIKE '%chmod 777%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%@reboot%' THEN 1 ELSE 0 END
    ) >= 4 THEN 'CRITICAL'
    WHEN (
      CASE WHEN payload ILIKE '%crontab%-%e%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/etc/crontab%' OR payload ILIKE '%/var/spool/cron%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%wget%' OR payload ILIKE '%curl%' OR payload ILIKE '%/dev/tcp%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%bash -i%' OR payload ILIKE '%python -c%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/tmp/%' OR payload ILIKE '%/dev/shm/%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%chmod +x%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%@reboot%' THEN 1 ELSE 0 END
    ) >= 3 THEN 'HIGH'
    WHEN (
      CASE WHEN payload ILIKE '%crontab%-%e%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/etc/crontab%' OR payload ILIKE '%/var/spool/cron%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%wget%' OR payload ILIKE '%curl%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%bash -i%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/tmp/%' THEN 1 ELSE 0 END
    ) >= 2 THEN 'MEDIUM'
    ELSE 'LOW'
  END AS risk_level
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Universal DSM', 'Syslog')
  AND (
    payload ILIKE '%crontab%'
    OR payload ILIKE '%/etc/crontab%'
    OR payload ILIKE '%/var/spool/cron%'
    OR payload ILIKE '%/etc/cron.d%'
    OR payload ILIKE '%/etc/cron.daily%'
    OR payload ILIKE '%/etc/cron.hourly%'
    OR payload ILIKE '%/etc/cron.weekly%'
    OR payload ILIKE '%/etc/cron.monthly%'
    OR payload ILIKE '%/var/cron/tabs%'
  )
  AND starttime > NOW() - 86400 SECONDS
HAVING suspicion_score > 0
ORDER BY suspicion_score DESC, starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

QRadar SIEM Linux OS log source Syslog DSM Universal DSM

Required Tables

events

False Positives

Scheduled maintenance scripts installed by system administrators that write to /etc/cron.d/ during patch cycles
Monitoring agents (Datadog, New Relic, Splunk UF) that install cron jobs during initial deployment and may reference temp paths
CI/CD pipelines running on Linux build agents that use crontab to schedule build or cleanup jobs

Sumo Logic CSE

sql

_sourceCategory=linux* OR _sourceCategory=*syslog* OR _sourceCategory=*auditd*
| where (
    _raw matches "*crontab*" OR
    _raw matches "*/etc/crontab*" OR
    _raw matches "*/var/spool/cron*" OR
    _raw matches "*/etc/cron.d*" OR
    _raw matches "*/etc/cron.daily*" OR
    _raw matches "*/etc/cron.hourly*" OR
    _raw matches "*/etc/cron.weekly*" OR
    _raw matches "*/etc/cron.monthly*" OR
    _raw matches "*/var/cron/tabs*"
  )
| parse regex field=_raw "user=(?<username>\S+)" nodrop
| parse regex field=_raw "cmd=(?<command>.+?)(?=\s*type=|$)" nodrop
| parse regex field=_raw "(?:CMD|CRON)\s*\((?<cron_user>[^)]+)\)" nodrop
| parse regex field=_raw "(?<filepath>/(?:etc/crontab|var/spool/cron[^\s]*|etc/cron\.(?:d|daily|hourly|weekly|monthly)[^\s]*|var/cron/tabs[^\s]*))" nodrop
| eval is_crontab_edit = if(matches(_raw, "crontab\s+-[elr]"), 1, 0)
| eval is_cron_file_write = if(matches(_raw, "/etc/crontab|/var/spool/cron|/etc/cron\\.d/|/etc/cron\\.daily|/etc/cron\\.hourly|/etc/cron\\.weekly|/etc/cron\\.monthly|/var/cron/tabs"), 1, 0)
| eval has_download_tool = if(matches(_raw, "wget|curl|nc\s|ncat|netcat|/dev/tcp|base64\s+-d|openssl\s+enc"), 1, 0)
| eval has_shell_cmd = if(matches(_raw, "bash\s+-i|python\s+-c|perl\s+-e|sh\s+-c"), 1, 0)
| eval has_tmp_path = if(matches(_raw, "/tmp/|/dev/shm/|/var/tmp/"), 1, 0)
| eval has_chmod = if(matches(_raw, "chmod\s+[0-9]{3,4}|chmod\s+\\+x"), 1, 0)
| eval has_reboot_persistence = if(matches(_raw, "@reboot"), 1, 0)
| eval suspicion_score = is_crontab_edit + is_cron_file_write + has_download_tool + has_shell_cmd + has_tmp_path + has_chmod + has_reboot_persistence
| where suspicion_score > 0
| eval risk_level = if(suspicion_score >= 4, "CRITICAL",
    if(suspicion_score >= 3, "HIGH",
      if(suspicion_score >= 2, "MEDIUM", "LOW")))
| fields _messageTime, _sourceHost, username, cron_user, command, filepath, is_crontab_edit, is_cron_file_write, has_download_tool, has_shell_cmd, has_tmp_path, has_chmod, has_reboot_persistence, suspicion_score, risk_level
| sort by suspicion_score desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Linux syslog collector Auditd log collector

Required Tables

_sourceCategory=linux* _sourceCategory=*syslog* _sourceCategory=*auditd*

False Positives

Automated deployment pipelines writing application-specific cron jobs to /etc/cron.d/ as part of software installation
Security scanning tools (Lynis, Aide, Tripwire) that read and audit cron directories during scheduled compliance checks
Container orchestration systems that use crontab to schedule health checks or cleanup jobs inside container images

Google Chronicle / SecOps

yaral

rule t1053_003_cron_persistence {
  meta:
    author = "Detection Engineering"
    description = "Detects T1053.003 - Cron persistence abuse via crontab commands and direct cron file writes with suspicious payload indicators"
    mitre_attack_tactic = "Persistence, Privilege Escalation, Execution"
    mitre_attack_technique = "T1053.003"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      // Pattern 1: crontab command execution with suspicious args
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        $e1.principal.process.file.full_path = "/usr/bin/crontab"
        or $e1.principal.process.file.full_path = "/bin/crontab"
        or re.regex($e1.target.process.command_line, `(?i)crontab\s+-[elr]`)
      )
      and (
        re.regex($e1.target.process.command_line, `(?i)(wget|curl|nc\s|ncat|netcat|/dev/tcp|base64\s+-d|openssl\s+enc|bash\s+-i|python\s+-c|perl\s+-e|/tmp/|/dev/shm/|chmod\s+\+x|chmod\s+777|@reboot)`)
        or re.regex($e1.principal.process.command_line, `(?i)(wget|curl|/dev/tcp|base64|/tmp/|/dev/shm/)`)
      )
    )
    or
    (
      // Pattern 2: direct file write to cron directories
      $e1.metadata.event_type = "FILE_CREATION"
      and (
        re.regex($e1.target.file.full_path, `/etc/crontab`)
        or re.regex($e1.target.file.full_path, `/var/spool/cron/`)
        or re.regex($e1.target.file.full_path, `/etc/cron\.d/`)
        or re.regex($e1.target.file.full_path, `/etc/cron\.(daily|hourly|weekly|monthly)/`)
        or re.regex($e1.target.file.full_path, `/var/cron/tabs/`)
      )
      and not (
        $e1.principal.process.file.full_path = "/usr/bin/dpkg"
        or $e1.principal.process.file.full_path = "/usr/bin/apt"
        or $e1.principal.process.file.full_path = "/usr/bin/yum"
        or $e1.principal.process.file.full_path = "/usr/bin/rpm"
        or re.regex($e1.principal.process.file.full_path, `(?i)(ansible|puppet|chef|salt)`)
      )
    )
    or
    (
      // Pattern 3: file modification to cron directories with suspicious content indicators
      $e1.metadata.event_type = "FILE_MODIFICATION"
      and (
        re.regex($e1.target.file.full_path, `/etc/crontab`)
        or re.regex($e1.target.file.full_path, `/var/spool/cron/`)
        or re.regex($e1.target.file.full_path, `/etc/cron\.d/`)
      )
    )

  condition:
    $e1

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Linux endpoint telemetry via Chronicle forwarder

Required Tables

UDM events: PROCESS_LAUNCH, FILE_CREATION, FILE_MODIFICATION

False Positives

Package managers (apt, yum, rpm, dpkg) writing cron job files to /etc/cron.d/ during software installation or upgrade
Infrastructure-as-code tools (Ansible playbooks, Puppet manifests, Chef recipes) creating cron entries as part of configuration management
Backup and monitoring software (Bacula, Nagios, Zabbix) that installs its own scheduled tasks in cron directories during initial setup

CrowdStrike LogScale (CQL)

cql

// T1053.003 - Cron Persistence Detection
// Pattern 1: crontab process execution with suspicious indicators
#event_simpleName = ProcessRollup2
| CommandLine = /(?i)crontab/
| CommandLine = /(?i)(wget|curl|nc\s|ncat|netcat|\/dev\/tcp|base64\s+-d|openssl\s+enc|bash\s+-i|python\s+-c|perl\s+-e|\/tmp\/|\/dev\/shm\/|chmod\s+\+x|chmod\s+777|\.sh|@reboot)/
| groupBy([aid, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine], function=count(aid, as=event_count))
| sort(event_count, order=desc)

// Pattern 2: file writes to cron directories from suspicious parent processes
// (Run as separate query or union)
#event_simpleName = SyntheticProcessRollup2 OR #event_simpleName = ProcessRollup2
| TargetFileName = /(?i)(\/etc\/crontab|\/var\/spool\/cron|\/etc\/cron\.d\/|\/etc\/cron\.(daily|hourly|weekly|monthly)|\/var\/cron\/tabs)/
| NOT FileName IN ["dpkg", "apt", "apt-get", "yum", "rpm", "ansible", "puppet", "chef-client"]
| eval cron_path = TargetFileName
| eval has_tmp_write = if(TargetFileName = /\/tmp\/|\/dev\/shm\//, "true", "false")
| eval is_crontab_cmd = if(FileName = "crontab", "true", "false")
| eval has_download_tool = if(CommandLine = /wget|curl|\/dev\/tcp|base64\s+-d/, "true", "false")
| eval has_shell_payload = if(CommandLine = /bash\s+-i|python\s+-c|perl\s+-e|sh\s+-c/, "true", "false")
| eval suspicion_score =
    if(is_crontab_cmd = "true", 1, 0) +
    if(has_download_tool = "true", 1, 0) +
    if(has_shell_payload = "true", 1, 0) +
    if(has_tmp_write = "true", 1, 0)
| where suspicion_score > 0
| eval risk_level = if(suspicion_score >= 3, "CRITICAL",
    if(suspicion_score >= 2, "HIGH",
      if(suspicion_score >= 1, "MEDIUM", "LOW")))
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, cron_path, has_download_tool, has_shell_payload, suspicion_score, risk_level])
| sort(suspicion_score, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon LogScale (Humio) Falcon sensor on Linux/macOS endpoints

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate DevOps engineers running crontab -e interactively on Linux servers during scheduled maintenance windows
Automated provisioning scripts executed by cloud-init or userdata on newly launched Linux instances that configure application cron jobs
Monitoring and observability agents that use cron scheduling for metric collection and may reference paths in /tmp/ for temporary data storage

Last updated: 2026-04-17 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1053.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002At T1053.005Scheduled Task T1053.006Systemd Timers T1053.007Container Orchestration Job

Cron

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections