Detect Cron in Google Chronicle
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Adversaries use cron in Linux, macOS, and ESXi environments to execute programs at system startup or on a scheduled basis for persistence, privilege escalation, or execution. Real-world malware families including Kinsing, Skidmap, GoldMax, NKAbuse, Rocke, and Anchor have all leveraged cron for persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Sub-technique
- T1053.003 Cron
- Canonical reference
- https://attack.mitre.org/techniques/T1053/003/
YARA-L Detection Query
rule t1053_003_cron_persistence {
meta:
author = "Detection Engineering"
description = "Detects T1053.003 - Cron persistence abuse via crontab commands and direct cron file writes with suspicious payload indicators"
mitre_attack_tactic = "Persistence, Privilege Escalation, Execution"
mitre_attack_technique = "T1053.003"
severity = "HIGH"
priority = "HIGH"
events:
(
// Pattern 1: crontab command execution with suspicious args
$e1.metadata.event_type = "PROCESS_LAUNCH"
and (
$e1.principal.process.file.full_path = "/usr/bin/crontab"
or $e1.principal.process.file.full_path = "/bin/crontab"
or re.regex($e1.target.process.command_line, `(?i)crontab\s+-[elr]`)
)
and (
re.regex($e1.target.process.command_line, `(?i)(wget|curl|nc\s|ncat|netcat|/dev/tcp|base64\s+-d|openssl\s+enc|bash\s+-i|python\s+-c|perl\s+-e|/tmp/|/dev/shm/|chmod\s+\+x|chmod\s+777|@reboot)`)
or re.regex($e1.principal.process.command_line, `(?i)(wget|curl|/dev/tcp|base64|/tmp/|/dev/shm/)`)
)
)
or
(
// Pattern 2: direct file write to cron directories
$e1.metadata.event_type = "FILE_CREATION"
and (
re.regex($e1.target.file.full_path, `/etc/crontab`)
or re.regex($e1.target.file.full_path, `/var/spool/cron/`)
or re.regex($e1.target.file.full_path, `/etc/cron\.d/`)
or re.regex($e1.target.file.full_path, `/etc/cron\.(daily|hourly|weekly|monthly)/`)
or re.regex($e1.target.file.full_path, `/var/cron/tabs/`)
)
and not (
$e1.principal.process.file.full_path = "/usr/bin/dpkg"
or $e1.principal.process.file.full_path = "/usr/bin/apt"
or $e1.principal.process.file.full_path = "/usr/bin/yum"
or $e1.principal.process.file.full_path = "/usr/bin/rpm"
or re.regex($e1.principal.process.file.full_path, `(?i)(ansible|puppet|chef|salt)`)
)
)
or
(
// Pattern 3: file modification to cron directories with suspicious content indicators
$e1.metadata.event_type = "FILE_MODIFICATION"
and (
re.regex($e1.target.file.full_path, `/etc/crontab`)
or re.regex($e1.target.file.full_path, `/var/spool/cron/`)
or re.regex($e1.target.file.full_path, `/etc/cron\.d/`)
)
)
condition:
$e1Chronicle YARA-L 2.0 rule detecting T1053.003 cron persistence via three patterns: (1) crontab command execution combined with suspicious payload indicators (downloaders, reverse shells, temp paths), (2) direct file creation in cron directories from non-package-manager processes, and (3) modification of core cron configuration files. Uses UDM fields for process and file events with regex matching against known malicious patterns used by Kinsing, Skidmap, and GoldMax malware families.
Data Sources
Required Tables
False Positives & Tuning
- Package managers (apt, yum, rpm, dpkg) writing cron job files to /etc/cron.d/ during software installation or upgrade
- Infrastructure-as-code tools (Ansible playbooks, Puppet manifests, Chef recipes) creating cron entries as part of configuration management
- Backup and monitoring software (Bacula, Nagios, Zabbix) that installs its own scheduled tasks in cron directories during initial setup
Other platforms for T1053.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Persistent Cron Job via crontab Command
Expected signal: Auditd: syscall write/open on /var/spool/cron/crontabs/<username>. Syslog/cron log: CMD (/tmp/argus_test.sh) entries every minute. Process creation event for crontab command. File creation event for /tmp/argus_test.sh.
- Test 2Add @reboot Persistence Entry to Crontab
Expected signal: Auditd: write to /var/spool/cron/crontabs/<username> with @reboot content. Syslog: crontab modification event. Process creation for crontab command. File creation for /tmp/argus_backdoor_test.sh with chmod +x.
- Test 3Direct Write to /etc/cron.d/ for System-Wide Persistence
Expected signal: Auditd: file creation syscall on /etc/cron.d/argus-test-job. File creation event with initiating process bash/sudo. Syslog: within 5 minutes, CRON execution of curl command will appear in /var/log/cron or /var/log/syslog.
- Test 4Cron Job with Base64-Encoded Payload Download
Expected signal: File creation event on /etc/cron.d/argus-encoded-test. Cron execution logs showing base64 and bash commands. If wget succeeds (requires listener), process creation for wget and the payload. Auditd syscall records for file write.
References (13)
- https://attack.mitre.org/techniques/T1053/003/
- https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://research.checkpoint.com/2019/speakup-a-new-undetected-backdoor-linux-threat/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container
- https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html
- https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
- https://www.crowdstrike.com/blog/carbon-spider-skeleton-spider-target-esxi-servers-with-novel-ransomware/
- https://www.welivesecurity.com/2022/01/11/signed-sealed-delivered-securing-operational-technology/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd
- https://linux.die.net/man/5/crontab
- https://www.sans.org/white-papers/1693/
Unlock Pro Content
Get the full detection package for T1053.003 including response playbook, investigation guide, and atomic red team tests.