T1053.003 Elastic Security · Elastic

Detect Cron in Elastic Security

Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Adversaries use cron in Linux, macOS, and ESXi environments to execute programs at system startup or on a scheduled basis for persistence, privilege escalation, or execution. Real-world malware families including Kinsing, Skidmap, GoldMax, NKAbuse, Rocke, and Anchor have all leveraged cron for persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Sub-technique
T1053.003 Cron
Canonical reference
https://attack.mitre.org/techniques/T1053/003/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   (process.name in ("crontab", "cron") or process.args : "crontab") and
   not process.parent.name in ("crond", "systemd", "init")]
  [file where event.type in ("creation", "change") and
   (file.path : ("/etc/crontab", "/var/spool/cron/*", "/etc/cron.d/*", "/etc/cron.daily/*", "/etc/cron.hourly/*", "/etc/cron.weekly/*", "/etc/cron.monthly/*", "/var/cron/tabs/*"))]

OR

process where event.type == "start" and
(
  (process.name in ("crontab", "cron") and
   process.args : ("-e", "-l", "-r")) and
  (
    process.command_line : ("*wget*", "*curl*", "*nc *", "*ncat*", "*netcat*",
                             "*bash -i*", "*/dev/tcp*", "*python -c*", "*perl -e*",
                             "*base64 -d*", "*base64 --decode*", "*openssl enc*",
                             "*chmod +x*", "*chmod 777*", "*.sh*", "*/tmp/*")
    or process.parent.command_line : ("*wget*", "*curl*", "*nc *", "*/dev/tcp*",
                                       "*/tmp/*", "*/dev/shm/*", "*base64*")
  )
)

OR

file where event.type in ("creation", "change") and
  file.path : ("/etc/crontab", "/var/spool/cron/*", "/etc/cron.d/*",
               "/etc/cron.daily/*", "/etc/cron.hourly/*",
               "/etc/cron.weekly/*", "/etc/cron.monthly/*", "/var/cron/tabs/*") and
  process.name not in ("dpkg", "apt", "apt-get", "yum", "rpm", "ansible", "puppet", "chef-client", "salt-minion")
high severity high confidence

Detects T1053.003 cron persistence abuse via three correlated signals: (1) a crontab command followed by a cron file write within 5 minutes, (2) crontab editing with suspicious command payloads (downloaders, reverse shells, temp paths), and (3) direct file writes to cron directories from non-package-manager processes. Covers Linux and macOS cron abuse patterns used by Kinsing, Skidmap, GoldMax, and similar malware families.

Data Sources

Elastic EndpointAuditbeatFleet-managed Elastic Agent

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*auditbeat-*

False Positives & Tuning

  • Legitimate system administrators using crontab -e to schedule authorized maintenance tasks during change windows
  • Configuration management tools (Ansible, Chef, Puppet, SaltStack) writing to /etc/cron.d/ as part of automated provisioning
  • Package managers (apt, yum, rpm) installing software that includes cron job definitions in /etc/cron.d/ or /etc/cron.daily/
Download portable Sigma rule (.yml)

Other platforms for T1053.003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Persistent Cron Job via crontab Command

    Expected signal: Auditd: syscall write/open on /var/spool/cron/crontabs/<username>. Syslog/cron log: CMD (/tmp/argus_test.sh) entries every minute. Process creation event for crontab command. File creation event for /tmp/argus_test.sh.

  2. Test 2Add @reboot Persistence Entry to Crontab

    Expected signal: Auditd: write to /var/spool/cron/crontabs/<username> with @reboot content. Syslog: crontab modification event. Process creation for crontab command. File creation for /tmp/argus_backdoor_test.sh with chmod +x.

  3. Test 3Direct Write to /etc/cron.d/ for System-Wide Persistence

    Expected signal: Auditd: file creation syscall on /etc/cron.d/argus-test-job. File creation event with initiating process bash/sudo. Syslog: within 5 minutes, CRON execution of curl command will appear in /var/log/cron or /var/log/syslog.

  4. Test 4Cron Job with Base64-Encoded Payload Download

    Expected signal: File creation event on /etc/cron.d/argus-encoded-test. Cron execution logs showing base64 and bash commands. If wget succeeds (requires listener), process creation for wget and the payload. Auditd syscall records for file write.

Last updated: 2026-04-17 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1053.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1053Scheduled Task/Job

Related Sub-techniques

T1053.002AtT1053.005Scheduled TaskT1053.006Systemd TimersT1053.007Container Orchestration Job

Related Techniques

T1053Scheduled Task/JobT1053.005Scheduled TaskT1059.004Unix ShellT1105Ingress Tool TransferT1496Resource HijackingT1070.004File DeletionT1027Obfuscated Files or InformationT1548.001Setuid and SetgidT1136.001Local AccountT1190Exploit Public-Facing Application

Same Tactic: Execution

Popular Detections