Detect Cron in Microsoft Sentinel
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Adversaries use cron in Linux, macOS, and ESXi environments to execute programs at system startup or on a scheduled basis for persistence, privilege escalation, or execution. Real-world malware families including Kinsing, Skidmap, GoldMax, NKAbuse, Rocke, and Anchor have all leveraged cron for persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Sub-technique
- T1053.003 Cron
- Canonical reference
- https://attack.mitre.org/techniques/T1053/003/
KQL Detection Query
let SuspiciousCronPaths = dynamic([
"/etc/crontab",
"/var/spool/cron",
"/etc/cron.d/",
"/etc/cron.daily/",
"/etc/cron.hourly/",
"/etc/cron.weekly/",
"/etc/cron.monthly/",
"/var/cron/tabs/"
]);
let SuspiciousDownloadTools = dynamic([
"wget", "curl", "nc ", "ncat", "netcat",
"bash -i", "/dev/tcp", "python -c", "perl -e",
"base64 -d", "base64 --decode", "openssl enc",
"chmod +x", "chmod 777", ".sh", "tmp/"
]);
let TimeWindow = 24h;
union
(
// Detect crontab command execution
DeviceProcessEvents
| where Timestamp > ago(TimeWindow)
| where FileName in~ ("crontab", "cron")
or ProcessCommandLine has "crontab"
| extend CronActivity = "crontab_command"
| extend SuspiciousIndicator = ProcessCommandLine has_any (SuspiciousDownloadTools)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName, CronActivity, SuspiciousIndicator
),
(
// Detect direct writes to cron-related files
DeviceFileEvents
| where Timestamp > ago(TimeWindow)
| where FolderPath has_any (SuspiciousCronPaths)
or FileName =~ "crontab"
| extend CronActivity = "cron_file_write"
| extend SuspiciousIndicator = FolderPath has_any ("/tmp", "/dev/shm", "/var/tmp")
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
FileName, ProcessCommandLine=InitiatingProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessAccountName, CronActivity, SuspiciousIndicator,
FolderPath
)
| sort by Timestamp desc
| extend RiskScore = case(
SuspiciousIndicator == true and CronActivity == "cron_file_write", 3,
SuspiciousIndicator == true, 2,
CronActivity == "cron_file_write", 1,
0
)Detects cron-based persistence and execution using Microsoft Defender for Endpoint DeviceProcessEvents and DeviceFileEvents tables. Monitors for crontab command execution with suspicious payloads (download tools, reverse shells, base64-encoded commands), direct writes to cron directories (/etc/crontab, /var/spool/cron, /etc/cron.d/, ESXi /var/cron/tabs/), and assigns a risk score based on combined indicators. Covers Linux, macOS, and ESXi environments.
Data Sources
Required Tables
False Positives & Tuning
- System administrators legitimately scheduling maintenance tasks (log rotation, backups, updates) via crontab
- Configuration management tools (Ansible, Chef, Puppet, SaltStack) writing cron jobs as part of authorized playbook execution
- Software packages that install cron jobs during setup (e.g., package manager hooks, monitoring agents like Datadog, Prometheus node_exporter)
- DevOps pipelines and CI/CD systems that schedule deployment or cleanup tasks using cron
- Database maintenance jobs (MySQL, PostgreSQL) installed by DBAs using crontab
Other platforms for T1053.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Persistent Cron Job via crontab Command
Expected signal: Auditd: syscall write/open on /var/spool/cron/crontabs/<username>. Syslog/cron log: CMD (/tmp/argus_test.sh) entries every minute. Process creation event for crontab command. File creation event for /tmp/argus_test.sh.
- Test 2Add @reboot Persistence Entry to Crontab
Expected signal: Auditd: write to /var/spool/cron/crontabs/<username> with @reboot content. Syslog: crontab modification event. Process creation for crontab command. File creation for /tmp/argus_backdoor_test.sh with chmod +x.
- Test 3Direct Write to /etc/cron.d/ for System-Wide Persistence
Expected signal: Auditd: file creation syscall on /etc/cron.d/argus-test-job. File creation event with initiating process bash/sudo. Syslog: within 5 minutes, CRON execution of curl command will appear in /var/log/cron or /var/log/syslog.
- Test 4Cron Job with Base64-Encoded Payload Download
Expected signal: File creation event on /etc/cron.d/argus-encoded-test. Cron execution logs showing base64 and bash commands. If wget succeeds (requires listener), process creation for wget and the payload. Auditd syscall records for file write.
References (13)
- https://attack.mitre.org/techniques/T1053/003/
- https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://research.checkpoint.com/2019/speakup-a-new-undetected-backdoor-linux-threat/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container
- https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html
- https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
- https://www.crowdstrike.com/blog/carbon-spider-skeleton-spider-target-esxi-servers-with-novel-ransomware/
- https://www.welivesecurity.com/2022/01/11/signed-sealed-delivered-securing-operational-technology/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd
- https://linux.die.net/man/5/crontab
- https://www.sans.org/white-papers/1693/
Unlock Pro Content
Get the full detection package for T1053.003 including response playbook, investigation guide, and atomic red team tests.