Detect Cron in Splunk
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Adversaries use cron in Linux, macOS, and ESXi environments to execute programs at system startup or on a scheduled basis for persistence, privilege escalation, or execution. Real-world malware families including Kinsing, Skidmap, GoldMax, NKAbuse, Rocke, and Anchor have all leveraged cron for persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Sub-technique
- T1053.003 Cron
- Canonical reference
- https://attack.mitre.org/techniques/T1053/003/
SPL Detection Query
index=linux_secure OR index=syslog OR index=auditd sourcetype IN ("linux_secure", "syslog", "auditd")
(
("crontab" AND ("-e" OR "-l" OR "-r" OR "cron.d" OR "cron.daily" OR "cron.hourly"))
OR ("/etc/crontab" OR "/var/spool/cron" OR "/etc/cron.d" OR "/var/cron/tabs")
)
| eval is_crontab_edit = if(match(_raw, "crontab\s+-[elr]"), 1, 0)
| eval is_cron_file_write = if(match(_raw, "(/etc/crontab|/var/spool/cron|/etc/cron\.d/|/etc/cron\.daily|/etc/cron\.hourly|/etc/cron\.weekly|/etc/cron\.monthly|/var/cron/tabs)"), 1, 0)
| eval has_download_tool = if(match(_raw, "(wget|curl|nc\s|ncat|netcat|/dev/tcp|base64\s+-d|openssl\s+enc)"), 1, 0)
| eval has_shell_cmd = if(match(_raw, "(bash\s+-i|python\s+-c|perl\s+-e|sh\s+-c|/bin/sh|/bin/bash)"), 1, 0)
| eval has_tmp_path = if(match(_raw, "(/tmp/|/dev/shm/|/var/tmp/)"), 1, 0)
| eval has_chmod = if(match(_raw, "(chmod\s+[0-9]{3,4}|chmod\s+\+x)"), 1, 0)
| eval has_reboot_persistence = if(match(_raw, "@reboot"), 1, 0)
| eval SuspicionScore = is_crontab_edit + is_cron_file_write + has_download_tool + has_shell_cmd + has_tmp_path + has_chmod + has_reboot_persistence
| where SuspicionScore > 0
| eval RiskLevel = case(
SuspicionScore >= 4, "CRITICAL",
SuspicionScore >= 3, "HIGH",
SuspicionScore >= 2, "MEDIUM",
1=1, "LOW"
)
| table _time, host, user, _raw, is_crontab_edit, is_cron_file_write, has_download_tool, has_shell_cmd, has_tmp_path, has_chmod, has_reboot_persistence, SuspicionScore, RiskLevel
| sort - SuspicionScore, - _timeDetects cron-based persistence and execution using Linux syslog and auditd logs. Evaluates events for crontab editing commands, writes to cron directories (including ESXi /var/cron/tabs), download tool usage (wget, curl, netcat), reverse shell patterns, temporary directory references, chmod operations, and @reboot persistence entries. Assigns a cumulative suspicion score and risk level to help analysts prioritize alerts.
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators legitimately scheduling maintenance tasks (log rotation, backups, updates) via crontab
- Configuration management tools (Ansible, Chef, Puppet, SaltStack) writing cron jobs as part of authorized playbook execution
- Software packages that install cron jobs during setup (e.g., package manager hooks, monitoring agents)
- DevOps pipelines and CI/CD systems that schedule deployment or cleanup tasks using cron
- Database maintenance jobs (MySQL, PostgreSQL) installed by DBAs using crontab
Other platforms for T1053.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Persistent Cron Job via crontab Command
Expected signal: Auditd: syscall write/open on /var/spool/cron/crontabs/<username>. Syslog/cron log: CMD (/tmp/argus_test.sh) entries every minute. Process creation event for crontab command. File creation event for /tmp/argus_test.sh.
- Test 2Add @reboot Persistence Entry to Crontab
Expected signal: Auditd: write to /var/spool/cron/crontabs/<username> with @reboot content. Syslog: crontab modification event. Process creation for crontab command. File creation for /tmp/argus_backdoor_test.sh with chmod +x.
- Test 3Direct Write to /etc/cron.d/ for System-Wide Persistence
Expected signal: Auditd: file creation syscall on /etc/cron.d/argus-test-job. File creation event with initiating process bash/sudo. Syslog: within 5 minutes, CRON execution of curl command will appear in /var/log/cron or /var/log/syslog.
- Test 4Cron Job with Base64-Encoded Payload Download
Expected signal: File creation event on /etc/cron.d/argus-encoded-test. Cron execution logs showing base64 and bash commands. If wget succeeds (requires listener), process creation for wget and the payload. Auditd syscall records for file write.
References (13)
- https://attack.mitre.org/techniques/T1053/003/
- https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://research.checkpoint.com/2019/speakup-a-new-undetected-backdoor-linux-threat/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container
- https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html
- https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
- https://www.crowdstrike.com/blog/carbon-spider-skeleton-spider-target-esxi-servers-with-novel-ransomware/
- https://www.welivesecurity.com/2022/01/11/signed-sealed-delivered-securing-operational-technology/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd
- https://linux.die.net/man/5/crontab
- https://www.sans.org/white-papers/1693/
Unlock Pro Content
Get the full detection package for T1053.003 including response playbook, investigation guide, and atomic red team tests.