Detect Cron in Sumo Logic CSE
Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Adversaries use cron in Linux, macOS, and ESXi environments to execute programs at system startup or on a scheduled basis for persistence, privilege escalation, or execution. Real-world malware families including Kinsing, Skidmap, GoldMax, NKAbuse, Rocke, and Anchor have all leveraged cron for persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root).
MITRE ATT&CK
- Technique
- T1053 Scheduled Task/Job
- Sub-technique
- T1053.003 Cron
- Canonical reference
- https://attack.mitre.org/techniques/T1053/003/
Sumo Detection Query
_sourceCategory=linux* OR _sourceCategory=*syslog* OR _sourceCategory=*auditd*
| where (
_raw matches "*crontab*" OR
_raw matches "*/etc/crontab*" OR
_raw matches "*/var/spool/cron*" OR
_raw matches "*/etc/cron.d*" OR
_raw matches "*/etc/cron.daily*" OR
_raw matches "*/etc/cron.hourly*" OR
_raw matches "*/etc/cron.weekly*" OR
_raw matches "*/etc/cron.monthly*" OR
_raw matches "*/var/cron/tabs*"
)
| parse regex field=_raw "user=(?<username>\S+)" nodrop
| parse regex field=_raw "cmd=(?<command>.+?)(?=\s*type=|$)" nodrop
| parse regex field=_raw "(?:CMD|CRON)\s*\((?<cron_user>[^)]+)\)" nodrop
| parse regex field=_raw "(?<filepath>/(?:etc/crontab|var/spool/cron[^\s]*|etc/cron\.(?:d|daily|hourly|weekly|monthly)[^\s]*|var/cron/tabs[^\s]*))" nodrop
| eval is_crontab_edit = if(matches(_raw, "crontab\s+-[elr]"), 1, 0)
| eval is_cron_file_write = if(matches(_raw, "/etc/crontab|/var/spool/cron|/etc/cron\\.d/|/etc/cron\\.daily|/etc/cron\\.hourly|/etc/cron\\.weekly|/etc/cron\\.monthly|/var/cron/tabs"), 1, 0)
| eval has_download_tool = if(matches(_raw, "wget|curl|nc\s|ncat|netcat|/dev/tcp|base64\s+-d|openssl\s+enc"), 1, 0)
| eval has_shell_cmd = if(matches(_raw, "bash\s+-i|python\s+-c|perl\s+-e|sh\s+-c"), 1, 0)
| eval has_tmp_path = if(matches(_raw, "/tmp/|/dev/shm/|/var/tmp/"), 1, 0)
| eval has_chmod = if(matches(_raw, "chmod\s+[0-9]{3,4}|chmod\s+\\+x"), 1, 0)
| eval has_reboot_persistence = if(matches(_raw, "@reboot"), 1, 0)
| eval suspicion_score = is_crontab_edit + is_cron_file_write + has_download_tool + has_shell_cmd + has_tmp_path + has_chmod + has_reboot_persistence
| where suspicion_score > 0
| eval risk_level = if(suspicion_score >= 4, "CRITICAL",
if(suspicion_score >= 3, "HIGH",
if(suspicion_score >= 2, "MEDIUM", "LOW")))
| fields _messageTime, _sourceHost, username, cron_user, command, filepath, is_crontab_edit, is_cron_file_write, has_download_tool, has_shell_cmd, has_tmp_path, has_chmod, has_reboot_persistence, suspicion_score, risk_level
| sort by suspicion_score desc, _messageTime descDetects T1053.003 cron persistence in Sumo Logic by searching Linux syslog and auditd sources for cron-related paths and commands, then applying a multi-factor suspicion scoring model. Extracts usernames, commands, and cron file paths using regex parsing, and classifies events from LOW to CRITICAL based on accumulation of suspicious indicators including download tools, reverse shells, temp directory usage, and @reboot persistence markers.
Data Sources
Required Tables
False Positives & Tuning
- Automated deployment pipelines writing application-specific cron jobs to /etc/cron.d/ as part of software installation
- Security scanning tools (Lynis, Aide, Tripwire) that read and audit cron directories during scheduled compliance checks
- Container orchestration systems that use crontab to schedule health checks or cleanup jobs inside container images
Other platforms for T1053.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Persistent Cron Job via crontab Command
Expected signal: Auditd: syscall write/open on /var/spool/cron/crontabs/<username>. Syslog/cron log: CMD (/tmp/argus_test.sh) entries every minute. Process creation event for crontab command. File creation event for /tmp/argus_test.sh.
- Test 2Add @reboot Persistence Entry to Crontab
Expected signal: Auditd: write to /var/spool/cron/crontabs/<username> with @reboot content. Syslog: crontab modification event. Process creation for crontab command. File creation for /tmp/argus_backdoor_test.sh with chmod +x.
- Test 3Direct Write to /etc/cron.d/ for System-Wide Persistence
Expected signal: Auditd: file creation syscall on /etc/cron.d/argus-test-job. File creation event with initiating process bash/sudo. Syslog: within 5 minutes, CRON execution of curl command will appear in /var/log/cron or /var/log/syslog.
- Test 4Cron Job with Base64-Encoded Payload Download
Expected signal: File creation event on /etc/cron.d/argus-encoded-test. Cron execution logs showing base64 and bash commands. If wget succeeds (requires listener), process creation for wget and the payload. Auditd syscall records for file write.
References (13)
- https://attack.mitre.org/techniques/T1053/003/
- https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://research.checkpoint.com/2019/speakup-a-new-undetected-backdoor-linux-threat/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container
- https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html
- https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html
- https://www.crowdstrike.com/blog/carbon-spider-skeleton-spider-target-esxi-servers-with-novel-ransomware/
- https://www.welivesecurity.com/2022/01/11/signed-sealed-delivered-securing-operational-technology/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd
- https://linux.die.net/man/5/crontab
- https://www.sans.org/white-papers/1693/
Unlock Pro Content
Get the full detection package for T1053.003 including response playbook, investigation guide, and atomic red team tests.