T1053.003 · Sub-technique · execution · persistence · privilege-escalation · agent-callable

T1053.003 Cron

Sub-technique of T1053

Platforms: Linux · macOS

ATT&CK version: 14.1

What it is

Adversaries may abuse the `cron` utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The `cron` utility is a time-based job scheduler for Unix-like operating systems. The `crontab` file contains the schedule of cron entries to be run and the specified times for execution. Any `crontab` files are stored in operating system-specific file paths. An adversary may use `cron` in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003).
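For defenders reviewing the schedules described above, the following is an added example (not part of the ATT&CK entry) that parses crontab text and surfaces entries that run at startup or reference world-writable directories. The flag names, the directory list and the sample lines are assumptions made for illustration.

```python
import re

NICKNAMES = {"@reboot", "@yearly", "@annually", "@monthly", "@weekly",
             "@daily", "@midnight", "@hourly"}
ENV_LINE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\s*=")
# Assumption for this example: paths any local user can write to deserve review.
WRITABLE = re.compile(r"(?<![\w/.-])(?:/tmp|/var/tmp|/dev/shm)(?=/|\s|$)")

def parse_crontab(text, system=False):
    """Parse crontab text into job dicts.

    system=True selects the /etc/crontab and /etc/cron.d layout, which has a
    user field between the schedule and the command.
    """
    jobs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # blank line, comment, or environment assignment
        n_sched = 1 if line.startswith("@") else 5
        need = n_sched + (2 if system else 1)
        parts = line.split(None, need - 1)
        job = {"line": lineno, "schedule": None, "user": None,
               "command": line, "flags": []}
        jobs.append(job)
        if len(parts) < need or (n_sched == 1 and parts[0] not in NICKNAMES):
            job["flags"].append("unparsed")  # surface it rather than hide it
            continue
        job["schedule"] = " ".join(parts[:n_sched])
        job["user"] = parts[n_sched] if system else None
        job["command"] = parts[-1]
        if job["schedule"] == "@reboot":
            job["flags"].append("runs-at-boot")
        if WRITABLE.search(job["command"]):
            job["flags"].append("world-writable-path")
    return jobs

def flagged(jobs):
    """Return only the jobs that carry at least one review flag."""
    return [j for j in jobs if j["flags"]]

# Constructed sample input, not taken from any real host.
SAMPLE_USER = """\
# user crontab format
MAILTO=ops@example.com
30 2 * * * /usr/local/bin/backup.sh --full
@reboot /tmp/.cache/update.sh
*/5 * * * * /usr/bin/python3 /dev/shm/job.py
"""
SAMPLE_SYSTEM = "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
```

On a live host the input would come from `crontab -l` for each user and from the system crontab files, whose locations differ by operating system.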

ATT&CK tactics · 3

Execution · Persistence · Privilege Escalation

References

  1. https://attack.mitre.org/techniques/T1053/003
  2. https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.