Scheduled Task/Job: Cron
Other sub-techniques of Scheduled Task/Job (6)
ID | Name |
---|---|
T1053.001 | At (Linux) |
T1053.002 | At (Windows) |
T1053.003 | Cron |
T1053.004 | Launchd |
T1053.005 | Scheduled Task |
T1053.006 | Systemd Timers |
Adversaries may abuse the cron
utility to perform task scheduling for initial or recurring execution of malicious code. The cron
utility is a time-based job scheduler for Unix-like operating systems. The crontab
file contains the schedule of cron entries to be run and the specified times for execution. Any crontab
files are stored in operating system-specific file paths.
An adversary may use cron
in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. cron
can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.
Procedure Examples
Name | Description |
---|---|
Anchor | |
Exaramel for Linux |
Exaramel for Linux uses crontab for persistence if it does not have root privileges.[2] |
Janicab | |
Rocke |
Rocke installed a cron job that downloaded and executed files from the C2.[4][5][6] |
Skidmap | |
SpeakUp | |
Xbash |
Xbash can create a cronjob for persistence if it determines it is on a Linux system.[9] |
Mitigations
Mitigation | Description |
---|---|
Audit |
Review changes to the |
User Account Management |
|
Detection
Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc.
Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
References
- Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
- Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
- Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
- Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
- Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.