Cron job modified

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1053-scheduled-task-or-job

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect the creation or modification of new cron jobs on a system.

Strategy

Cron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.

Triage and response

  1. Check to see which cron task was created or modified.
  2. Check whether the cron task was created or modified by a known user or process.
  3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.

Requires Agent version 7.27 or greater