Adversaries may abuse thecronutility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) Thecronutility is a time-based job scheduler for Unix-like operating systems. Thecrontabfile contains the schedule of cron entries to be run and the specified times for execution. Anycrontabfiles are stored in operating system-specific file paths. An adversary may usecronin Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003).
Atomic Test #1 - Cron - Replace crontab with referenced file
Atomic Test #4 - Cron - Add script to /var/spool/cron/crontabs/ folder
This test replaces the current user’s crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
Supported Platforms: Linux, macOS
auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75
| Name | Description | Type | Default Value | |——|————-|——|—————| | command | Command to execute | string | /tmp/evil.sh| | tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
1
sh
1
2
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
1
crontab /tmp/notevil
This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: macOS, Linux
auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
| Name | Description | Type | Default Value | |——|————-|——|—————| | command | Command to execute | string | echo ‘Hello from Atomic Red Team’ > /tmp/atomic.log| | cron_script_name | Name of file to store in cron folder | string | persistevil|
1
bash
1
2
3
4
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
1
2
3
4
rm /etc/cron.daily/#{cron_script_name} -f
rm /etc/cron.hourly/#{cron_script_name} -f
rm /etc/cron.monthly/#{cron_script_name} -f
rm /etc/cron.weekly/#{cron_script_name} -f
This test adds a script to /etc/cron.d folder configured to execute on a schedule.
Supported Platforms: Linux
auto_generated_guid: 078e69eb-d9fb-450e-b9d0-2e118217c846
| Name | Description | Type | Default Value | |——|————-|——|—————| | command | Command to execute | string | echo ‘*/5 * * * * root echo “Hello from Atomic Red Team”’ > /tmp/atomic.log| | cron_script_name | Name of file to store in cron folder | string | persistevil|
1
sh
1
echo "#{command}" > /etc/cron.d/#{cron_script_name}
1
rm /etc/cron.d/#{cron_script_name} -f
This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: Linux
auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
| Name | Description | Type | Default Value | |——|————-|——|—————| | command | Command to execute | string | echo ‘Hello from Atomic Red Team’ > /tmp/atomic.log| | cron_script_name | Name of file to store in /var/spool/cron/crontabs folder | string | persistevil|
1
bash
1
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
1
rm /var/spool/cron/crontabs/#{cron_script_name} -f