Adversaries may abuse the `cron` utility to perform task scheduling for initial or recurring execution of malicious code. The `cron` utility is a time-based job scheduler for Unix-like operating systems. The `crontab` file contains the schedule of cron entries to be run and the specified times for execution. Any `crontab` files are stored in operating system-specific file paths.

An adversary may use `cron` in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence. `cron` can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account.

This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
Supported Platforms: macOS, Linux
Name | Description | Type | Default Value |
---|---|---|---|
command | Command to execute | string | /tmp/evil.sh |
tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil |
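
```sh
# Back up the current user's crontab so it can be restored afterwards
crontab -l > /tmp/notevil
# Install a crontab that runs the command every minute
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
# Cleanup: restore the original crontab
crontab /tmp/notevil
```
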
This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
Supported Platforms: macOS, Linux
Name | Description | Type | Default Value |
---|---|---|---|
command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log |
cron_script_name | Name of file to store in cron folder | string | persistevil |

```sh
# Drop the command into a script in the daily cron folder
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
# Cleanup: remove the script
rm /etc/cron.daily/#{cron_script_name}
```
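
A defender-side check for the artifacts both tests leave behind, given here as an added example that is not part of the original page or of Atomic Red Team. The function names, the list of staging directories and the sample crontab are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Atomic Red Team code): look for the artifacts the two
# tests above leave behind. Function names, directory list and sample data
# are assumptions made for illustration.

# Read crontab text on stdin; print entries whose command references a
# world-writable staging directory (/tmp, /var/tmp, /dev/shm).
flag_cron_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        $1 ~ /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # VAR=value settings
        {
            first = ($1 ~ /^@/) ? 2 : 6   # skip @reboot-style or five time fields
            cmd = ""
            for (i = first; i <= NF; i++) cmd = cmd " " $i
            if (cmd ~ "(^|[^A-Za-z0-9_./-])/(tmp|var/tmp|dev/shm)/")
                print "SUSPICIOUS: " $0
        }'
}

# List regular files under a cron directory modified within the last N days
# (default 1). A fresh file in /etc/cron.daily is what the second test creates.
recent_cron_files() {
    find "$1" -type f -mtime "-${2:-1}" 2>/dev/null
}

# Constructed sample crontab, not taken from a real host.
SAMPLE_CRONTAB='MAILTO=root
# * * * * * /tmp/old.sh
*/5 * * * * /usr/bin/backup.sh >/dev/null 2>&1
0 3 * * * /home/bob/tmp/cleanup.sh
* * * * * /tmp/evil.sh
@reboot /var/tmp/.cache/run'

printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_entries

# On a live host:
#   crontab -l 2>/dev/null | flag_cron_entries
#   recent_cron_files /etc/cron.daily 1
```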