AN0259: Analytic 0259
Detects creation or modification of cron jobs via crontab, /etc/cron.* directories, or systemd timer units with execution by unusual users or non-standard intervals.
Analyst context for executives and security teams
AN0259 is a Linux detection analytic focused on spotting creation or modification of scheduled execution mechanisms: cron jobs through crontab or /etc/cron.* directories, and systemd timer units. Its business value is persistence and operational assurance: unauthorized scheduled tasks can quietly re-run code, survive restarts, or create recurring execution outside normal change windows. Leaders should treat this as a control-validation point for Linux server hygiene, SOC visibility, and incident response readiness rather than as proof of any specific threat activity.
Executive priority
Prioritize this analytic where Linux systems support critical services, regulated workloads, or administrative automation. The key decision is whether the organization can prove who changed scheduled execution, when it changed, and whether the schedule and executing user are expected. This supports incident triage, audit evidence for change control, and resilience planning because unmanaged scheduled tasks can undermine recovery and reintroduce unwanted activity after remediation.
Technical view
Validate monitoring for Linux cron and systemd timer changes. The analytic scope includes crontab usage, writes under /etc/cron.* paths, and creation or modification of systemd timer units, especially when execution occurs under unusual users or at non-standard intervals. SOC and detection engineers should baseline expected automation accounts, approved maintenance windows, common schedules, and known timer unit locations before alerting broadly. Because no official detection logic is supplied, teams must implement local logic from available host telemetry and tune it against administrative automation patterns.
Likely telemetry
- Linux process execution involving crontab or related scheduling utilities
- File creation or modification events for /etc/cron.* directories
- File creation or modification events for systemd timer unit files
- User/account context for the scheduled task owner and executing user
- Command line or file content metadata sufficient to identify schedule intervals where collected
Detection direction
- Confirm host telemetry covers cron and systemd timer persistence locations on Linux systems.
- Baseline expected scheduled jobs, service accounts, administrators, and maintenance intervals before setting severity.
- Prioritize alerts where the user is unusual for the host, the interval is uncommon, or the change lacks corresponding change-control evidence.
- Tune for legitimate automation tools and configuration management activity to reduce false positives.
- Review both creation and modification events; unauthorized changes to existing jobs may be as important as new entries.
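The baseline-then-compare logic described above, as an added example that is not part of the ATT&CK object or the Glexia page: it parses /etc/cron.d-style entries and the schedule lines of a systemd .timer unit, then flags any entry whose executing user or schedule string is outside a constructed per-host baseline. The approved users, approved schedules and sample inputs are assumptions; schedule matching is by exact string, so a real deployment would normalize equivalent cron expressions first.

```python
# Constructed per-host baseline (an assumption of this example, not from the page).
APPROVED_USERS = {"root", "backup"}
APPROVED_SCHEDULES = {"0 2 * * *", "*/15 * * * *", "@daily", "daily", "weekly"}

def parse_cron_d(text):
    """Return (source, user, schedule, command) tuples from /etc/cron.d-style text:
    five schedule fields (or one @keyword), then the user, then the command."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue                  # blank, comment, or MAILTO=... assignment
        n = 1 if fields[0].startswith("@") else 5
        if len(fields) < n + 2:
            continue                  # malformed line: no user or command
        entries.append(("cron.d", fields[n], " ".join(fields[:n]), " ".join(fields[n + 1:])))
    return entries

def parse_timer(text, service_user="root"):
    """Return schedule tuples from a systemd .timer unit. The executing user is set
    by User= in the paired .service unit (default root), so it is passed in."""
    entries = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition("=")
        if key in ("OnCalendar", "OnUnitActiveSec", "OnBootSec"):
            entries.append(("systemd.timer", service_user, value.strip(), key))
    return entries

def evaluate(entries):
    """Flag entries whose executing user or schedule is outside the baseline."""
    findings = []
    for source, user, schedule, _ in entries:
        if user not in APPROVED_USERS:
            findings.append((source, user, schedule, "unusual user"))
        if schedule not in APPROVED_SCHEDULES:
            findings.append((source, user, schedule, "non-standard interval"))
    return findings

# Constructed sample inputs: one approved backup job, one odd entry, one timer.
SAMPLE_CRON_D = """\
# /etc/cron.d/backup (constructed)
MAILTO=root
0 2 * * * backup /usr/local/bin/backup.sh
*/7 * * * * www-data /var/tmp/sync.sh
"""
SAMPLE_TIMER = "[Timer]\nOnCalendar=*:0/3\n"

def run_sample():
    return evaluate(parse_cron_d(SAMPLE_CRON_D) + parse_timer(SAMPLE_TIMER))
```

On the sample input the approved backup job produces no finding, the www-data entry produces both an unusual-user and a non-standard-interval finding, and the three-minute timer produces a non-standard-interval finding.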
Mitigation priorities
- Establish ownership and change-control requirements for Linux scheduled tasks and timer units.
- Restrict permission to create or modify cron entries and systemd timer units to approved administrative roles.
- Maintain an inventory or baseline of approved scheduled jobs on critical Linux systems.
- Ensure incident response playbooks include review of cron and systemd timers during Linux host containment and recovery.
- Use centralized logging or endpoint telemetry so scheduled task changes can be reconstructed during investigations.
Analyst notes and limits
This take is based only on the supplied ATT&CK analytic fields. The object is a detection analytic for Linux and describes cron and systemd timer job creation or modification with emphasis on unusual users or non-standard intervals. No ATT&CK tactics, related techniques, procedures, adversary relationships, or official detection logic were supplied.
The official detection field is not provided, and no relationship context is supplied. Environment-specific baselines are required to define what counts as an unusual user or non-standard interval. This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a30fb91229f4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0259 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.