MITRE ATT&CK® Analytic

AN0805: Analytic 0805

Detects creation or modification of crontab entries by non-root users or from abnormal parent processes, followed by the execution of uncommon binaries at scheduled intervals.

Enterprise · AN0805 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because cron is a standard way for activity on Linux to persist and recur without an interactive user session. The business value is not simply spotting crontab edits; it is validating whether the organization can distinguish routine user scheduling from suspicious changes that are followed by uncommon binaries running on a timer.

Executive priority

Prioritize this where Linux systems support critical applications, administrative workflows, or compliance-sensitive operations. Leaders should ask whether SOC and IR teams can prove visibility into non-root crontab changes, abnormal process ancestry, and scheduled execution patterns. The control decision is whether Linux endpoint telemetry and alert triage are mature enough to catch recurring unauthorized execution before it becomes an operational resilience or audit issue.

Technical view

For Linux environments, validate detection logic around three signals: creation or modification of crontab entries by non-root users, crontab changes launched from abnormal parent processes, and subsequent execution of uncommon binaries at scheduled intervals. Because no ATT&CK tactics or formal detection logic are supplied, treat this as a detection-validation requirement rather than a complete rule. Baseline legitimate cron usage by users, service accounts, and administrative tools before alerting aggressively. Note that entries can be created either through the crontab command or by writing directly to the spool and /etc/cron.d locations, so process telemetry alone misses direct file writes and file-integrity telemetry alone lacks parent-process context; the analytic needs both sources, joined on user and time.

Likely telemetry

  • Linux process creation events with parent-child process context
  • Crontab file creation and modification events
  • User and account context for crontab changes, especially non-root users
  • Command-line arguments associated with crontab editing or scheduled execution
  • File path and binary reputation or prevalence data for binaries launched by cron

Detection direction

  • Confirm that endpoint or host telemetry captures both the crontab modification event and the later scheduled process execution.
  • Tune for non-root crontab changes, abnormal parent processes, and uncommon binaries rather than any cron activity alone.
  • Build allowlists or baselines for known administrative automation, backup jobs, monitoring agents, and application maintenance tasks to reduce false positives.
  • Correlate crontab changes with later process execution at expected intervals; isolated file modification events may be insufficient for high-confidence alerting.
  • Review blind spots on Linux servers without process telemetry, file integrity monitoring, or centralized logs.
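
The correlation the bullets above describe, as an added worked example in Python; it is not part of the MITRE object or the Glexia analysis. The event records, the KNOWN_CRON_BINARIES and EXPECTED_EDIT_PARENTS baselines, and the field names (ts, type, user, parent, image, path) are constructed for illustration and stand in for whatever the local endpoint or audit telemetry actually produces.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical, not real logs). Timestamps are
# epoch seconds. "crontab_modify" records come from file-integrity or audit
# telemetry on crontab locations and carry the writing user and parent image;
# "proc_exec" records are process creations with the parent image recorded.
EVENTS = [
    # root edits a system cron file from an interactive shell: expected.
    {"ts": 1000, "type": "crontab_modify", "user": "root", "parent": "bash",
     "path": "/etc/cron.d/backup"},
    # a non-root service account edits its crontab from a web worker: abnormal.
    {"ts": 2000, "type": "crontab_modify", "user": "www-data", "parent": "php-fpm",
     "path": "/var/spool/cron/crontabs/www-data"},
    # cron runs the baselined backup script hourly: expected.
    {"ts": 4600, "type": "proc_exec", "user": "root", "parent": "cron",
     "image": "/usr/local/bin/backup.sh"},
    {"ts": 8200, "type": "proc_exec", "user": "root", "parent": "cron",
     "image": "/usr/local/bin/backup.sh"},
    # cron runs an unknown binary from /tmp every 10 minutes as www-data.
    {"ts": 2600, "type": "proc_exec", "user": "www-data", "parent": "cron",
     "image": "/tmp/.x"},
    {"ts": 3200, "type": "proc_exec", "user": "www-data", "parent": "cron",
     "image": "/tmp/.x"},
    {"ts": 3800, "type": "proc_exec", "user": "www-data", "parent": "cron",
     "image": "/tmp/.x"},
    # a single cron launch of an unknown binary: no cadence, no alert on its own.
    {"ts": 5000, "type": "proc_exec", "user": "alice", "parent": "cron",
     "image": "/home/alice/oneoff"},
]

# Hypothetical local baselines; a real deployment derives these from the
# cron inventory and from observed parent images of legitimate edits.
KNOWN_CRON_BINARIES = {"/usr/local/bin/backup.sh", "/usr/sbin/logrotate"}
EXPECTED_EDIT_PARENTS = {"bash", "sh", "zsh", "crontab", "ansible"}


def suspicious_modifications(events):
    """Crontab changes made by a non-root user or from a parent outside the baseline."""
    return [e for e in events
            if e["type"] == "crontab_modify"
            and (e["user"] != "root" or e["parent"] not in EXPECTED_EDIT_PARENTS)]


def scheduled_uncommon_executions(events, min_runs=3, jitter=60):
    """Uncommon binaries that cron launched at a stable interval.

    Returns {(user, image): {"interval": seconds, "first_run": ts}} for every
    series of at least min_runs launches whose gaps differ by at most jitter.
    """
    runs = defaultdict(list)
    for e in events:
        if (e["type"] == "proc_exec" and e["parent"] == "cron"
                and e["image"] not in KNOWN_CRON_BINARIES):
            runs[(e["user"], e["image"])].append(e["ts"])
    found = {}
    for key, stamps in runs.items():
        if len(stamps) < min_runs:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter:        # consistent cadence
            found[key] = {"interval": round(sum(gaps) / len(gaps)),
                          "first_run": stamps[0]}
    return found


def correlate(events, window=86400):
    """Pair each suspicious crontab change with later scheduled execution by the
    same user inside the window. Either signal alone stays below alert level."""
    scheduled = scheduled_uncommon_executions(events)
    alerts = []
    for mod in suspicious_modifications(events):
        for (user, image), info in scheduled.items():
            if user == mod["user"] and mod["ts"] < info["first_run"] <= mod["ts"] + window:
                alerts.append({"user": user, "image": image,
                               "interval": info["interval"],
                               "crontab_path": mod["path"],
                               "edit_parent": mod["parent"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Either signal alone is deliberately not an alert: root's shell edit and the hourly backup are baselined, and the one-off launch of /home/alice/oneoff has no cadence, so only the www-data edit from php-fpm followed by /tmp/.x every 600 seconds surfaces. The cadence check needs three runs, so an alert lags the first execution by two scheduled intervals; lowering min_runs trades that latency for noise. Matching on the editing user is a simplification: a job in /etc/cron.d runs as the user named in the entry, not as whoever wrote the file, so a production rule should join on the crontab path as well.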

Mitigation priorities

  • Inventory legitimate cron usage on Linux systems and document expected owners, schedules, and binaries.
  • Restrict crontab modification permissions where operationally feasible and review non-root scheduling rights.
  • Monitor the integrity of user and system crontab locations with centralized alerting: /etc/crontab, /etc/cron.d/, the periodic directories (cron.hourly, cron.daily and so on), and the per-user spool under /var/spool/cron, whose exact path varies by distribution.
  • Use least privilege for service and user accounts that can create scheduled jobs.
  • Ensure IR playbooks include review of cron entries and scheduled execution history during Linux investigations.
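
As an added example of the inventory and permission review in the first two bullets above (not from the MITRE object or the Glexia analysis), the Python below parses constructed system and per-user crontab contents into (owner, schedule, binary) tuples, diffs them against a documented baseline, and lists spool files belonging to users absent from cron.allow. The file contents, the DOCUMENTED set and the cron.allow list are all hypothetical.

```python
import re

# Constructed crontab contents (hypothetical, not taken from a real host).
# System-style files carry a user field after the schedule; per-user spool
# files do not.
SYSTEM_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
17 *    * * *   root    run-parts --report /etc/cron.hourly
0 3     * * *   root    /usr/local/bin/backup.sh --full
"""
USER_CRONTABS = {                       # owner -> spool file contents
    "alice": "30 6 * * 1-5 /home/alice/bin/sync-notes\n",
    "www-data": "*/10 * * * * /tmp/.x >/dev/null 2>&1\n",
}
CRON_ALLOW = "root\nalice\n"            # hypothetical /etc/cron.allow

# Documented inventory of (owner, schedule, binary). Hypothetical baseline.
DOCUMENTED = {
    ("root", "17 * * * *", "run-parts"),
    ("root", "0 3 * * *", "/usr/local/bin/backup.sh"),
    ("alice", "30 6 * * 1-5", "/home/alice/bin/sync-notes"),
}

_ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text, owner=None):
    """Return (owner, schedule, binary) for each job line in a crontab.

    owner=None means a system-style file whose sixth field names the user;
    otherwise every job belongs to `owner`. Comments, blank lines and
    variable assignments are skipped; @reboot-style specials are kept as the
    schedule string. Only the first token of the command is reported.
    """
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_LINE.match(line):
            continue
        fields = line.split()
        if fields[0].startswith("@"):          # @daily, @reboot, ...
            schedule, rest = fields[0], fields[1:]
        else:
            schedule, rest = " ".join(fields[:5]), fields[5:]
        user = owner
        if user is None and rest:
            user, rest = rest[0], rest[1:]
        if not rest:
            continue                           # malformed line, nothing to run
        jobs.append((user, schedule, rest[0]))
    return jobs


def all_jobs():
    """Inventory across the system crontab and every per-user spool file."""
    jobs = parse_crontab(SYSTEM_CRONTAB)
    for user, text in USER_CRONTABS.items():
        jobs += parse_crontab(text, owner=user)
    return jobs


def undocumented_jobs(jobs, documented):
    """Jobs present on the host but absent from the documented inventory."""
    return sorted(set(jobs) - set(documented))


def spools_outside_cron_allow(user_crontabs, cron_allow_text):
    """Users with a spool file who are not listed in cron.allow."""
    allowed = {l.strip() for l in cron_allow_text.splitlines() if l.strip()}
    return sorted(u for u in user_crontabs if u not in allowed)


if __name__ == "__main__":
    for job in undocumented_jobs(all_jobs(), DOCUMENTED):
        print("undocumented:", job)
    for user in spools_outside_cron_allow(USER_CRONTABS, CRON_ALLOW):
        print("spool owner not in cron.allow:", user)
```

On a live host the same functions would be fed /etc/crontab, the files under /etc/cron.d, and each file in the per-user spool (/var/spool/cron or /var/spool/cron/crontabs depending on the distribution). A spool file owned by a user who is not in /etc/cron.allow deserves a look: when that file exists, the crontab command refuses users it does not list, so the file was either written out of band or the allow list is stale.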

Analyst notes and limits

This object is a detection analytic, not a technique description. The only supported platform is Linux. The supplied description emphasizes non-root crontab creation or modification, abnormal parent processes, and uncommon binaries executing on a schedule. No relationship context, tactics, aliases, or detailed detection implementation were supplied.

Official detection content is not provided, and no relationships were supplied. This take cannot assert ATT&CK tactic mapping, adversary use, impact, or guaranteed coverage. Local baselines are required to define abnormal parent processes and uncommon binaries.

Official MITRE ATT&CK definition

Analytic 0805

Detects creation or modification of crontab entries by non-root users or from abnormal parent processes, followed by the execution of uncommon binaries at scheduled intervals.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6a89b3f81782154c...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1      (blank)           1.0              (blank)    Current bundle   6a89b3f81782…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN0805 (open source URL)
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.