MITRE ATT&CK® Analytic

AN0806: Analytic 0806

Detects crontab job additions or modifications via `crontab` utility or direct edits, especially those created by interactive users executing hidden or renamed scripts.

Enterprise · AN0806 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because unauthorized or unexpected cron changes on macOS can create recurring execution that survives reboots and normal user activity cycles. For leaders, the decision value is whether the organization can prove it sees changes to scheduled jobs made by interactive users, especially when those jobs point to hidden or unusually named scripts.

Executive priority

Prioritize this as a resilience and audit-readiness question for macOS environments: can security teams identify who changed cron configuration, what command or script was scheduled, and whether the change was expected? Coverage depends less on a single alert and more on endpoint logging, file-change visibility, and SOC procedures for distinguishing approved administration from suspicious persistence-like behavior.

Technical view

Validate monitoring for macOS crontab additions and modifications through both the `crontab` utility and direct edits to cron-related files. Because the ATT&CK object highlights interactive users, hidden scripts, and renamed scripts, SOC and IR teams should correlate cron changes with user session context, process execution, file paths, script metadata, and recent file creation or rename activity. No official detection logic or tactic mapping was supplied, so teams should treat this as a detection-validation requirement rather than a complete rule.

Likely telemetry

  • macOS endpoint process execution events for use of the `crontab` utility
  • File creation, modification, and permission-change events for user cron entries and related cron configuration locations
  • User logon/session context showing whether activity came from an interactive user
  • Command-line arguments and parent process information for cron-related changes
  • File metadata for scheduled scripts, including hidden paths, recent renames, ownership, and permissions

Detection direction

  • Confirm that macOS hosts generate and forward telemetry for both `crontab` command usage and direct cron file edits; many gaps occur when only process execution is monitored.
  • Tune detections to compare cron additions or modifications against approved administrative activity, software management processes, and known maintenance jobs to reduce false positives.
  • Add context checks for hidden script paths, recently renamed scripts, unusual ownership, unexpected interpreter usage, or cron entries created during interactive user sessions.
  • Ensure alerts preserve enough evidence for incident response: user, host, parent process, modified file, scheduled command, timestamp, and relevant script path.
  • Because no relationship context or official detection logic was supplied, validate locally against the organization’s macOS build, logging configuration, and administrative workflows.
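One way to turn the telemetry list and detection direction above into logic that can be tested before it is deployed, as an added example that is not part of the MITRE object or of Glexia's analysis: it runs over constructed process, file-modify and rename events, flags `crontab` writes (ignoring `crontab -l`) and direct edits to cron files, and attaches the context checks the page calls for: hidden script paths, recently renamed scripts, and interactive sessions whose parent is not an assumed allowlist of management agents. The cron file locations in `CRON_PATHS` and the `APPROVED_PARENTS` allowlist are assumptions to be replaced with local values.

```python
import shlex
APPROVED_PARENTS = {"jamf", "munki"}  # assumed sanctioned management agents (constructed list)
CRON_PATHS = ("/var/at/tabs/", "/usr/lib/cron/tabs/", "/etc/crontab")  # assumed macOS cron file locations
# Constructed sample telemetry (not real logs), shaped like EDR process/file events from two macOS hosts.
TAB = "PATH=/usr/bin:/bin\n*/5 * * * * /Users/jdoe/Library/.hidden/update.sh\n0 3 * * * /usr/bin/softwareupdate -l\n"
EVENTS = [
    {"type": "process", "host": "mac-01", "user": "jdoe", "interactive": True, "parent": "zsh", "cmdline": "crontab /tmp/.cache/tab"},
    {"type": "process", "host": "mac-01", "user": "jdoe", "interactive": True, "parent": "zsh", "cmdline": "crontab -l"},
    {"type": "process", "host": "mac-02", "user": "root", "interactive": False, "parent": "jamf", "cmdline": "crontab -u svc /usr/local/jamf/tab"},
    {"type": "file_rename", "host": "mac-01", "user": "jdoe", "interactive": True, "parent": "mv", "path": "/Users/jdoe/Library/.hidden/update.sh"},
    {"type": "file_modify", "host": "mac-01", "user": "jdoe", "interactive": True, "parent": "vim", "path": "/var/at/tabs/jdoe", "content": TAB},
]

def is_hidden(path):  # True if any path component is dot-prefixed, e.g. /Users/x/.cache/run.sh
    return any(p.startswith(".") for p in path.split("/") if p)

def cron_commands(text):
    """Return the command field of each crontab entry, skipping comments and VAR=value lines."""
    cmds = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = 1 if line.startswith("@") else 5  # @reboot-style keyword vs. five time fields
        parts = line.split(None, fields)
        if len(parts) == fields + 1:
            cmds.append(parts[-1])
    return cmds

def analyze(events):
    """One finding per crontab write or direct cron-file edit, listing why it was flagged."""
    renamed = {(e["host"], e["path"]) for e in events if e["type"] == "file_rename"}
    findings = []
    for e in events:
        if e["type"] == "process":
            argv = shlex.split(e["cmdline"])
            if not argv or argv[0].rsplit("/", 1)[-1] != "crontab" or "-l" in argv:
                continue  # not crontab at all, or crontab -l, which only lists
            reasons = ["crontab_write"] + ["hidden_path_arg"] * any(is_hidden(a) for a in argv[1:])
        elif e["type"] == "file_modify" and e["path"].startswith(CRON_PATHS):
            reasons = ["direct_cron_edit"]
            for script in (shlex.split(c)[0] for c in cron_commands(e["content"])):
                reasons += [f"hidden_script:{script}"] * is_hidden(script)
                reasons += [f"renamed_script:{script}"] * ((e["host"], script) in renamed)
        else:
            continue
        if e["interactive"] and e["parent"] not in APPROVED_PARENTS:
            reasons.append("interactive_unapproved")  # interactive session, not a known admin agent
        findings.append({"host": e["host"], "user": e["user"], "reasons": reasons})
    return findings
```

Each finding keeps host, user and the reason list so that triage can separate an approved agent writing a crontab from an interactive user scheduling a hidden, freshly renamed script.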

Mitigation priorities

  • Establish an approved baseline for legitimate macOS cron jobs and administrative procedures for modifying them.
  • Restrict and monitor who can create or modify scheduled jobs on managed macOS systems according to role and operational need.
  • Ensure endpoint logging and EDR policies capture cron-related process and file activity before relying on alerting.
  • Review hidden or renamed scripts referenced by cron jobs during investigations, including ownership, permissions, and recent change history.
  • Use change-management or compliance evidence to distinguish sanctioned scheduled tasks from unexplained persistence-like changes.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for macOS focused on crontab job additions or modifications, especially by interactive users and where hidden or renamed scripts are involved. There are no supplied tactics, related techniques, relationship context, or official detection query, so this take emphasizes validation of telemetry and operational triage rather than asserting a specific ATT&CK behavior chain.

This summary is limited to the official STIX fields, external reference, and lack of relationships provided. It does not establish active exploitation, adversary attribution, impact, or guaranteed detection coverage. Local macOS logging configuration, EDR capabilities, administrative practices, and approved cron usage are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Analytic 0806

Detects crontab job additions or modifications via `crontab` utility or direct edits, especially those created by interactive users executing hidden or renamed scripts.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 97405c546c138a18...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 97405c546c13…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0806

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.