AN0807: Analytic 0807
Detects direct modification of crontab entries in /var/spool/cron/crontabs/root or /etc/rc.local.d/local.sh followed by execution of scripts linked to lateral movement or malware persistence.
Analyst context for executives and security teams
This analytic matters because it focuses on persistence-related file changes on ESXi: direct edits to root crontab or local startup scripts followed by script execution associated with lateral movement or malware persistence. For leaders, the value is not just detecting a file edit; it is validating whether ESXi hosts have enough monitoring to show when startup or scheduled execution paths are changed in ways that could threaten virtualization availability and recovery confidence.
Executive priority
Prioritize this as an ESXi resilience and incident-readiness question: can the organization prove when privileged startup or scheduled task locations on ESXi are modified, by whom, and what executed afterward? This supports business continuity, audit evidence for critical infrastructure controls, and faster incident decisions when virtualization hosts are suspected of persistence or lateral movement activity.
Technical view
SOC and IR teams should validate monitoring around ESXi file changes to /var/spool/cron/crontabs/root and /etc/rc.local.d/local.sh, then correlate those changes with subsequent script execution. The two paths belong together: on ESXi the root crontab is rebuilt from the boot image at startup, so an edit to it alone does not survive a reboot, and the usual way to make a scheduled task persistent is to have local.sh re-append the crontab line and restart crond. A change to one file is therefore often followed by a change to the other, and both should be watched as a pair. Because ATT&CK provides no official detection logic and no tactic mapping for this analytic, teams should treat it as a detection engineering requirement rather than a ready-to-run rule. The key validation point is whether host, file integrity, command execution, and administrative activity evidence can be joined reliably on ESXi systems.
Likely telemetry
- ESXi file modification events for /var/spool/cron/crontabs/root
- ESXi file modification events for /etc/rc.local.d/local.sh
- Script or command execution evidence following those file changes
- Administrative login or privileged session records on ESXi hosts
- File integrity monitoring or configuration monitoring records for ESXi startup and scheduled execution paths
Detection direction
- Build or validate correlation between direct modification of the specified crontab/startup files and later script execution.
- Tune for authorized maintenance activity, because legitimate administrators may edit startup or scheduled task files during controlled operations.
- Confirm whether ESXi telemetry is actually collected centrally; many environments have weaker logging on hypervisors than on standard servers.
- Preserve enough context to determine actor, timestamp, changed file, executed script, and host identity.
- Because no relationship context is supplied, do not assume a specific technique, actor, malware family, or campaign; use the analytic as behavior-focused coverage.
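The correlation described in the items above, as an added example that is not part of the ATT&CK analytic or of Glexia's page: it joins edits to the two watched paths with any execution on the same host inside a time window, suppresses edits that fall in an approved change window, and attaches the most recent privileged login as actor context. The event schema (ts, host, type, user, detail), the maintenance list and all sample records are constructed for illustration; real ESXi sources (shell.log, auth.log, hostd.log, FIM output) would have to be normalized into that shape first.

```python
"""Correlate ESXi persistence-path edits with later execution (added example)."""
from datetime import datetime, timedelta

# The two paths named by analytic AN0807.
WATCHED_PATHS = {"/var/spool/cron/crontabs/root", "/etc/rc.local.d/local.sh"}
DEFAULT_WINDOW = timedelta(hours=1)

# Constructed sample events in a hypothetical normalized schema (not real ESXi log output).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T01:58:00", "host": "esx01", "type": "admin_login",  "user": "root",
     "detail": "ssh from 10.0.0.5"},
    {"ts": "2024-05-01T02:00:10", "host": "esx01", "type": "file_modify",  "user": "root",
     "detail": "/etc/rc.local.d/local.sh"},
    {"ts": "2024-05-01T02:00:40", "host": "esx01", "type": "process_exec", "user": "root",
     "detail": "/bin/sh /tmp/.x/update.sh"},
    {"ts": "2024-05-01T10:00:00", "host": "esx02", "type": "file_modify",  "user": "svc-patch",
     "detail": "/var/spool/cron/crontabs/root"},
    {"ts": "2024-05-01T10:05:00", "host": "esx02", "type": "process_exec", "user": "svc-patch",
     "detail": "/bin/sh /scratch/patch/rotate-logs.sh"},
    {"ts": "2024-05-01T12:00:00", "host": "esx03", "type": "file_modify",  "user": "root",
     "detail": "/var/spool/cron/crontabs/root"},
    # esx03: the only later execution is hours outside the window, so no alert.
    {"ts": "2024-05-01T15:30:00", "host": "esx03", "type": "process_exec", "user": "root",
     "detail": "esxcli system version get"},
]

# Constructed approved change window (host, start, end) covering the esx02 edit.
SAMPLE_MAINTENANCE = [("esx02", "2024-05-01T09:00:00", "2024-05-01T11:00:00")]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def in_maintenance(host, when, maintenance):
    """True if the change falls inside an approved window for that host."""
    return any(h == host and parse_ts(s) <= when <= parse_ts(e) for h, s, e in maintenance)


def last_login(events, idx, host, user):
    """Most recent privileged login for host/user before event idx, if any."""
    for prior in reversed(events[:idx]):
        if prior["type"] == "admin_login" and prior["host"] == host and prior["user"] == user:
            return prior["detail"]
    return None


def correlate(events, window=DEFAULT_WINDOW, maintenance=SAMPLE_MAINTENANCE):
    """One alert per (watched-file edit, later execution on the same host) pair."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
    alerts = []
    for idx, ev in enumerate(events):
        if ev["type"] != "file_modify" or ev["detail"] not in WATCHED_PATHS:
            continue
        mod_time = parse_ts(ev["ts"])
        if in_maintenance(ev["host"], mod_time, maintenance):
            continue  # tuned out as authorized maintenance; still worth recording
        for later in events[idx + 1:]:
            if parse_ts(later["ts"]) - mod_time > window:
                break  # input is sorted, so nothing further is inside the window
            if later["host"] == ev["host"] and later["type"] == "process_exec":
                alerts.append({
                    "host": ev["host"],
                    "actor": ev["user"],
                    "modified_at": ev["ts"],
                    "changed_file": ev["detail"],
                    "executed_at": later["ts"],
                    "executed": later["detail"],
                    "login_context": last_login(events, idx, ev["host"], ev["user"]),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the sample data only the esx01 chain alerts; the esx02 edit is suppressed by the change window and esx03 has no execution inside the window. Passing `maintenance=[]` shows the effect of the tuning step: esx02 then alerts as well. Every alert carries the host, actor, timestamps, changed file, executed command and login context that the investigation checklist above asks for.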
Mitigation priorities
- Restrict and monitor privileged access to ESXi hosts.
- Baseline expected contents and change windows for root crontab and local startup scripts on ESXi.
- Use file integrity or configuration monitoring for the specified paths where operationally feasible.
- Ensure ESXi administrative actions and relevant execution evidence are forwarded to the SOC or retained for IR.
- Include these paths in incident response collection plans for suspected ESXi persistence or lateral movement investigations.
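The baseline and integrity checks in the list above, as an added example written for this page rather than code from MITRE or Glexia: it normalizes the contents of the root crontab and local.sh, hashes them for a FIM-style baseline, reports lines added or removed relative to a known-good copy, and applies a simple path heuristic to new cron entries. The baseline and observed file contents are constructed to resemble ESXi files, and the list of expected program locations is an assumption to tune per environment; a real baseline should be captured from a known-good host of the same build.

```python
"""Compare ESXi root crontab and local.sh against a baseline (added example)."""
import hashlib

# Constructed baseline for /var/spool/cron/crontabs/root: five schedule fields, then a command.
BASELINE_CRONTAB = """\
1    1    *   *   *   /sbin/tmpwatch.py
1    *    *   *   *   /sbin/auto-backup.sh
0    *    *   *   *   /usr/lib/vmware/vmksummary/log-heartbeat.py
*/5  *    *   *   *   /bin/hostd-probe.sh
"""
# Constructed observed copy with one appended entry pointing at a hidden /tmp directory.
OBSERVED_CRONTAB = BASELINE_CRONTAB + "*/5  *    *   *   *   /bin/sh /tmp/.x/update.sh\n"

# Constructed /etc/rc.local.d/local.sh baseline and a copy that re-adds the cron job at boot.
BASELINE_LOCAL_SH = "#!/bin/sh\n\nexit 0\n"
OBSERVED_LOCAL_SH = (
    "#!/bin/sh\n"
    "/bin/echo '*/5 * * * * /bin/sh /tmp/.x/update.sh' >> /var/spool/cron/crontabs/root\n"
    "/bin/kill -HUP $(cat /var/run/crond.pid)\n"
    "exit 0\n"
)

# Assumption: where legitimate ESXi cron commands normally live. Tune per environment.
EXPECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/")


def normalize(text):
    """Drop blank lines and comments, collapse whitespace so cosmetic edits do not alert."""
    lines = []
    for line in text.splitlines():
        line = " ".join(line.split())
        if line and not line.startswith("#"):
            lines.append(line)
    return lines


def digest(text):
    """SHA-256 of the normalized content, suitable for storing as the FIM baseline."""
    return hashlib.sha256("\n".join(normalize(text)).encode()).hexdigest()


def command_of(cron_line):
    """Command portion of a crontab line (everything after the five schedule fields)."""
    parts = cron_line.split(None, 5)
    return parts[5] if len(parts) == 6 else cron_line


def suspicious(command):
    """Heuristic: the program, or any absolute path it is handed, lies outside EXPECTED_PREFIXES."""
    tokens = command.split()
    targets = [tokens[0]] + [t for t in tokens[1:] if t.startswith("/")]
    return any(not t.startswith(EXPECTED_PREFIXES) for t in targets)


def compare(baseline, observed, flag_commands=True):
    """Diff observed content against the baseline; flag_commands applies the heuristic to cron lines."""
    base, obs = normalize(baseline), normalize(observed)
    added = [line for line in obs if line not in base]
    removed = [line for line in base if line not in obs]
    flagged = [line for line in added if suspicious(command_of(line))] if flag_commands else []
    return {
        "changed": digest(baseline) != digest(observed),
        "added": added,
        "removed": removed,
        "flagged": flagged,
    }


if __name__ == "__main__":
    print("crontab :", compare(BASELINE_CRONTAB, OBSERVED_CRONTAB))
    print("local.sh:", compare(BASELINE_LOCAL_SH, OBSERVED_LOCAL_SH, flag_commands=False))
```

The path heuristic is only meaningful for crontab lines, which is why the local.sh comparison turns it off and relies on the added/removed diff alone. Normalizing before hashing means a reformatted or re-commented file does not produce a false change, while the added-line report preserves exactly what an investigator needs to decide whether the new entry was authorized.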
Analyst notes and limits
This Glexia take is based only on the supplied ATT&CK analytic AN0807. The object identifies ESXi as the platform and describes detection of direct modifications to root crontab or local startup script locations followed by execution of scripts linked to lateral movement or malware persistence. No tactics, relationships, aliases, labels, or official detection logic were supplied.
Coverage depends on local ESXi logging, file integrity monitoring, and the ability to correlate file changes with execution. The supplied ATT&CK fields do not provide a rule query, data source list, false-positive guidance, related techniques, threat actors, or evidence of active exploitation.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 120e27ce8fed… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN0807
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.