DET0290: Cross-Platform Detection of Cron Job Abuse for Persistence and Execution
Analyst context for executives and security teams
This detection strategy matters because cron abuse can give an intruder a simple, durable way to run code again later on Unix-like systems. Even though the strategy object itself does not include MITRE detection text, its relationship to ATT&CK technique T1053.003 shows the defensive focus: finding suspicious scheduled task activity tied to execution, persistence, and privilege escalation on Linux, macOS, and ESXi environments.
Executive priority
Leaders should treat cron monitoring as an operational resilience and incident readiness issue, not just a Linux administration detail. If critical servers, macOS fleets, or ESXi hosts are in scope, confirm whether security teams can prove who created or changed scheduled jobs, when they changed, and what those jobs execute. This supports incident scoping, audit evidence, and prioritization of logging/control gaps around persistence mechanisms.
Technical view
SOC, detection engineering, and IR teams should validate coverage around the related ATT&CK technique T1053.003: Cron. The key question is whether the environment records cron/crontab file changes, scheduled command execution, relevant process creation, user context, and privilege context across Linux, macOS, and ESXi where applicable. Because the official detection strategy has no supplied detection logic, teams should build local validation from ATT&CK relationship context and baseline normal administrative scheduling behavior before alerting on anomalies.
Likely telemetry
- Crontab and cron-related file creation, modification, and deletion events
- Process creation events for scheduled commands launched by cron
- User and privilege context for crontab edits and scheduled execution
- File path monitoring for operating-system-specific cron storage locations
- Authentication or session context around users who modify scheduled jobs
Detection direction
- Validate that telemetry exists before assuming coverage; the MITRE object provides no official detection text or analytics.
- Baseline legitimate administrative cron usage to reduce false positives from routine maintenance, backups, monitoring agents, and software updates.
- Prioritize detection of new or modified cron entries that execute unusual commands, run from unusual paths, or appear under unexpected user or privileged contexts.
- Correlate crontab changes with subsequent process execution to distinguish configuration change from actual scheduled execution.
- Check for platform blind spots: Linux, macOS, and ESXi may expose cron activity through different paths and logging sources.
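The correlation described above (a crontab change followed by cron-spawned execution, scored for unusual paths and unexpected users) as a small added example; this is illustrative code written for this page, not tooling from MITRE or Glexia, and the log lines, field names and the root-only baseline are constructed assumptions:

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from any real host): routine root backups,
# then a non-root crontab replacement followed by execution from /tmp.
SAMPLE_LOG = """\
2024-05-01T02:00:01 cron[1201] user=root exec=/usr/local/bin/backup.sh
2024-05-01T03:14:07 crontab[2210] user=www-data action=REPLACE file=/var/spool/cron/crontabs/www-data
2024-05-01T03:15:01 cron[2250] user=www-data exec=/tmp/.x/update.sh
2024-05-01T04:00:01 cron[2301] user=root exec=/usr/local/bin/backup.sh
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>cron|crontab)\[\d+\] user=(?P<user>\S+) (?P<rest>.*)$")
SUSPICIOUS_PATHS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # assumed: not normal job locations here
ALLOWED_USERS = {"root"}  # assumed baseline: only root schedules jobs on this host

def parse(log):
    """Turn the constructed key=value lines into event dicts with a real timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "user": m["user"], **fields})
    return events

def correlate(events, window=timedelta(hours=1)):
    """Pair each crontab change with later cron executions by the same user inside
    the window, so a config change is only flagged once something actually ran."""
    findings = []
    for ch in (e for e in events if e["src"] == "crontab"):
        for ex in events:
            if ex["src"] != "cron" or ex["user"] != ch["user"]:
                continue
            if not (ch["ts"] <= ex["ts"] <= ch["ts"] + window):
                continue
            reasons = []
            if ex["exec"].startswith(SUSPICIOUS_PATHS):
                reasons.append("exec from temp path")
            if ex["user"] not in ALLOWED_USERS:
                reasons.append("user outside baseline")
            findings.append({"user": ex["user"], "exec": ex["exec"],
                             "change_ts": ch["ts"].isoformat(), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in correlate(parse(SAMPLE_LOG)):
        print(f)
```

The root backup runs produce no finding because no crontab change precedes them; the www-data run is reported with both reasons.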
Mitigation priorities
- Inventory systems where cron is used, especially critical Linux, macOS, and ESXi assets.
- Restrict who can create or modify scheduled jobs and review privileged cron usage.
- Enable and retain host telemetry that can support incident reconstruction of cron changes and executions.
- Establish change-management expectations for legitimate scheduled tasks so unexpected entries can be investigated quickly.
- Include cron persistence checks in incident response triage and recovery validation.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy named DET0290, but it does not include an official description, detection text, tactics, or platforms. The practical guidance here is therefore derived from the object name and its supplied relationship to T1053.003 Cron, whose related tactics are execution, persistence, and privilege escalation and whose related platforms are Linux, macOS, and ESXi.
This take does not assert active exploitation, actor attribution, guaranteed detection coverage, or vendor-specific controls. Local operating system versions, logging configuration, endpoint tooling, and administrative practices are required to determine actual coverage and alert fidelity.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e6fa398102e6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack DET0290 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.