MITRE ATT&CK Technique
Description
Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths. An adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup or on a scheduled basis for [Persistence](https://attack.mitre.org/tactics/TA0003). In ESXi environments, cron jobs must be created directly via the crontab file (e.g., `/var/spool/cron/crontabs/root`).(Citation: CloudSEK ESXiArgs 2023)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2019-12-03T14:25:00.538Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may abuse the <code>cron</code> utility to '
'perform task scheduling for initial or recurring execution of '
'malicious code.(Citation: 20 macOS Common Tools and '
'Techniques) The <code>cron</code> utility is a time-based job '
'scheduler for Unix-like operating systems. The <code> '
'crontab</code> file contains the schedule of cron entries to '
'be run and the specified times for execution. Any '
'<code>crontab</code> files are stored in operating '
'system-specific file paths.\n'
'\n'
'An adversary may use <code>cron</code> in Linux or Unix '
'environments to execute programs at system startup or on a '
'scheduled basis for '
'[Persistence](https://attack.mitre.org/tactics/TA0003). In '
'ESXi environments, cron jobs must be created directly via the '
'crontab file (e.g., '
'`/var/spool/cron/crontabs/root`).(Citation: CloudSEK ESXiArgs '
'2023)',
'external_references': [{'external_id': 'T1053.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1053/003'},
{'description': 'Mehardeep Singh Sawhney. (2023, '
'February 9). Analysis of Files Used '
'in ESXiArgs Ransomware Attack '
'Against VMware ESXi Servers. '
'Retrieved March 26, 2025.',
'source_name': 'CloudSEK ESXiArgs 2023',
'url': 'https://www.cloudsek.com/blog/analysis-of-files-used-in-esxiargs-ransomware-attack-against-vmware-esxi-servers'},
{'description': 'Phil Stokes. (2021, February 16). 20 '
'Common Tools & Techniques Used by '
'macOS Threat Actors & Malware. '
'Retrieved August 23, 2021.',
'source_name': '20 macOS Common Tools and Techniques',
'url': 'https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/'}],
'id': 'attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'}],
'modified': '2025-10-24T17:48:33.856Z',
'name': 'Cron',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'ESXi'],
'x_mitre_version': '1.3'}