MITRE ATT&CK Technique
Description
On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: Die.net Linux at Man Page) and launchd. (Citation: AppleDocs Scheduling Timed Jobs) Unlike [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH). ### cron System-wide cron jobs are installed by modifying <code>/etc/crontab</code> file, <code>/etc/cron.d/</code> directory or other locations supported by the Cron daemon, while per-user cron jobs are installed using crontab with specifically formatted crontab files. (Citation: AppleDocs Scheduling Timed Jobs) This works on macOS and Linux systems. Those methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence, (Citation: Janicab) (Citation: Methods of Mac Malware Persistence) (Citation: Malware Persistence on OS X) (Citation: Avast Linux Trojan Cron Persistence) to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account. ### at The at program is another means on POSIX-based systems, including macOS and Linux, to schedule a program or script job for execution at a later date and/or time, which could also be used for the same purposes. ### launchd Each launchd job is described by a different configuration property list (plist) file similar to [Launch Daemon](https://attack.mitre.org/techniques/T1160) or [Launch Agent](https://attack.mitre.org/techniques/T1159), except there is an additional key called <code>StartCalendarInterval</code> with a dictionary of time values. (Citation: AppleDocs Scheduling Timed Jobs) This only works on macOS and OS X.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'On Linux and macOS systems, multiple methods are supported '
'for creating pre-scheduled and periodic background jobs: '
'cron, (Citation: Die.net Linux crontab Man Page) at, '
'(Citation: Die.net Linux at Man Page) and launchd. (Citation: '
'AppleDocs Scheduling Timed Jobs) Unlike [Scheduled '
'Task/Job](https://attack.mitre.org/techniques/T1053) on '
'Windows systems, job scheduling on Linux-based systems cannot '
'be done remotely unless used in conjunction within an '
'established remote session, like secure shell (SSH).\n'
'\n'
'### cron\n'
'\n'
'System-wide cron jobs are installed by modifying '
'<code>/etc/crontab</code> file, <code>/etc/cron.d/</code> '
'directory or other locations supported by the Cron daemon, '
'while per-user cron jobs are installed using crontab with '
'specifically formatted crontab files. (Citation: AppleDocs '
'Scheduling Timed Jobs) This works on macOS and Linux '
'systems.\n'
'\n'
'Those methods allow for commands or scripts to be executed at '
'specific, periodic intervals in the background without user '
'interaction. An adversary may use job scheduling to execute '
'programs at system startup or on a scheduled basis for '
'Persistence, (Citation: Janicab) (Citation: Methods of Mac '
'Malware Persistence) (Citation: Malware Persistence on OS X) '
'(Citation: Avast Linux Trojan Cron Persistence) to conduct '
'Execution as part of Lateral Movement, to gain root '
'privileges, or to run a process under the context of a '
'specific account.\n'
'\n'
'### at\n'
'\n'
'The at program is another means on POSIX-based systems, '
'including macOS and Linux, to schedule a program or script '
'job for execution at a later date and/or time, which could '
'also be used for the same purposes.\n'
'\n'
'### launchd\n'
'\n'
'Each launchd job is described by a different configuration '
'property list (plist) file similar to [Launch '
'Daemon](https://attack.mitre.org/techniques/T1160) or [Launch '
'Agent](https://attack.mitre.org/techniques/T1159), except '
'there is an additional key called '
'<code>StartCalendarInterval</code> with a dictionary of time '
'values. (Citation: AppleDocs Scheduling Timed Jobs) This only '
'works on macOS and OS X.',
'external_references': [{'external_id': 'T1168',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1168'},
{'description': 'Paul Vixie. (n.d.). crontab(5) - '
'Linux man page. Retrieved December '
'19, 2017.',
'source_name': 'Die.net Linux crontab Man Page',
'url': 'https://linux.die.net/man/5/crontab'},
{'description': 'Thomas Koenig. (n.d.). at(1) - Linux '
'man page. Retrieved December 19, '
'2017.',
'source_name': 'Die.net Linux at Man Page',
'url': 'https://linux.die.net/man/1/at'},
{'description': 'Apple. (n.d.). Retrieved July 17, '
'2017.',
'source_name': 'AppleDocs Scheduling Timed Jobs',
'url': 'https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/ScheduledJobs.html'},
{'description': 'Thomas. (2013, July 15). New signed '
'malware called Janicab. Retrieved '
'July 17, 2017.',
'source_name': 'Janicab',
'url': 'http://www.thesafemac.com/new-signed-malware-called-janicab/'},
{'description': 'Patrick Wardle. (2014, September). '
'Methods of Malware Persistence on '
'Mac OS X. Retrieved July 5, 2017.',
'source_name': 'Methods of Mac Malware Persistence',
'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'},
{'description': 'Patrick Wardle. (2015). Malware '
'Persistence on OS X Yosemite. '
'Retrieved July 10, 2017.',
'source_name': 'Malware Persistence on OS X',
'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'},
{'description': 'Threat Intelligence Team. (2015, '
'January 6). Linux DDoS Trojan hiding '
'itself with an embedded rootkit. '
'Retrieved January 8, 2018.',
'source_name': 'Avast Linux Trojan Cron Persistence',
'url': 'https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/'}],
'id': 'attack-pattern--c0a384a4-9a25-40e1-97b6-458388474bc8',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:49:19.508Z',
'name': 'Local Job Scheduling',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Anastasios Pingios'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS'],
'x_mitre_version': '1.1'}