at Jobs & Anacron Scheduled Tasks

Linux, Persistence Mechanisms, Disk Image

Location

/var/spool/at/, /var/spool/cron/atjobs/, /etc/anacrontab, /var/spool/anacron/

Description

One-time scheduled execution via the at command (jobs stored in /var/spool/at/) and periodic task scheduling via anacron for systems that are not continuously running. at jobs execute once at a specified time and are deleted after execution.

Forensic Value

at jobs provide one-time delayed execution that attackers use for time-delayed payload deployment and deferred persistence activation. Unlike cron, at jobs execute once and are automatically removed, making them harder to detect. Checking /var/spool/at/ for pending jobs reveals scheduled attacks not yet executed. Anacron jobs in /etc/anacrontab execute periodic tasks that catch up after system downtime, providing another persistence avenue. Both are often overlooked during cron-focused persistence sweeps.

Tools Required

atq, at -c, cat, find, ls -la

Collection Commands

tar

tar czf /forensics/output/at_jobs.tar.gz /var/spool/at/ /var/spool/cron/atjobs/

atq

atq > /forensics/output/pending_at_jobs.txt

find

find /var/spool/at/ -type f -exec cat {} \; > /forensics/output/at_job_contents.txt

cat

cat /etc/anacrontab > /forensics/output/anacrontab.txt
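
atq reads the live system's queue, so on a mounted disk image the schedule of a pending job has to be recovered from the spool file name instead. The script below is an added example, not part of the original page: it assumes the name layout used by the common Linux at package (one queue character, 5 hex digits of job number, 8 hex digits of run time in minutes since the Unix epoch), and decode_at_name, list_at_jobs and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Decode at(1) spool file names offline, e.g. under <image mount>/var/spool/at/.
# Assumed layout: <queue char><5 hex: job number><8 hex: run time in minutes
# since the epoch>. A leading "=" marks a job that was running.

# Print "<queue> <job number> <run time in epoch seconds>".
# Returns 1 when the name does not match the layout (e.g. .SEQ).
decode_at_name() {
    name=${1##*/}
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z=][0-9a-f]{13}$' || return 1
    queue=$(printf '%s' "$name" | cut -c1)
    job=$(printf '%d' "0x$(printf '%s' "$name" | cut -c2-6)")
    minutes=$(printf '%d' "0x$(printf '%s' "$name" | cut -c7-14)")
    printf '%s %s %s\n' "$queue" "$job" "$((minutes * 60))"
}

# List every regular file under a spool directory with its decoded schedule.
# Files that do not look like job files are reported rather than skipped,
# so nothing in the spool goes unreviewed.
list_at_jobs() {
    find "$1" -type f | sort | while IFS= read -r path; do
        if decoded=$(decode_at_name "$path"); then
            printf '%s %s\n' "$decoded" "$path"
        else
            printf 'UNPARSED %s\n' "$path"
        fi
    done
}

# Constructed sample: empty files named like job 42 in queue "a", due at
# 2024-01-01 00:00 UTC, plus the sequence file at keeps in its spool.
demo() {
    spool=$(mktemp -d)
    : > "$spool/a0002a01b15de0"
    : > "$spool/.SEQ"
    list_at_jobs "$spool"
    rm -rf "$spool"
}

# With an argument, decode that spool directory; otherwise run the sample.
if [ "$#" -gt 0 ]; then
    list_at_jobs "$1"
else
    demo
fi
```

The third column is epoch seconds in UTC; compare it against the image acquisition time to separate jobs that were still pending from jobs that were overdue.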

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1053.001, T1053, T1059.004