at Jobs & Anacron Scheduled Tasks

linuxPersistence MechanismsDisk Image

Location

/var/spool/at/, /var/spool/cron/atjobs/, /etc/anacrontab, /var/spool/anacron/

Description

One-time scheduled execution via at command (jobs stored in /var/spool/at/) and periodic task scheduling via anacron for systems that are not continuously running. at jobs execute once at a specified time and are deleted after execution.

Forensic Value

at jobs provide one-time delayed execution that attackers use for time-delayed payload deployment and deferred persistence activation. Unlike cron, at jobs execute once and are automatically removed, making them harder to detect. Checking /var/spool/at/ for pending jobs reveals scheduled attacks not yet executed. Anacron jobs in /etc/anacrontab execute periodic tasks that catch up after system downtime, providing another persistence avenue. Both are often overlooked during cron-focused persistence sweeps.

Tools Required

atqat -ccatfindls -la

Acquisition Methods

dd / dc3dd Raw Disk Image

linux — physical

dcfldd Forensic Disk Image

linux — physical

ewfacquire E01 Disk Image

linux — physical

Guymager Full Disk Image

linux — physical

tar Logical Collection

linux — logical