Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfiltration-LinuxCronScheduledExfil.
Upgrade to ProScheduled Transfer — Scheduled Data Exfiltration via Linux Cron Jobs
Adversaries who compromise Linux servers, containers, or cloud instances frequently use cron — the native Linux job scheduler — to establish recurring, low-and-slow data exfiltration rather than a single large transfer. A malicious crontab entry or drop file in /etc/cron.d/ can invoke curl, wget, scp, rsync, or nc at a fixed interval to stage and transmit archived data (tar/zip of /home, /var/www, database dump directories, or cloud instance metadata) to an external destination, blending with legitimate scheduled maintenance jobs. This pattern is common on internet-facing Linux servers, self-managed databases, and container hosts, and is frequently paired with cron-based persistence mechanisms. The existing T1029 baseline detection in this platform is written entirely against Windows/Microsoft Defender for Endpoint telemetry (DeviceNetworkEvents beaconing, Task Scheduler) and does not address the Linux cron equivalent, leaving a platform gap for organizations running Linux infrastructure.
What is THREAT-Exfiltration-LinuxCronScheduledExfil Scheduled Data Exfiltration via Linux Cron Jobs?
Scheduled Data Exfiltration via Linux Cron Jobs (THREAT-Exfiltration-LinuxCronScheduledExfil) is a sub-technique of Scheduled Transfer (T1029) in the MITRE ATT&CK framework. It maps to the Exfiltration tactic — the adversary is trying to steal data.
This page provides production-ready detection logic for Scheduled Data Exfiltration via Linux Cron Jobs, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint for Linux (DeviceProcessEvents), Process: Process Creation (Linux), Scheduled Job: Scheduled Job Creation. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Exfiltration
// THREAT: Linux Cron Scheduled Exfiltration
// Requires Microsoft Defender for Endpoint on Linux (DeviceProcessEvents populated for Linux devices)
let ExfilTools = dynamic(["curl", "wget", "scp", "rsync", "nc", "ncat", "socat"]);
let ArchiveTools = dynamic(["tar", "zip", "gzip", "7z"]);
// Signal 1: crontab / cron drop-in file modification
let CrontabEdits = DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceOS =~ "Linux"
| where FileName =~ "crontab" and ProcessCommandLine has_any ("-e", "-l", "-u")
| extend Signal = "CrontabModified"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Signal;
// Signal 2: cron/crond spawning a network transfer tool
let CronSpawnedExfil = DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceOS =~ "Linux"
| where InitiatingProcessFileName in~ ("cron", "crond", "anacron")
| where FileName in~ (ExfilTools)
| extend Signal = "CronSpawnedTransferTool"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, Signal;
// Signal 3: cron-spawned archive-then-transfer chain (staging pattern)
let CronStaging = DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceOS =~ "Linux"
| where InitiatingProcessFileName in~ ("cron", "crond", "anacron")
| where FileName in~ (ArchiveTools)
| where ProcessCommandLine has_any ("/home", "/var/www", "/etc/shadow", "/var/lib/mysql", "pg_dump", "/root")
| extend Signal = "CronArchiveStaging"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, Signal;
CrontabEdits
| union CronSpawnedExfil, CronStaging
| sort by Timestamp desc Detects Linux cron-based scheduled exfiltration using Microsoft Defender for Endpoint's Linux process telemetry. Signal 1 flags crontab command invocations that add/edit/list a user's crontab. Signal 2 flags cron/crond/anacron directly spawning a network transfer utility (curl, wget, scp, rsync, nc, ncat, socat) — a pattern with no common legitimate ad-hoc use outside scheduled backup jobs. Signal 3 flags cron spawning an archive tool (tar/zip/gzip/7z) targeting sensitive paths (/home, /var/www, /etc/shadow, MySQL/Postgres data directories), the staging step that typically precedes the transfer in the same or a chained cron entry.
Data Sources
Required Tables
False Positives
- Legitimate cron-driven backup jobs (rsync/scp to a backup server, mysqldump piped to a remote host) that are already known and documented IT operations
- Configuration management tools (Ansible, Puppet, Chef) that use cron for scheduled convergence runs and may invoke curl/wget to fetch configuration
- Log shipping or monitoring agents scheduled via cron to curl a metrics endpoint
- Certificate renewal scripts (certbot/acme.sh) scheduled via cron that use curl for ACME challenge validation
Sigma rule & cross-platform mapping
The detection logic for Scheduled Data Exfiltration via Linux Cron Jobs (THREAT-Exfiltration-LinuxCronScheduledExfil) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for THREAT-Exfiltration-LinuxCronScheduledExfil
References (4)
- https://attack.mitre.org/techniques/T1029/
- https://attack.mitre.org/techniques/T1053/003/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
- https://www.cisa.gov/news-events/cybersecurity-advisories (general guidance on Linux cloud worm cron persistence patterns)
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Cron Job Spawning curl to External Host
Expected signal: auditd EXECVE record for crontab with '-' (replace) argument. Subsequent auditd EXECVE record for curl spawned with comm=cron/crond as parent, invoking the httpbin.org POST.
- Test 2Cron-Triggered Archive and Stage of Home Directory
Expected signal: auditd EXECVE record for tar with comm=cron/crond as parent, arguments including '/home' as the target path.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Exfiltration-LinuxCronScheduledExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (3)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.
- THREAT-ArchiveStaging-ScheduledExfilScheduled Batch Exfiltration of Compressed Archive StagingUse for archive staging — rar/7z multi-volume splitting ahead of a timed transfer, typical of ransomware double-extortion.
- THREAT-CloudCLI-ScheduledExfilScheduled Transfer via Cloud Sync/Backup CLI ToolsUse for cloud CLI LOLBins — rclone, restic or azcopy launched by a scheduler rather than a human.
- THREAT-Exfil-ScheduledBulkTransferScheduled Off-Hours Bulk Data TransferUse for network-side detection — off-hours bulk-volume NetFlow, when you have no endpoint scheduler visibility.