Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfiltration-LinuxCronScheduledExfil.

Upgrade to Pro
THREAT-Exfiltration-LinuxCronScheduledExfil Google Chronicle · YARA-L

Detect Scheduled Data Exfiltration via Linux Cron Jobs in Google Chronicle

Adversaries who compromise Linux servers, containers, or cloud instances frequently use cron — the native Linux job scheduler — to establish recurring, low-and-slow data exfiltration rather than a single large transfer. A malicious crontab entry or drop file in /etc/cron.d/ can invoke curl, wget, scp, rsync, or nc at a fixed interval to stage and transmit archived data (tar/zip of /home, /var/www, database dump directories, or cloud instance metadata) to an external destination, blending with legitimate scheduled maintenance jobs. This pattern is common on internet-facing Linux servers, self-managed databases, and container hosts, and is frequently paired with cron-based persistence mechanisms. The existing T1029 baseline detection in this platform is written entirely against Windows/Microsoft Defender for Endpoint telemetry (DeviceNetworkEvents beaconing, Task Scheduler) and does not address the Linux cron equivalent, leaving a platform gap for organizations running Linux infrastructure.

MITRE ATT&CK

Tactic
Exfiltration

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule linux_cron_scheduled_exfil {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects Linux cron-based scheduled data exfiltration via crontab modification or cron spawning transfer/archive tools"
    severity = "HIGH"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1029"
    created = "2026-07-14"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.platform = "LINUX"
    (
      re.regex($e.target.process.file.full_path, `(?i)crontab$`)
      or (
        re.regex($e.principal.process.file.full_path, `(?i)(cron|crond|anacron)$`) and
        re.regex($e.target.process.file.full_path, `(?i)(curl|wget|scp|rsync|nc|ncat|socat)$`)
      )
      or (
        re.regex($e.principal.process.file.full_path, `(?i)(cron|crond|anacron)$`) and
        re.regex($e.target.process.file.full_path, `(?i)(tar|zip|gzip|7z)$`) and
        re.regex($e.target.process.command_line, `(?i)(/home|/var/www|shadow|mysql|/root)`)
      )
    )

  condition:
    $e
}
high severity medium confidence

Chronicle YARA-L 2.0 rule matching PROCESS_LAUNCH UDM events on Linux hosts for crontab modification, cron/crond/anacron spawning network transfer tools, and cron spawning archive tools targeting sensitive directories. Covers the stage-then-transfer cron exfiltration pattern common to compromised Linux servers and cloud instances.

Data Sources

Google Chronicle SIEMChronicle UDM (PROCESS_LAUNCH, principal.platform = LINUX)Auditd/Sysmon for Linux via Chronicle forwarder

Required Tables

UDM events (metadata.event_type = PROCESS_LAUNCH)

False Positives & Tuning

  • Documented cron-driven backup jobs using rsync/scp to a known backup host
  • Configuration management or certificate renewal jobs invoking curl/wget from cron

Other platforms for THREAT-Exfiltration-LinuxCronScheduledExfil


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Cron Job Spawning curl to External Host

    Expected signal: auditd EXECVE record for crontab with '-' (replace) argument. Subsequent auditd EXECVE record for curl spawned with comm=cron/crond as parent, invoking the httpbin.org POST.

  2. Test 2Cron-Triggered Archive and Stage of Home Directory

    Expected signal: auditd EXECVE record for tar with comm=cron/crond as parent, arguments including '/home' as the target path.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Exfiltration-LinuxCronScheduledExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections