Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Exfiltration-LinuxCronScheduledExfil.
Upgrade to ProDetect Scheduled Data Exfiltration via Linux Cron Jobs in IBM QRadar
Adversaries who compromise Linux servers, containers, or cloud instances frequently use cron — the native Linux job scheduler — to establish recurring, low-and-slow data exfiltration rather than a single large transfer. A malicious crontab entry or drop file in /etc/cron.d/ can invoke curl, wget, scp, rsync, or nc at a fixed interval to stage and transmit archived data (tar/zip of /home, /var/www, database dump directories, or cloud instance metadata) to an external destination, blending with legitimate scheduled maintenance jobs. This pattern is common on internet-facing Linux servers, self-managed databases, and container hosts, and is frequently paired with cron-based persistence mechanisms. The existing T1029 baseline detection in this platform is written entirely against Windows/Microsoft Defender for Endpoint telemetry (DeviceNetworkEvents beaconing, Task Scheduler) and does not address the Linux cron equivalent, leaving a platform gap for organizations running Linux infrastructure.
MITRE ATT&CK
- Tactic
- Exfiltration
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
hostname AS Hostname,
username AS Username,
"exe" AS Executable,
"comm" AS ParentComm,
"a0" AS Arg0,
CASE
WHEN LOWER("exe") LIKE '%crontab%' THEN 'CrontabModified'
WHEN LOWER("comm") IN ('cron','crond','anacron') AND LOWER("exe") LIKE ANY ('%curl%','%wget%','%scp%','%rsync%','%nc%','%ncat%','%socat%') THEN 'CronSpawnedTransferTool'
WHEN LOWER("comm") IN ('cron','crond','anacron') AND LOWER("exe") LIKE ANY ('%tar%','%zip%','%gzip%','%7z%') THEN 'CronArchiveStaging'
ELSE 'Other'
END AS Signal
FROM events
WHERE
LOGSOURCETYPENAME(logsourceid) IN ('Linux OS', 'Linux Audit')
AND QIDNAME(qid) LIKE '%EXECVE%'
AND (
LOWER("exe") LIKE '%crontab%'
OR (LOWER("comm") IN ('cron','crond','anacron'))
)
AND starttime > NOW() - 86400000
ORDER BY EventTime DESC QRadar AQL query over Linux auditd EXECVE events (ingested via a Universal DSM or the Linux Audit DSM) detecting crontab modifications and cron/crond/anacron spawning network transfer or archive utilities. Requires custom event properties 'exe', 'comm', and 'a0' extracted from the auditd EXECVE payload.
Data Sources
Required Tables
False Positives & Tuning
- Documented cron-driven backup jobs using rsync/scp to a known backup host
- Configuration management or certificate renewal cron jobs invoking curl/wget
Other platforms for THREAT-Exfiltration-LinuxCronScheduledExfil
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Cron Job Spawning curl to External Host
Expected signal: auditd EXECVE record for crontab with '-' (replace) argument. Subsequent auditd EXECVE record for curl spawned with comm=cron/crond as parent, invoking the httpbin.org POST.
- Test 2Cron-Triggered Archive and Stage of Home Directory
Expected signal: auditd EXECVE record for tar with comm=cron/crond as parent, arguments including '/home' as the target path.
References (4)
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Exfiltration-LinuxCronScheduledExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (3)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.
- THREAT-ArchiveStaging-ScheduledExfilScheduled Batch Exfiltration of Compressed Archive StagingUse for archive staging — rar/7z multi-volume splitting ahead of a timed transfer, typical of ransomware double-extortion.
- THREAT-CloudCLI-ScheduledExfilScheduled Transfer via Cloud Sync/Backup CLI ToolsUse for cloud CLI LOLBins — rclone, restic or azcopy launched by a scheduler rather than a human.
- THREAT-Exfil-ScheduledBulkTransferScheduled Off-Hours Bulk Data TransferUse for network-side detection — off-hours bulk-volume NetFlow, when you have no endpoint scheduler visibility.