Adversaries may remove scheduled cron tasks to eliminate competing malware or to clean up their own persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel so that both competing-malware removal and persistence-evasion activity can be identified and mitigated.
Detection Rule
title: Remove Scheduled Cron Task/Job
id: c2e234de-03a3-41e1-b39a-1e56dc17ba67
status: test
description: |
    Detects usage of the 'crontab' utility to remove the current crontab.
    This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible.
references:
    - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: 'crontab'
        CommandLine|contains: ' -r'
    condition: selection
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query

imProcessCreate
| where TargetProcessName endswith "crontab" and TargetProcessCommandLine contains " -r"
False Positive Scenarios

Scenario: System Maintenance Task to Clean Old Cron Jobs
Description: A system administrator runs crontab -r as part of a routine maintenance script to remove outdated or unused cron jobs.
Filter/Exclusion: Check for the presence of a known maintenance script or user (e.g., root, sysadmin, or a specific user with maintenance privileges). Use a filter like:
    user == "root" || user == "sysadmin"

Scenario: Scheduled Job to Reset Cron Configuration
Description: A legitimate scheduled job (e.g., using cron or systemd-timedatectl) is configured to reset the crontab to a clean state during system updates.
Filter/Exclusion: Exclude events where the command is part of a known update or configuration reset process. Use a filter like:
    command_line contains "cron-reset" || command_line contains "systemd-timedatectl"

Scenario: User-Initiated Cron Cleanup via Terminal
Description: A user manually runs crontab -r to remove their own scheduled tasks after completing a task or during troubleshooting.
Filter/Exclusion: Exclude events where the user is the owner of the crontab file. Use a filter like:
    user == "target_user" || user == "admin_user"

Scenario: Cron Job to Remove Temporary Cron Entries
Description: A temporary cron job (e.g., created by a deployment tool like Ansible or Terraform) is configured to remove its own entry after execution.
Filter/Exclusion: Exclude commands that match known deployment tools or temporary job patterns. Use a filter like:
    command_line contains "ansible" || command_line contains "terraform"
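The following is an added example, not code from the original page or the Sigma project: it replays the rule's selection (Image ends with crontab, command line contains " -r") and then the page's false-positive exclusions over a handful of constructed process-creation events, showing which events alert, which are suppressed and why, and which never match. Field names mirror the ASIM ProcessEvent schema used by imProcessCreate (ActorUsername, TargetProcessName, TargetProcessCommandLine); the sample events and allow-lists are constructed for illustration.

```python
"""Added example, not the page's or the Sigma project's code: replays the rule's
selection and the page's false-positive exclusions over constructed events whose
field names follow ASIM ProcessEvent (ActorUsername, TargetProcessName,
TargetProcessCommandLine). Sample events and allow-lists are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Allow-list values taken from the page's false-positive scenarios.
MAINTENANCE_USERS = {"root", "sysadmin"}
KNOWN_TOOL_MARKERS = ("cron-reset", "systemd-timedatectl", "ansible", "terraform")

@dataclass(frozen=True)
class ProcessEvent:
    actor: str          # ActorUsername
    image: str          # TargetProcessName (full executable path)
    command_line: str   # TargetProcessCommandLine

def matches_rule(ev: ProcessEvent) -> bool:
    """Sigma selection: Image|endswith 'crontab' AND CommandLine|contains ' -r'."""
    return ev.image.endswith("crontab") and " -r" in ev.command_line

def exclusion_reason(ev: ProcessEvent) -> Optional[str]:
    """Name the page exclusion that suppresses a hit, or None if it should alert.
    Caveat: allow-listing root hides every root-level actor, not just maintenance."""
    if ev.actor in MAINTENANCE_USERS:
        return "maintenance user"
    for marker in KNOWN_TOOL_MARKERS:
        if marker in ev.command_line:
            return f"known tool: {marker}"
    return None

def triage(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, str]]:
    """Apply the selection, then the exclusions; return (event, verdict) per hit."""
    results = []
    for ev in events:
        if matches_rule(ev):
            reason = exclusion_reason(ev)
            results.append((ev, f"suppressed: {reason}" if reason else "ALERT"))
    return results

# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    ProcessEvent("www-data", "/usr/bin/crontab", "crontab -r"),                    # wipe -> ALERT
    ProcessEvent("root", "/usr/bin/crontab", "crontab -r -u deploy"),              # maintenance user
    ProcessEvent("deploy", "/usr/bin/crontab", "crontab -r  # ansible post-task"), # known tool
    ProcessEvent("alice", "/usr/bin/crontab", "crontab -l"),                       # listing: no match
]

if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:<30} {ev.actor:<10} {ev.command_line}")
```

Note that the user-based exclusion suppresses the second event even though `crontab -r -u deploy` wipes another account's crontab, which is exactly the breadth the caveat in `exclusion_reason` warns about.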