Remove Cron Job CM0120
Remove Cron Job (CM0120)
In PlaybookDetails
- ID: CM0120
- Version: 1.0
- Created: 14 March 2025
- Modified: 14 March 2025
- Type: Eliminate
- Status: Active
Intended Outcome
Removing a malicious or manipulated Cron job prevents adversarial objectives of execution, persistence, and privilege escalation.Introduction
The cron daemon is a time-based job scheduler in Unix-like operating systems, including Linux. It is commonly used for automating system maintenance, running scripts, and executing commands at scheduled intervals. However, adversaries can abuse the cron service to establish persistence, escalate privileges, and execute malicious payloads. This countermeasure aims to inform the process of removing a cron job that has been created or manipulated to fulfill an adversary's campaign.Preparation
- Take inventory of all Linux systems and note the presence of the Cron utility.
- Document all Cron jobs currently scheduled on enterprise systems. Identify the user accounts associated with existing Cron jobs and the scripts or commands being executed.
- Ensure that the Cron job configurations are backed up before making any changes.
Risks
- Modifying Cron job configurations may disrupt scheduled tasks and impact previously automated system operations.
- Failure to restrict Cron jobs by following the principle of least privilege creates system vulnerabilities that enable potential execution and persistence objectives by an adversary.
Guidance
Removing Malicious Cron Jobs
- Identify suspicious or unauthorized cron jobs by cross-referencing with documented and approved Cron jobs.
- Remove the Cron jobs that are identified to be malicious or manipulated using the following commands:
- To remove Cron jobs that run at a user level `crontab -r -u <username>`
- To remove system-wide/universal Cron jobs:
- `sudo rm /etc/cron.d/<malicious_cron_jobs>`
- `sudo sed -i '/<malicious_cron_job>/d' /etc/crontab`
- Verify Cron jobs have been removed by listing Cron jobs and reviewing crontabs:
- `ls /var/spool/cron/crontabs`
- List Cron jobs for all users:
- `crontab -l`
- `sudo cat /etc/crontab`
- `sudo ls -la /etc/cron.d/`
References
- Removing crontab Files | https://docs.oracle.com/cd/E18752_01/html/817-0403/sysrescron-17.html
- ID: CM0120
- Version: 1.0
- Created: 13 March 2025
- Modified: 13 March 2025
- Type: Eliminate