How cron jobs can be con jobs

Routines like data backups, cache clearing, and other tasks can easily be managed with task automation tools. Task schedulers, cron jobs, and similar automation utilities help administrators achieve just that. Once these automations are scheduled, an array of administrative tasks are executed without missing a beat.

However, as a security manager, you always need to remember that legitimate automation utilities can also attract threat actors. Attackers can manipulate these utilities into running con scripts on your network. It then becomes imperative that scheduling tools in any environment must be audited.

This blog discusses how all cron job/scheduled task utilities can be manipulated for a threat actor's benefit. You'll also learn how to defend your network against the threats that task automation tools present.

How cron jobs are misused

This section discusses common ways that administrative cron jobs can be abused to benefit the attacker's goals.

System maintenance:

Use: Most IT administrators are probably using cron jobs and task schedulers to schedule routine backups as part of their data recovery strategy. Along with this, cron jobs are also used to schedule automatic software updates, disk space cleanups, and sometimes even scans for system integrity checkups.

Abuse: Your backup routines can be injected with malicious code through maintenance hooks (shortcuts developers use to enter their development codes without authentication). These maintenance hooks can be abused by attackers to enter into the code and wreck havoc on your environment. Hackers can push plugins with code that can steal data, disrupt system behavior, or launch further attacks through maintenance hooks.

Other malicious cron jobs can also be scheduled along with your legitimate tasks, such as routines that can overwhelm your systems or scripts that allow malware installations.

Data Management:

Use: Network administrators often rely on automation utilities to schedule routine data management activities like data ingestion and data archiving at specific intervals and data synchronization activities across multiple systems.

Abuse: If you aren't properly monitoring your cron jobs and other automation utilities, you may find that malicious tasks have been scheduled on your systems for data exfiltration or to corrupt the data on your systems. This is easy to accomplish by an attacker, as cron job scripts are fairly easy to craft. Threat actors may set the cron job to run during non-business hours, when there's less chance of someone noticing the data transfer, modifications, or replacement of files.

Web applications:

Use: Cron jobs can be used to schedule automatic updates to website content (example: automatic updates to the date and time on a subscription page) or to schedule the publication of content at specific times. Other ways cron jobs can assist administrators is by clearing out cache and sending automated emails and notifications.

Abuse: Yet again, hackers can find a way to spoil things when it comes to web applications. Imagine how bad it would be for your brand if your home page or feature page said something unsavory. Attackers can abuse cron jobs to deface your web content, and can go a step further and schedule cron jobs to steal user session cookies or gain unauthorized access to accounts. As a security manager, you need to use the right tools to get insight into whether attackers have scheduled tasks that inject malicious code into websites.

Also, keep in mind that cryptojacking attacks have been conducted through the use of cron jobs to execute malicious scripts that utilize the victim's system processing power to mine cryptocurrency for the attacker.

Best practices to protect your cron jobs:

• Cron job review: Monitor and ensure that only authorized cron jobs are scheduled and executed. This is an ongoing process, and we recommend that you do a periodic review of all your automation utilities.
• Control access to cron jobs: Following a policy of least privilege where only authorized personnel can create, use, and modify cron jobs will definitely make the management and review of scheduled tasks easier and more secure.
• Protect cron job servers: Use strong password policies for user accounts with access to servers on which cron jobs are run.
• Investing in the right security tools: A good SIEM solution can bring all these best practices into a single platform that makes it easy to audit and manage task automation utilities.

How Log360 can help:

ManageEngine's Log360 is a powerful SIEM solution that offers security teams enhanced log management, detection, and incident response. With Log360 a security manager can leverage different capabilities, like AD management and auditing, DLP, CASB and UEBA available on a single platform to secure different aspects of their network. Log360 offers security practitioners extensive reporting styles that offer in-depth insights on every nook and cranny of an organization's network for possible threat occurrences.

In this specific case of cron job or scheduled task monitoring, several prebuilt analytics in Log360 will help you track automated tasks in your network.

• Leverage insights from the cron-job category of reports in Log360 that track all modifications, creations, and deletions of cron jobs. Figure 1 shows this category of reports.

Figure 1: Log360 has a category of reports on cron job creations, modifications, and deletions.

• View everything related to tasks scheduled on the Windows Task scheduler, new processes created, or deleted under the Process Tacking reports. Figure 2a and 2b show these categories of reports.

Figure 2a: Log360 also gives you a category of reports on task creations, deletions, and modifications on Windows Task Scheduler.

Figure 2b: You can also track process creations and deletions and the users associated with these events in Log360.

• Track any suspicious commands being executed on Powershell through Powershell auditing reports. Figure 3 shows this category of reports.

Figure 3: With Log360 you can also audit Powershell to see if any suspicious commands are being executed.

• Track all changes to your important files through file server audit reports. Figure 4 shows the list of built-in reports under the File audit category of reports along with a dashboard setup for easy viewing of file changes.

Figure 4: Log360 helps you audit all changes to your files through the File Audit category of reports.

Interested in these features of Log360? Then sign up for a personalized demo to learn about all the different SIEM capabilities Log360 can offer your security team.