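[hunt]
author = "Elastic"
description = """
This hunt identifies potential persistence mechanisms via cron on Linux systems. It monitors for file creation or modification events related to cron configurations and processes spawned by cron, fcron, or atd. These activities can indicate attempts to establish persistence through scheduled tasks.
"""
integration = ["endpoint"]
uuid = "e1cffb7c-4acf-4e7a-8d72-b8b7657cf7b8"
name = "Persistence via Cron"
language = ["ES|QL", "SQL"]
license = "Elastic License v2"
notes = [
"This hunt includes multiple ES|QL and OSQuery queries to identify potential persistence mechanisms via cron on Linux systems.",
"Detects file creation or modification events in directories and files associated with cron configurations, such as /etc/cron.allow, /etc/cron.deny, /etc/crontab, all /etc/cron.* directories and various /var/spool directories.",
"Excludes common legitimate processes and file types to minimize false positives.",
"Uses EVAL to tag potential persistence events and counts occurrences to identify unusual activity.",
"Monitors processes started by cron, fcron, or atd to detect potential persistence mechanisms.",
"OSQuery queries are provided to complement the detection by retrieving detailed file information and crontab entries."
]
mitre = ["T1053.003", "T1053.005"]
# Four queries: two ES|QL hunts over endpoint file/process events, then two
# OSQuery queries for on-host triage. Comments are kept outside the '''
# literals so that the query text sent to each engine is exactly what is
# shown between the quotes.
query = [
# ES|QL (file events, last 30 days): creation/change under cron, anacron, at,
# fcron and tsp locations, excluding package managers and editor temp files.
# The case() condition repeats the where-filter, so `persistence` is simply
# process.name for every surviving row; the stats step then keeps only
# low-volume (process.executable, file.path) pairs seen on few agents.
'''
from logs-endpoint.events.file-*
| where @timestamp > now() - 30 day
| where host.os.type == "linux" and event.type in ("creation", "change") and (
file.path in ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab") or
file.path like "/etc/cron.*/*" or
file.path like "/var/spool/cron/crontabs/*" or
file.path like "/var/spool/anacron/*" or
file.path like "/var/spool/cron/atjobs/*" or
file.path like "/var/spool/fcron/*" or
file.path like "/home/*/.tsp/*"
) and not (
process.name in ("dpkg", "dockerd", "yum", "dnf", "snapd", "pacman", "pamac-daemon", "anacron") or
file.extension in ("dpkg-remove", "swx", "swp") or
file.name like "tmp.*"
)
| eval persistence = case(
file.path in ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab") or
file.path like "/etc/cron.*/*" or
file.path like "/var/spool/cron/crontabs/*" or
file.path like "/var/spool/anacron/*" or
file.path like "/var/spool/cron/atjobs/*" or
file.path like "/var/spool/fcron/*" or
file.path like "/home/*/.tsp/*",
process.name,
null
)
| stats pers_count = count(persistence), agent_count = count_distinct(agent.id) by process.executable, file.path
| where pers_count > 0 and pers_count <= 20 and agent_count <= 3
| sort pers_count asc
| limit 100
''',
# ES|QL (process events, last 30 days): command lines exec'd with cron, fcron
# or atd as the parent, kept only when seen on at most 3 hosts, rarest first.
'''
from logs-endpoint.events.process-*
| where @timestamp > now() - 30 day
| where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.parent.name in ("cron", "fcron", "atd")
| stats cc = count(), host_count = count_distinct(host.id) by process.command_line
| where host_count <= 3
| sort cc asc
| limit 100
''',
# OSQuery: owner, group and timestamps for the same cron-related paths.
# In SQL LIKE the wildcard is "%" ("*" is a literal character), so the
# /etc/cron.<dir>/<file> pattern uses "%" on both path components; the
# explicit /etc/cron.d, .hourly, .daily, .weekly, .monthly patterns that
# follow are kept as documentation of the expected directories.
# NOTE(review): the double-quoted literals rely on SQLite's fallback from
# identifier to string when no such column exists; single quotes are the
# portable form.
'''
SELECT
f.filename,
f.path,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN
users u ON f.uid = u.uid
LEFT JOIN
groups g ON f.gid = g.gid
WHERE
f.path IN ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab")
OR f.path LIKE "/etc/cron.%/%"
OR f.path LIKE "/var/spool/cron/crontabs/%"
OR f.path LIKE "/var/spool/anacron/%"
OR f.path LIKE "/var/spool/cron/atjobs/%"
OR f.path LIKE "/var/spool/fcron/%"
OR f.path LIKE "/home/%/.tsp/%"
OR f.path LIKE "/etc/cron.allow.d/%"
OR f.path LIKE "/etc/cron.d/%"
OR f.path LIKE "/etc/cron.hourly/%"
OR f.path LIKE "/etc/cron.daily/%"
OR f.path LIKE "/etc/cron.weekly/%"
OR f.path LIKE "/etc/cron.monthly/%"
''',
# OSQuery: every parsed crontab entry, for manual review against the hits
# returned by the queries above.
'''
SELECT * FROM crontab
'''
]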