atomic-red-team-gs/atomics/T1053.003/T1053.003.yaml
Hare Sudhan 62a85c12b5 FreeBSD changes (#2585)
* freebsd changes

* renaming freebsd to linux
2023-11-06 17:41:43 -05:00

attack_technique: T1053.003
display_name: 'Scheduled Task/Job: Cron'
atomic_tests:
- name: Cron - Replace crontab with referenced file
  auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75
  description: |
    This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
  supported_platforms:
  - linux
  - macos
  input_arguments:
    command:
      description: Command to execute
      type: string
      default: /tmp/evil.sh
    tmp_cron:
      description: Temporary reference file to hold evil cron schedule
      type: path
      default: /tmp/persistevil
  executor:
    name: sh
    command: |
      crontab -l > /tmp/notevil
      echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
    cleanup_command: |
      crontab /tmp/notevil
- name: Cron - Add script to all cron subfolders
  auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
  description: |
    This test adds a script to the /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders, configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
  supported_platforms:
  - macos
  - linux
  input_arguments:
    command:
      description: Command to execute
      type: string
      default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
    cron_script_name:
      description: Name of file to store in cron folder
      type: string
      default: persistevil
  executor:
    elevation_required: true
    name: bash
    command: |
      echo "#{command}" > /etc/cron.daily/#{cron_script_name}
      echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
      echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
      echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
    cleanup_command: |
      rm /etc/cron.daily/#{cron_script_name}
      rm /etc/cron.hourly/#{cron_script_name}
      rm /etc/cron.monthly/#{cron_script_name}
      rm /etc/cron.weekly/#{cron_script_name}
- name: Cron - Add script to /etc/cron.d folder
  auto_generated_guid: 078e69eb-d9fb-450e-b9d0-2e118217c846
  description: |
    This test adds a script to the /etc/cron.d folder, configured to execute on a schedule.
  supported_platforms:
  - linux
  input_arguments:
    command:
      description: Command to execute
      type: string
      default: echo '*/5 * * * * root echo "Hello from Atomic Red Team"' > /tmp/atomic.log
    cron_script_name:
      description: Name of file to store in cron folder
      type: string
      default: persistevil
  executor:
    elevation_required: true
    name: sh
    command: |
      echo "#{command}" > /etc/cron.d/#{cron_script_name}
    cleanup_command: |
      rm /etc/cron.d/#{cron_script_name}
- name: Cron - Add script to /var/spool/cron/crontabs/ folder
  auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
  description: |
    This test adds a script to the /var/spool/cron/crontabs folder, configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
  supported_platforms:
  - linux
  input_arguments:
    command:
      description: Command to execute
      type: string
      default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
    cron_script_name:
      description: Name of file to store in /var/spool/cron/crontabs folder
      type: string
      default: persistevil
  executor:
    elevation_required: true
    name: bash
    command: |
      echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
    cleanup_command: |
      rm /var/spool/cron/crontabs/#{cron_script_name}
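A defender-side check for the four cron locations these tests write to, added here as an example and not part of Atomic Red Team: it parses crontab-format files under /etc/cron.d and /var/spool/cron/crontabs, treats files in the run-parts directories as whole scripts, and flags every-minute schedules, temp-path references and malformed entries. The sample file contents are constructed to mirror what the tests leave behind; day/month names in schedule fields are not handled.

```python
import re
from typing import Dict, List, Optional, Tuple

# Crontab-format dirs (user field only under /etc/cron.d) vs run-parts script dirs.
CRONTAB_DIRS = {"/etc/cron.d": True, "/var/spool/cron/crontabs": False}
SCRIPT_DIRS = {"/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly"}
TEMP_PATH = re.compile(r"(?:^|[\s\"'=])/(?:tmp|var/tmp|dev/shm)/")
FIELD = re.compile(r"^[\d*,/\-]+$")  # numeric schedule field (names like 'mon' not handled)


def split_entry(line: str, has_user: bool) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) or None if the line is not a crontab entry."""
    n = 1 if line.startswith("@") else 5  # @reboot, @hourly, ... are one field
    parts = line.split(None, n + (1 if has_user else 0))
    if len(parts) <= n + (1 if has_user else 0):
        return None  # too few fields: no command present
    if n == 5 and not all(FIELD.match(f) for f in parts[:5]):
        return None  # first five fields are not a schedule
    return " ".join(parts[:n]), parts[-1]


def audit_file(path: str, content: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) findings for one cron file."""
    findings, parent = [], path.rsplit("/", 1)[0]
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if parent in SCRIPT_DIRS:  # whole file is executed; inspect every line
            if TEMP_PATH.search(line):
                findings.append((lineno, "script references temp path"))
            continue
        entry = split_entry(line, CRONTAB_DIRS.get(parent, False))
        if entry is None:
            findings.append((lineno, "malformed crontab line"))
            continue
        schedule, command = entry
        if schedule == "* * * * *":
            findings.append((lineno, "runs every minute"))
        if TEMP_PATH.search(command):
            findings.append((lineno, "command references temp path"))
    return findings


def audit_all(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    return {p: f for p, c in files.items() if (f := audit_file(p, c))}


# Constructed samples: what the tests above leave behind, plus one benign entry.
SAMPLE_FILES = {
    "/var/spool/cron/crontabs/alice": "* * * * * /tmp/evil.sh\n",
    "/etc/cron.daily/persistevil": "echo 'Hello from Atomic Red Team' > /tmp/atomic.log\n",
    "/var/spool/cron/crontabs/persistevil": "echo 'Hello from Atomic Red Team' > /tmp/atomic.log\n",
    "/etc/cron.d/logrotate": "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
}
```

Test 4 appends its command verbatim to a file under /var/spool/cron/crontabs, so the resulting line has no schedule fields and shows up as malformed rather than as a scheduled command.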