security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1168/T1168.md
T
CircleCI Atomic Red Team doc generator 159697cc2e Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 15:21:17 +00:00

124 lines
5.1 KiB
Markdown
Raw Blame History

# T1168 - Local Job Scheduling
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1168)
<blockquote>On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: Die.net Linux at Man Page) and launchd. (Citation: AppleDocs Scheduling Timed Jobs) Unlike [Scheduled Task](https://attack.mitre.org/techniques/T1053) on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).
### cron
System-wide cron jobs are installed by modifying <code>/etc/crontab</code> file, <code>/etc/cron.d/</code> directory or other locations supported by the Cron daemon, while per-user cron jobs are installed using crontab with specifically formatted crontab files. (Citation: AppleDocs Scheduling Timed Jobs) This works on macOS and Linux systems.
Those methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence, (Citation: Janicab) (Citation: Methods of Mac Malware Persistence) (Citation: Malware Persistence on OS X) (Citation: Avast Linux Trojan Cron Persistence) to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.
### at
The at program is another means on POSIX-based systems, including macOS and Linux, to schedule a program or script job for execution at a later date and/or time, which could also be used for the same purposes.
### launchd
Each launchd job is described by a different configuration property list (plist) file similar to [Launch Daemon](https://attack.mitre.org/techniques/T1160) or [Launch Agent](https://attack.mitre.org/techniques/T1159), except there is an additional key called <code>StartCalendarInterval</code> with a dictionary of time values. (Citation: AppleDocs Scheduling Timed Jobs) This only works on macOS and OS X.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Cron - Replace crontab with referenced file](#atomic-test-1---cron---replace-crontab-with-referenced-file)
- [Atomic Test #2 - Cron - Add script to cron folder](#atomic-test-2---cron---add-script-to-cron-folder)
- [Atomic Test #3 - Event Monitor Daemon Persistence](#atomic-test-3---event-monitor-daemon-persistence)
<br/>
## Atomic Test #1 - Cron - Replace crontab with referenced file
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | /tmp/evil.sh|
| tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
#### Run it with `bash`!
```
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
```
<br/>
<br/>
## Atomic Test #2 - Cron - Add script to cron folder
This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
| cron_script_name | Name of file to store in cron folder | string | persistevil|
#### Run it with `bash`!
```
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
```
<br/>
<br/>
## Atomic Test #3 - Event Monitor Daemon Persistence
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Run it with these steps!
1. Place this file in /etc/emond.d/rules/atomicredteam.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>atomicredteam</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
<array>
<string>startup</string>
</array>
<key>actions</key>
<array>
<dict>
<key>command</key>
<string>/usr/bin/say</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>-v Tessa</string>
<string>I am a persistent startup item.</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
</array>
</dict>
</array>
</plist>
2. Place an empty file in /private/var/db/emondClients/
3. sudo touch /private/var/db/emondClients/randomflag
<br/>
Reference in New Issue View Git Blame Copy Permalink