atomic-red-team/atomics/T1168/T1168.yaml
Tony M Lambert 8c7abb226e T1168 Improve Cron tests, add additional one (#445)
* initial commit

* modified output style

* final url changes

* Update rocke-and-roll-stage-01.sh

* T1168 - Improvements and additional cron tests
2019-02-05 13:04:36 -08:00


---
attack_technique: T1168
display_name: Local Job Scheduling
atomic_tests:
- name: Cron - Replace crontab with referenced file
  description: |
    This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
  supported_platforms:
  - macos
  - centos
  - ubuntu
  - linux
  input_arguments:
    command:
      description: Command to execute
      type: string
      default: /tmp/evil.sh
    tmp_cron:
      description: Temporary reference file to hold evil cron schedule
      type: path
      default: /tmp/persistevil
  executor:
    name: bash
    command: |
      echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
- name: Cron - Add script to cron folder
  description: |
    This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
  supported_platforms:
  - macos
  - centos
  - ubuntu
  - linux
  input_arguments:
    command:
      description: Command to execute
      type: string
      default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
    cron_script_name:
      description: Name of file to store in cron folder
      type: string
      default: persistevil
  executor:
    name: bash
    command: |
      echo "#{command}" > /etc/cron.daily/#{cron_script_name}
- name: Event Monitor Daemon Persistence
  description: |
    This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
  supported_platforms:
  - macos
  - centos
  - ubuntu
  - linux
  executor:
    name: manual
    steps: |
      1. Place this file in /etc/emond.d/rules/atomicredteam.plist

         <?xml version="1.0" encoding="UTF-8"?>
         <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
         <plist version="1.0">
           <array>
             <dict>
               <key>name</key>
               <string>atomicredteam</string>
               <key>enabled</key>
               <true/>
               <key>eventTypes</key>
               <array>
                 <string>startup</string>
               </array>
               <key>actions</key>
               <array>
                 <dict>
                   <key>command</key>
                   <string>/usr/bin/say</string>
                   <key>user</key>
                   <string>root</string>
                   <key>arguments</key>
                   <array>
                     <string>-v Tessa</string>
                     <string>I am a persistent startup item.</string>
                   </array>
                   <key>type</key>
                   <string>RunCommand</string>
                 </dict>
               </array>
             </dict>
           </array>
         </plist>

      2. Place an empty file in /private/var/db/emondClients/

      3. sudo touch /private/var/db/emondClients/randomflag
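The three tests above each leave a distinct artifact on disk: a crontab entry whose command lives in a temp directory, a new file in a cron folder such as /etc/cron.daily, and an emond rule plist that runs a command on the startup event. The following audit script is an added example, not part of Atomic Red Team, showing how a defender would check a host for each of those artifacts after (or without) running the tests. Every input is passed as a path so the script runs offline against constructed sample data; the temp-directory list, the baseline file format and the function names are this example's own assumptions, while the paths /tmp/evil.sh, persistevil and /etc/emond.d/rules come from the test definitions above.

```shell
#!/usr/bin/env bash
# Added audit helper (not Atomic Red Team code): looks for the artifacts the
# T1168 tests create. Inputs are files/directories given as arguments so the
# checks can be run against a saved crontab dump or a mounted image.

# Print non-comment crontab lines whose command lives in a world-writable
# temp directory (the first test's default command is /tmp/evil.sh).
# $1: file holding the output of `crontab -l` (or a /var/spool/cron file).
suspicious_crontab_lines() {
  grep -E '^[^#]*[[:space:]](/tmp|/var/tmp|/dev/shm)/' "$1"
}

# Print file names in a cron directory that are absent from a baseline list
# (one expected name per line). The second test drops "persistevil" into
# /etc/cron.daily, which a package baseline would never contain.
# $1: cron directory, $2: baseline file.
unexpected_cron_scripts() {
  local f name
  for f in "$1"/*; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    grep -qx "$name" "$2" || echo "$name"
  done
}

# Print emond rule plists that fire on the "startup" event and run a command,
# which is the shape of the third test's plist. macOS keeps these rules in
# /etc/emond.d/rules; the directory is a parameter here for offline use.
# $1: rules directory.
startup_emond_rules() {
  local f
  for f in "$1"/*.plist; do
    [ -e "$f" ] || continue
    if grep -q '<string>startup</string>' "$f" && grep -q '<string>RunCommand</string>' "$f"; then
      echo "$f"
    fi
  done
}

# Constructed sample data (not captured from any real host) so the script
# demonstrates each check when run directly.
demo() {
  local d
  d=$(mktemp -d)
  printf '# m h dom mon dow command\n0 3 * * * /usr/bin/backup\n* * * * * /tmp/evil.sh\n' > "$d/crontab.txt"
  mkdir -p "$d/cron.daily" "$d/rules"
  printf 'logrotate\nman-db\n' > "$d/baseline.txt"
  : > "$d/cron.daily/logrotate"
  : > "$d/cron.daily/persistevil"
  printf '<plist version="1.0"><array><dict><key>eventTypes</key><array><string>startup</string></array><key>type</key><string>RunCommand</string></dict></array></plist>\n' > "$d/rules/atomicredteam.plist"
  echo "== crontab entries pointing into temp directories"
  suspicious_crontab_lines "$d/crontab.txt"
  echo "== cron.daily scripts not in the baseline"
  unexpected_cron_scripts "$d/cron.daily" "$d/baseline.txt"
  echo "== emond rules that run a command at startup"
  startup_emond_rules "$d/rules"
  rm -rf "$d"
}

demo
```

On a live host the same functions take real inputs, e.g. `crontab -l > /tmp/ct && suspicious_crontab_lines /tmp/ct`, `unexpected_cron_scripts /etc/cron.daily baseline.txt`, and on macOS `startup_emond_rules /etc/emond.d/rules`; the baseline file should be generated from a known-good build so that only additions like persistevil are reported.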