Terrance DeJesus
f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
99 lines
4.0 KiB
TOML
99 lines
4.0 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
description = """
|
|
This hunt identifies potential persistence mechanisms via cron on Linux systems. It monitors for file creation or modification events related to cron configurations and processes spawned by cron, fcron, or atd. These activities can indicate attempts to establish persistence through scheduled tasks.
|
|
"""
|
|
integration = ["endpoint"]
|
|
uuid = "e1cffb7c-4acf-4e7a-8d72-b8b7657cf7b8"
|
|
name = "Persistence via Cron"
|
|
language = ["ES|QL", "SQL"]
|
|
license = "Elastic License v2"
|
|
notes = [
|
|
"This hunt includes multiple ES|QL and OSQuery queries to identify potential persistence mechanisms via cron on Linux systems.",
|
|
"Detects file creation or modification events in directories and files associated with cron configurations, such as /etc/cron.allow, /etc/cron.deny, /etc/crontab, all /etc/cron.* directories and various /var/spool directories.",
|
|
"Excludes common legitimate processes and file types to minimize false positives.",
|
|
"Uses EVAL to tag potential persistence events and counts occurrences to identify unusual activity.",
|
|
"Monitors processes started by cron, fcron, or atd to detect potential persistence mechanisms.",
|
|
"OSQuery queries are provided to complement the detection by retrieving detailed file information and crontab entries."
|
|
]
|
|
mitre = ["T1053.003", "T1053.005"]
|
|
|
|
query = [
|
|
'''
|
|
from logs-endpoint.events.file-*
|
|
| where @timestamp > now() - 30 day
|
|
| where host.os.type == "linux" and event.type in ("creation", "change") and (
|
|
file.path in ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab") or
|
|
file.path like "/etc/cron.*/*" or
|
|
file.path like "/var/spool/cron/crontabs/*" or
|
|
file.path like "/var/spool/anacron/*" or
|
|
file.path like "/var/spool/cron/atjobs/*" or
|
|
file.path like "/var/spool/fcron/*" or
|
|
file.path like "/home/*/.tsp/*"
|
|
) and not (
|
|
process.name in ("dpkg", "dockerd", "yum", "dnf", "snapd", "pacman", "pamac-daemon", "anacron") or
|
|
file.extension in ("dpkg-remove", "swx", "swp") or
|
|
file.name like "tmp.*"
|
|
)
|
|
| eval persistence = case(
|
|
file.path in ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab") or
|
|
file.path like "/etc/cron.*/*" or
|
|
file.path like "/var/spool/cron/crontabs/*" or
|
|
file.path like "/var/spool/anacron/*" or
|
|
file.path like "/var/spool/cron/atjobs/*" or
|
|
file.path like "/var/spool/fcron/*" or
|
|
file.path like "/home/*/.tsp/*",
|
|
process.name,
|
|
null
|
|
)
|
|
| stats pers_count = count(persistence), agent_count = count_distinct(agent.id) by process.executable, file.path
|
|
| where pers_count > 0 and pers_count <= 20 and agent_count <= 3
|
|
| sort pers_count asc
|
|
| limit 100
|
|
''',
|
|
'''
|
|
from logs-endpoint.events.process-*
|
|
| where @timestamp > now() - 30 day
|
|
| where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.parent.name in ("cron", "fcron", "atd")
|
|
| stats cc = count(), host_count = count_distinct(host.id) by process.command_line
|
|
| where host_count <= 3
|
|
| sort cc asc
|
|
| limit 100
|
|
''',
|
|
'''
|
|
SELECT
|
|
f.filename,
|
|
f.path,
|
|
u.username AS file_owner,
|
|
g.groupname AS group_owner,
|
|
datetime(f.atime, 'unixepoch') AS file_last_access_time,
|
|
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
|
|
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
|
|
datetime(f.btime, 'unixepoch') AS file_created_time,
|
|
f.size AS size_bytes
|
|
FROM
|
|
file f
|
|
LEFT JOIN
|
|
users u ON f.uid = u.uid
|
|
LEFT JOIN
|
|
groups g ON f.gid = g.gid
|
|
WHERE
|
|
f.path IN ("/etc/cron.allow", "/etc/cron.deny", "/etc/crontab")
|
|
OR f.path LIKE "/etc/cron.%/*"
|
|
OR f.path LIKE "/var/spool/cron/crontabs/%"
|
|
OR f.path LIKE "/var/spool/anacron/%"
|
|
OR f.path LIKE "/var/spool/cron/atjobs/%"
|
|
OR f.path LIKE "/var/spool/fcron/%"
|
|
OR f.path LIKE "/home/%/.tsp/%"
|
|
OR f.path LIKE "/etc/cron.allow.d/%"
|
|
OR f.path LIKE "/etc/cron.d/%"
|
|
OR f.path LIKE "/etc/cron.hourly/%"
|
|
OR f.path LIKE "/etc/cron.daily/%"
|
|
OR f.path LIKE "/etc/cron.weekly/%"
|
|
OR f.path LIKE "/etc/cron.monthly/%"
|
|
''',
|
|
'''
|
|
SELECT * FROM crontab
|
|
'''
|
|
]
|