Cronjobs Entry

Date: 2021-12-17 ID: e5ff2d94-5f51-11ec-ba52-acde48001122 Author: Teoderick Contreras Environment: attack_range Directory: cronjobs_entry

Description

Generated datasets for cronjobs entry in attack range.

ID	Technique	Tactic
T1053.003	Cron	Execution, Persistence, Privilege Escalation

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux_cron_append.log
Sourcetype: sysmon:linux
Source: Syslog:Linux-Sysmon/Operational

Path: /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux.log
Sourcetype: sysmon:linux
Source: Syslog:Linux-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Linux Possible Append Cronjob Entry on Existing Cronjob File	`Hunting`	Endpoint	T1053.003	XorDDos, Linux Living Off The Land, Linux Privilege Escalation, Scheduled Tasks, Linux Persistence Techniques
Linux Possible Cronjob Modification With Editor	`Hunting`	Endpoint	T1053.003	XorDDos, Linux Living Off The Land, Linux Privilege Escalation, Scheduled Tasks, Linux Persistence Techniques
Linux Add Files In Known Crontab Directories	`Anomaly`	Endpoint	T1053.003	XorDDos, Linux Living Off The Land, Linux Privilege Escalation, Scheduled Tasks, Linux Persistence Techniques

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1053.003/cronjobs_entry/sysmon_linux_cron_append.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0