Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Утилита cron
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Утилита cron
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Scheduled Task/Job:  Утилита cron

ID Название
.001 At (Linux)
.002 Утилита at
.003 Утилита cron
.004 Launchd
.005 Планировщик заданий Windows
.006 Таймеры systemd
.007 Задания по компоновке контейнеров

Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run and the specified times for execution. Any crontab files are stored in operating system-specific file paths. An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a scheduled basis for Persistence.

ID: T1053.003
Относится к технике:  T1053
Тактика(-и): Execution, Persistence, Privilege Escalation
Платформы: Linux, macOS
Требуемые разрешения: User
Источники данных: Command: Command Execution, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Версия: 1.2
Дата создания: 03 Dec 2019
Последнее изменение: 15 Oct 2024

Примеры процедур
Название Описание
SpeakUp

SpeakUp uses cron tasks to ensure persistence. (Citation: CheckPoint SpeakUp Feb 2019)
Anchor

Anchor can install itself as a cron job.(Citation: Medium Anchor DNS July 2020)
Janicab

Janicab used a cron job for persistence on Mac devices.(Citation: Janicab)
Skidmap

Skidmap has installed itself via crontab.(Citation: Trend Micro Skidmap)
Rocke

Rocke installed a cron job that downloaded and executed files from the C2.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019)
Xbash

Xbash can create a cronjob for persistence if it determines it is on a Linux system.(Citation: Unit42 Xbash Sept 2018)
NETWIRE

NETWIRE can use crontabs to establish persistence.(Citation: Red Canary NETWIRE January 2020)
GoldMax

The GoldMax Linux variant has used a crontab entry with a @reboot line to gain persistence.(Citation: CrowdStrike StellarParticle January 2022)
Penquin

Penquin can use Cron to create periodic and pre-scheduled background jobs.(Citation: Leonardo Turla Penquin May 2020)
APT5

APT5 has made modifications to the crontab file including in `/var/cron/tabs/`.(Citation: NSA APT5 Citrix Threat Hunting December 2022)
Kinsing

Kinsing has used crontab to download and run shell scripts every minute to ensure persistence.(Citation: Aqua Kinsing April 2020)
APT38

APT38 has used cron to create pre-scheduled and periodic background jobs on a Linux system.(Citation: CISA AA20-239A BeagleBoyz August 2020)
Exaramel for Linux

Exaramel for Linux uses crontab for persistence if it does not have root privileges.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021)
NKAbuse

NKAbuse uses a Cron job to establish persistence when infecting Linux hosts.(Citation: NKAbuse SL)

Контрмеры
Контрмера Описание
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Обнаружение

Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Ссылки

  1. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  2. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  3. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
  4. Thomas. (2013, July 15). New signed malware called Janicab. Retrieved July 17, 2017.
  5. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  6. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  7. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  8. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  9. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  10. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  11. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  12. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  13. National Security Agency. (2022, December). APT5: Citrix ADC Threat Hunting Guidance. Retrieved February 5, 2024.
  14. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  15. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  16. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  17. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  18. KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.
Навигация

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.