32 строки
1.4 KiB
YAML
32 строки
1.4 KiB
YAML
id: 6f0f1821-5981-408a-930b-8b2ca60e9e6c
|
|
name: Editing Linux scheduled tasks through Crontab
|
|
description: |
|
|
'This query shows when users have edited or replaced the scheduled tasks using crontab. The events are bucketed into 10 minute intervals
|
|
and all the actions that a particular used took are collected into the List of Actions. Default query is for seven days.'
|
|
requiredDataConnectors:
|
|
- connectorId: Syslog
|
|
dataTypes:
|
|
- Syslog
|
|
tactics:
|
|
- Persistence
|
|
- Execution
|
|
relevantTechniques:
|
|
- T1059
|
|
- T1053
|
|
- T1037
|
|
query: |
|
|
|
|
// Pull messages from Syslog-cron logs where the process is crontab and the severity level is "info". Extract the User and Action information from the SyslogMessage
|
|
Syslog
|
|
| where Facility =~ "cron"
|
|
| where ProcessName =~ "crontab"
|
|
| where SeverityLevel =~ "info"
|
|
| project TimeGenerated, Computer, SeverityLevel, ProcessName, SyslogMessage
|
|
| parse SyslogMessage with * "(" user ") " Action " (" *
|
|
// Only look for messages that contain edit or replace
|
|
| where Action contains "EDIT" or Action contains "REPLACE"
|
|
//| summarize all the actions into a single set based on 10 minute time intervals
|
|
| summarize ListOfActions = makeset(Action) by EventTime10MinInterval = bin(TimeGenerated, 10m), Computer, user
|
|
| order by Computer asc nulls last, EventTime10MinInterval asc
|
|
| extend timestamp = EventTime10MinInterval, AccountCustomEntity = user, HostCustomEntity = Computer
|
|
|