2022-10-14 18:19:13 +00:00
|
|
|
-- Unexpected crontab entries
|
|
|
|
|
--
|
|
|
|
|
-- references:
|
2022-10-19 20:56:32 +00:00
|
|
|
-- * https://attack.mitre.org/techniques/T1053/003/ (Scheduled Task/Job: Cron)
|
2022-10-14 18:19:13 +00:00
|
|
|
--
|
|
|
|
|
-- false positives:
|
|
|
|
|
-- * crontab entries added by the user
|
|
|
|
|
--
|
2022-10-14 18:26:49 +00:00
|
|
|
-- tags: persistent filesystem state
|
2022-10-14 18:19:13 +00:00
|
|
|
-- platform: posix
|
2022-09-24 15:12:23 +00:00
|
|
|
SELECT
|
|
|
|
|
*
|
|
|
|
|
FROM
|
|
|
|
|
crontab
|
|
|
|
|
WHERE
|
2022-10-13 18:59:32 +00:00
|
|
|
command NOT LIKE 'root%run-parts%'
|
2024-07-02 01:56:28 +00:00
|
|
|
AND command NOT LIKE '%/usr/lib/php/sessionclean%'
|
|
|
|
|
AND command NOT LIKE '%anacron start%'
|
2022-10-13 18:59:32 +00:00
|
|
|
AND command NOT LIKE '%clamscan%'
|
|
|
|
|
AND command NOT LIKE '%e2scrub%'
|
2024-07-02 01:56:28 +00:00
|
|
|
AND command NOT LIKE '%freshclam%'
|
|
|
|
|
AND command NOT LIKE '%gcloud compute instances stop%'
|
2024-01-18 22:15:37 +00:00
|
|
|
AND command NOT LIKE '%git commit%'
|
2024-07-02 01:56:28 +00:00
|
|
|
AND command NOT LIKE '%rsync%'
|
|
|
|
|
AND command NOT LIKE '%zfs-linux%'
|
2024-03-29 14:12:36 +00:00
|
|
|
AND command NOT LIKE 'docker run amouat/jocko%'
|
2024-07-02 01:56:28 +00:00
|
|
|
AND command NOT LIKE 'gsutil %'
|
|
|
|
|
AND command NOT LIKE 'root command -v debian-sa1%'
|
2024-09-23 15:07:53 +00:00
|
|
|
AND command NOT LIKE 'root test -x /usr/bin/geoipupdate % && /usr/bin/geoipupdate'
|
2024-11-18 21:16:52 +00:00
|
|
|
AND command NOT LIKE 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'
|
|
|
|
|
AND command NOT IN ("ps -A | grep at.obdev.littlesnitch.networkextension | grep -v 'grep' | awk '{print $1}' | xargs kill")
|
