Class: Cron

Inherits:
Detectors::Detector show all
Defined in:
lib/persistence_detector/detector_implementations/cron.rb

Overview

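Cron detects cron job persistence (MITRE ATT&CK T1053.003) by inspecting the crontab of the user running the scan. System-wide cron locations and other users' crontabs are not examined.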

Instance Attribute Summary

Attributes inherited from Detectors::Detector

#description, #name, #platforms, #references, #ttp_id

Instance Method Summary collapse

Methods inherited from Detectors::Detector

#display_metadata

Constructor Details

#initialize ⇒ Cron

Returns a new instance of Cron.



# File 'lib/persistence_detector/detector_implementations/cron.rb', line 15

# Creates the cron detector and fills in its descriptive metadata: the
# MITRE ATT&CK sub-technique id, the platform names it applies to, a
# display name, a description and a reference URL.
#
# NOTE(review): these instance variables presumably back the attributes
# inherited from Detectors::Detector (#ttp_id, #platforms, #name,
# #description, #references) - confirm against the parent class.
def initialize
  super
  @name = 'Scheduled Task/Job: Cron'
  @ttp_id = 'T1053.003'
  @description = 'Adversaries may abuse the cron utility to perform task scheduling ' \
                 'for initial or recurring execution of malicious code.'
  @platforms = [
    'cygwin', 'darwin', 'freebsd', 'linux', 'macruby', 'openbsd', 'solaris'
  ]
  @references = %w[https://attack.mitre.org/techniques/T1053/003/]
end

Instance Method Details

#detect_persistence ⇒ Object



# File 'lib/persistence_detector/detector_implementations/cron.rb', line 24

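# Lists the invoking user's crontab and reports it as possible persistence
# when it contains at least one active (non-blank, non-comment) line.
#
# The crontab is read once with `crontab -l`. Nothing is reported when the
# command exits non-zero or when the listing holds only blank lines and
# comments.
#
# @return [nil] findings are written to $logger and standard output only
def detect_persistence
  $logger.info('scanning for cron job persistence'.blue)

  # TODO: if root, check everything, else check current user
  # NOTE(review): coverage gap - only the crontab of the user running the
  # scan is read. System-wide cron configuration and other users' crontabs
  # are not examined, so a clean result here does not rule out T1053.003.
  # NOTE(review): `crontab` is resolved through PATH by the shell. On a host
  # that may already be compromised, consider invoking it by absolute path.

  # Read the listing once so the text shown is the text that was evaluated.
  # stderr is discarded so "no crontab" messages do not reach the terminal.
  out = `crontab -l 2>/dev/null`
  return unless $?.success?

  # Replace invalid bytes so the string operations below cannot raise.
  listing = out.scrub('?')

  # An empty or comment-only crontab schedules nothing, so do not flag it.
  # Variable assignments still count as active lines.
  active = listing.each_line.any? do |line|
    !line.strip.empty? && !line.lstrip.start_with?('#')
  end
  return unless active

  $logger.warn('Possible cron job persistence identified:'.red)

  # Crontab content is untrusted: escape control characters (everything
  # non-printable except tab and newline) so terminal escape sequences or
  # carriage returns cannot hide or rewrite what the analyst sees.
  printable = listing.gsub(/[^[:print:]\t\n]/) { |ch| format('\\x%02X', ch.ord) }
  puts(printable.red)
end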