-
Notifications
You must be signed in to change notification settings - Fork 0
/
process_cron_credential_leak.json
69 lines (69 loc) · 2.31 KB
/
process_cron_credential_leak.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
{
"name": "process_cron_credential_leak",
"tags": [
"attack.id.T1552",
"attack.tactic.persistence",
"process"
],
"type": "process",
"active": true,
"author": "Tor Houghton <[email protected]>",
"custom": true,
"format": "4.0",
"comment": "",
"options": {
"cron": {
"search_paths": [
"/var/spool/cron",
"/var/spool/cron/crontabs",
"/var/spool/cron/tabs",
"/var/spool/cron/atjobs",
"/var/spool/cron/atspool",
"/etc/cron.d"
],
"search_paths_patterns": [
".*"
],
"search_paths_individual": [
"/etc/crontab"
],
"search_paths_patterns_ignore": []
},
"rules": [
"cron.entry matches '://\\\\S+:\\\\S+@'",
"cron.entry matches '(?i)authorization:\\\\s+bearer\\\\s+\\\\S+'",
"cron.entry matches '(?i)(password|passwd)=\\\\S+'",
"cron.entry matches 'AWS_(ACCESS|SECRET)_ACCESS_KEY=\\\\S+'",
"cron.entry matches 'AZURE_CLIENT_SECRET=\\\\S+'",
"cron.entry matches 'GITHUB_TOKEN=\\\\S+'",
"cron.entry matches 'MYSQL_PWD=\\\\S+'",
"cron.entry matches 'RABBITMQ_DEFAULT_PASS=\\\\S+'",
"cron.entry matches 'SQLCONNECT=.*PWD=\\\\S+'",
"cron.entry matches 'sshpass.*\\\\s+-p\\\\s+\\\\S+'",
"cron.entry matches 'curl\\\\s+.*(-u\\\\s+\\\\S+:\\\\S+|-d\\\\s+\\\\S+)'",
"cron.entry matches '-auth'",
"cron.entry matches '--http(_|-)auth'",
"cron.entry matches 'bcp\\\\s+.*-P\\\\S+'",
"cron.entry matches 'isql\\\\s+.*-P\\\\s+\\\\S+'",
"cron.entry matches 'dbping\\\\s+.*-c\\\\s+.*PWD=\\\\S+'",
"cron.entry matches 'mongo\\\\s+.*-p\\\\S+'",
"cron.entry matches 'sqlplus\\\\s+.*\\\\S+/\\\\S+@//'",
"cron.entry matches '(-U|--user)\\\\s+\\\\S+:\\\\S+'",
"cron.entry matches 'ldapsearch\\\\s+.*-w\\\\s+\\\\S+'",
"cron.entry matches 'redis-cli\\\\s+.*-a\\\\s+\\\\S+'"
],
"engines": [
"sandfly_engine_cron"
],
"rule_op": "or",
"response": {},
"explanation": "The cronfile '{cron.path}' appears to contain an entry ('{cron.entry}') that leaks credentials."
},
"version": "1.11",
"severity": 3,
"date_added": "2023-06-12T19:59:14.528381Z",
"description": "Checks crontabs and at jobs for commands that leak credentials.",
"max_timeout": 360,
"max_cpu_load": 1,
"max_disk_load": 1
}