This artifact collects various autorun files for upload. Based on TriagePersistence from forensicartifacts.com
name: Linux.Collection.Autoruns
author: alternate
description: |
This artifact collects various autorun files for upload.
Based on TriagePersistence from forensicartifacts.com
reference:
- https://github.com/ForensicArtifacts/artifacts/blob/main/data/triage.yaml
precondition: SELECT OS FROM info() WHERE OS = 'linux'
parameters:
- name: AnacronFiles
default: |
["/etc/anacrontab,/etc/cron.daily/*","/etc/cron.hourly/*","/etc/cron.monthly/*",
"/etc/cron.weekly/*","/var/spool/anacron/cron.daily","/var/spool/anacron/cron.hourly",
"/var/spool/anacron/cron.monthly","/var/spool/anacron/cron.weekly"]
- name: LinuxAtJobs
default: /var/spool/at/*
- name: LinuxCronTabs
default: |
["/etc/crontab","/etc/cron.d/*","/var/spool/cron"]
- name: LinuxSystemdServices
default: |
["/etc/systemd/system.control/*.service","/etc/systemd/systemd.attached/*.service",
"/etc/systemd/system/*.service","/etc/systemd/user/*.service",
"/lib/systemd/system/*.service","/lib/systemd/user/*.service",
"/run/systemd/generator.early/*.service","/run/systemd/generator.late/*.service",
"/run/systemd/generator/*.service","/run/systemd/system.control/*.service",
"/run/systemd/systemd.attached/*.service","/run/systemd/system/*.service",
"/run/systemd/transient/*.service","/run/systemd/user/*.service",
"/run/user/*/systemd/generator.early/*.service","/run/user/*/systemd/generator.late/*.service",
"/run/user/*/systemd/generator/*.service","/run/user/*/systemd/transient/*.service",
"/run/user/*/systemd/user.control/*.service","/run/user/*/systemd/user/*.service",
"/usr/lib/systemd/system/*.service","/usr/lib/systemd/user/*.service",
"/{root,home/*}/.config/systemd/user.control/*.service","/{root,home/*}/.config/systemd/user/*.service",
"/{root,home/*}/.local/share/systemd/user/*.service"]
- name: LinuxSystemdTimers
default: |
["/etc/systemd/system.control/*.timer","/etc/systemd/systemd.attached/*.timer",
"/etc/systemd/system/*.timer","/etc/systemd/user/*.timer","/lib/systemd/system/*.timer",
"/lib/systemd/user/*.timer","/run/systemd/generator.early/*.timer",
"/run/systemd/generator.late/*.timer","/run/systemd/generator/*.timer",
"/run/systemd/system.control/*.timer","/run/systemd/systemd.attached/*.timer",
"/run/systemd/system/*.timer,/run/systemd/transient/*.timer","/run/systemd/user/*.timer",
"/run/user/*/systemd/generator.early/*.timer","/run/user/*/systemd/generator.late/*.timer",
"/run/user/*/systemd/generator/*.timer","/run/user/*/systemd/transient/*.timer",
"/run/user/*/systemd/user.control/*.timer","/run/user/*/systemd/user/*.timer",
"/usr/lib/systemd/system/*.timer","/usr/lib/systemd/user/*.timer",
"/{root,home/*}/.config/systemd/user.control/*.timer",
"/{root,home/*}/.config/systemd/user/*.timer",
"/{root,home/*}/.local/share/systemd/user/*.timer"]
- name: LinuxSysVInit
default: |
["/etc/rc.local","/etc/rc*.d","/etc/rc*.d/*","/etc/rc.d/rc*.d/*","/etc/rc.d/init.d/*"]
- name: XDGAutostartEntries
default: |
["/etc/rc.local","/etc/rc*.d","/etc/rc*.d/*","/etc/rc.d/rc*.d/*","/etc/rc.d/init.d/*"]
sources:
- name: uploadAnacronFiles
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=AnacronFiles))
- name: uploadLinuxAtJobs
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=LinuxAtJobs)
- name: uploadLinuxSystemdServices
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=LinuxSystemdServices))
- name: uploadLinuxSystemdTimers
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=LinuxSystemdTimers))
- name: uploadLinuxSysVInit
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=LinuxSysVInit))
- name: uploadXDGAutostartEntries
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=XDGAutostartEntries))