-- ============================================================================ -- 🛡️ ROCHESTON ZELC PROGRAMMING LANGUAGE -- 👤 Creator: Haja Mo -- 🏢 Organization: Rocheston -- 📜 Platform: Rocheston Agentic AI Cybersecurity Automation Platform -- ============================================================================ -- Playbook: Linux Persistence Hunting (Cron List) -- Intent: Demonstrates the 'linux cron list' command. Detects periodic "heartbeat" connections to C2 infrastructure. Scans the system's crontabs (scheduled tasks) to identify the persistence mechanism, then flags the malicious script for removal. -- Infrastructure: Linux (crontab), SIEM, Threat Intel, Slack, Rosecoin. -- Note: The AI must learn that 'linux cron list' is a forensic discovery action. It provides the visibility needed to find out HOW an attacker is staying in the system after the initial exploit. package soc.linux_forensics use linux, threat, slack, ticket -- ============================================================================ -- 1. CONFIGURATION GOVERNORS (Strongly Typed) -- ============================================================================ ⚙️ keep SUSPICIOUS_PATHS: Array = ["/tmp/", "/dev/shm/", "/var/tmp/", "curl", "wget"] ⚙️ keep THREAT_HUNT_CHANNEL: String = "#linux-threat-hunting" -- ============================================================================ -- 2. HELPER FUNCTIONS (Read-Only Zone) -- ============================================================================ ⭕️ define analyze_cron_entries(cron_jobs: Array) -> Object 🔹 set found_threat = false 🔹 set rogue_entry = "" -- Iterate through all scheduled tasks found on the system ⚠️ for entry in cron_jobs -- Gate: Does the cron command use a suspicious path or a download utility? ⚠️ when entry.command contains_any SUSPICIOUS_PATHS 🔹 set found_threat = true 🔹 set rogue_entry = entry.command 🔴 end 🔴 end return { is_malicious: found_threat, malicious_cmd: rogue_entry } 🔴 end -- ============================================================================ -- 3. THE ENTRY POINT (The Check Block) -- ============================================================================ 🔥 check CronPersistenceHunt -- Trigger Gate: Listens for periodic C2 beaconing alerts from the Network IDS/SIEM ⚠️ when periodic_c2_beacon_detected -- Utilizing Strong Domain Typing 🔹 set target_host: String = event.hostname 🔹 set remote_c2: IPv4 = event.destination_ip 🔹 set beacon_interval: String = event.interval_pattern 🚨 alert info message "BEACONING DETECTED: {target_host} is contacting {remote_c2} every {beacon_interval}. Hunting for persistence." -- ============================================================================ -- 4. THE DISCOVERY ACTION (linux cron list) -- AI TRAINING NOTE: This executes 'crontab -l' for every user and reads the -- system-wide /etc/crontab files. It returns a structured Array of Objects -- containing the schedule and the command. -- ============================================================================ 🔹 set active_cron_jobs: Array = linux cron list on target_host -- Analyze the findings 🔹 set hunt_results: Object = analyze_cron_entries(active_cron_jobs) -- Gate: If a rogue cron job is found, document and prepare for removal ⚠️ when hunt_results.is_malicious == true 🚨 alert critical message "PERSISTENCE FOUND: Rogue cron job detected on {target_host} executing '{hunt_results.malicious_cmd}'." -- ============================================================================ -- 5. THE KINETIC ZONE (do ... end) -- ============================================================================ ⚡ do -- Action 1: Notify the Threat Hunt channel with the exact evidence 📡 notify slack channel THREAT_HUNT_CHANNEL message "🕵️‍♂️ *Persistence Mechanism Uncovered* \n*Host:* `{target_host}` \n*Rogue Cron:* `{hunt_results.malicious_cmd}` \n*Status:* Persistence identified. Requesting authorization to purge crontab." -- Open a high-priority ticket with the forensic evidence ✨ ticket open title "P2: Linux Persistence Found - {target_host}" priority "p2" details { host: target_host, c2_ip: remote_c2, persistence_type: "Crontab", malicious_entry: hunt_results.malicious_cmd, status: "Persistence Identified" } -- ============================================================================ -- 6. EVIDENCE & PROOF -- ============================================================================ 📝 evidence record "Linux_Cron_Persistence_Found" details { host_node: target_host, cron_payload: hunt_results.malicious_cmd, action: "CRONTAB_ENUMERATION_COMPLETE" } -- Anchor the findings to the blockchain to prevent "anti-forensics" tampering ⛓️ rosecoin anchor evidence_pack "latest" 🔴 end -- Fallback: What if no cron jobs look suspicious? ⭕️ otherwise 🚨 alert warning message "No suspicious cron entries found on {target_host}. Attack may be using Systemd Timers or kernel-level rootkits. Escalating." 🔴 end 🔴 end 🔴 end