command error in "New Cron Jobs" ability of "Task Hunter" adversary

[shiracamus]

Describe the bug When I ran "Task Hunter" adversary as a blue team, found the following error message in the command output.

cat: /tmp/cron_jobs: No such file or directory

The adversary file that caused the error:

plugins/response/data/abilities/detection/ee54384f-cfbc-4228-9dc1-cc5632307afb.yml

part of the script:

for user in $(getent passwd | cut -f1 -d:); do
  $(crontab -u $user -l 2>/dev/null | grep -v '\#' | while read -r job; do
    echo "${user}>${job}" >> /tmp/cron_jobs;
  done);
done;

If no one has defined a crontab, /tmp/cron_jobs file will not be created and an error will occur. I think the following script is needed before the above script.

echo -n > /tmp/cron_jobs;

To Reproduce Steps to reproduce the behavior:

1. run a sandcat agent on a Linux
2. web login to CALDERA as a blue team
3. create an operation
4. select adversary "Task Hunter"
5. click start button
6. wait to run an ability "New Cron Jobs"
7. move your mouse cursor on "command output", you will find the error message

Expected behavior There are no errors.

Screenshots

Desktop (please complete the following information):

• OS: Kali
• Browser Firefox
• Version 115.8.0esr (64-bit)

Additional context The script for MacOS (darwin) needs to be modified as well.

[elegantmoose]

Could the ability just extra logic to handle the case if there is no cron job file?

[shiracamus]

I have added that logic and confirmed that there is no error.

set -f;
echo -n > /tmp/cron_jobs;
for user in $(getent passwd | cut -f1 -d:); do
  $(crontab -u $user -l 2>/dev/null | grep -v '\#' | while read -r job; do
    echo "${user}>${job}" >> /tmp/cron_jobs;
  done);
done;
cat /tmp/cron_jobs | sort > /tmp/new_cronjobs_list.txt;
new_jobs=$(comm -13 /tmp/baseline_cronjobs_list.txt /tmp/new_cronjobs_list.txt);
rm -f /tmp/cron_jobs;
rm -f /tmp/new_cronjobs_list.txt;
IFS=$(echo '\n');
echo $new_jobs;