[Hunt Tuning] Persistence via SSH Configurations and/or Keys (#4351)

* [Hunt Tuning] Persistence via SSH Configurations and/or Keys

* ++

* Revert "Merge branch 'main' into hunt-update-ssh-authorized-keys"

This reverts commit 2b31a3bb49e51a4c9f4752ad6880c3f398032b4e, reversing
changes made to 263ffd5eb98f53282850b4f777df4091f3f03926.

* ++

* Update pyproject.toml

hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md

@@ -37,7 +37,7 @@ SELECT
     g.groupname AS group_owner,
     datetime(f.atime, 'unixepoch') AS file_last_access_time,
     datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
-    datetime(f.ctime, 'unixepoch') AS file_last_status change_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
     datetime(f.btime, 'unixepoch') AS file_created_time,
     f.size AS size_bytes
 FROM
@@ -51,7 +51,27 @@ WHERE
     OR f.path LIKE "/home/%/.ssh/%"
     OR f.path LIKE "/etc/ssh/%"
     OR f.path LIKE "/etc/ssh/sshd_config.d/%"
-    OR f.path LIKE "/etc/ssh/ssh_config.d/%"
+    OR f.path LIKE "/usr/sbin/.ssh/%"
+    OR f.path LIKE "/bin/.ssh/%"
+    OR f.path LIKE "/usr/games/.ssh/%"
+    OR f.path LIKE "/var/cache/man/.ssh/%"
+    OR f.path LIKE "/var/mail/.ssh/%"
+    OR f.path LIKE "/var/spool/news/.ssh/%"
+    OR f.path LIKE "/var/spool/lpd/.ssh/%"
+    OR f.path LIKE "/var/backups/.ssh/%"
+    OR f.path LIKE "/var/list/.ssh/%"
+    OR f.path LIKE "/run/ircd/.ssh/%"
+    OR f.path LIKE "/var/lib/gnats/.ssh/%"
+    OR f.path LIKE "/nonexistent/.ssh/%"
+    OR f.path LIKE "/run/systemd/.ssh/%"
+    OR f.path LIKE "/var/cache/pollinate/.ssh/%"
+    OR f.path LIKE "/run/sshd/.ssh/%"
+    OR f.path LIKE "/home/syslog/.ssh/%"
+    OR f.path LIKE "/run/uuidd/.ssh/%"
+    OR f.path LIKE "/var/lib/tpm/.ssh/%"
+    OR f.path LIKE "/var/lib/landscape/.ssh/%"
+    OR f.path LIKE "/var/lib/usbmux/.ssh/%"
+    OR f.path LIKE "/var/snap/lxd/common/lxd/.ssh/%";
 ```
 
 ```sql

hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml

@@ -37,7 +37,7 @@ SELECT
     g.groupname AS group_owner,
     datetime(f.atime, 'unixepoch') AS file_last_access_time,
     datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
-    datetime(f.ctime, 'unixepoch') AS file_last_status change_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
     datetime(f.btime, 'unixepoch') AS file_created_time,
     f.size AS size_bytes
 FROM
@@ -51,7 +51,27 @@ WHERE
     OR f.path LIKE "/home/%/.ssh/%"
     OR f.path LIKE "/etc/ssh/%"
     OR f.path LIKE "/etc/ssh/sshd_config.d/%"
-    OR f.path LIKE "/etc/ssh/ssh_config.d/%"
+    OR f.path LIKE "/usr/sbin/.ssh/%"
+    OR f.path LIKE "/bin/.ssh/%"
+    OR f.path LIKE "/usr/games/.ssh/%"
+    OR f.path LIKE "/var/cache/man/.ssh/%"
+    OR f.path LIKE "/var/mail/.ssh/%"
+    OR f.path LIKE "/var/spool/news/.ssh/%"
+    OR f.path LIKE "/var/spool/lpd/.ssh/%"
+    OR f.path LIKE "/var/backups/.ssh/%"
+    OR f.path LIKE "/var/list/.ssh/%"
+    OR f.path LIKE "/run/ircd/.ssh/%"
+    OR f.path LIKE "/var/lib/gnats/.ssh/%"
+    OR f.path LIKE "/nonexistent/.ssh/%"
+    OR f.path LIKE "/run/systemd/.ssh/%"
+    OR f.path LIKE "/var/cache/pollinate/.ssh/%"
+    OR f.path LIKE "/run/sshd/.ssh/%"
+    OR f.path LIKE "/home/syslog/.ssh/%"
+    OR f.path LIKE "/run/uuidd/.ssh/%"
+    OR f.path LIKE "/var/lib/tpm/.ssh/%"
+    OR f.path LIKE "/var/lib/landscape/.ssh/%"
+    OR f.path LIKE "/var/lib/usbmux/.ssh/%"
+    OR f.path LIKE "/var/snap/lxd/common/lxd/.ssh/%";
 ''',
 '''
 from logs-endpoint.events.process-*

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.14"
+version = "0.3.15"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"