diff --git a/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md b/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md
index 1d53cae90..f27a8a87d 100644
--- a/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md
+++ b/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md
@@ -37,7 +37,7 @@ SELECT
 g.groupname AS group_owner,
 datetime(f.atime, 'unixepoch') AS file_last_access_time,
 datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
- datetime(f.ctime, 'unixepoch') AS file_last_status change_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
 datetime(f.btime, 'unixepoch') AS file_created_time,
 f.size AS size_bytes
 FROM
@@ -51,7 +51,27 @@ WHERE
 OR f.path LIKE "/home/%/.ssh/%"
 OR f.path LIKE "/etc/ssh/%"
 OR f.path LIKE "/etc/ssh/sshd_config.d/%"
- OR f.path LIKE "/etc/ssh/ssh_config.d/%"
+ OR f.path LIKE "/usr/sbin/.ssh/%"
+ OR f.path LIKE "/bin/.ssh/%"
+ OR f.path LIKE "/usr/games/.ssh/%"
+ OR f.path LIKE "/var/cache/man/.ssh/%"
+ OR f.path LIKE "/var/mail/.ssh/%"
+ OR f.path LIKE "/var/spool/news/.ssh/%"
+ OR f.path LIKE "/var/spool/lpd/.ssh/%"
+ OR f.path LIKE "/var/backups/.ssh/%"
+ OR f.path LIKE "/var/list/.ssh/%"
+ OR f.path LIKE "/run/ircd/.ssh/%"
+ OR f.path LIKE "/var/lib/gnats/.ssh/%"
+ OR f.path LIKE "/nonexistent/.ssh/%"
+ OR f.path LIKE "/run/systemd/.ssh/%"
+ OR f.path LIKE "/var/cache/pollinate/.ssh/%"
+ OR f.path LIKE "/run/sshd/.ssh/%"
+ OR f.path LIKE "/home/syslog/.ssh/%"
+ OR f.path LIKE "/run/uuidd/.ssh/%"
+ OR f.path LIKE "/var/lib/tpm/.ssh/%"
+ OR f.path LIKE "/var/lib/landscape/.ssh/%"
+ OR f.path LIKE "/var/lib/usbmux/.ssh/%"
+ OR f.path LIKE "/var/snap/lxd/common/lxd/.ssh/%";
 ```
 
 ```sql
diff --git a/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml b/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml
index 1463ea385..bea237fc5 100644
--- a/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml
+++ b/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml
@@ -37,7 +37,7 @@ SELECT
 g.groupname AS group_owner,
 datetime(f.atime, 'unixepoch') AS file_last_access_time,
 datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
- datetime(f.ctime, 'unixepoch') AS file_last_status change_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
 datetime(f.btime, 'unixepoch') AS file_created_time,
 f.size AS size_bytes
 FROM
@@ -51,7 +51,27 @@ WHERE
 OR f.path LIKE "/home/%/.ssh/%"
 OR f.path LIKE "/etc/ssh/%"
 OR f.path LIKE "/etc/ssh/sshd_config.d/%"
- OR f.path LIKE "/etc/ssh/ssh_config.d/%"
+ OR f.path LIKE "/usr/sbin/.ssh/%"
+ OR f.path LIKE "/bin/.ssh/%"
+ OR f.path LIKE "/usr/games/.ssh/%"
+ OR f.path LIKE "/var/cache/man/.ssh/%"
+ OR f.path LIKE "/var/mail/.ssh/%"
+ OR f.path LIKE "/var/spool/news/.ssh/%"
+ OR f.path LIKE "/var/spool/lpd/.ssh/%"
+ OR f.path LIKE "/var/backups/.ssh/%"
+ OR f.path LIKE "/var/list/.ssh/%"
+ OR f.path LIKE "/run/ircd/.ssh/%"
+ OR f.path LIKE "/var/lib/gnats/.ssh/%"
+ OR f.path LIKE "/nonexistent/.ssh/%"
+ OR f.path LIKE "/run/systemd/.ssh/%"
+ OR f.path LIKE "/var/cache/pollinate/.ssh/%"
+ OR f.path LIKE "/run/sshd/.ssh/%"
+ OR f.path LIKE "/home/syslog/.ssh/%"
+ OR f.path LIKE "/run/uuidd/.ssh/%"
+ OR f.path LIKE "/var/lib/tpm/.ssh/%"
+ OR f.path LIKE "/var/lib/landscape/.ssh/%"
+ OR f.path LIKE "/var/lib/usbmux/.ssh/%"
+ OR f.path LIKE "/var/snap/lxd/common/lxd/.ssh/%";
 ''',
 '''
 from logs-endpoint.events.process-*
diff --git a/pyproject.toml b/pyproject.toml
index e30ccf5b7..3a97802a2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.14"
+version = "0.3.15"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
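Review bot: The 21 new `OR f.path LIKE ".../.ssh/%"` lines in the second hunk hard-code one distribution's default service-account home directories (`/var/lib/landscape`, `/var/cache/pollinate`, `/var/snap/lxd`, `/run/ircd`, `/var/lib/gnats` look Debian/Ubuntu-specific), so an `authorized_keys` planted under a service account on another distribution, or under a locally created account with a non-`/home` directory, is still not hunted. A more durable shape is to derive the directories from osquery's `users` table instead of enumerating them, e.g. `CROSS JOIN users AS u` with the predicate `f.path LIKE u.directory || '/.ssh/%'` (worth validating that the `file` table accepts the join-supplied path constraint); that also makes the added `/home/syslog/.ssh/%` unnecessary, since the existing `/home/%/.ssh/%` already matches it. The hunk also removes `/etc/ssh/ssh_config.d/%`, and if this is osquery's `file` table, where `%` matches a single path component, `/etc/ssh/%` does not descend into that directory, so client-side drop-ins (`ProxyCommand`/`LocalCommand` persistence) fall out of scope; if that is intentional, a one-line comment saying so in the query would prevent it being re-added later. The enclosing SELECT, including its FROM/JOIN clauses and the start of the WHERE clause, lies outside the hunk.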