From e822af47a496084beb698f905e6d28d300488cc9 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Mon, 13 Jan 2025 16:53:09 +0100
Subject: [PATCH] [Hunt Tuning] Persistence via SSH Configurations and/or Keys (#4351) * [Hunt Tuning] Persistence via SSH Configurations and/or Keys * ++ * Revert "Merge branch 'main' into hunt-update-ssh-authorized-keys" This reverts commit 2b31a3bb49e51a4c9f4752ad6880c3f398032b4e, reversing changes made to 263ffd5eb98f53282850b4f777df4091f3f03926. * ++ * Update pyproject.toml
---
 ...istence_via_ssh_configurations_and_keys.md | 24 +++++++++++++++++--
 ...tence_via_ssh_configurations_and_keys.toml | 24 +++++++++++++++++--
 pyproject.toml | 2 +-
 3 files changed, 45 insertions(+), 5 deletions(-)
diff --git a/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md b/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md
index 1d53cae90..f27a8a87d 100644
--- a/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md
+++ b/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md
@@ -37,7 +37,7 @@ SELECT
 g.groupname AS group_owner,
 datetime(f.atime, 'unixepoch') AS file_last_access_time,
 datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
- datetime(f.ctime, 'unixepoch') AS file_last_status change_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
 datetime(f.btime, 'unixepoch') AS file_created_time,
 f.size AS size_bytes
 FROM
@@ -51,7 +51,27 @@ WHERE OR f.path LIKE "/home/%/.ssh/%" OR f.path LIKE "/etc/ssh/%" OR f.path LIKE "/etc/ssh/sshd_config.d/%" - OR f.path LIKE "/etc/ssh/ssh_config.d/%" + OR f.path LIKE "/usr/sbin/.ssh/%" + OR f.path LIKE "/bin/.ssh/%" + OR f.path LIKE "/usr/games/.ssh/%" + OR f.path LIKE "/var/cache/man/.ssh/%" + OR f.path LIKE "/var/mail/.ssh/%" + OR f.path LIKE "/var/spool/news/.ssh/%" + OR f.path LIKE "/var/spool/lpd/.ssh/%" + OR f.path LIKE "/var/backups/.ssh/%" + OR f.path LIKE "/var/list/.ssh/%" + OR f.path LIKE "/run/ircd/.ssh/%" + OR f.path LIKE "/var/lib/gnats/.ssh/%" + OR f.path LIKE "/nonexistent/.ssh/%" + OR f.path LIKE "/run/systemd/.ssh/%" + OR f.path LIKE "/var/cache/pollinate/.ssh/%" + OR f.path LIKE "/run/sshd/.ssh/%" + OR f.path LIKE "/home/syslog/.ssh/%" + OR f.path LIKE "/run/uuidd/.ssh/%" + OR f.path LIKE "/var/lib/tpm/.ssh/%" + OR f.path LIKE "/var/lib/landscape/.ssh/%" + OR f.path LIKE "/var/lib/usbmux/.ssh/%" + OR f.path LIKE "/var/snap/lxd/common/lxd/.ssh/%"; ``` ```sql diff --git a/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml b/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml index 1463ea385..bea237fc5 100644 --- a/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml +++ b/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml @@ -37,7 +37,7 @@ SELECT g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, - datetime(f.ctime, 'unixepoch') AS file_last_status change_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM 
@@ -51,7 +51,27 @@ WHERE
 OR f.path LIKE "/home/%/.ssh/%"
 OR f.path LIKE "/etc/ssh/%"
 OR f.path LIKE "/etc/ssh/sshd_config.d/%"
- OR f.path LIKE "/etc/ssh/ssh_config.d/%"
+ OR f.path LIKE "/usr/sbin/.ssh/%"
+ OR f.path LIKE "/bin/.ssh/%"
+ OR f.path LIKE "/usr/games/.ssh/%"
+ OR f.path LIKE "/var/cache/man/.ssh/%"
+ OR f.path LIKE "/var/mail/.ssh/%"
+ OR f.path LIKE "/var/spool/news/.ssh/%"
+ OR f.path LIKE "/var/spool/lpd/.ssh/%"
+ OR f.path LIKE "/var/backups/.ssh/%"
+ OR f.path LIKE "/var/list/.ssh/%"
+ OR f.path LIKE "/run/ircd/.ssh/%"
+ OR f.path LIKE "/var/lib/gnats/.ssh/%"
+ OR f.path LIKE "/nonexistent/.ssh/%"
+ OR f.path LIKE "/run/systemd/.ssh/%"
+ OR f.path LIKE "/var/cache/pollinate/.ssh/%"
+ OR f.path LIKE "/run/sshd/.ssh/%"
+ OR f.path LIKE "/home/syslog/.ssh/%"
+ OR f.path LIKE "/run/uuidd/.ssh/%"
+ OR f.path LIKE "/var/lib/tpm/.ssh/%"
+ OR f.path LIKE "/var/lib/landscape/.ssh/%"
+ OR f.path LIKE "/var/lib/usbmux/.ssh/%"
+ OR f.path LIKE "/var/snap/lxd/common/lxd/.ssh/%";
 ''',
 '''
 from logs-endpoint.events.process-*
diff --git a/pyproject.toml b/pyproject.toml
index e30ccf5b7..3a97802a2 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.14"
+version = "0.3.15"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
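Review bot: The new WHERE clause loses coverage of `/etc/ssh/ssh_config.d/%`: the removed line was the only predicate for that system-wide ssh_config drop-in directory and none of the 21 added predicates restores it, so a file written there no longer surfaces in this hunt even though `/etc/ssh/sshd_config.d/%` on the context line above still does. If that narrowing is unintended, keep `OR f.path LIKE "/etc/ssh/ssh_config.d/%"` next to the new entries; the hunk in hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md carries the same list and needs the same fix. The added `/home/syslog/.ssh/%` predicate is subsumed by the existing `/home/%/.ssh/%` on the first context line and can be dropped. The added home directories appear distribution-specific (presumably Debian/Ubuntu service-account defaults), so a one-line comment naming the source of the list, e.g. `-- service-account homes from a default Debian/Ubuntu /etc/passwd; extend for other distributions`, would tell maintainers how to keep it current. The enclosing WHERE clause starts before the hunk.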