f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
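# Hunt definition consumed by the hunting doc generator: metadata plus a list of
# osquery SQL statements run on Linux endpoints to enumerate shadow entries,
# UID-0 accounts, a named account, its sessions, and per-user processes.
[hunt]
author = "Elastic"
description = """
This hunt identifies user and group creation or modification activities on Linux systems using OSQuery. It monitors changes to the shadow file, user and group information, and user processes. These activities can indicate potential unauthorized access or privilege escalation attempts. The hunt lists detailed information for further analysis and investigation.
"""
integration = ["endpoint"]
uuid = "f00c9757-d21b-432c-90a6-8372f18075d0"
name = "Privilege Escalation/Persistence via User/Group Creation and/or Modification"
language = ["SQL"]
license = "Elastic License v2"
notes = [
"Monitors changes to the shadow file and user/group information using OSQuery to detect potentially unauthorized access or privilege escalation attempts.",
"Lists detailed information about users, including authentication status and running processes.",
"Requires additional data analysis and investigation into results to identify malicious or unauthorized user and group modifications."
]
# T1136 Create Account, with its local-account (.001) and domain-account (.002) sub-techniques.
mitre = ["T1136", "T1136.001", "T1136.002"]

# osquery SQL (SQLite dialect). String literals use single quotes: in SQL,
# double quotes denote identifiers, and SQLite only falls back to treating
# "..." as a string when no column of that name exists (a legacy behaviour
# that builds can disable), so 'locked' is portable while "locked" is not.
query = [
'''
SELECT * FROM shadow
''',
'''
SELECT * FROM shadow
WHERE password_status != 'locked'
''',
'''
SELECT username, gid, uid, shell, description FROM users
WHERE username != 'root' AND uid = 0
''',
'''
SELECT * FROM users WHERE username = 'newuser'
''',
'''
SELECT * FROM logged_in_users WHERE user = 'newuser'
''',
'''
SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username
'''
]
# NOTE(review): 'newuser' in the two queries above looks like a placeholder;
# substitute the account name under investigation before running the hunt.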