Terrance DeJesus
f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
99 lines
3.7 KiB
TOML
99 lines
3.7 KiB
TOML
[hunt]
|
|
author = "Elastic"
|
|
description = """
|
|
This hunt identifies potential persistence mechanisms via modifications to shell profile files on Linux systems. It monitors file creation or modification events in system-wide and user-specific profile files, which can indicate attempts to establish persistence through shell modifications. It also monitors processes started by SSH daemons to detect suspicious activity related to SSH logins.
|
|
"""
|
|
integration = ["endpoint"]
|
|
uuid = "20a02fad-2a09-44c0-a8ce-ce4502859c8a"
|
|
name = "Shell Modification Persistence"
|
|
language = ["ES|QL", "SQL"]
|
|
license = "Elastic License v2"
|
|
notes = [
|
|
"Monitors for file creation or modification events in system-wide and user-specific profile files, such as /etc/profile, /etc/bash.bashrc, /home/*/.bashrc, and others.",
|
|
"Excludes modifications made by expected update processes such as package managers to reduce false positives.",
|
|
"Uses EVAL to tag potential persistence events and counts occurrences to identify unusual activity.",
|
|
"Monitors processes started by SSH daemons (sshd) to detect suspicious activity related to SSH logins.",
|
|
"OSQuery query is provided to retrieve detailed file information related to profile files."
|
|
]
|
|
mitre = ["T1546.004", "T1053.005"]
|
|
|
|
query = [
|
|
'''
|
|
from logs-endpoint.events.file-*
|
|
| where @timestamp > now() - 30 day
|
|
| where host.os.type == "linux" and event.type in ("creation", "change") and (
|
|
|
|
// System-wide profile files
|
|
file.path in ("/etc/profile", "/etc/bash.bashrc", "/etc/bash.bash_logout") or
|
|
file.path like "/etc/profile.d/*" or
|
|
|
|
// User-specific profile files
|
|
file.path like "/home/*/.profile" or
|
|
file.path like "/home/*/.bash_profile" or
|
|
file.path like "/home/*/.bash_login" or
|
|
file.path like "/home/*/.bash_logout" or
|
|
file.path like "/home/*/.bashrc"
|
|
) and not (
|
|
process.name in (
|
|
"dpkg", "dockerd", "yum", "dnf", "snapd", "pacman", "pamac-daemon", "microdnf", "podman", "apk"
|
|
) or
|
|
process.executable == "/proc/self/exe" or
|
|
process.executable like "/dev/fd/*" or
|
|
file.extension in ("dpkg-remove", "swx", "swp")
|
|
)
|
|
| eval persistence = case(
|
|
// System-wide profile files
|
|
file.path in ("/etc/profile", "/etc/bash.bashrc", "/etc/bash.bash_logout") or
|
|
file.path like "/etc/profile.d/*" or
|
|
|
|
// User-specific profile files
|
|
file.path like "/home/*/.profile" or
|
|
file.path like "/home/*/.bash_profile" or
|
|
file.path like "/home/*/.bash_login" or
|
|
file.path like "/home/*/.bash_logout" or
|
|
file.path like "/home/*/.bashrc",
|
|
process.name,
|
|
null
|
|
)
|
|
| stats pers_count = count(persistence) by process.executable, file.path
|
|
| where pers_count > 0 and pers_count <= 20
|
|
| sort pers_count asc
|
|
| limit 100
|
|
''',
|
|
'''
|
|
from logs-endpoint.events.process-*
|
|
| where @timestamp > now() - 30 day
|
|
| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "sshd"
|
|
| stats cc = count(*) by process.command_line
|
|
| where cc <= 20
|
|
| sort cc asc
|
|
| limit 100
|
|
''',
|
|
'''
|
|
SELECT
|
|
f.filename,
|
|
f.path,
|
|
u.username AS file_owner,
|
|
g.groupname AS group_owner,
|
|
datetime(f.atime, 'unixepoch') AS file_last_access_time,
|
|
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
|
|
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
|
|
datetime(f.btime, 'unixepoch') AS file_created_time,
|
|
f.size AS size_bytes
|
|
FROM
|
|
file f
|
|
LEFT JOIN
|
|
users u ON f.uid = u.uid
|
|
LEFT JOIN
|
|
groups g ON f.gid = g.gid
|
|
WHERE
|
|
f.path IN ("/etc/profile", "/etc/bash.bashrc", "/etc/bash.bash_logout")
|
|
OR f.path LIKE "/etc/profile.d/%"
|
|
OR f.path LIKE "/home/%/.profile"
|
|
OR f.path LIKE "/home/%/.bash_profile"
|
|
OR f.path LIKE "/home/%/.bash_login"
|
|
OR f.path LIKE "/home/%/.bash_logout"
|
|
OR f.path LIKE "/home/%/.bashrc"
|
|
'''
|
|
]
|