conflict resolution for upstream pull

hunting/index.md

@@ -30,6 +30,7 @@ Here are the queries currently available:
 - [Defense Evasion via Capitalized Process Execution](./linux/docs/defense_evasion_via_capitalized_process_execution.md) (ES|QL)
 - [Drivers Load with Low Occurrence Frequency](./linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md) (ES|QL)
 - [Excessive SSH Network Activity to Unique Destinations](./linux/docs/excessive_ssh_network_activity_unique_destinations.md) (ES|QL)
+- [General Kernel Manipulation](./linux/docs/persistence_general_kernel_manipulation.md) (ES|QL)
 - [Git Hook/Pager Persistence](./linux/docs/persistence_via_git_hook_pager.md) (ES|QL)
 - [Hidden Process Execution](./linux/docs/defense_evasion_via_hidden_process_execution.md) (ES|QL)
 - [Logon Activity by Source IP](./linux/docs/login_activity_by_source_address.md) (ES|QL)
@@ -42,6 +43,7 @@ Here are the queries currently available:
 - [Persistence Through Reverse/Bind Shells](./linux/docs/persistence_reverse_bind_shells.md) (ES|QL)
 - [Persistence via Cron](./linux/docs/persistence_via_cron.md) (ES|QL)
 - [Persistence via DPKG/RPM Package](./linux/docs/persistence_via_rpm_dpkg_installer_packages.md) (ES|QL)
+- [Persistence via Desktop Bus (D-Bus)](./linux/docs/persistence_via_desktop_bus.md) (ES|QL)
 - [Persistence via Docker Container](./linux/docs/persistence_via_malicious_docker_container.md) (ES|QL)
 - [Persistence via Dynamic Linker Hijacking](./linux/docs/persistence_via_dynamic_linker_hijacking.md) (ES|QL)
 - [Persistence via GRUB Bootloader](./linux/docs/persistence_via_grub_bootloader.md) (ES|QL)
@@ -50,6 +52,7 @@ Here are the queries currently available:
 - [Persistence via Message-of-the-Day](./linux/docs/persistence_via_message_of_the_day.md) (ES|QL)
 - [Persistence via Package Manager](./linux/docs/persistence_via_package_manager.md) (ES|QL)
 - [Persistence via Pluggable Authentication Modules (PAM)](./linux/docs/persistence_via_pluggable_authentication_module.md) (ES|QL)
+- [Persistence via PolicyKit](./linux/docs/persistence_via_policykit.md) (ES|QL)
 - [Persistence via SSH Configurations and/or Keys](./linux/docs/persistence_via_ssh_configurations_and_keys.md) (ES|QL)
 - [Persistence via System V Init](./linux/docs/persistence_via_sysv_init.md) (ES|QL)
 - [Persistence via Systemd (Timers)](./linux/docs/persistence_via_systemd_timers.md) (ES|QL)

hunting/index.yml

@@ -250,6 +250,21 @@ linux:
     path: ./linux/queries/persistence_via_malicious_docker_container.toml
     mitre:
     - T1610
+  2223bbda-b931-4f33-aeb4-0e0732a370dd:
+    name: Persistence via Desktop Bus (D-Bus)
+    path: ./linux/queries/persistence_via_desktop_bus.toml
+    mitre:
+    - T1543
+  4e8a17d3-9139-4b45-86d5-79e8d1eba71e:
+    name: Persistence via PolicyKit
+    path: ./linux/queries/persistence_via_policykit.toml
+    mitre:
+    - T1543
+  9997c6fb-4e01-477f-9011-fc7fc6b000b6:
+    name: General Kernel Manipulation
+    path: ./linux/queries/persistence_general_kernel_manipulation.toml
+    mitre:
+    - T1542
   1206f5e2-aee6-4e5c-bda0-718fe440b1cf:
     name: Persistence via Initramfs
     path: ./linux/queries/persistence_via_initramfs.toml

hunting/linux/docs/persistence_general_kernel_manipulation.md

@@ -0,0 +1,98 @@
+# General Kernel Manipulation
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt focuses on detecting general kernel and bootloader manipulations on Linux systems, which are critical for system integrity and security. Attackers may target kernel components, bootloader configurations, or secure boot settings to establish persistence or compromise the system at a low level. By monitoring changes to `/boot/` files, examining kernel and platform information, and detecting processes spawned by `systemd`, this hunt provides visibility into potential kernel and boot-related threats. The combination of ES|QL and OSQuery queries ensures robust detection and hunting capabilities for kernel manipulation and persistence attempts.
+
+- **UUID:** `9997c6fb-4e01-477f-9011-fc7fc6b000b6`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[ES|QL, SQL]`
+- **Source File:** [General Kernel Manipulation](../queries/persistence_general_kernel_manipulation.toml)
+
+## Query
+
+```sql
+sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/boot/*" and
+not file.extension in ("dpkg-new", "swp")
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3 and cc <= 5
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, process.executable, process.command_line, process.parent.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and process.parent.name == "systemd"
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.command_line
+| where agent_count <= 3 and cc < 25
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE f.path LIKE '/boot/%'
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+```
+
+```sql
+sql
+SELECT * FROM kernel_info;
+```
+
+```sql
+sql
+SELECT * FROM secureboot;
+```
+
+```sql
+sql
+SELECT * FROM platform_info;
+```
+
+```sql
+sql
+SELECT * FROM kernel_keys;
+```
+
+## Notes
+
+- Tracks file creations and modifications within the `/boot/` directory to identify potential tampering with kernel or bootloader files, such as the kernel image, GRUB configuration, or Initramfs.
+- Monitors processes spawned by `systemd` with the `already_running` action to detect unusual behavior linked to kernel manipulations.
+- Retrieves metadata for kernel and boot-related files, including file ownership, last access times, and modification timestamps, to identify unauthorized changes.
+- Leverages OSQuery tables like `kernel_info`, `secureboot`, `platform_info`, and `kernel_keys` to gain insights into the system's boot and kernel integrity, ensuring comprehensive coverage of kernel manipulation activities.
+- Helps identify rare or anomalous events by providing statistics on processes and file activities, enabling analysts to detect subtle signs of compromise or persistence.
+
+## MITRE ATT&CK Techniques
+
+- [T1542](https://attack.mitre.org/techniques/T1542)
+
+## License
+
+- `Elastic License v2`

hunting/linux/docs/persistence_via_desktop_bus.md

@@ -0,0 +1,95 @@
+# Persistence via Desktop Bus (D-Bus)
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies potential persistence mechanisms leveraging the Desktop Bus (D-Bus) system on Linux. D-Bus is an inter-process communication (IPC) system that facilitates communication between various system components and applications. Attackers can exploit D-Bus by creating or modifying services, configuration files, or system policies to maintain persistence or execute unauthorized actions. This hunt monitors suspicious process activity related to D-Bus, tracks changes to key D-Bus configuration and service files, and retrieves metadata for further analysis. The approach helps analysts identify and respond to persistence techniques targeting D-Bus.
+
+- **UUID:** `2223bbda-b931-4f33-aeb4-0e0732a370dd`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[ES|QL, SQL]`
+- **Source File:** [Persistence via Desktop Bus (D-Bus)](../queries/persistence_via_desktop_bus.toml)
+
+## Query
+
+```sql
+sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.name, process.parent.name, process.command_line, process.executable, process.parent.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+  process.parent.name == "dbus-daemon" or process.name == "dbus-send"
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.command_line, process.executable, process.parent.executable
+| where agent_count <= 3 and cc < 15
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type in ("creation", "change") and (
+  file.path like "/usr/share/dbus-1/*" or
+  file.path like "/usr/local/share/dbus-1/*" or
+  file.path like "/etc/dbus-1/*" or
+  file.path like "/home/*/.local/share/dbus-1/*"
+) and not (
+  file.extension in ("swp", "dpkg-new") or
+  process.name in ("dnf", "yum", "dpkg")
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE (
+        f.path LIKE '/usr/share/dbus-1/system-services/%'
+        OR f.path LIKE '/usr/local/share/dbus-1/system-services/%'
+        OR f.path LIKE '/etc/dbus-1/system.d/%'
+        OR f.path LIKE '/usr/share/dbus-1/system.d/%'
+        OR f.path LIKE '/usr/share/dbus-1/session-services/%'
+        OR f.path LIKE '/home/%/.local/share/dbus-1/services/%'
+        OR f.path LIKE '/etc/dbus-1/session.d/%'
+        OR f.path LIKE '/usr/share/dbus-1/session.d/%'
+      )
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+```
+
+## Notes
+
+- Monitors processes related to D-Bus, such as `dbus-daemon` and `dbus-send`, to identify unauthorized or anomalous executions indicative of persistence or abuse.
+- Tracks creations and modifications to critical D-Bus directories, including `/usr/share/dbus-1/`, `/usr/local/share/dbus-1/`, `/etc/dbus-1/`, and `~/.local/share/dbus-1/`, which may indicate malicious activity.
+- Retrieves metadata for D-Bus service and configuration files, such as file ownership, access times, and modification timestamps, to detect unauthorized changes.
+- Focuses on recent changes within the last 7 days to identify timely indicators of compromise while maintaining historical context for analysis.
+
+## MITRE ATT&CK Techniques
+
+- [T1543](https://attack.mitre.org/techniques/T1543)
+
+## License
+
+- `Elastic License v2`

hunting/linux/docs/persistence_via_policykit.md

@@ -0,0 +1,79 @@
+# Persistence via PolicyKit
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies potential persistence mechanisms leveraging PolicyKit (Polkit) on Linux systems. PolicyKit is a system service used to manage system-wide privileges and is often targeted by attackers to escalate privileges or maintain persistence. By monitoring file creations and modifications in key PolicyKit directories and analyzing metadata for Polkit-related files, this hunt helps detect unauthorized changes or suspicious activities that may indicate malicious use of PolicyKit. It provides detailed insights into potentially compromised PolicyKit configurations, enabling analysts to identify and respond to this persistence technique.
+
+- **UUID:** `4e8a17d3-9139-4b45-86d5-79e8d1eba71e`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[ES|QL, SQL]`
+- **Source File:** [Persistence via PolicyKit](../queries/persistence_via_policykit.toml)
+
+## Query
+
+```sql
+sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type in ("creation", "change") and (
+  file.path like "/etc/polkit-1/rules.d/*" or
+  file.path like "/usr/share/polkit-1/rules.d/*" or
+  file.path like "/usr/share/polkit-1/actions/*" or
+  file.path like "/etc/polkit-1/localauthority/*" or
+  file.path like "/var/lib/polkit-1/localauthority/*"
+) and not (
+  file.extension in ("swp", "dpkg-new") or
+  process.name in ("dnf", "yum", "dpkg")
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE (
+        f.path = '/etc/polkit-1/rules.d/%'
+        OR f.path LIKE '/usr/share/polkit-1/rules.d/%'
+        OR f.path LIKE '/usr/share/polkit-1/actions/%'
+        OR f.path LIKE '/etc/polkit-1/localauthority/%%'
+        OR f.path LIKE '/var/lib/polkit-1/localauthority/%%'
+      )
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+```
+
+## Notes
+
+- Tracks file creations and modifications in PolicyKit-related directories such as `/etc/polkit-1/rules.d/`, `/usr/share/polkit-1/rules.d/`, `/usr/share/polkit-1/actions/`, and others to detect unauthorized additions or tampering.
+- Retrieves metadata for PolicyKit configuration files, including ownership, last access times, and modification timestamps, to identify unauthorized or suspicious changes.
+- Focuses on recent file modifications within the last 7 days to provide timely detection of potential malicious activities.
+- Helps detect rare or anomalous file modifications by correlating process execution with file activities, enabling analysts to identify subtle signs of compromise.
+
+## MITRE ATT&CK Techniques
+
+- [T1543](https://attack.mitre.org/techniques/T1543)
+
+## License
+
+- `Elastic License v2`

hunting/linux/queries/persistence_general_kernel_manipulation.toml

@@ -0,0 +1,73 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt focuses on detecting general kernel and bootloader manipulations on Linux systems, which are critical for system integrity and security. Attackers may target kernel components, bootloader configurations, or secure boot settings to establish persistence or compromise the system at a low level. By monitoring changes to `/boot/` files, examining kernel and platform information, and detecting processes spawned by `systemd`, this hunt provides visibility into potential kernel and boot-related threats. The combination of ES|QL and OSQuery queries ensures robust detection and hunting capabilities for kernel manipulation and persistence attempts.
+"""
+integration = ["endpoint"]
+uuid = "9997c6fb-4e01-477f-9011-fc7fc6b000b6"
+name = "General Kernel Manipulation"
+language = ["ES|QL", "SQL"]
+license = "Elastic License v2"
+notes = [
+    "Tracks file creations and modifications within the `/boot/` directory to identify potential tampering with kernel or bootloader files, such as the kernel image, GRUB configuration, or Initramfs.",
+    "Monitors processes spawned by `systemd` with the `already_running` action to detect unusual behavior linked to kernel manipulations.",
+    "Retrieves metadata for kernel and boot-related files, including file ownership, last access times, and modification timestamps, to identify unauthorized changes.",
+    "Leverages OSQuery tables like `kernel_info`, `secureboot`, `platform_info`, and `kernel_keys` to gain insights into the system's boot and kernel integrity, ensuring comprehensive coverage of kernel manipulation activities.",
+    "Helps identify rare or anomalous events by providing statistics on processes and file activities, enabling analysts to detect subtle signs of compromise or persistence."
+]
+mitre = ["T1542"]
+query = [
+'''sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/boot/*" and
+not file.extension in ("dpkg-new", "swp")
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3 and cc <= 5
+| sort cc asc
+| limit 100
+''',
+'''sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, process.executable, process.command_line, process.parent.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and process.parent.name == "systemd"
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.command_line
+| where agent_count <= 3 and cc < 25
+| sort cc asc
+| limit 100
+''',
+'''sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE f.path LIKE '/boot/%'
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+''',
+'''sql
+SELECT * FROM kernel_info;
+''',
+'''sql
+SELECT * FROM secureboot;
+''',
+'''sql
+SELECT * FROM platform_info;
+''',
+'''sql
+SELECT * FROM kernel_keys;
+''',
+]