-
Notifications
You must be signed in to change notification settings - Fork 522
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Hunt] Persistence via Desktop Bus (D-Bus) (#4407)
(cherry picked from commit 8024191)
- Loading branch information
1 parent
d157c13
commit f854c21
Showing
4 changed files
with
179 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| # Persistence via Desktop Bus (D-Bus) | ||
|
|
||
| --- | ||
|
|
||
| ## Metadata | ||
|
|
||
| - **Author:** Elastic | ||
| - **Description:** This hunt identifies potential persistence mechanisms leveraging the Desktop Bus (D-Bus) system on Linux. D-Bus is an inter-process communication (IPC) system that facilitates communication between various system components and applications. Attackers can exploit D-Bus by creating or modifying services, configuration files, or system policies to maintain persistence or execute unauthorized actions. This hunt monitors suspicious process activity related to D-Bus, tracks changes to key D-Bus configuration and service files, and retrieves metadata for further analysis. The approach helps analysts identify and respond to persistence techniques targeting D-Bus. | ||
|
|
||
| - **UUID:** `2223bbda-b931-4f33-aeb4-0e0732a370dd` | ||
| - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) | ||
| - **Language:** `[ES|QL, SQL]` | ||
| - **Source File:** [Persistence via Desktop Bus (D-Bus)](../queries/persistence_via_desktop_bus.toml) | ||
|
|
||
| ## Query | ||
|
|
||
| ```sql | ||
| sql | ||
| from logs-endpoint.events.process-* | ||
| | keep @timestamp, host.os.type, event.type, event.action, process.name, process.parent.name, process.command_line, process.executable, process.parent.executable, agent.id | ||
| | where @timestamp > now() - 30 day | ||
| | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( | ||
| process.parent.name == "dbus-daemon" or process.name == "dbus-send" | ||
| ) | ||
| | stats cc = count(), agent_count = count_distinct(agent.id) by process.command_line, process.executable, process.parent.executable | ||
| | where agent_count <= 3 and cc < 15 | ||
| | sort cc asc | ||
| | limit 100 | ||
| ``` | ||
|
|
||
| ```sql | ||
| sql | ||
| from logs-endpoint.events.file-* | ||
| | keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id | ||
| | where @timestamp > now() - 30 day | ||
| | where host.os.type == "linux" and event.type in ("creation", "change") and ( | ||
| file.path like "/usr/share/dbus-1/*" or | ||
| file.path like "/usr/local/share/dbus-1/*" or | ||
| file.path like "/etc/dbus-1/*" or | ||
| file.path like "/home/*/.local/share/dbus-1/*" | ||
| ) and not ( | ||
| file.extension in ("swp", "dpkg-new") or | ||
| process.name in ("dnf", "yum", "dpkg") | ||
| ) | ||
| | stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable | ||
| | where agent_count <= 3 | ||
| | sort cc asc | ||
| | limit 100 | ||
| ``` | ||
|
|
||
| ```sql | ||
| sql | ||
| SELECT | ||
| f.filename, | ||
| f.path, | ||
| u.username AS file_owner, | ||
| g.groupname AS group_owner, | ||
| datetime(f.atime, 'unixepoch') AS file_last_access_time, | ||
| datetime(f.mtime, 'unixepoch') AS file_last_modified_time, | ||
| datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, | ||
| datetime(f.btime, 'unixepoch') AS file_created_time, | ||
| f.size AS size_bytes | ||
| FROM | ||
| file f | ||
| LEFT JOIN | ||
| users u ON f.uid = u.uid | ||
| LEFT JOIN | ||
| groups g ON f.gid = g.gid | ||
| WHERE ( | ||
| f.path LIKE '/usr/share/dbus-1/system-services/%' | ||
| OR f.path LIKE '/usr/local/share/dbus-1/system-services/%' | ||
| OR f.path LIKE '/etc/dbus-1/system.d/%' | ||
| OR f.path LIKE '/usr/share/dbus-1/system.d/%' | ||
| OR f.path LIKE '/usr/share/dbus-1/session-services/%' | ||
| OR f.path LIKE '/home/%/.local/share/dbus-1/services/%' | ||
| OR f.path LIKE '/etc/dbus-1/session.d/%' | ||
| OR f.path LIKE '/usr/share/dbus-1/session.d/%' | ||
| ) | ||
| AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days | ||
| ``` | ||
|
|
||
| ## Notes | ||
|
|
||
| - Monitors processes related to D-Bus, such as `dbus-daemon` and `dbus-send`, to identify unauthorized or anomalous executions indicative of persistence or abuse. | ||
| - Tracks creations and modifications to critical D-Bus directories, including `/usr/share/dbus-1/`, `/usr/local/share/dbus-1/`, `/etc/dbus-1/`, and `~/.local/share/dbus-1/`, which may indicate malicious activity. | ||
| - Retrieves metadata for D-Bus service and configuration files, such as file ownership, access times, and modification timestamps, to detect unauthorized changes. | ||
| - Focuses on recent changes within the last 7 days to identify timely indicators of compromise while maintaining historical context for analysis. | ||
|
|
||
| ## MITRE ATT&CK Techniques | ||
|
|
||
| - [T1543](https://attack.mitre.org/techniques/T1543) | ||
|
|
||
| ## License | ||
|
|
||
| - `Elastic License v2` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| [hunt] | ||
| author = "Elastic" | ||
| description = """ | ||
| This hunt identifies potential persistence mechanisms leveraging the Desktop Bus (D-Bus) system on Linux. D-Bus is an inter-process communication (IPC) system that facilitates communication between various system components and applications. Attackers can exploit D-Bus by creating or modifying services, configuration files, or system policies to maintain persistence or execute unauthorized actions. This hunt monitors suspicious process activity related to D-Bus, tracks changes to key D-Bus configuration and service files, and retrieves metadata for further analysis. The approach helps analysts identify and respond to persistence techniques targeting D-Bus. | ||
| """ | ||
| integration = ["endpoint"] | ||
| uuid = "2223bbda-b931-4f33-aeb4-0e0732a370dd" | ||
| name = "Persistence via Desktop Bus (D-Bus)" | ||
| language = ["ES|QL", "SQL"] | ||
| license = "Elastic License v2" | ||
| notes = [ | ||
| "Monitors processes related to D-Bus, such as `dbus-daemon` and `dbus-send`, to identify unauthorized or anomalous executions indicative of persistence or abuse.", | ||
| "Tracks creations and modifications to critical D-Bus directories, including `/usr/share/dbus-1/`, `/usr/local/share/dbus-1/`, `/etc/dbus-1/`, and `~/.local/share/dbus-1/`, which may indicate malicious activity.", | ||
| "Retrieves metadata for D-Bus service and configuration files, such as file ownership, access times, and modification timestamps, to detect unauthorized changes.", | ||
| "Focuses on recent changes within the last 7 days to identify timely indicators of compromise while maintaining historical context for analysis." | ||
| ] | ||
| mitre = ["T1543"] | ||
| query = [ | ||
| '''sql | ||
| from logs-endpoint.events.process-* | ||
| | keep @timestamp, host.os.type, event.type, event.action, process.name, process.parent.name, process.command_line, process.executable, process.parent.executable, agent.id | ||
| | where @timestamp > now() - 30 day | ||
| | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( | ||
| process.parent.name == "dbus-daemon" or process.name == "dbus-send" | ||
| ) | ||
| | stats cc = count(), agent_count = count_distinct(agent.id) by process.command_line, process.executable, process.parent.executable | ||
| | where agent_count <= 3 and cc < 15 | ||
| | sort cc asc | ||
| | limit 100 | ||
| ''', | ||
| '''sql | ||
| from logs-endpoint.events.file-* | ||
| | keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id | ||
| | where @timestamp > now() - 30 day | ||
| | where host.os.type == "linux" and event.type in ("creation", "change") and ( | ||
| file.path like "/usr/share/dbus-1/*" or | ||
| file.path like "/usr/local/share/dbus-1/*" or | ||
| file.path like "/etc/dbus-1/*" or | ||
| file.path like "/home/*/.local/share/dbus-1/*" | ||
| ) and not ( | ||
| file.extension in ("swp", "dpkg-new") or | ||
| process.name in ("dnf", "yum", "dpkg") | ||
| ) | ||
| | stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable | ||
| | where agent_count <= 3 | ||
| | sort cc asc | ||
| | limit 100 | ||
| ''', | ||
| '''sql | ||
| SELECT | ||
| f.filename, | ||
| f.path, | ||
| u.username AS file_owner, | ||
| g.groupname AS group_owner, | ||
| datetime(f.atime, 'unixepoch') AS file_last_access_time, | ||
| datetime(f.mtime, 'unixepoch') AS file_last_modified_time, | ||
| datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, | ||
| datetime(f.btime, 'unixepoch') AS file_created_time, | ||
| f.size AS size_bytes | ||
| FROM | ||
| file f | ||
| LEFT JOIN | ||
| users u ON f.uid = u.uid | ||
| LEFT JOIN | ||
| groups g ON f.gid = g.gid | ||
| WHERE ( | ||
| f.path LIKE '/usr/share/dbus-1/system-services/%' | ||
| OR f.path LIKE '/usr/local/share/dbus-1/system-services/%' | ||
| OR f.path LIKE '/etc/dbus-1/system.d/%' | ||
| OR f.path LIKE '/usr/share/dbus-1/system.d/%' | ||
| OR f.path LIKE '/usr/share/dbus-1/session-services/%' | ||
| OR f.path LIKE '/home/%/.local/share/dbus-1/services/%' | ||
| OR f.path LIKE '/etc/dbus-1/session.d/%' | ||
| OR f.path LIKE '/usr/share/dbus-1/session.d/%' | ||
| ) | ||
| AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days | ||
| ''' | ||
| ] |