From f854c216860eb663f24be762ed1b50201138058f Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 5 Feb 2025 16:45:17 +0100
Subject: [PATCH] [New Hunt] Persistence via Desktop Bus (D-Bus) (#4407)
(cherry picked from commit 802419178c0b92f6764de0114e68ecee8515dfb0)
---
 hunting/index.md | 1 +
 hunting/index.yml | 5 +
 .../linux/docs/persistence_via_desktop_bus.md | 95 +++++++++++++++++++
 .../queries/persistence_via_desktop_bus.toml | 78 +++++++++++++++
 4 files changed, 179 insertions(+)
 create mode 100644 hunting/linux/docs/persistence_via_desktop_bus.md
 create mode 100644 hunting/linux/queries/persistence_via_desktop_bus.toml
diff --git a/hunting/index.md b/hunting/index.md
index a8a22763c08..e35334f16d7 100644
--- a/hunting/index.md
+++ b/hunting/index.md
@@ -43,6 +43,7 @@ Here are the queries currently available:
 - [Persistence Through Reverse/Bind Shells](./linux/docs/persistence_reverse_bind_shells.md) (ES|QL)
 - [Persistence via Cron](./linux/docs/persistence_via_cron.md) (ES|QL)
 - [Persistence via DPKG/RPM Package](./linux/docs/persistence_via_rpm_dpkg_installer_packages.md) (ES|QL)
+- [Persistence via Desktop Bus (D-Bus)](./linux/docs/persistence_via_desktop_bus.md) (ES|QL)
 - [Persistence via Docker Container](./linux/docs/persistence_via_malicious_docker_container.md) (ES|QL)
 - [Persistence via Dynamic Linker Hijacking](./linux/docs/persistence_via_dynamic_linker_hijacking.md) (ES|QL)
 - [Persistence via GRUB Bootloader](./linux/docs/persistence_via_grub_bootloader.md) (ES|QL)
diff --git a/hunting/index.yml b/hunting/index.yml
index 20430336e6a..dffb81079cb 100644
--- a/hunting/index.yml
+++ b/hunting/index.yml
@@ -250,6 +250,11 @@ linux:
 path: ./linux/queries/persistence_via_malicious_docker_container.toml
 mitre:
 - T1610
+ 2223bbda-b931-4f33-aeb4-0e0732a370dd:
+ name: Persistence via Desktop Bus (D-Bus)
+ path: ./linux/queries/persistence_via_desktop_bus.toml
+ mitre:
+ - T1543
 4e8a17d3-9139-4b45-86d5-79e8d1eba71e:
 name: Persistence via PolicyKit
 path: ./linux/queries/persistence_via_policykit.toml
diff --git a/hunting/linux/docs/persistence_via_desktop_bus.md b/hunting/linux/docs/persistence_via_desktop_bus.md
new file mode 100644
index 00000000000..f17b0815726
--- /dev/null
+++ b/hunting/linux/docs/persistence_via_desktop_bus.md
@@ -0,0 +1,95 @@
+# Persistence via Desktop Bus (D-Bus)
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies potential persistence mechanisms leveraging the Desktop Bus (D-Bus) system on Linux. D-Bus is an inter-process communication (IPC) system that facilitates communication between various system components and applications. Attackers can exploit D-Bus by creating or modifying services, configuration files, or system policies to maintain persistence or execute unauthorized actions. This hunt monitors suspicious process activity related to D-Bus, tracks changes to key D-Bus configuration and service files, and retrieves metadata for further analysis. The approach helps analysts identify and respond to persistence techniques targeting D-Bus.
+
+- **UUID:** `2223bbda-b931-4f33-aeb4-0e0732a370dd`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[ES|QL, SQL]`
+- **Source File:** [Persistence via Desktop Bus (D-Bus)](../queries/persistence_via_desktop_bus.toml)
+
+## Query
+
+```sql
+sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.name, process.parent.name, process.command_line, process.executable, process.parent.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+ process.parent.name == "dbus-daemon" or process.name == "dbus-send"
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.command_line, process.executable, process.parent.executable
+| where agent_count <= 3 and cc < 15
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type in ("creation", "change") and (
+ file.path like "/usr/share/dbus-1/*" or
+ file.path like "/usr/local/share/dbus-1/*" or
+ file.path like "/etc/dbus-1/*" or
+ file.path like "/home/*/.local/share/dbus-1/*"
+) and not (
+ file.extension in ("swp", "dpkg-new") or
+ process.name in ("dnf", "yum", "dpkg")
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+```
+
+```sql
+sql
+SELECT
+ f.filename,
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+LEFT JOIN
+ users u ON f.uid = u.uid
+LEFT JOIN
+ groups g ON f.gid = g.gid
+WHERE (
+ f.path LIKE '/usr/share/dbus-1/system-services/%'
+ OR f.path LIKE '/usr/local/share/dbus-1/system-services/%'
+ OR f.path LIKE '/etc/dbus-1/system.d/%'
+ OR f.path LIKE '/usr/share/dbus-1/system.d/%'
+ OR f.path LIKE '/usr/share/dbus-1/session-services/%'
+ OR f.path LIKE '/home/%/.local/share/dbus-1/services/%'
+ OR f.path LIKE '/etc/dbus-1/session.d/%'
+ OR f.path LIKE '/usr/share/dbus-1/session.d/%'
+ )
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+```
+
+## Notes
+
+- Monitors processes related to D-Bus, such as `dbus-daemon` and `dbus-send`, to identify unauthorized or anomalous executions indicative of persistence or abuse.
+- Tracks creations and modifications to critical D-Bus directories, including `/usr/share/dbus-1/`, `/usr/local/share/dbus-1/`, `/etc/dbus-1/`, and `~/.local/share/dbus-1/`, which may indicate malicious activity.
+- Retrieves metadata for D-Bus service and configuration files, such as file ownership, access times, and modification timestamps, to detect unauthorized changes.
+- Focuses on recent changes within the last 7 days to identify timely indicators of compromise while maintaining historical context for analysis.
+
+## MITRE ATT&CK Techniques
+
+- [T1543](https://attack.mitre.org/techniques/T1543)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/linux/queries/persistence_via_desktop_bus.toml b/hunting/linux/queries/persistence_via_desktop_bus.toml
new file mode 100644
index 00000000000..ea5157340dd
--- /dev/null
+++ b/hunting/linux/queries/persistence_via_desktop_bus.toml
@@ -0,0 +1,78 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies potential persistence mechanisms leveraging the Desktop Bus (D-Bus) system on Linux. D-Bus is an inter-process communication (IPC) system that facilitates communication between various system components and applications. Attackers can exploit D-Bus by creating or modifying services, configuration files, or system policies to maintain persistence or execute unauthorized actions. This hunt monitors suspicious process activity related to D-Bus, tracks changes to key D-Bus configuration and service files, and retrieves metadata for further analysis. The approach helps analysts identify and respond to persistence techniques targeting D-Bus.
+"""
+integration = ["endpoint"]
+uuid = "2223bbda-b931-4f33-aeb4-0e0732a370dd"
+name = "Persistence via Desktop Bus (D-Bus)"
+language = ["ES|QL", "SQL"]
+license = "Elastic License v2"
+notes = [
+ "Monitors processes related to D-Bus, such as `dbus-daemon` and `dbus-send`, to identify unauthorized or anomalous executions indicative of persistence or abuse.",
+ "Tracks creations and modifications to critical D-Bus directories, including `/usr/share/dbus-1/`, `/usr/local/share/dbus-1/`, `/etc/dbus-1/`, and `~/.local/share/dbus-1/`, which may indicate malicious activity.",
+ "Retrieves metadata for D-Bus service and configuration files, such as file ownership, access times, and modification timestamps, to detect unauthorized changes.",
+ "Focuses on recent changes within the last 7 days to identify timely indicators of compromise while maintaining historical context for analysis."
+]
+mitre = ["T1543"]
+query = [
+'''sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.name, process.parent.name, process.command_line, process.executable, process.parent.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+ process.parent.name == "dbus-daemon" or process.name == "dbus-send"
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.command_line, process.executable, process.parent.executable
+| where agent_count <= 3 and cc < 15
+| sort cc asc
+| limit 100
+''',
+'''sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type in ("creation", "change") and (
+ file.path like "/usr/share/dbus-1/*" or
+ file.path like "/usr/local/share/dbus-1/*" or
+ file.path like "/etc/dbus-1/*" or
+ file.path like "/home/*/.local/share/dbus-1/*"
+) and not (
+ file.extension in ("swp", "dpkg-new") or
+ process.name in ("dnf", "yum", "dpkg")
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+''',
+'''sql
+SELECT
+ f.filename,
+ f.path,
+ u.username AS file_owner,
+ g.groupname AS group_owner,
+ datetime(f.atime, 'unixepoch') AS file_last_access_time,
+ datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
+ datetime(f.btime, 'unixepoch') AS file_created_time,
+ f.size AS size_bytes
+FROM
+ file f
+LEFT JOIN
+ users u ON f.uid = u.uid
+LEFT JOIN
+ groups g ON f.gid = g.gid
+WHERE (
+ f.path LIKE '/usr/share/dbus-1/system-services/%'
+ OR f.path LIKE '/usr/local/share/dbus-1/system-services/%'
+ OR f.path LIKE '/etc/dbus-1/system.d/%'
+ OR f.path LIKE '/usr/share/dbus-1/system.d/%'
+ OR f.path LIKE '/usr/share/dbus-1/session-services/%'
+ OR f.path LIKE '/home/%/.local/share/dbus-1/services/%'
+ OR f.path LIKE '/etc/dbus-1/session.d/%'
+ OR f.path LIKE '/usr/share/dbus-1/session.d/%'
+ )
+AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days
+'''
+]
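Review bot: The osquery statement's path list names `/usr/share/dbus-1/session-services/%`, but as far as I know the session bus searches `dbus-1/services` under `$XDG_DATA_DIRS` (the query's own home-directory pattern already uses `.local/share/dbus-1/services/%`), so session service files placed system-wide in `/usr/share/dbus-1/services/` are not returned by the metadata sweep; changing that line to `OR f.path LIKE '/usr/share/dbus-1/services/%'` and adding `OR f.path LIKE '/usr/local/share/dbus-1/services/%'` to mirror the system-services pair would close the gap, while the ES|QL file query is unaffected because its `/usr/share/dbus-1/*` prefix is broader. In the same statement `mtime` in the final predicate is the only unqualified column, so `AND (f.mtime > strftime('%s', 'now') - (7 * 86400))` keeps it consistent with the rest of the query. In the ES|QL file query the package-manager carve-out keys on `process.name`, which is simply whatever the writing binary is called; matching on `process.executable` instead would keep the exclusion for real package-manager writes without letting a renamed binary drop out of the results. The same three queries are duplicated verbatim in `hunting/linux/docs/persistence_via_desktop_bus.md` in this patch, so any change here needs to be regenerated there as well.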