Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Hunts] Adding Several Hunting PRs into this Main PR #4342

Merged
merged 23 commits into from
Jan 7, 2025
Merged

[New Hunts] Adding Several Hunting PRs into this Main PR #4342

merged 23 commits into from
Jan 7, 2025

Conversation

Aegrah
Copy link
Contributor

@Aegrah Aegrah commented Jan 7, 2025
edited
Loading

@Aegrah Aegrah added OS: Linux Rule: Hunt bit noisy but useful for hunting Hunt: New threat hunting Related to hunting/ library. Hunting labels Jan 7, 2025
@Aegrah Aegrah self-assigned this Jan 7, 2025
@protectionsmachine
Copy link
Collaborator

Hunt: New - Guidelines

Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.

Documentation and Context

  • Detailed description of the Hunt.
  • Link related issues or PRs.
  • Include references.
  • Field Usage: Ensure standardized fields for compatibility across different data environments and sources.

Hunt Metadata Checks

  • author: The name of the individual or organization authoring the rule.
  • uuid: Unique UUID.
  • name and description are descriptive and typo-free.
  • language: The query language(s) used in the rule, such as KQL, EQL, ES|QL, OsQuery, or YARA.
  • query is inclusive, not overly exclusive, considering performance for diverse environments.
  • integration aligns with the index. Ensure updates if the integration is newly introduced.
  • notes includes additional information regarding data collected from the hunting query.
  • mitre matches appropriate technique and sub-technique IDs that hunting query collect's data for.
  • references are valid URL links that include information relevenat to the hunt or threat.
  • license

Testing and Validation

  • Evidence of testing and valid query usage.
  • Markdown Generated: Run python -m hunting generate-markdown with specific parameters to ensure a markdown version of the hunting TOML files is created.
  • Index Refreshed: Run python -m hunting refresh-index to refresh indexes.
  • Run Unit Tests: Run pytest tests/test_hunt_data.py to run unit tests.

@Aegrah Aegrah added the patch label Jan 7, 2025
@botelastic botelastic bot added the RTA work on RTA framework label Jan 7, 2025
@Aegrah Aegrah changed the title [Hunt Addition] System User Interactive Session [New Hunts] Adding Several Hunting PRs into this Main PR Jan 7, 2025
@Aegrah Aegrah removed the RTA work on RTA framework label Jan 7, 2025
@botelastic botelastic bot added the RTA work on RTA framework label Jan 7, 2025
This was referenced Jan 7, 2025
Closed
Closed
Closed
Closed
Closed
Closed
Closed
eric-forte-elastic
eric-forte-elastic approved these changes Jan 7, 2025
View reviewed changes
Copy link
Contributor

@eric-forte-elastic eric-forte-elastic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟢 Manual review, looks good to me! 👍

@Aegrah Aegrah merged commit a2b280a into main Jan 7, 2025
12 checks passed
@Aegrah Aegrah deleted the new-hunt-unusual-system-user-login branch January 7, 2025 13:29
protectionsmachine pushed a commit that referenced this pull request Jan 7, 2025
@Aegrah @github-actions
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
9c8cca0 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <[email protected]>

(cherry picked from commit a2b280a)
protectionsmachine pushed a commit that referenced this pull request Jan 7, 2025
@Aegrah @github-actions
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
f4df685 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <[email protected]>

(cherry picked from commit a2b280a)
protectionsmachine pushed a commit that referenced this pull request Jan 7, 2025
@Aegrah @github-actions
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
a15a626 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <[email protected]>

(cherry picked from commit a2b280a)
protectionsmachine pushed a commit that referenced this pull request Jan 7, 2025
@Aegrah @github-actions
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
2fa1162 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <[email protected]>

(cherry picked from commit a2b280a)
protectionsmachine pushed a commit that referenced this pull request Jan 7, 2025
@Aegrah @github-actions
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
a08da93 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <[email protected]>

(cherry picked from commit a2b280a)
protectionsmachine pushed a commit that referenced this pull request Jan 7, 2025
@Aegrah @github-actions
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
d6f00df 
* [New Hunt] Linux PAM Persistence

* Fixed notes

* [New Hunt] Persistence via Dynamic Linker Hijacking

* [New Hunt & Tuning] Persistence via LKMs

* [New Hunt] Persistence via Web Shells

* Update query

* [New Rule] Persistence via DPKG/RPM Package

* [New Hunt] Persistence via Container

* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml

* [Hunt Addition] System User Interactive Session

* Merge branch 'main' into new-hunts-PAM

* Updates

* ++

* Match RTA bin executor

---------

Co-authored-by: Shashank K S <[email protected]>

(cherry picked from commit a2b280a)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eric-forte-elastic eric-forte-elastic eric-forte-elastic approved these changes

@Samirbous Samirbous Samirbous approved these changes

@w0rk3r w0rk3r w0rk3r approved these changes

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

@Mikaayenson Mikaayenson Awaiting requested review from Mikaayenson Mikaayenson is a code owner

@terrancedejesus terrancedejesus Awaiting requested review from terrancedejesus terrancedejesus is a code owner

Assignees

@Aegrah Aegrah

Labels
backport: auto Hunt: New Hunting OS: Linux patch RTA work on RTA framework Rule: Hunt bit noisy but useful for hunting threat hunting Related to hunting/ library.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Aegrah @protectionsmachine @w0rk3r @Samirbous @eric-forte-elastic @shashank-elastic