Skip to content

[Hunt Tuning] Persistence via SSH Configurations and/or Keys #4351

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Jan 13, 2025
Merged

[Hunt Tuning] Persistence via SSH Configurations and/or Keys #4351

merged 8 commits into from
Jan 13, 2025

Conversation

@Aegrah
Copy link
Contributor

@Aegrah Aegrah commented Jan 8, 2025

Summary

Updating this rule to detect more persistence techniques + fixed a query.
@Aegrah Aegrah self-assigned this Jan 8, 2025
@protectionsmachine
Copy link
Collaborator

Hunt: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing Hunt.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Evidence of enhancing hunting results by either reducing false-positives or removing false-negatives.
  • Evidence of specific environment factors influencing customized hunt tuning (Contextual Tuning).
  • Evidence of refining hunts to better detect deviations from typical behavior (Behavioral Tuning).
  • Field Usage: Ensure standardized fields for compatibility across different data environments and sources.

Hunt Metadata Checks

  • author: The name of the individual or organization authoring the rule.
  • name and description are descriptive and typo-free.
  • language: The query language(s) used in the rule, such as KQL, EQL, ES|QL, OsQuery, or YARA.
  • query is inclusive, not overly exclusive. Review to ensure the original intent of the hunt is maintained.
  • integration aligns with the index. Ensure updates if the integration is newly introduced.
  • notes includes additional information (e.g., Triage and analysis investigation guides, timeline templates).
  • mitre matches appropriate technique and sub-technique IDs that hunting query collect's data for.
  • references are valid URL links that include information relevenat to the hunt or threat.

Testing and Validation

  • Evidence of testing and valid query usage.
  • Markdown Generated: Run python -m hunting generate-markdown with specific parameters to ensure a markdown version of the hunting TOML files is created.
  • Index Refreshed: Run python -m hunting refresh-index to refresh indexes.
  • Run Unit Tests: Run pytest tests/test_hunt_data.py to run unit tests.
@Aegrah Aegrah added the patch label Jan 8, 2025
terrancedejesus
terrancedejesus reviewed Jan 13, 2025
View reviewed changes
@botelastic botelastic bot added bbr Building Block Rules Domain: Cloud Workloads Domain: Endpoint Integration: Azure azure related rules python Internal python for the repository labels Jan 13, 2025
@Aegrah Aegrah removed Integration: Azure azure related rules Domain: Cloud Workloads Domain: Endpoint python Internal python for the repository bbr Building Block Rules labels Jan 13, 2025
@Aegrah Aegrah merged commit e822af4 into main Jan 13, 2025
27 checks passed
@Aegrah Aegrah deleted the hunt-update-ssh-authorized-keys branch January 13, 2025 15:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport: auto Hunt: Tuning Hunting OS: Linux patch Team: TRADE

6 participants

@Aegrah @protectionsmachine @w0rk3r @Samirbous @terrancedejesus