elastic · Aegrah · Jan 13, 2025 · Jan 8, 2025 · Jan 13, 2025 · Jan 13, 2025
diff --git a/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md b/hunting/linux/docs/persistence_via_ssh_configurations_and_keys.md
@@ -37,7 +37,7 @@ SELECT
  g.groupname AS group_owner,
  datetime(f.atime, 'unixepoch') AS file_last_access_time,
  datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
- datetime(f.ctime, 'unixepoch') AS file_last_status change_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
  datetime(f.btime, 'unixepoch') AS file_created_time,
  f.size AS size_bytes
 FROM
@@ -51,7 +51,27 @@ WHERE
  OR f.path LIKE "/home/%/.ssh/%"
  OR f.path LIKE "/etc/ssh/%"
  OR f.path LIKE "/etc/ssh/sshd_config.d/%"
- OR f.path LIKE "/etc/ssh/ssh_config.d/%"
+ OR f.path LIKE "/usr/sbin/.ssh/%"
+ OR f.path LIKE "/bin/.ssh/%"
+ OR f.path LIKE "/usr/games/.ssh/%"
+ OR f.path LIKE "/var/cache/man/.ssh/%"
+ OR f.path LIKE "/var/mail/.ssh/%"
+ OR f.path LIKE "/var/spool/news/.ssh/%"
+ OR f.path LIKE "/var/spool/lpd/.ssh/%"
+ OR f.path LIKE "/var/backups/.ssh/%"
+ OR f.path LIKE "/var/list/.ssh/%"
+ OR f.path LIKE "/run/ircd/.ssh/%"
+ OR f.path LIKE "/var/lib/gnats/.ssh/%"
+ OR f.path LIKE "/nonexistent/.ssh/%"
+ OR f.path LIKE "/run/systemd/.ssh/%"
+ OR f.path LIKE "/var/cache/pollinate/.ssh/%"
+ OR f.path LIKE "/run/sshd/.ssh/%"
+ OR f.path LIKE "/home/syslog/.ssh/%"
+ OR f.path LIKE "/run/uuidd/.ssh/%"
+ OR f.path LIKE "/var/lib/tpm/.ssh/%"
+ OR f.path LIKE "/var/lib/landscape/.ssh/%"
+ OR f.path LIKE "/var/lib/usbmux/.ssh/%"
+ OR f.path LIKE "/var/snap/lxd/common/lxd/.ssh/%";
 ```
 
 ```sql

diff --git a/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml b/hunting/linux/queries/persistence_via_ssh_configurations_and_keys.toml
@@ -37,7 +37,7 @@ SELECT
  g.groupname AS group_owner,
  datetime(f.atime, 'unixepoch') AS file_last_access_time,
  datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
- datetime(f.ctime, 'unixepoch') AS file_last_status change_time,
+ datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
  datetime(f.btime, 'unixepoch') AS file_created_time,
  f.size AS size_bytes
 FROM
@@ -51,7 +51,27 @@ WHERE
  OR f.path LIKE "/home/%/.ssh/%"
  OR f.path LIKE "/etc/ssh/%"
  OR f.path LIKE "/etc/ssh/sshd_config.d/%"
- OR f.path LIKE "/etc/ssh/ssh_config.d/%"
+ OR f.path LIKE "/usr/sbin/.ssh/%"
+ OR f.path LIKE "/bin/.ssh/%"
+ OR f.path LIKE "/usr/games/.ssh/%"
+ OR f.path LIKE "/var/cache/man/.ssh/%"
+ OR f.path LIKE "/var/mail/.ssh/%"
+ OR f.path LIKE "/var/spool/news/.ssh/%"
+ OR f.path LIKE "/var/spool/lpd/.ssh/%"
+ OR f.path LIKE "/var/backups/.ssh/%"
+ OR f.path LIKE "/var/list/.ssh/%"
+ OR f.path LIKE "/run/ircd/.ssh/%"
+ OR f.path LIKE "/var/lib/gnats/.ssh/%"
+ OR f.path LIKE "/nonexistent/.ssh/%"
+ OR f.path LIKE "/run/systemd/.ssh/%"
+ OR f.path LIKE "/var/cache/pollinate/.ssh/%"
+ OR f.path LIKE "/run/sshd/.ssh/%"
+ OR f.path LIKE "/home/syslog/.ssh/%"
+ OR f.path LIKE "/run/uuidd/.ssh/%"
+ OR f.path LIKE "/var/lib/tpm/.ssh/%"
+ OR f.path LIKE "/var/lib/landscape/.ssh/%"
+ OR f.path LIKE "/var/lib/usbmux/.ssh/%"
+ OR f.path LIKE "/var/snap/lxd/common/lxd/.ssh/%";
 ''',
 '''
 from logs-endpoint.events.process-*

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.3.14"
+version = "0.3.15"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"