Skip to content

[New Hunt] Persistence via Desktop Bus (D-Bus) #4407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 5, 2025
Merged

[New Hunt] Persistence via Desktop Bus (D-Bus) #4407

merged 2 commits into from
Feb 5, 2025

Conversation

@Aegrah
Copy link
Contributor

@Aegrah Aegrah commented Jan 22, 2025

Summary

This hunt adds several new queries to detect D-Bus persistence techniques.

1

{B7829BA8-40F4-4795-88FC-2895B12CE17E}

2

{A8EEBDF1-A429-4160-9A20-587AA2C9C626}

3

{57CB92D2-E0D8-4ACD-9DD5-30FF9C8D7CFE}
@Aegrah Aegrah added OS: Linux Rule: Hunt bit noisy but useful for hunting Team: TRADE Hunt: New threat hunting Related to hunting/ library. Hunting labels Jan 22, 2025
@Aegrah Aegrah self-assigned this Jan 22, 2025
@github-actions
Copy link
Contributor

Hunt: New - Guidelines

Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.

Documentation and Context

  • Detailed description of the Hunt.
  • Link related issues or PRs.
  • Include references.
  • Field Usage: Ensure standardized fields for compatibility across different data environments and sources.

Hunt Metadata Checks

  • author: The name of the individual or organization authoring the rule.
  • uuid: Unique UUID.
  • name and description are descriptive and typo-free.
  • language: The query language(s) used in the rule, such as KQL, EQL, ES|QL, OsQuery, or YARA.
  • query is inclusive, not overly exclusive, considering performance for diverse environments.
  • integration aligns with the index. Ensure updates if the integration is newly introduced.
  • notes includes additional information regarding data collected from the hunting query.
  • mitre matches appropriate technique and sub-technique IDs that hunting query collect's data for.
  • references are valid URL links that include information relevenat to the hunt or threat.
  • license

Testing and Validation

  • Evidence of testing and valid query usage.
  • Markdown Generated: Run python -m hunting generate-markdown with specific parameters to ensure a markdown version of the hunting TOML files is created.
  • Index Refreshed: Run python -m hunting refresh-index to refresh indexes.
  • Run Unit Tests: Run pytest tests/test_hunt_data.py to run unit tests.
@Aegrah Aegrah added the patch label Jan 24, 2025
@Aegrah Aegrah merged commit 8024191 into main Feb 5, 2025
9 checks passed
@Aegrah Aegrah deleted the new-hunt-dbus-persistence branch February 5, 2025 15:45
r0ot added a commit to VigilantSec/detection-rules that referenced this pull request Feb 5, 2025
@r0ot @Aegrah
@w0rk3r @peterydzynski
conflict resolution for upstream pull (#5)
340d868 
* [Rule Tuning] Port Scan Rules (elastic#4443) * [New Hunt] General Kernel Manipulation (elastic#4403) * [New Hunt] General Kernel Manipulation * Update index.yml * [New Hunt] Persistence via PolicyKit (elastic#4406) * [New Hunt] Persistence via PolicyKit * ++ * [New Hunt] Persistence via Desktop Bus (D-Bus) (elastic#4407) * [Rule Tuning] Remote Execution via File Shares (elastic#4448) * [Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (elastic#4447) * tags (#4) Co-authored-by: peterydzynski <peter.rydzynski1@gmail.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: peterydzynski <peter.rydzynski1@gmail.com>
@r0ot r0ot mentioned this pull request Feb 5, 2025
Merged
5 tasks
r0ot added a commit to VigilantSec/detection-rules that referenced this pull request Feb 5, 2025
@r0ot @Aegrah
@w0rk3r @peterydzynski
conflict resolution for upstream pull (#5) (#6)
9b58420 
* [Rule Tuning] Port Scan Rules (elastic#4443) * [New Hunt] General Kernel Manipulation (elastic#4403) * [New Hunt] General Kernel Manipulation * Update index.yml * [New Hunt] Persistence via PolicyKit (elastic#4406) * [New Hunt] Persistence via PolicyKit * ++ * [New Hunt] Persistence via Desktop Bus (D-Bus) (elastic#4407) * [Rule Tuning] Remote Execution via File Shares (elastic#4448) * [Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (elastic#4447) * tags (#4) --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: peterydzynski <peter.rydzynski1@gmail.com>
traut pushed a commit that referenced this pull request Feb 19, 2025
@Aegrah @traut
[New Hunt] Persistence via Desktop Bus (D-Bus) (#4407)
d84f1cb
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport: auto community Hunt: New Hunting OS: Linux patch Rule: Hunt bit noisy but useful for hunting Team: TRADE threat hunting Related to hunting/ library.

3 participants

@Aegrah @shashank-elastic @terrancedejesus