From eb99fbfbf22fa5cd283f7b2b7c54b08a921e6cbe Mon Sep 17 00:00:00 2001 From: Minoru Kobayashi Date: Tue, 10 Sep 2024 16:08:07 +0900 Subject: [PATCH 1/3] artif: collect Git persistence Add new artifacts to collect Git persistence. Git hooks and Git pager can be used as persistence. --- artifacts/files/applications/git.yaml | 28 +++++++++++++++++++++++++++ profiles/ir_triage.yaml | 2 +- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 artifacts/files/applications/git.yaml diff --git a/artifacts/files/applications/git.yaml b/artifacts/files/applications/git.yaml new file mode 100644 index 0000000..4bb4cf0 --- /dev/null +++ b/artifacts/files/applications/git.yaml @@ -0,0 +1,28 @@ +version: 1.0 +artifacts: +# Git hooks/Git pager can be used to run persistence. +# ref: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms + - + description: Collect Git hooks under .git/hooks . + supported_os: [linux] + collector: file + path: / + path_pattern: ["*/.git/hooks/*"] + file_type: [f] + - + description: Collect /etc/gitconfig . + supported_os: [linux] + collector: file + path: /etc/gitconfig + - + description: Collect ~/.gitconfig . + supported_os: [linux] + collector: file + path: /%user_home%/.gitconfig + exclude_nologin_users: true + - + description: Collect ~/.config/git/gitconfig . + supported_os: [linux] + collector: file + path: /%user_home%/.config/git/config + exclude_nologin_users: true diff --git a/profiles/ir_triage.yaml b/profiles/ir_triage.yaml index f5b3284..5f731a9 100644 --- a/profiles/ir_triage.yaml +++ b/profiles/ir_triage.yaml @@ -28,9 +28,9 @@ artifacts: - files/applications/lesshst.yaml - files/applications/viminfo.yaml - files/applications/wget.yaml + - files/applications/git.yaml - files/logs/* - files/packages/* - files/shell/* - files/ssh/* - files/system/* - \ No newline at end of file From 4eea0d00d5498d322e21d06748cab8a2ad0bfaa2 Mon Sep 17 00:00:00 2001 
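Review bot: The fourth artifact in the new git.yaml describes `~/.config/git/gitconfig` while its `path` is `/%user_home%/.config/git/config`; the file Git reads there is named `config`, so the line should be `description: Collect ~/.config/git/config file.` (patch 2/3 rewords this description but keeps the mismatch). The header comment names the Git pager as the persistence vector, yet the pager and the hooks location are set through Git configuration, and the per-repository `.git/config` is not collected next to `.git/hooks`; an entry with `path_pattern: ["*/.git/config"]` would close that gap, and bare repositories (a `hooks/` directory with no `.git/` parent) fall outside the `*/.git/hooks/*` pattern as well. Walking `path: /` for that pattern scans the whole filesystem, so unless the file collector already prunes pseudo-filesystems and remote mounts this can be slow on a triage host; that cost is worth stating in the artifact comment or bounding with a narrower path.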
From: Thiago Canozzo Lahr Date: Tue, 15 Oct 2024 08:45:09 -0300 Subject: [PATCH 2/3] Update git.yaml --- artifacts/files/applications/git.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/artifacts/files/applications/git.yaml b/artifacts/files/applications/git.yaml index 4bb4cf0..3656e34 100644 --- a/artifacts/files/applications/git.yaml +++ b/artifacts/files/applications/git.yaml @@ -3,25 +3,25 @@ artifacts: # Git hooks/Git pager can be used to run persistence. # ref: https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms - - description: Collect Git hooks under .git/hooks . + description: Collect Git hooks under .git/hooks directory. supported_os: [linux] collector: file path: / path_pattern: ["*/.git/hooks/*"] file_type: [f] - - description: Collect /etc/gitconfig . + description: Collect /etc/gitconfig file. supported_os: [linux] collector: file path: /etc/gitconfig - - description: Collect ~/.gitconfig . + description: Collect ~/.gitconfig file. supported_os: [linux] collector: file path: /%user_home%/.gitconfig exclude_nologin_users: true - - description: Collect ~/.config/git/gitconfig . + description: Collect ~/.config/git/gitconfig file. supported_os: [linux] collector: file path: /%user_home%/.config/git/config From d8966ece63a5bd4f7cb11e42a74559148334d87d Mon Sep 17 00:00:00 2001 From: Thiago Canozzo Lahr Date: Tue, 15 Oct 2024 08:45:48 -0300 Subject: [PATCH 3/3] Update ir_triage.yaml --- profiles/ir_triage.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/ir_triage.yaml b/profiles/ir_triage.yaml index 5f731a9..f0008c8 100644 --- a/profiles/ir_triage.yaml +++ b/profiles/ir_triage.yaml 
@@ -25,10 +25,10 @@ artifacts: - live_response/vms/* - chkrootkit/chkrootkit.yaml - hash_executables/hash_executables.yaml + - files/applications/git.yaml - files/applications/lesshst.yaml - files/applications/viminfo.yaml - files/applications/wget.yaml - - files/applications/git.yaml - files/logs/* - files/packages/* - files/shell/*