Merge branch 'main' into lc-linux

EDR_telem_linux.json

@@ -82,7 +82,7 @@
     "CrowdStrike":"Yes",
     "ESET Inspect":"No",
     "Elastic":"No",
-    "LimaCharlie":"Via EnablingTelemetry",
+    "LimaCharlie":"No",
     "MDE":"Yes",
     "Qualys":"No",
     "SentinelOne":"Yes",
@@ -97,7 +97,7 @@
     "CrowdStrike":"Yes",
     "ESET Inspect":"No",
     "Elastic":"No",
-    "LimaCharlie":"Via EnablingTelemetry",
+    "LimaCharlie":"No",
     "MDE":"No",
     "Qualys":"No",
     "SentinelOne":"No",
@@ -112,8 +112,8 @@
     "CrowdStrike":"Yes",
     "ESET Inspect":"No",
     "Elastic":"No",
-    "LimaCharlie":"Via EnablingTelemetry",
-    "MDE":"No",
+    "LimaCharlie":"No",
+    "MDE":"Yes",
     "Qualys":"No",
     "SentinelOne":"Yes",
     "Sysmon":"No",
@@ -128,7 +128,7 @@
     "ESET Inspect":"No",
     "Elastic":"No",
     "LimaCharlie":"No",
-    "MDE":"No",
+    "MDE":"Yes",
     "Qualys":"No",
     "SentinelOne":"No",
     "Sysmon":"No",
@@ -202,7 +202,7 @@
     "CrowdStrike":"No",
     "ESET Inspect":"No",
     "Elastic":"No",
-    "LimaCharlie":"Via EnablingTelemetry",
+    "LimaCharlie":"No",
     "MDE":"No",
     "Qualys":"No",
     "SentinelOne":"Yes",
@@ -217,7 +217,7 @@
     "CrowdStrike":"No",
     "ESET Inspect":"No",
     "Elastic":"No",
-    "LimaCharlie":"Via EnablingTelemetry",
+    "LimaCharlie":"No",
     "MDE":"No",
     "Qualys":"No",
     "SentinelOne":"No",
@@ -232,7 +232,7 @@
     "CrowdStrike":"No",
     "ESET Inspect":"No",
     "Elastic":"No",
-    "LimaCharlie":"Via EnablingTelemetry",
+    "LimaCharlie":"No",
     "MDE":"No",
     "Qualys":"No",
     "SentinelOne":"Yes",
@@ -436,9 +436,9 @@
   },
   {
     "Telemetry Feature Category":null,
-    "Sub-Category":"IMPHASH",
+    "Sub-Category":"Fuzzy Hash",
     "Auditd":"No",
-    "Carbon Black Cloud":"Yes",
+    "Carbon Black Cloud":"No",
     "CrowdStrike":"No",
     "ESET Inspect":"No",
     "Elastic":"No",

EDR_telem_windows.json

@@ -931,7 +931,7 @@
     "CrowdStrike":"Yes",
     "Cybereason":"Yes",
     "ESET Inspect":"No",
-    "Elastic":"No",
+    "Elastic":"Yes",
     "FortiEDR":"Yes",
     "Harfanglab":"Yes",
     "LimaCharlie":"Yes",
@@ -1019,7 +1019,7 @@
     "CrowdStrike":"Yes",
     "Cybereason":"Yes",
     "ESET Inspect":"Yes",
-    "Elastic":"No",
+    "Elastic":"Yes",
     "FortiEDR":"No",
     "Harfanglab":"Yes",
     "LimaCharlie":"Yes",
@@ -1151,7 +1151,7 @@
     "CrowdStrike":"Yes",
     "Cybereason":"No",
     "ESET Inspect":"Yes",
-    "Elastic":"No",
+    "Elastic":"Via EventLogs",
     "FortiEDR":"Via EventLogs",
     "Harfanglab":"Yes",
     "LimaCharlie":"Via EventLogs",

Tools/Telemetry-Generator/Linux/LINUX_TELEMETRY_GENERATOR_GUIDE.md

@@ -8,20 +8,23 @@ This script, `lnx_telem_gen.py`, is designed to generate various telemetry event
 
 The script includes the following functionalities:
 
-1. **File Operations**: Create, modify, and delete files.
-2. **DNS Query**: Perform a DNS query.
-3. **Process Termination**: Create and terminate a process.
-4. **Image Load**: Load a shared library.
-5. **Process Access**: Hijack a process and manipulate its memory and registers.
-6. **Network Connections**: Establish TCP connections and create raw sockets.
-7. **Service Start/Stop**: Start and stop a service using system calls.
-8. **Raw Access Read**: Perform raw read access on a device.
-9. **Driver Load**: Write, compile, and load a Linux kernel module.
-10. **Process Tampering**: Tamper with the memory of a running process.
-11. **Scheduled Task**: Create and remove scheduled tasks using cron.
-12. **User Account Events**: Create, modify, and delete user accounts.
-13. **Network Listening**: Create a listening socket for incoming TCP connections.
-14. **eBPF Events**: Utilizing pamspy, a credential dumper, that is using eBPF thus generating the needed eBPF related events.
+1. **Service Management**: Create, modify, and delete systemd services using D-Bus system calls
+2. **DNS Query**: Perform a DNS query
+3. **Process Termination**: Create and terminate a process
+4. **Image Load**: Load a shared library
+5. **Process Access**: Hijack a process and manipulate its memory and registers
+6. **Network Operations**: 
+   - Establish TCP connections
+   - Create raw sockets
+   - Create listening sockets for incoming connections
+7. **Raw Access Read**: Perform raw read access on a device
+8. **Driver Load**: Write, compile, and load a Linux kernel module
+9. **Process Tampering**: Tamper with the memory of a running process
+10. **Scheduled Task**: Create and remove scheduled tasks using cron
+11. **User Account Events**: Create, modify, and delete user accounts using libuser
+12. **eBPF Events**: Utilize pamspy for credential dumping using eBPF
+13. **File Operations**: Create, modify, and delete files.
+
 
 ## Usage
 

Tools/Telemetry-Generator/Linux/lnx_telem_gen.py

@@ -172,67 +172,60 @@ def run(self):
         time.sleep(2)
         self.delete_user()
 
-# Function to start and stop the service (cron) using system calls (DBus API)
-def start_and_stop_service():
-    service_name = "cron"
-    start_delay = 0  # Start immediately
-    stop_delay = 10  # Stop after 10 seconds
-
-    def start_service():
-        bus = dbus.SystemBus()
-        systemd = bus.get_object('org.freedesktop.systemd1', '/org/freedesktop/systemd1')
-        manager = dbus.Interface(systemd, 'org.freedesktop.systemd1.Manager')
-        try:
-            manager.StartUnit(f"{service_name}.service", 'replace')
-            print(f"{service_name} service started successfully (system API call).")
-        except dbus.DBusException as e:
-            print(f"Failed to start {service_name}: {e}")
-
-    def stop_service():
+def manage_test_service():
+    """
+    Creates, modifies, and deletes a systemd service using D-Bus system calls.
+    """
+    service_name = "test_service"
+    unit_name = f"{service_name}.service"
+
+    try:
+        # Connect to system bus
         bus = dbus.SystemBus()
         systemd = bus.get_object('org.freedesktop.systemd1', '/org/freedesktop/systemd1')
         manager = dbus.Interface(systemd, 'org.freedesktop.systemd1.Manager')
-        try:
-            manager.StopUnit(f"{service_name}.service", 'replace')
-            print(f"{service_name} service stopped successfully (system API call).")
-        except dbus.DBusException as e:
-            print(f"Failed to stop {service_name}: {e}")
-
-    # Schedule service start and stop
-    scheduler.enter(start_delay, 1, start_service)
-    scheduler.enter(stop_delay, 1, stop_service)
-    scheduler.run()
-
-# Function for file creation, modification, and deletion
-def test_file_operations():
-    file_name = "test_file.txt"
-
-    def create_file():
-        with open(file_name, "w") as f:
-            f.write("This is a test file.")
-        print(f"File '{file_name}' created.")
-
-    def modify_file():
-        if os.path.exists(file_name):
-            with open(file_name, "a") as f:
-                f.write("\nFile has been modified.")
-            print(f"File '{file_name}' modified.")
-        else:
-            print(f"File '{file_name}' not found for modification.")
-
-    def delete_file():
-        if os.path.exists(file_name):
-            os.remove(file_name)
-            print(f"File '{file_name}' deleted.")
-        else:
-            print(f"File '{file_name}' not found for deletion.")
-
-    # Perform file operations sequentially
-    create_file()
-    time.sleep(2)
-    modify_file()
-    time.sleep(2)
-    delete_file()
+
+        # Create service unit file
+        unit_content = {
+            "Unit": {
+                "Description": "Test Service for Telemetry"
+            },
+            "Service": {
+                "Type": "simple",
+                "ExecStart": "/bin/sleep 3600"
+            },
+            "Install": {
+                "WantedBy": "multi-user.target"
+            }
+        }
+
+        # Create the service using systemd manager
+        manager.CreateTransientUnit(
+            unit_name,
+            unit_content
+        )
+        print(f"Service '{service_name}' created successfully")
+
+        time.sleep(2)
+
+        # Modify service by reloading its configuration
+        manager.ReloadUnit(
+            unit_name,
+            'replace'
+        )
+        print(f"Service '{service_name}' modified successfully")
+
+        time.sleep(2)
+
+        # Stop and remove the service
+        manager.StopUnit(unit_name, 'replace')
+        manager.DisableUnitFiles([unit_name], False)
+        print(f"Service '{service_name}' deleted successfully")
+
+    except dbus.exceptions.DBusException as e:
+        print(f"D-Bus error: {e}")
+    except Exception as e:
+        print(f"Error managing service: {e}")
 
 # Function to perform a DNS query
 def dns_query():
@@ -297,22 +290,18 @@ def raw_access_read():
 
 # Dictionary mapping event names to functions
 event_functions = {
-    'FileCreated': test_file_operations,
-    'FileModified': test_file_operations,
-    'FileDelete': test_file_operations,
+    'ServiceManagement': manage_test_service,
     'DnsQuery': dns_query,
     'ProcessTerminate': process_terminate,
     'ImageLoad': image_load,
     'NetworkConnect': network_connect,
-    'ServiceStartStop': start_and_stop_service,
     'RawAccessRead': raw_access_read,
     'LoadDriver': loadit,
     'TamperProcess': begin_tamper,
     'ScheduledTask': run_task,
     'UserAccountEvents': UserAccountManager().run,
     'NetworkListen': NetworkSocketManager.network_listen,
     'NetworkRawSocket': NetworkSocketManager.network_raw_socket,
-    'NetworkConnect': NetworkSocketManager.network_connect,
     'eBPFProgram': run_pamspy,
     'ProcessAccess': start_hijacking
 }

Tools/compare.py

@@ -97,7 +97,7 @@
     "Agent Stop": 0.8,
     "MD5": 1,
     "SHA": 1,
-    "IMPHASH": 1
+    "Fuzzy Hash": 1
 }
 
 def determine_categories(filename):