diff --git a/EDR_telem_linux.json b/EDR_telem_linux.json
index 1006f54..9854ade 100644
--- a/EDR_telem_linux.json
+++ b/EDR_telem_linux.json
@@ -82,7 +82,7 @@
 "CrowdStrike":"Yes",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"Via EnablingTelemetry",
+ "LimaCharlie":"No",
 "MDE":"Yes",
 "Qualys":"No",
 "SentinelOne":"Yes",
@@ -97,7 +97,7 @@
 "CrowdStrike":"Yes",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"Via EnablingTelemetry",
+ "LimaCharlie":"No",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"No",
@@ -112,8 +112,8 @@
 "CrowdStrike":"Yes",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"Via EnablingTelemetry",
- "MDE":"No",
+ "LimaCharlie":"No",
+ "MDE":"Yes",
 "Qualys":"No",
 "SentinelOne":"Yes",
 "Sysmon":"No",
@@ -128,7 +128,7 @@
 "ESET Inspect":"No",
 "Elastic":"No",
 "LimaCharlie":"No",
- "MDE":"No",
+ "MDE":"Yes",
 "Qualys":"No",
 "SentinelOne":"No",
 "Sysmon":"No",
@@ -202,7 +202,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"Via EnablingTelemetry",
+ "LimaCharlie":"No",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"Yes",
@@ -217,7 +217,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"Via EnablingTelemetry",
+ "LimaCharlie":"No",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"No",
@@ -232,7 +232,7 @@
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
- "LimaCharlie":"Via EnablingTelemetry",
+ "LimaCharlie":"No",
 "MDE":"No",
 "Qualys":"No",
 "SentinelOne":"Yes",
@@ -436,9 +436,9 @@
 },
 {
 "Telemetry Feature Category":null,
- "Sub-Category":"IMPHASH",
+ "Sub-Category":"Fuzzy Hash",
 "Auditd":"No",
- "Carbon Black Cloud":"Yes",
+ "Carbon Black Cloud":"No",
 "CrowdStrike":"No",
 "ESET Inspect":"No",
 "Elastic":"No",
diff --git a/EDR_telem_windows.json b/EDR_telem_windows.json
index a02aa95..16c8efd 100644
--- a/EDR_telem_windows.json
+++ b/EDR_telem_windows.json
@@ -931,7 +931,7 @@
 "CrowdStrike":"Yes",
 "Cybereason":"Yes",
 "ESET Inspect":"No",
- "Elastic":"No",
+ "Elastic":"Yes",
 "FortiEDR":"Yes",
 "Harfanglab":"Yes",
 "LimaCharlie":"Yes",
@@ -1019,7 +1019,7 @@
 "CrowdStrike":"Yes",
 "Cybereason":"Yes",
 "ESET Inspect":"Yes",
- "Elastic":"No",
+ "Elastic":"Yes",
 "FortiEDR":"No",
 "Harfanglab":"Yes",
 "LimaCharlie":"Yes",
@@ -1151,7 +1151,7 @@
 "CrowdStrike":"Yes",
 "Cybereason":"No",
 "ESET Inspect":"Yes",
- "Elastic":"No",
+ "Elastic":"Via EventLogs",
 "FortiEDR":"Via EventLogs",
 "Harfanglab":"Yes",
 "LimaCharlie":"Via EventLogs",
diff --git a/Tools/Telemetry-Generator/Linux/LINUX_TELEMETRY_GENERATOR_GUIDE.md b/Tools/Telemetry-Generator/Linux/LINUX_TELEMETRY_GENERATOR_GUIDE.md
index 9a3111b..07a8c10 100644
--- a/Tools/Telemetry-Generator/Linux/LINUX_TELEMETRY_GENERATOR_GUIDE.md
+++ b/Tools/Telemetry-Generator/Linux/LINUX_TELEMETRY_GENERATOR_GUIDE.md
@@ -8,20 +8,23 @@ This script, `lnx_telem_gen.py`, is designed to generate various telemetry event The script includes the following functionalities: -1. **File Operations**: Create, modify, and delete files. -2. **DNS Query**: Perform a DNS query. -3. **Process Termination**: Create and terminate a process. -4. **Image Load**: Load a shared library. -5. **Process Access**: Hijack a process and manipulate its memory and registers. -6. **Network Connections**: Establish TCP connections and create raw sockets. -7. **Service Start/Stop**: Start and stop a service using system calls. -8. **Raw Access Read**: Perform raw read access on a device. -9. **Driver Load**: Write, compile, and load a Linux kernel module. -10. **Process Tampering**: Tamper with the memory of a running process. -11. **Scheduled Task**: Create and remove scheduled tasks using cron. -12. **User Account Events**: Create, modify, and delete user accounts. -13. **Network Listening**: Create a listening socket for incoming TCP connections. -14. **eBPF Events**: Utilizing pamspy, a credential dumper, that is using eBPF thus generating the needed eBPF related events. +1. **Service Management**: Create, modify, and delete systemd services using D-Bus system calls +2. **DNS Query**: Perform a DNS query +3. **Process Termination**: Create and terminate a process +4. **Image Load**: Load a shared library +5. **Process Access**: Hijack a process and manipulate its memory and registers +6. **Network Operations**: + - Establish TCP connections + - Create raw sockets + - Create listening sockets for incoming connections +7. **Raw Access Read**: Perform raw read access on a device +8. **Driver Load**: Write, compile, and load a Linux kernel module +9. **Process Tampering**: Tamper with the memory of a running process +10. **Scheduled Task**: Create and remove scheduled tasks using cron +11. **User Account Events**: Create, modify, and delete user accounts using libuser +12. 
**eBPF Events**: Utilize pamspy for credential dumping using eBPF +13. **File Operations**: Create, modify, and delete files. + ## Usage diff --git a/Tools/Telemetry-Generator/Linux/lnx_telem_gen.py b/Tools/Telemetry-Generator/Linux/lnx_telem_gen.py index 88f173b..0f62b5d 100644 --- a/Tools/Telemetry-Generator/Linux/lnx_telem_gen.py +++ b/Tools/Telemetry-Generator/Linux/lnx_telem_gen.py 
@@ -172,67 +172,60 @@ def run(self): time.sleep(2) self.delete_user() -# Function to start and stop the service (cron) using system calls (DBus API) -def start_and_stop_service(): - service_name = "cron" - start_delay = 0 # Start immediately - stop_delay = 10 # Stop after 10 seconds - - def start_service(): - bus = dbus.SystemBus() - systemd = bus.get_object('org.freedesktop.systemd1', '/org/freedesktop/systemd1') - manager = dbus.Interface(systemd, 'org.freedesktop.systemd1.Manager') - try: - manager.StartUnit(f"{service_name}.service", 'replace') - print(f"{service_name} service started successfully (system API call).") - except dbus.DBusException as e: - print(f"Failed to start {service_name}: {e}") - - def stop_service(): +def manage_test_service(): + """ + Creates, modifies, and deletes a systemd service using D-Bus system calls. + """ + service_name = "test_service" + unit_name = f"{service_name}.service" + + try: + # Connect to system bus bus = dbus.SystemBus() systemd = bus.get_object('org.freedesktop.systemd1', '/org/freedesktop/systemd1') manager = dbus.Interface(systemd, 'org.freedesktop.systemd1.Manager') - try: - manager.StopUnit(f"{service_name}.service", 'replace') - print(f"{service_name} service stopped successfully (system API call).") - except dbus.DBusException as e: - print(f"Failed to stop {service_name}: {e}") - - # Schedule service start and stop - scheduler.enter(start_delay, 1, start_service) - scheduler.enter(stop_delay, 1, stop_service) - scheduler.run() - -# Function for file creation, modification, and deletion -def test_file_operations(): - file_name = "test_file.txt" - - def create_file(): - with open(file_name, "w") as f: - f.write("This is a test file.") - print(f"File '{file_name}' created.") - - def modify_file(): - if os.path.exists(file_name): - with open(file_name, "a") as f: - f.write("\nFile has been modified.") - print(f"File '{file_name}' modified.") - else: - print(f"File '{file_name}' not found for modification.") - - 
def delete_file(): - if os.path.exists(file_name): - os.remove(file_name) - print(f"File '{file_name}' deleted.") - else: - print(f"File '{file_name}' not found for deletion.") - - # Perform file operations sequentially - create_file() - time.sleep(2) - modify_file() - time.sleep(2) - delete_file() + + # Create service unit file + unit_content = { + "Unit": { + "Description": "Test Service for Telemetry" + }, + "Service": { + "Type": "simple", + "ExecStart": "/bin/sleep 3600" + }, + "Install": { + "WantedBy": "multi-user.target" + } + } + + # Create the service using systemd manager + manager.CreateTransientUnit( + unit_name, + unit_content + ) + print(f"Service '{service_name}' created successfully") + + time.sleep(2) + + # Modify service by reloading its configuration + manager.ReloadUnit( + unit_name, + 'replace' + ) + print(f"Service '{service_name}' modified successfully") + + time.sleep(2) + + # Stop and remove the service + manager.StopUnit(unit_name, 'replace') + manager.DisableUnitFiles([unit_name], False) + print(f"Service '{service_name}' deleted successfully") + + except dbus.exceptions.DBusException as e: + print(f"D-Bus error: {e}") + except Exception as e: + print(f"Error managing service: {e}") # Function to perform a DNS query def dns_query(): @@ -297,14 +290,11 @@ def raw_access_read(): # Dictionary mapping event names to functions event_functions = { - 'FileCreated': test_file_operations, - 'FileModified': test_file_operations, - 'FileDelete': test_file_operations, + 'ServiceManagement': manage_test_service, 'DnsQuery': dns_query, 'ProcessTerminate': process_terminate, 'ImageLoad': image_load, 'NetworkConnect': network_connect, - 'ServiceStartStop': start_and_stop_service, 'RawAccessRead': raw_access_read, 'LoadDriver': loadit, 'TamperProcess': begin_tamper, 
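Review bot: `manager.CreateTransientUnit(unit_name, unit_content)` in the new `manage_test_service` is not a method I can find on `org.freedesktop.systemd1.Manager`; the documented entry point for transient units is `StartTransientUnit`, which takes a mode and a list of (property, variant) pairs rather than a nested unit-file dict, so the first call most likely raises and the function prints `D-Bus error: ...` without ever reaching the modify or delete steps — please verify the call against the systemd D-Bus documentation before relying on this generator. The cleanup `manager.StopUnit(unit_name, 'replace')` also sits inside the `try`, so any failure after the unit is created leaves a `/bin/sleep 3600` unit running; set a flag once creation succeeds and move the stop into a `finally:` guarded by that flag. `DisableUnitFiles([unit_name], False)` on a transient unit, which has no unit file, and `ReloadUnit` on a `Type=simple` service with no `ExecReload` are likely to fail as well, and the trailing `except Exception` hides which step broke. At minimum include the step in the message, e.g. `print(f"Error managing service '{service_name}': {e!r}")`, or narrow the handler so unexpected exceptions surface.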
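Review bot: The `'FileCreated'`, `'FileModified'` and `'FileDelete'` keys are dropped from `event_functions` together with `test_file_operations` (removed in the hunk above), but the guide hunk in this same commit adds `13. **File Operations**: Create, modify, and delete files.`, so the documentation now advertises an event the script can no longer generate. Either keep `test_file_operations` and its three entries, or remove item 13 from the guide. The `event_functions` dict continues past the end of this hunk.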
@@ -312,7 +302,6 @@ def raw_access_read(): 'UserAccountEvents': UserAccountManager().run, 'NetworkListen': NetworkSocketManager.network_listen, 'NetworkRawSocket': NetworkSocketManager.network_raw_socket, - 'NetworkConnect': NetworkSocketManager.network_connect, 'eBPFProgram': run_pamspy, 'ProcessAccess': start_hijacking } diff --git a/Tools/compare.py b/Tools/compare.py index f0ab54d..d800c57 100644 --- a/Tools/compare.py +++ b/Tools/compare.py @@ -97,7 +97,7 @@ "Agent Stop": 0.8, "MD5": 1, "SHA": 1, - "IMPHASH": 1 + "Fuzzy Hash": 1 } def determine_categories(filename):
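Review bot: Renaming the weight key to `"Fuzzy Hash"` matches the `Sub-Category` change in the Linux JSON hunk, but nothing in this commit renames a `Sub-Category` in `EDR_telem_windows.json`; if that file still carries an `IMPHASH` row, it no longer has a weight here, and how `determine_categories` treats a missing key is not visible in this hunk. Either keep both entries, `"IMPHASH": 1,` and `"Fuzzy Hash": 1`, or rename the Windows row in the same change. `determine_categories` begins on the hunk's last line and continues outside it.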