Merge pull request #49 from tstromberg/oflow

More exceptions (whois, go run) + setuid env overflow detection
2025-01-10 07:39:26 +00:00 · 2022-10-30 09:45:50 -04:00 · 2022-10-30 09:45:50 -04:00 · 05350bbd0e
commit 05350bbd0e
parent 5021d24e23 5b6a150f81
5 changed files with 34 additions and 8 deletions
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -136,5 +136,9 @@ WHERE
    AND s.remote_address LIKE '151.101.%'
    AND s.state = 'ESTABLISHED'
  )
+  AND NOT (
+    exception_key = '500,/tmp/main,500u,500g,main'
+    AND p.path LIKE '/tmp/go-build%/exe/main'
+  )
 GROUP BY
  p.cmdline
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -88,6 +88,7 @@ WHERE
    '22,6,500,/usr/ssh,0u,0g,ssh',
    '3478,6,500,/opt/chrome,0u,0g,chrome',
    '4070,6,500,/opt/spotify,0u,0g,spotify',
+    '43,6,500,/usr/whois,0u,0g,whois',
    '5228,6,500,/opt/chrome,0u,0g,chrome',
    '5228,6,500,/usr/chrome,0u,0g,chrome',
    '8000,6,500,/opt/chrome,0u,0g,chrome',
@ -97,7 +98,6 @@ WHERE
    '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
    '80,6,0,/usr/pacman,0u,0g,pacman',
    '80,6,0,/usr/python3.10,0u,0g,dnf',
-    '80,6,500,/usr/python3.10,0u,0g,yum',
    '80,6,0,/usr/python3.10,0u,0g,yum',
    '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
    '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
@ -110,6 +110,7 @@ WHERE
    '80,6,500,/usr/firefox,0u,0g,firefox',
    '80,6,500,/usr/firefox,0u,0g,.firefox-wrappe',
    '80,6,500,/usr/pacman,0u,0g,pacman',
+    '80,6,500,/usr/python3.10,0u,0g,yum',
    '8080,6,500,/opt/chrome,0u,0g,chrome',
    '8080,6,500,/usr/firefox,0u,0g,firefox',
    '8443,6,500,/opt/chrome,0u,0g,chrome',
@ -130,5 +131,11 @@ WHERE
    AND s.protocol = 6
    AND p.euid > 500
  )
+  -- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP)
+  AND NOT (
+     exception_key = '32768,6,500,/usr/ssh,0u,0g,ssh'
+     AND s.remote_port = 40022
+     AND s.remote_address = '104.131.84.33' -- gatekeeper.uservers.net
+  )
 GROUP BY
  p.cmdline
--- a/detection/evasion/empty_environ_macos.sql
+++ b/detection/evasion/empty_environ_macos.sql
@ -35,6 +35,11 @@ WHERE -- This time should match the interval
  p.start_time > (strftime('%s', 'now') - 605) -- Filter out transient processes that may not have an envs entry by the time we poll for it
  AND p.start_time < (strftime('%s', 'now') - 5)
  AND p.path NOT LIKE '/System/Library/%'
+  -- This condition happens a fair bit on macOS, particularly electron apps
+  AND NOT (
+    p.path LIKE '/Applications/%.app/Contents/%/Contents/MacOS/%'
+    AND signature.authority = 'Apple Mac OS Application Signing'
+  )
  AND NOT (
    signature.identifier LIKE 'com.apple.%'
    AND signature.authority = 'Software Signing'
@ -43,9 +48,10 @@ WHERE -- This time should match the interval
    '500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Google LLC (EQHXZ8M8AV)',
    '500,com.docker.cli,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
    '500,CraftWidgetExtension,com.lukilabs.lukiapp.CraftWidget,Apple Mac OS Application Signing',
-    '500,Pages,com.apple.iWork.Pages,Apple Mac OS Application Signing',
    '500,Obsidian Helper (Renderer),md.obsidian.helper.Renderer,Developer ID Application: Dynalist Inc. (6JSW4SJWN9)',
-    '500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing'
+    '500,Pages,com.apple.iWork.Pages,Apple Mac OS Application Signing',
+    '500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing',
+    '500,TwitterNotificationServiceExtension,maccatalyst.com.atebits.Tweetie2.NotificationServiceExtension,Apple Mac OS Application Signing'
  )
  AND NOT exception_key LIKE '500,Google Chrome%,Developer ID Application: Google LLC (EQHXZ8M8AV)'
  AND NOT exception_key LIKE '500,Brave Browser %,com.brave.Browser.%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)'
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@ -34,5 +34,6 @@ WHERE
  AND f.path NOT LIKE '/snap/%'
  AND f.path NOT LIKE '/home/%'
  AND f.path != '/usr/local/bin/chainctl'
+  AND f.path NOT LIKE '/tmp/go-build%/exe/main'
 GROUP by
  p.pid
--- a/detection/execution/unexpected-env-values-linux.sql
+++ b/detection/execution/unexpected-env-values-linux.sql
@ -6,11 +6,12 @@
 -- WARNING: This query is known to require a higher than average wall time.
 --
 -- tags: transient state
-- interval: 600
+-- interval: 300
 -- platform: linux
-SELECT key,
+SELECT p.pid, p.name,
+  key,
  value,
-  p.pid,
+  LENGTH(value) AS value_len,
  p.path,
  p.cmdline,
  p.parent AS parent_pid,
@ -18,10 +19,11 @@ SELECT key,
 -- Querying processes first and filtering by time gives a massive 20X speed improvement
 -- over querying process_envs first and JOIN'ing against processes
 FROM processes p
-  LEFT JOIN process_envs pe ON p.pid = pe.pid
+  JOIN process_envs pe ON p.pid = pe.pid
+  LEFT JOIN file f ON p.path = f.path
  LEFT JOIN processes pp ON p.parent = pp.pid
 WHERE -- This time should match the interval
-  p.start_time > (strftime('%s', 'now') - 600)
+  p.start_time > (strftime('%s', 'now') - 300)
  AND (
    key = 'HISTFILE'
    AND NOT VALUE LIKE '/home/%/.%_history'
@ -35,4 +37,10 @@ WHERE -- This time should match the interval
    AND NOT pe.value LIKE ':/snap/%'
    AND NOT pe.value LIKE '/app/bin/%'
    AND NOT pe.value LIKE 'libmozsandbox.so%'
+  )
+  -- setuid
+  OR (
+    LENGTH(value) > 1024
+    AND f.mode IS NOT NULL
+    AND f.mode NOT LIKE '0%'
  )