Merge pull request #73 from tstromberg/more-flushing2

More exceptions: obs, ssh, gjs, spotify, etc.
2025-01-25 06:42:56 +00:00 · 2022-11-08 13:00:20 -05:00 · 2022-11-08 13:00:20 -05:00 · 158ca1d899
commit 158ca1d899
parent adee8e2380 3dec23370c
10 changed files with 26 additions and 1 deletions
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -103,6 +103,9 @@ WHERE
    '500,/opt/Brackets,0u,0g,Brackets',
    '500,/opt/todoist,0u,0g,todoist',
    '500,/opt/chrome,0u,0g,chrome',
+    '500,/opt/snap-store,0u,0g,snap-store',
+    '500,/usr/obs,0u,0g,obs',
+    '500,/opt/zoom,0u,0g,zoom',
    '500,/opt/Discord,0u,0g,Discord',
    '500,/opt/firefox,0u,0g,firefox',
    '500,/opt/firefox,0u,0g,Socket Process',
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -10,6 +10,7 @@
 -- platform: linux
 SELECT
  s.remote_address,
+  s.remote_port,
  p.name,
  p.path,
  p.cmdline AS child_cmd,
@ -90,13 +91,16 @@ WHERE
    '27034,6,500,/home/steam,500u,100g,steam',
    '27035,6,500,/home/steam,500u,100g,steam',
    '32768,6,0,/usr/tailscaled,0u,0g,tailscaled',
+    '32768,6,500,/usr/ssh,0u,0g,ssh',
    '3443,6,500,/opt/chrome,0u,0g,chrome',
    '3478,6,500,/opt/chrome,0u,0g,chrome',
    '3478,6,500,/usr/firefox,0u,0g,firefox',
    '4070,6,500,/opt/spotify,0u,0g,spotify',
+    '4070,6,500,/usr/spotify,0u,0g,spotify',
    '43,6,500,/usr/whois,0u,0g,whois',
    '5228,6,500,/opt/chrome,0u,0g,chrome',
    '5228,6,500,/usr/chrome,0u,0g,chrome',
+    '6443,6,500,/usr/kubectl,0u,0g,kubectl',
    '67,17,0,/usr/NetworkManager,0u,0g,NetworkManager',
    '8000,6,500,/opt/chrome,0u,0g,chrome',
    '8000,6,500,/usr/firefox,0u,0g,firefox',
--- a/detection/evasion/empty_environ_linux.sql
+++ b/detection/evasion/empty_environ_linux.sql
@ -36,8 +36,12 @@ WHERE -- This time should match the interval
    'slack',
    'gnome-boxes-sea',
    'gnome-contacts-',
+    'gnome-clocks',
+    'systemd-userwor',
+    'gnome-terminal-',
    'sshd',
    'zoom.real',
+    'zoom',
    'zypak-sandbox'
  )
  AND p.path NOT IN (
@ -45,6 +49,7 @@ WHERE -- This time should match the interval
    '/usr/bin/bwrap',
    '/usr/lib/slack/slack',
    '/usr/sbin/nginx',
+    '/usr/libexec/gnome-terminal-server',
    '/usr/lib/systemd/systemd-userdbd',
    '/opt/google/chrome/chrome',
    '/opt/spotify/spotify'
--- a/detection/evasion/empty_environ_macos.sql
+++ b/detection/evasion/empty_environ_macos.sql
@ -69,6 +69,8 @@ WHERE -- This time should match the interval
  AND NOT exception_key IN (
    '500,CraftWidgetExtension,com.lukilabs.lukiapp.CraftWidget,Apple Mac OS Application Signing',
    '500,gsleep,sleep,',
+    '500,ssh,,',
+    '500,ssh-sk-helper,,',
    '500,Obsidian Helper (Renderer),md.obsidian.helper.Renderer,Developer ID Application: Dynalist Inc. (6JSW4SJWN9)',
    '500,Pages,com.apple.iWork.Pages,Apple Mac OS Application Signing',
    '500,SafariLaunchAgent,SafariLaunchAgent-55554944882a849c6a6839b4b0e7c551bbc81898,Software Signing',
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@ -107,8 +107,10 @@ WHERE
    OR dir LIKE '~/%/.git'
    OR dir LIKE '~/.gimme%'
    OR dir LIKE '~/%/.github%'
-    OR dir LIKE '~/go/src/%'
+    OR dir LIKE '~/%/src/%'
+    OR dir LIKE '~/%/.modcache/%'
    OR dir LIKE '~/.gradle/%'
+    OR dir LIKE '~/%/github.com/%'
    OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
    OR dir LIKE '~/.local/share/fish/%'
    OR dir LIKE '~/.local/share/JetBrains/%'
--- a/detection/evasion/name_path_mismatch.sql
+++ b/detection/evasion/name_path_mismatch.sql
@ -46,6 +46,7 @@ WHERE
    'name=blueman-tray,file=python3,500',
    'name=cat,file=coreutils,500',
    'name=chrome-gnome-s,file=python3,500',
+    'name=restorecon,file=setfiles,0',
    'name=Chroot,file=firefox,500',
    'name=code-oss,file=electron,500',
    'name=exe,file=rootlessport,500',
@ -53,6 +54,7 @@ WHERE
    'name=firefox-wrappe,file=firefox,500',
    'name=firewalld,file=python3,0',
    'name=gjs,file=gjs-console,120',
+    'name=gjs,file=gjs-console,42',
    'name=gjs,file=gjs-console,500',
    'name=sh,file=busybox,0',
    'name=cc,file=gcc,0',
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@ -59,6 +59,7 @@ WHERE
    '/usr/bin/rpi-imager',
    '/usr/bin/tailscaled',
    '/usr/bin/udevadm',
+    '/opt/sublime_text/sublime_text',
    '/usr/bin/wpa_supplicant',
    '/usr/lib64/firefox/firefox',
    '/usr/lib64/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@ -71,6 +71,7 @@ WHERE
    '/usr/bin/udevadm',
    '/usr/libexec/aned',
    '/usr/libexec/coreduetd',
+    '/usr/bin/update-notifier',
    '/usr/libexec/flatpak-system-helper',
    '/usr/libexec/logd',
    '/usr/libexec/logd_helper',
--- a/detection/privesc/unexpected-elevated-children-events_linux.sql
+++ b/detection/privesc/unexpected-elevated-children-events_linux.sql
@ -44,6 +44,9 @@ WHERE
    '/usr/bin/fusermount3',
    '/usr/bin/login',
    '/usr/bin/sudo',
+    '/usr/bin/gpgsm',
+    '/usr/bin/gpgconf',
+    '/usr/bin/gpg',
    '/usr/bin/top',
    '/usr/lib/snapd/snap-confine',
    '/usr/lib/snapd/snap-update-ns',
@ -55,6 +58,7 @@ WHERE
  AND p.path NOT LIKE '/nix/store/%/bin/sudo'
  AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
  AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
+  AND NOT pp.cmdline = '/usr/lib/systemd/systemd --user'
  AND NOT (
    child_name = 'polkit-agent-helper-1'
    AND parent_path = '/usr/bin/gnome-shell'
--- a/detection/privesc/unexpected-privilege-escalation_macos.sql
+++ b/detection/privesc/unexpected-privilege-escalation_macos.sql
@ -39,6 +39,7 @@ WHERE
    '/usr/bin/login',
    '/usr/bin/su',
    '/usr/bin/sudo',
+    '/bin/ps',
    '/usr/local/bin/doas',
    '/usr/bin/top'
  )