More monday tuning

2025-02-27 15:30:24 +00:00 · 2022-09-12 18:25:18 -04:00 · 2022-09-12 18:25:18 -04:00 · 197804e51b
commit 197804e51b
parent e919bdde9f
6 changed files with 36 additions and 20 deletions
--- a/fd/unexpected-dev-opener.sql
+++ b/fd/unexpected-dev-opener.sql
@ -49,7 +49,7 @@ WHERE pof.path LIKE '/dev/%'
    )
    AND NOT (
        device LIKE '/dev/bus/usb/%'
-        AND (program IN ('/usr/bin/gphoto2', '/usr/sbin/pcscd'))
+        AND (program IN ('/usr/bin/gphoto2', '/usr/sbin/pcscd', '/usr/lib/gvfsd-mtp'))
        OR cmdline LIKE "%/bin/streamdeck"
    )
    AND NOT (
@ -104,11 +104,7 @@ WHERE pof.path LIKE '/dev/%'
    )
    AND NOT (
        device = '/dev/auditpipe'
-        AND program LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
-    )
-    AND NOT (
-        device = '/dev/auditpipe'
-        AND program = '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+        AND program_name = 'osqueryd'
    )
    AND NOT (
        device = '/dev/auditsessions'
--- a/fs/unexpected-hidden-system-folders.sql
+++ b/fs/unexpected-hidden-system-folders.sql
@ -1,4 +1,4 @@
-SELECT path, mtime, ctime, size, type
+SELECT path, uid, gid, mode, mtime, ctime, type, size
 FROM file
 WHERE (
        path LIKE '/lib/.%'
@ -43,7 +43,8 @@ WHERE (
        '/tmp/.X1-lock',
        '/tmp/.X11-unix/',
        '/tmp/.XIM-unix/',
-        '/var/.Parallels_swap/'
+        '/var/.Parallels_swap/',
+        '/dev/.mdadm/'
    )
    AND path NOT LIKE '/tmp/.#%'
    AND path NOT LIKE '/tmp/.com.google.Chrome.%'
@ -58,7 +59,4 @@ WHERE (
    AND PATH NOT LIKE '/%bin/bootstrapping/.default_components'
    AND PATH NOT LIKE '%/google-cloud-sdk/.install/'
    AND PATH NOT LIKE '/tmp/.%.gcode'
-    AND (
-        type != 'regular'
-        OR size > 1
-    )
+    AND NOT (type == 'regular' AND (filename LIKE "%.swp" OR size < 1000))
--- a/fs/unexpected-setuid-binaries.sql
+++ b/fs/unexpected-setuid-binaries.sql
@ -222,9 +222,14 @@ AND NOT (mode LIKE '4%55' AND uid=0 AND gid=0 AND
        '/usr/lib64/xf86-video-intel-backlight-helper',
        '/usr/libexec/qemu-bridge-helper',
        '/usr/libexec/Xorg.wrap',
-        '/usr/libexec/polkit-agent-helper-1'
+        '/usr/libexec/polkit-agent-helper-1',
+        '/bin/newgidmap',
+        '/bin/newuidmap'
    )
 )
+AND NOT (mode ='4754' AND uid=0 AND gid=30 AND
+    file.path IN ('/usr/sbin/pppd', '/sbin/ppid')
+)

 AND NOT (mode ='6755' AND uid=0 AND gid=0 AND
    file.path IN (
@ -244,4 +249,3 @@ AND NOT (mode ='6755' AND uid=0 AND gid=0 AND
        '/usr/lib64/xtest'
    )
 )
-
--- a/process/high-disk-bytes-written.sql
+++ b/process/high-disk-bytes-written.sql
@ -36,7 +36,7 @@ WHERE bytes_per_second > 2000000
    AND NOT (name = 'kernel_task' AND path = '' AND parent IN (0, 1) AND on_disk = -1)
    AND NOT (name = 'launchd' AND path = '/sbin/launchd' AND parent = 0)
    AND NOT (name = 'logd' AND cmdline = '/usr/libexec/logd' AND parent = 1)
-    AND NOT name IN ('firefox', 'gopls', 'containerd', 'slack', 'chrome','goland', 'esbuild', 'slack')
+    AND NOT name IN ('firefox', 'gopls', 'containerd', 'slack', 'chrome','goland', 'esbuild', 'slack', 'com.apple.MobileSoftwareUpdate.UpdateBrainService')
    AND path NOT LIKE '/Applications/%.app/Contents/%'
    AND path NOT LIKE '/System/Applications/%'
    AND path NOT LIKE '/System/Library/%'
--- a/process/missing-from-disk.sql
+++ b/process/missing-from-disk.sql
@ -19,7 +19,10 @@ AND p.path NOT IN (
    '/usr/bin/gnome-shell',
    '/usr/bin/wireplumber',
    '/usr/libexec/gnome-shell-calendar-server',
-    '/usr/sbin/NetworkManager'
+    '/usr/sbin/NetworkManager',
+    '/usr/local/bin/containerd-shim-runc-v2',
+    '/usr/local/bin/containerd',
+    '/usr/bin/kubelet'
 )
 AND parent_path NOT IN (
    '/usr/bin/containerd-shim-runc-v2',
--- a/process/sketchy-cmdline.sql
+++ b/process/sketchy-cmdline.sql
@ -17,12 +17,13 @@ WHERE
 p.cmdline LIKE "%bitspin%" OR
 p.cmdline LIKE "%lushput%" OR
 p.cmdline LIKE "%incbit%" OR
-p.cmdline LIKE "%treason%" OR
+p.cmdline LIKE "%traitor%" OR
+p.cmdline LIKE "%msfvenom%" OR
+p.cmdline LIKE "%pwn%" OR
+p.cmdline LIKE "%attack%" OR
 -- Unusual behaviors
 p.cmdline LIKE "%ufw disable%" OR
-p.cmdline LIKE "%iptables -P INPUT ACCEPT%" OR
-p.cmdline LIKE "%iptables -P OUTPUT ACCEPT%" OR
-p.cmdline LIKE "%iptables -P FORWARD ACCEPT%" OR
+p.cmdline LIKE "%iptables -P % ACCEPT%" OR
 p.cmdline LIKE "%iptables -F%" OR
 p.cmdline LIKE "%chattr -ia%" OR
 p.cmdline LIKE "%bpftool%" OR
@ -49,3 +50,17 @@ p.cmdline LIKE "%xmr%" OR
 p.cmdline LIKE "%ransom%" OR
 p.cmdline LIKE "%malware%" OR
 p.cmdline LIKE "%plant%" OR
+-- Reverse shells
+p.cmdline LIKE '%/dev/tcp/%' OR
+p.cmdline LIKE '%/dev/udp/%' OR
+p.cmdline LIKE '%fsockopen%' OR
+p.cmdline LIKE '%openssl%quiet%' OR
+p.cmdline LIKE '%pty.spawn%' OR
+p.cmdline LIKE '%sh -i' OR
+p.cmdline LIKE '%socat%' OR
+p.cmdline LIKE '%SOCK_STREAM%' OR
+p.cmdline LIKE '%Socket.fork%' OR
+p.cmdline LIKE '%Socket.new%' OR
+p.cmdline LIKE '%socket.socket%' OR
+p.name IN ('nc', 'mkfifo')
+