From 197804e51bd92b8df6155f27fbd1eec33a18a877 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Mon, 12 Sep 2022 18:25:18 -0400
Subject: [PATCH] More monday tuning

---
 fd/unexpected-dev-opener.sql | 8 ++------
 fs/unexpected-hidden-system-folders.sql | 10 ++++------
 fs/unexpected-setuid-binaries.sql | 8 ++++++--
 process/high-disk-bytes-written.sql | 2 +-
 process/missing-from-disk.sql | 5 ++++-
 process/sketchy-cmdline.sql | 23 +++++++++++++++++++----
 6 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/fd/unexpected-dev-opener.sql b/fd/unexpected-dev-opener.sql
index 3ad66c8..e6dc01c 100644
--- a/fd/unexpected-dev-opener.sql
+++ b/fd/unexpected-dev-opener.sql
@@ -49,7 +49,7 @@ WHERE pof.path LIKE '/dev/%'
 )
 AND NOT (
 device LIKE '/dev/bus/usb/%'
- AND (program IN ('/usr/bin/gphoto2', '/usr/sbin/pcscd'))
+ AND (program IN ('/usr/bin/gphoto2', '/usr/sbin/pcscd', '/usr/lib/gvfsd-mtp'))
 OR cmdline LIKE "%/bin/streamdeck"
 )
 AND NOT (
@@ -104,11 +104,7 @@ WHERE pof.path LIKE '/dev/%'
 )
 AND NOT (
 device = '/dev/auditpipe'
- AND program LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
- )
- AND NOT (
- device = '/dev/auditpipe'
- AND program = '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+ AND program_name = 'osqueryd'
 )
 AND NOT (
 device = '/dev/auditsessions'
diff --git a/fs/unexpected-hidden-system-folders.sql b/fs/unexpected-hidden-system-folders.sql
index dd7498b..2eb29e7 100644
--- a/fs/unexpected-hidden-system-folders.sql
+++ b/fs/unexpected-hidden-system-folders.sql
@@ -1,4 +1,4 @@
-SELECT path, mtime, ctime, size, type
+SELECT path, uid, gid, mode, mtime, ctime, type, size
 FROM file
 WHERE (
 path LIKE '/lib/.%'
@@ -43,7 +43,8 @@ WHERE (
 '/tmp/.X1-lock',
 '/tmp/.X11-unix/',
 '/tmp/.XIM-unix/',
- '/var/.Parallels_swap/'
+ '/var/.Parallels_swap/',
+ '/dev/.mdadm/'
 )
 AND path NOT LIKE '/tmp/.#%'
 AND path NOT LIKE '/tmp/.com.google.Chrome.%'
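Review bot: The exclusion the new gvfsd-mtp entry sits in reads `device LIKE '/dev/bus/usb/%' AND (program IN (...)) OR cmdline LIKE "%/bin/streamdeck"`, and because AND binds tighter than OR the streamdeck clause exempts that cmdline for every device under /dev, not only USB ones. If that is intended, parentheses make it explicit: `(device LIKE '/dev/bus/usb/%' AND program IN ('/usr/bin/gphoto2', '/usr/sbin/pcscd', '/usr/lib/gvfsd-mtp')) OR cmdline LIKE '%/bin/streamdeck'`; if not, the OR belongs inside the USB condition. The enclosing WHERE clause starts before the hunk.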
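Review bot: Replacing the path pattern with `program_name = 'osqueryd'` exempts any process named osqueryd from the /dev/auditpipe check regardless of where its binary lives, which is a wider exception than the one it replaces (the removed `program = '.../%/osqueryd'` branch was dead anyway, since `=` does not expand `%`). Keeping a path constraint next to the name preserves the earlier intent while tolerating the versioned update directory: `AND program_name = 'osqueryd' AND program LIKE '/usr/local/kolide-k2/bin/%'`. A one-line comment on why the name match was chosen would help the next tuning pass. The enclosing WHERE clause starts before the hunk.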
@@ -58,7 +59,4 @@ WHERE ( AND PATH NOT LIKE '/%bin/bootstrapping/.default_components' AND PATH NOT LIKE '%/google-cloud-sdk/.install/' AND PATH NOT LIKE '/tmp/.%.gcode' - AND ( - type != 'regular' - OR size > 1 - ) \ No newline at end of file + AND NOT (type == 'regular' AND (filename LIKE "%.swp" OR size < 1000)) \ No newline at end of file diff --git a/fs/unexpected-setuid-binaries.sql b/fs/unexpected-setuid-binaries.sql index 4444c90..8a4669b 100644 --- a/fs/unexpected-setuid-binaries.sql +++ b/fs/unexpected-setuid-binaries.sql @@ -222,9 +222,14 @@ AND NOT (mode LIKE '4%55' AND uid=0 AND gid=0 AND '/usr/lib64/xf86-video-intel-backlight-helper', '/usr/libexec/qemu-bridge-helper', '/usr/libexec/Xorg.wrap', - '/usr/libexec/polkit-agent-helper-1' + '/usr/libexec/polkit-agent-helper-1', + '/bin/newgidmap', + '/bin/newuidmap' ) ) +AND NOT (mode ='4754' AND uid=0 AND gid=30 AND + file.path IN ('/usr/sbin/pppd', '/sbin/ppid') +) AND NOT (mode ='6755' AND uid=0 AND gid=0 AND file.path IN ( @@ -244,4 +249,3 @@ AND NOT (mode ='6755' AND uid=0 AND gid=0 AND '/usr/lib64/xtest' ) ) - diff --git a/process/high-disk-bytes-written.sql b/process/high-disk-bytes-written.sql index 75c7216..0ab58e5 100644 --- a/process/high-disk-bytes-written.sql +++ b/process/high-disk-bytes-written.sql @@ -36,7 +36,7 @@ WHERE bytes_per_second > 2000000 AND NOT (name = 'kernel_task' AND path = '' AND parent IN (0, 1) AND on_disk = -1) AND NOT (name = 'launchd' AND path = '/sbin/launchd' AND parent = 0) AND NOT (name = 'logd' AND cmdline = '/usr/libexec/logd' AND parent = 1) - AND NOT name IN ('firefox', 'gopls', 'containerd', 'slack', 'chrome','goland', 'esbuild', 'slack') + AND NOT name IN ('firefox', 'gopls', 'containerd', 'slack', 'chrome','goland', 'esbuild', 'slack', 'com.apple.MobileSoftwareUpdate.UpdateBrainService') AND path NOT LIKE '/Applications/%.app/Contents/%' AND path NOT LIKE '/System/Applications/%' AND path NOT LIKE '/System/Library/%' 
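Review bot: The new filter `AND NOT (type == 'regular' AND (filename LIKE "%.swp" OR size < 1000))` drops every regular file under 1000 bytes from the result, where the old condition only dropped empty or one-byte files, so a small script or config stub in one of these hidden system folders now goes unreported; the threshold deserves a comment stating which benign files it is meant to suppress, or a tighter bound. Two style points on the same line: `==` is a SQLite-only spelling where the rest of the file uses `=` and `!=`, and the double-quoted `"%.swp"` relies on SQLite's fallback that turns an unresolved double-quoted identifier into a string literal — the new lines in the first hunk of process/sketchy-cmdline.sql use the same double quoting; single quotes are the unambiguous form. The enclosing WHERE clause starts before the hunk.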
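Review bot: `'/sbin/ppid'` in the new pppd exception looks like a typo for `'/sbin/pppd'` — I know of no setuid binary by that name, and the sibling entry is `/usr/sbin/pppd`; please confirm the intended path, since a misspelt allowlist entry silently never matches. The `mode ='4754' AND uid=0 AND gid=30` condition pins the binary to root with group 30 (dip on Debian-family systems, which is how pppd ships there), and that is worth a comment such as `-- pppd: root:dip (gid 30), mode 4754 on Debian/Ubuntu` so the numeric gid is not a magic number. The enclosing WHERE clause starts before the hunk.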
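Review bot: The list the new UpdateBrainService entry joins still contains `'slack'` twice, and it is a name-only exclusion while every other exception visible in the hunk also pins `path` or `cmdline`; a process can carry any name, so this entry is the one with no second attribute. Dropping the duplicate and, if the binary's location is known, pairing the name with a `path LIKE` condition in its own `AND NOT (...)` line would keep it consistent with the launchd and logd exceptions above it. The enclosing WHERE clause starts before the hunk.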
diff --git a/process/missing-from-disk.sql b/process/missing-from-disk.sql
index e2e5dbb..46664bc 100644
--- a/process/missing-from-disk.sql
+++ b/process/missing-from-disk.sql
@@ -19,7 +19,10 @@ AND p.path NOT IN (
 '/usr/bin/gnome-shell',
 '/usr/bin/wireplumber',
 '/usr/libexec/gnome-shell-calendar-server',
- '/usr/sbin/NetworkManager'
+ '/usr/sbin/NetworkManager',
+ '/usr/local/bin/containerd-shim-runc-v2',
+ '/usr/local/bin/containerd',
+ '/usr/bin/kubelet'
 )
 AND parent_path NOT IN (
 '/usr/bin/containerd-shim-runc-v2',
diff --git a/process/sketchy-cmdline.sql b/process/sketchy-cmdline.sql
index 0514ec2..7acaa0e 100644
--- a/process/sketchy-cmdline.sql
+++ b/process/sketchy-cmdline.sql
@@ -17,12 +17,13 @@ WHERE
 p.cmdline LIKE "%bitspin%" OR
 p.cmdline LIKE "%lushput%" OR
 p.cmdline LIKE "%incbit%" OR
-p.cmdline LIKE "%treason%" OR
+p.cmdline LIKE "%traitor%" OR
+p.cmdline LIKE "%msfvenom%" OR
+p.cmdline LIKE "%pwn%" OR
+p.cmdline LIKE "%attack%" OR
 -- Unusual behaviors
 p.cmdline LIKE "%ufw disable%" OR
-p.cmdline LIKE "%iptables -P INPUT ACCEPT%" OR
-p.cmdline LIKE "%iptables -P OUTPUT ACCEPT%" OR
-p.cmdline LIKE "%iptables -P FORWARD ACCEPT%" OR
+p.cmdline LIKE "%iptables -P % ACCEPT%" OR
 p.cmdline LIKE "%iptables -F%" OR
 p.cmdline LIKE "%chattr -ia%" OR
 p.cmdline LIKE "%bpftool%" OR
@@ -49,3 +50,17 @@ p.cmdline LIKE "%xmr%" OR
 p.cmdline LIKE "%ransom%" OR
 p.cmdline LIKE "%malware%" OR
 p.cmdline LIKE "%plant%" OR
+-- Reverse shells
+p.cmdline LIKE '%/dev/tcp/%' OR
+p.cmdline LIKE '%/dev/udp/%' OR
+p.cmdline LIKE '%fsockopen%' OR
+p.cmdline LIKE '%openssl%quiet%' OR
+p.cmdline LIKE '%pty.spawn%' OR
+p.cmdline LIKE '%sh -i' OR
+p.cmdline LIKE '%socat%' OR
+p.cmdline LIKE '%SOCK_STREAM%' OR
+p.cmdline LIKE '%Socket.fork%' OR
+p.cmdline LIKE '%Socket.new%' OR
+p.cmdline LIKE '%socket.socket%' OR
+p.name IN ('nc', 'mkfifo')
+
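Review bot: `"%pwn%"` and `"%attack%"` are bare substrings with no boundary, so any cmdline that merely contains those letters matches — a path or argument containing the word "attack", for instance — which will be far noisier than the specific tool names around them; a short comment on what they are expected to catch, or anchoring them with a separator as in `"% attack%"`, would make the trade-off deliberate. The collapsed `"%iptables -P % ACCEPT%"` also accepts any text between `-P` and `ACCEPT`, not just a chain name, which is fine as long as that is understood. The enclosing WHERE clause starts before the hunk and continues after it.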
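Review bot: `'%sh -i'` is the only pattern in the new block without a trailing `%`, so it matches only when the cmdline ends in `sh -i` and misses the same flag followed by further arguments; if the end-anchoring is deliberate, a comment saying so would stop someone "fixing" it, otherwise `'%sh -i%'` is the consistent form at the cost of more noise. `p.name IN ('nc', 'mkfifo')` and `'%socat%'` are name-only matches on tools that also appear in ordinary build and container tooling, so a note on which environments this rule is tuned for would help whoever triages the hits. The enclosing WHERE clause starts before the hunk.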