diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 91efaab..a1404d6 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -8,64 +8,72 @@
 --
 -- tags: transient state net rapid
 -- platform: linux
-SELECT s.remote_address,
- p.name,
- p.path,
- p.cmdline AS child_cmd,
- p.cwd,
- pp.path AS parent_path,
- p.parent AS parent_pid,
- pp.cmdline AS parent_cmd,
- s.state,
- hash.sha256,
- -- This intentionally avoids file.path, as it won't join across mount namespaces
- CONCAT (
- MIN(p.euid, 500),
- ',',
- REPLACE(REGEX_MATCH(p.path, '(/.*?)/', 1), '/nix', '/usr'),
- '/',
- REGEX_MATCH(p.path, '.*/(.*?)$', 1),
- ',',
- MIN(f.uid, 500),
- 'u,',
- MIN(f.gid, 500),
- 'g,',
- p.name
- ) AS exception_key
-FROM process_open_sockets s
- LEFT JOIN processes p ON s.pid = p.pid
- LEFT JOIN processes pp ON p.parent = pp.pid
- LEFT JOIN file f ON p.path = f.path
- LEFT JOIN hash ON p.path = hash.path
-WHERE protocol IN (6, 17)
- AND s.remote_port = 443
- AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
- AND s.remote_address NOT LIKE 'fe80:%'
- AND s.remote_address NOT LIKE '127.%'
- AND s.remote_address NOT LIKE '192.168.%'
- AND s.remote_address NOT LIKE '172.1%'
- AND s.remote_address NOT LIKE '172.2%'
- AND s.remote_address NOT LIKE '172.30.%'
- AND s.remote_address NOT LIKE '172.31.%'
- AND s.remote_address NOT LIKE '::ffff:172.%'
- AND s.remote_address NOT LIKE '10.%'
- AND s.remote_address NOT LIKE '::ffff:10.%'
- AND s.remote_address NOT LIKE 'fc00:%'
- AND p.path != ''
- AND NOT exception_key IN (
- '0,/usr/launcher,0u,0g,launcher',
- '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
- '500,/app/slack,u,g,slack',
- '500,/ko-app/controlplane,u,g,controlplane',
- '500,/opt/chrome,0u,0g,chrome',
- '500,/opt/spotify,0u,0g,spotify',
- '500,/usr/chrome,0u,0g,chrome',
- '500,/usr/code,0u,0g,code',
- '500,/usr/firefox,0u,0g,firefox',
- '500,/usr/firefox,0u,0g,.firefox-wrappe',
- '500,/usr/geoclue,0u,0g,geoclue',
- '500,/usr/gnome-software,0u,0g,gnome-software',
- '500,/usr/slack,0u,0g,slack',
- '500,/usr/syncthing,0u,0g,syncthing'
- )
-GROUP BY p.cmdline
+SELECT
+ s.remote_address,
+ p.name,
+ p.path,
+ p.cmdline AS child_cmd,
+ p.cwd,
+ pp.path AS parent_path,
+ p.parent AS parent_pid,
+ pp.cmdline AS parent_cmd,
+ s.state,
+ hash.sha256,
+ -- This intentionally avoids file.path, as it won't join across mount namespaces
+ CONCAT (
+ MIN(p.euid, 500),
+ ',',
+ REPLACE(
+ REGEX_MATCH (p.path, '(/.*?)/', 1),
+ '/nix',
+ '/usr'
+ ),
+ '/',
+ REGEX_MATCH (p.path, '.*/(.*?)$', 1),
+ ',',
+ MIN(f.uid, 500),
+ 'u,',
+ MIN(f.gid, 500),
+ 'g,',
+ p.name
+ ) AS exception_key
+FROM
+ process_open_sockets s
+ LEFT JOIN processes p ON s.pid = p.pid
+ LEFT JOIN processes pp ON p.parent = pp.pid
+ LEFT JOIN file f ON p.path = f.path
+ LEFT JOIN hash ON p.path = hash.path
+WHERE
+ protocol IN (6, 17)
+ AND s.remote_port = 443
+ AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
+ AND s.remote_address NOT LIKE 'fe80:%'
+ AND s.remote_address NOT LIKE '127.%'
+ AND s.remote_address NOT LIKE '192.168.%'
+ AND s.remote_address NOT LIKE '172.1%'
+ AND s.remote_address NOT LIKE '172.2%'
+ AND s.remote_address NOT LIKE '172.30.%'
+ AND s.remote_address NOT LIKE '172.31.%'
+ AND s.remote_address NOT LIKE '::ffff:172.%'
+ AND s.remote_address NOT LIKE '10.%'
+ AND s.remote_address NOT LIKE '::ffff:10.%'
+ AND s.remote_address NOT LIKE 'fc00:%'
+ AND p.path != ''
+ AND NOT exception_key IN (
+ '0,/usr/launcher,0u,0g,launcher',
+ '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
+ '500,/app/slack,u,g,slack',
+ '500,/ko-app/controlplane,u,g,controlplane',
+ '500,/opt/chrome,0u,0g,chrome',
+ '500,/opt/spotify,0u,0g,spotify',
+ '500,/usr/chrome,0u,0g,chrome',
+ '500,/usr/code,0u,0g,code',
+ '500,/usr/firefox,0u,0g,firefox',
+ '500,/usr/firefox,0u,0g,.firefox-wrappe',
+ '500,/usr/geoclue,0u,0g,geoclue',
+ '500,/usr/gnome-software,0u,0g,gnome-software',
+ '500,/usr/slack,0u,0g,slack',
+ '500,/usr/syncthing,0u,0g,syncthing'
+ )
+GROUP BY
+ p.cmdline
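Review bot: The RFC 1918 exclusions on the new side are over-broad: `NOT LIKE '172.1%'` and `NOT LIKE '172.2%'` also drop 172.1.x.x, 172.2.x.x and 172.10.x.x–172.15.x.x, and `NOT LIKE '::ffff:172.%'` drops every IPv4-mapped 172/8 address, so an HTTPS beacon from a non-excepted process to a public host in those ranges never surfaces (only 172.16.0.0/12 is private). I would replace the five 172 lines with a second-octet check, e.g. `AND NOT ((s.remote_address LIKE '172.%' OR s.remote_address LIKE '::ffff:172.%') AND CAST(SPLIT(s.remote_address, '.', 1) AS INTEGER) BETWEEN 16 AND 31)`, using osquery's SPLIT(). Similarly `NOT LIKE 'fc00:%'` covers only half of the fc00::/7 ULA block (most real ULAs are `fd..`), which costs false positives rather than misses, and `GROUP BY p.cmdline` with bare columns reports a single arbitrary remote_address for a process that holds several qualifying sockets. None of this is introduced by the reformat, but the 172 gap is a real detection hole worth a follow-up commit.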
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 1b035fc..d486678 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -8,7 +8,8 @@
 --
 -- tags: transient state net rapid
 -- platform: linux
-SELECT s.remote_address,
+SELECT
+ s.remote_address,
 p.name,
 p.path,
 p.cmdline AS child_cmd,
@@ -27,12 +28,12 @@ SELECT s.remote_address,
 MIN(p.euid, 500),
 ',',
 REPLACE(
- REGEX_MATCH(p.path, '(/.*?)/', 1),
+ REGEX_MATCH (p.path, '(/.*?)/', 1),
 '/nix',
 '/usr'
 ),
 '/',
- REGEX_MATCH(p.path, '.*/(.*?)$', 1),
+ REGEX_MATCH (p.path, '.*/(.*?)$', 1),
 ',',
 MIN(f.uid, 500),
 'u,',
@@ -40,12 +41,14 @@ SELECT s.remote_address,
 'g,',
 p.name
 ) AS exception_key
-FROM process_open_sockets s
+FROM
+ process_open_sockets s
 LEFT JOIN processes p ON s.pid = p.pid
 LEFT JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN file f ON p.path = f.path
 LEFT JOIN hash ON p.path = hash.path
-WHERE protocol > 0
+WHERE
+ protocol > 0
 AND s.remote_port > 0
 -- See unexpected-https-client
 AND NOT (
@@ -99,4 +102,5 @@ WHERE protocol > 0
 AND s.protocol = 6
 AND p.euid > 500
 )
-GROUP BY p.cmdline
\ No newline at end of file
+GROUP BY
+ p.cmdline
diff --git a/detection/evasion/unexpected-library-entries-macos.sql b/detection/evasion/unexpected-library-entries-macos.sql
index 5b9ce13..503c3fd 100644
--- a/detection/evasion/unexpected-library-entries-macos.sql
+++ b/detection/evasion/unexpected-library-entries-macos.sql
@@ -8,115 +8,118 @@
 --
 -- tags: persistent state filesystem seldom
 -- platform: darwin
-SELECT file.path,
- file.type,
- file.size,
- file.mtime,
- file.uid,
- file.ctime,
- file.gid,
- hash.sha256,
- magic.data
-FROM file
- LEFT JOIN hash ON file.path = hash.path
- LEFT JOIN magic ON file.path = magic.path
-WHERE (
- file.path LIKE '/Library/%'
- OR file.path LIKE '/Library/.%'
- OR file.path LIKE '/Library/%/.%'
- OR file.path LIKE '/Library/WebServer/%'
- OR file.path LIKE '/Library/WebServer/Documents/%%'
- OR file.path LIKE '/Library/WebServer/CGI-Executables/%%'
- )
- AND file.path NOT LIKE '%/../%'
- AND file.path NOT LIKE '%/./%'
- AND file.size > 1
- AND file.path NOT IN (
- '/Library/Apple/',
- '/Library/Application Support/',
- '/Library/Audio/',
- '/Library/AutoBugCapture/',
- '/Library/Bluetooth/',
- '/Library/Caches/',
- '/Library/Catacomb/',
- '/Library/ColorPickers/',
- '/Library/ColorSync/',
- '/Library/Components/',
- '/Library/Compositions/',
- '/Library/Compositions/.localized',
- '/Library/Contextual Menu Items/',
- '/Library/CoreAnalytics/',
- '/Library/CoreMediaIO/',
- '/Library/Desktop Pictures/',
- '/Library/Desktop Pictures/.localizations/',
- '/Library/Desktop Pictures/.thumbnails/',
- '/Library/Developer/',
- '/Library/DirectoryServices/',
- '/Library/Documentation/',
- '/Library/DriverExtensions/',
- '/Library/Extensions/',
- '/Library/Filesystems/',
- '/Library/Fonts/',
- '/Library/Fonts/.uuid',
- '/Library/Frameworks/',
- '/Library/Google/',
- '/Library/GPUBundles/',
- '/Library/Graphics/',
- '/Library/Image Capture/',
- '/Library/Input Methods/',
- '/Library/InstallerSandboxes/',
- '/Library/InstallerSandboxes/.metadata_never_index',
- '/Library/InstallerSandboxes/.PKInstallSandboxManager/',
- '/Library/Internet Plug-Ins/',
- '/Library/Java/',
- '/Library/KernelCollections/',
- '/Library/KernelCollections/.file',
- '/Library/Keyboard Layouts/',
- '/Library/Keychains/',
- '/Library/LaunchAgents/',
- '/Library/LaunchDaemons/',
- '/Library/.localized',
- '/Library/Logs/',
- '/Library/Mail/',
- '/Library/Managed Preferences/',
- '/Library/Modem Scripts/',
- '/Library/Nessus/',
- '/Library/Objective-See/',
- '/Library/OpenDirectory/',
- '/Library/OSAnalytics/',
- '/Library/Perl/',
- '/Library/PreferencePanes/',
- '/Library/Preferences/',
- '/Library/Preferences/.GlobalPreferences.plist',
- '/Library/Printers/',
- '/Library/PrivilegedHelperTools/',
- '/Library/QuickLook/',
- '/Library/Receipts/',
- '/Library/Ruby/',
- '/Library/Sandbox/',
- '/Library/Screen Savers/',
- '/Library/ScriptingAdditions/',
- '/Library/Scripts/',
- '/Library/Security/',
- '/Library/Services/',
- '/Library/Speech/',
- '/Library/Spotlight/',
- '/Library/StagedDriverExtensions/',
- '/Library/StagedExtensions/',
- '/Library/StartupItems/',
- '/Library/SystemExtensions/',
- '/Library/SystemExtensions/.staging/',
- '/Library/SystemMigration/',
- '/Library/SystemProfiler/',
- '/Library/TeX/',
- '/Library/Updates/',
- '/Library/User Pictures/',
- '/Library/User Template/',
- '/Library/Video/',
- '/Library/WebServer/',
- '/Library/WebServer/CGI-Executables/',
- '/Library/WebServer/Documents/',
- '/Library/WebServer/Documents/index.html.en',
- '/Library/WebServer/share/'
- )
- AND NOT file.path LIKE '/Library/Caches/.00%'
\ No newline at end of file
+SELECT
+ file.path,
+ file.type,
+ file.size,
+ file.mtime,
+ file.uid,
+ file.ctime,
+ file.gid,
+ hash.sha256,
+ magic.data
+FROM
+ file
+ LEFT JOIN hash ON file.path = hash.path
+ LEFT JOIN magic ON file.path = magic.path
+WHERE
+ (
+ file.path LIKE '/Library/%'
+ OR file.path LIKE '/Library/.%'
+ OR file.path LIKE '/Library/%/.%'
+ OR file.path LIKE '/Library/WebServer/%'
+ OR file.path LIKE '/Library/WebServer/Documents/%%'
+ OR file.path LIKE '/Library/WebServer/CGI-Executables/%%'
+ )
+ AND file.path NOT LIKE '%/../%'
+ AND file.path NOT LIKE '%/./%'
+ AND file.size > 1
+ AND file.path NOT IN (
+ '/Library/Apple/',
+ '/Library/Application Support/',
+ '/Library/Audio/',
+ '/Library/AutoBugCapture/',
+ '/Library/Bluetooth/',
+ '/Library/Caches/',
+ '/Library/Catacomb/',
+ '/Library/ColorPickers/',
+ '/Library/ColorSync/',
+ '/Library/Components/',
+ '/Library/Compositions/',
+ '/Library/Compositions/.localized',
+ '/Library/Contextual Menu Items/',
+ '/Library/CoreAnalytics/',
+ '/Library/CoreMediaIO/',
+ '/Library/Desktop Pictures/',
+ '/Library/Desktop Pictures/.localizations/',
+ '/Library/Desktop Pictures/.thumbnails/',
+ '/Library/Developer/',
+ '/Library/DirectoryServices/',
+ '/Library/Documentation/',
+ '/Library/DriverExtensions/',
+ '/Library/Extensions/',
+ '/Library/Filesystems/',
+ '/Library/Fonts/',
+ '/Library/Fonts/.uuid',
+ '/Library/Frameworks/',
+ '/Library/Google/',
+ '/Library/GPUBundles/',
+ '/Library/Graphics/',
+ '/Library/Image Capture/',
+ '/Library/Input Methods/',
+ '/Library/InstallerSandboxes/',
+ '/Library/InstallerSandboxes/.metadata_never_index',
+ '/Library/InstallerSandboxes/.PKInstallSandboxManager/',
+ '/Library/Internet Plug-Ins/',
+ '/Library/Java/',
+ '/Library/KernelCollections/',
+ '/Library/KernelCollections/.file',
+ '/Library/Keyboard Layouts/',
+ '/Library/Keychains/',
+ '/Library/LaunchAgents/',
+ '/Library/LaunchDaemons/',
+ '/Library/.localized',
+ '/Library/Logs/',
+ '/Library/Mail/',
+ '/Library/Managed Preferences/',
+ '/Library/Modem Scripts/',
+ '/Library/Nessus/',
+ '/Library/Objective-See/',
+ '/Library/OpenDirectory/',
+ '/Library/OSAnalytics/',
+ '/Library/Perl/',
+ '/Library/PreferencePanes/',
+ '/Library/Preferences/',
+ '/Library/Preferences/.GlobalPreferences.plist',
+ '/Library/Printers/',
+ '/Library/PrivilegedHelperTools/',
+ '/Library/QuickLook/',
+ '/Library/Receipts/',
+ '/Library/Ruby/',
+ '/Library/Sandbox/',
+ '/Library/Screen Savers/',
+ '/Library/ScriptingAdditions/',
+ '/Library/Scripts/',
+ '/Library/Security/',
+ '/Library/Services/',
+ '/Library/Speech/',
+ '/Library/Spotlight/',
+ '/Library/StagedDriverExtensions/',
+ '/Library/StagedExtensions/',
+ '/Library/StartupItems/',
+ '/Library/SystemExtensions/',
+ '/Library/SystemExtensions/.staging/',
+ '/Library/SystemMigration/',
+ '/Library/SystemProfiler/',
+ '/Library/TeX/',
+ '/Library/Updates/',
+ '/Library/User Pictures/',
+ '/Library/User Template/',
+ '/Library/Video/',
+ '/Library/WebServer/',
+ '/Library/WebServer/CGI-Executables/',
+ '/Library/WebServer/Documents/',
+ '/Library/WebServer/Documents/index.html.en',
+ '/Library/WebServer/share/'
+ )
+ AND NOT file.path LIKE '/Library/Caches/.00%'
diff --git a/detection/evasion/unexpected-tmp-executables.sql b/detection/evasion/unexpected-tmp-executables.sql
index bbb7d4f..9012d6b 100644
--- a/detection/evasion/unexpected-tmp-executables.sql
+++ b/detection/evasion/unexpected-tmp-executables.sql
@@ -5,7 +5,8 @@
 --
 -- tags: persistent
 -- platform: posix
-SELECT file.path,
+SELECT
+ file.path,
 uid,
 gid,
 mode,
@@ -13,10 +14,12 @@ SELECT file.path,
 file.size,
 hash.sha256,
 magic.data
-FROM file
+FROM
+ file
 LEFT JOIN hash on file.path = hash.path
 LEFT JOIN magic ON file.path = magic.path
-WHERE (
+WHERE
+ (
 -- Recursive queries don't seem to work well with hidden directories :(
 file.path LIKE '/tmp/%%'
 OR file.path LIKE '/tmp/.%/%%'
@@ -94,4 +97,4 @@ WHERE (
 AND NOT (
 file.type = 'regular'
 AND size < 10
- )
\ No newline at end of file
+ )
diff --git a/incident_response/systemd_units.sql b/incident_response/systemd_units.sql
index 7436a6e..2d6d4b1 100644
--- a/incident_response/systemd_units.sql
+++ b/incident_response/systemd_units.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- systemd_units;
\ No newline at end of file
+ systemd_units;
diff --git a/incident_response/users.sql b/incident_response/users.sql
index 27da601..eea41d7 100644
--- a/incident_response/users.sql
+++ b/incident_response/users.sql
@@ -5,4 +5,4 @@
 SELECT
 *
 FROM
- users
\ No newline at end of file
+ users