diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql index b6b118c..baf4bd2 100644 --- a/detection/c2/unexpected-dns-traffic-events.sql +++ b/detection/c2/unexpected-dns-traffic-events.sql @@ -68,7 +68,6 @@ WHERE '75.75.75.75', -- Comcast '75.75.76.76', -- Comcast '68.105.28.13' -- Cox - ) -- Exceptions that specifically talk to one server AND exception_key NOT IN ( diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql index 9d61f9d..66a3901 100644 --- a/detection/c2/unexpected-https-client-linux.sql +++ b/detection/c2/unexpected-https-client-linux.sql @@ -78,6 +78,7 @@ WHERE '0,/usr/packagekitd,0u,0g,packagekitd', '0,/usr/pacman,0u,0g,pacman', '0,/usr/python3.10,0u,0g,dnf', + '0,/usr/python3.10,0u,0g,dnf-automatic', '0,/usr/python3.10,0u,0g,yum', '0,/usr/python3.11,0u,0g,dnf', '0,/usr/rpi-imager,0u,0g,rpi-imager', @@ -87,16 +88,15 @@ WHERE '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra', '105,/usr/http,0u,0g,https', '106,/usr/geoclue,0u,0g,geoclue', + '500,/app/signal-desktop,u,g,signal-desktop', '500,/app/slack,u,g,slack', '500,/app/spotify,u,g,spotify', - '500,/home/promoter,500u,500g,promoter', '500,/app/thunderbird,u,g,thunderbird', '500,/app/zoom.real,u,g,zoom.real', '500,/home/cargo,500u,500g,cargo', '500,/home/chainctl,500u,100g,chainctl', '500,/home/chainctl,500u,500g,chainctl', '500,/home/code,500u,500g,code', - '500,/usr/pacman,0u,0g,pacman', '500,/home/cosign,500u,500g,cosign', '500,/home/gitsign,500u,500g,gitsign', '500,/home/go,500u,500g,go', @@ -104,8 +104,7 @@ WHERE '500,/home/java,500u,500g,java', '500,/home/jcef_helper,500u,500g,jcef_helper', '500,/home/ko,500u,500g,ko', - '0,/usr/python3.10,0u,0g,dnf-automatic', - '500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a', + '500,/home/promoter,500u,500g,promoter', '500,/home/python3,500u,500g,python3', '500,/home/steam,500u,100g,steam', '500,/home/steamwebhelper,500u,100g,steamwebhelper', @@ -116,6 +115,7 @@ WHERE '500,/ko-app/controlplane,u,g,controlplane', '500,/opt/1password,0u,0g,1password', '500,/opt/Brackets,0u,0g,Brackets', + '500,/opt/brave,0u,0g,brave', '500,/opt/chrome,0u,0g,chrome', '500,/opt/Discord,0u,0g,Discord', '500,/opt/firefox,0u,0g,firefox', @@ -158,6 +158,7 @@ WHERE '500,/usr/goa-daemon,0u,0g,goa-daemon', '500,/usr/gsd-datetime,0u,0g,gsd-datetime', '500,/usr/gvfsd-http,0u,0g,gvfsd-http', + '500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a', '500,/usr/java,0u,0g,java', '500,/usr/java,u,g,java', '500,/usr/kbfsfuse,0u,0g,kbfsfuse', @@ -167,7 +168,9 @@ WHERE '500,/usr/lens,0u,0g,lens', '500,/usr/nautilus,0u,0g,nautilus', '500,/usr/obs,0u,0g,obs', + '500,/usr/pacman,0u,0g,pacman', '500,/usr/python3,0u,0g,python3', + '500,/usr/python3.10,0u,0g,python3', '500,/usr/reporter-ureport,0u,0g,reporter-urepor', '500,/usr/rpi-imager,0u,0g,rpi-imager', '500,/usr/signal-desktop,0u,0g,signal-desktop', diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql index f4a9593..7551238 100644 --- a/detection/c2/unexpected-talkers-linux.sql +++ b/detection/c2/unexpected-talkers-linux.sql @@ -91,6 +91,7 @@ WHERE '22,6,500,/home/cargo,500u,500g,cargo', '22,6,500,/usr/cargo,0u,0g,cargo', '22,6,500,/usr/ssh,0u,0g,ssh', + '22,6,0,/usr/ssh,0u,0g,ssh', '27034,6,500,/home/steam,500u,100g,steam', '27035,6,500,/home/steam,500u,100g,steam', '32768,6,0,/usr/tailscaled,0u,0g,tailscaled', @@ -146,7 +147,7 @@ WHERE '8801,17,500,/opt/zoom,0u,0g,zoom', '993,6,500,/app/thunderbird,u,g,thunderbird', '993,6,500,/usr/thunderbird,0u,0g,thunderbird' - ) + ) AND NOT ( p.name = 'syncthing' AND f.filename = 'syncthing' diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index 1538f96..aa6e870 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql @@ -147,8 +147,8 @@ WHERE '443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)', '443,17,500,Evernote Helper,,', '443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing', - '443,6,500,PlexMobile,com.plexapp.plex,Apple iPhone OS Application Signing', '443,17,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing', + '443,17,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)', '443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)', '443,17,500,Slack Helper,,', '443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing', @@ -191,6 +191,7 @@ WHERE '443,6,500,gh,gh,', '443,6,500,git,com.apple.git,Software Signing', '443,6,500,git,git,', + '443,6,500,GitHub Desktop Helper,com.github.GitHubClient.helper,Developer ID Application: GitHub (VEKTX9H2N7)', '443,6,500,GitHub.UI,GitHub,Developer ID Application: Microsoft Corporation (UBF8T346G9)', '443,6,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing', '443,6,500,git-remote-http,,', @@ -220,12 +221,12 @@ WHERE '443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)', '443,6,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)', '443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)', + '443,6,500,PlexMobile,com.plexapp.plex,Apple iPhone OS Application Signing', '443,6,500,prober,a.out,', '443,6,500,provisio,,', '443,6,500,pulumi-resource-gcp,a.out,', '443,6,500,pulumi-resource-github,a.out,', '443,6,500,python2.7,python2.7,', - '443,6,500,GitHub Desktop Helper,com.github.GitHubClient.helper,Developer ID Application: GitHub (VEKTX9H2N7)', '443,6,500,python3.10,python3.10,', '443,6,500,Python,com.apple.python3,Software Signing', '443,6,500,Python,org.python.python,', @@ -235,6 +236,7 @@ WHERE '443,6,500,release-notes,a.out,', '443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing', '443,6,500,scorecard-darwin-amd64,,', + '443,6,500,Signal Helper (Renderer),org.whispersystems.signal-desktop.helper.Renderer,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)', '443,6,500,Slack Helper,,', '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)', @@ -248,12 +250,12 @@ WHERE '443,6,500,trivy,a.out,', '443,6,500,vegeta,a.out,', '443,6,500,vim,vim,', + '443,6,500,wolfictl,a.out,', '443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)', '443,6,500,zsh,com.apple.zsh,Software Signing', '53,17,500,docker-credential-gcr,a.out,', '53,17,500,trivy,,', '6000,6,500,ssh,,', - '443,17,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)', '6000,6,500,ssh,com.apple.openssh,Software Signing', '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,', '80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing', @@ -262,6 +264,8 @@ WHERE '80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)', '80,6,500,webhook.test,a.out,' ) + -- Steam uses ports in the 27xxx range + AND NOT exception_key LIKE '27%,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)' -- There are many signing hashes for git AND NOT exception_key LIKE '443,6,500,git-remote-http,git-remote-http-%' AND NOT exception_key LIKE '443,6,500,cargo,cargo-%' diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql index 532eb33..54bbd44 100644 --- a/detection/credentials/unexpected-dev-opener-linux.sql +++ b/detection/credentials/unexpected-dev-opener-linux.sql @@ -163,6 +163,7 @@ WHERE '/dev/video,ffmpeg', '/dev/video,firefox', '/dev/video,obs', + '/dev/video,brave', '/dev/video,obs-ffmpeg-mux', '/dev/video,pipewire', '/dev/video,vlc', diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql index 4801cb1..649a83e 100644 --- a/detection/evasion/empty_root_environ_linux.sql +++ b/detection/evasion/empty_root_environ_linux.sql @@ -42,7 +42,10 @@ WHERE 'sshd', 'zypak-sandbox' ) - AND NOT (p.name LIKE 'systemd-%' AND p.parent=1) + AND NOT ( + p.name LIKE 'systemd-%' + AND p.parent = 1 + ) AND NOT pp.cmdline LIKE 'bwrap %' AND NOT p.cmdline LIKE '%--type=zygote%' AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%' diff --git a/detection/evasion/name_path_mismatch.sql b/detection/evasion/name_path_mismatch.sql index a202e73..2d07561 100644 --- a/detection/evasion/name_path_mismatch.sql +++ b/detection/evasion/name_path_mismatch.sql @@ -45,8 +45,8 @@ WHERE 'name=blueman-applet,file=python3,500', 'name=blueman-tray,file=python3,500', 'name=cat,file=coreutils,500', + 'name=cc,file=gcc,0', 'name=chrome-gnome-s,file=python3,500', - 'name=restorecon,file=setfiles,0', 'name=Chroot,file=firefox,500', 'name=code-oss,file=electron,500', 'name=exe,file=rootlessport,500', @@ -56,13 +56,11 @@ WHERE 'name=gjs,file=gjs-console,120', 'name=gjs,file=gjs-console,42', 'name=gjs,file=gjs-console,500', - 'name=sh,file=busybox,0', - 'name=cc,file=gcc,0', - 'name=systemd-udevd,file=udevadm,500', 'name=gnome-characte,file=gjs-console,500', 'name=gnome-character,file=gjs-console,500', 'name=gnome-tweak-to,file=python3,500', 'name=gsettings-hel,file=gsettings-help,500', + 'name=iptables,file=xtables-nft-mu,0', 'name=Isolated,file=firefox,500', 'name=Isolated,file=thunderbird,500', 'name=MainThread,file=plugin-contain,500', @@ -77,14 +75,17 @@ WHERE 'name=pipewire-pulse,file=pipewire,500', 'name=Privileged,file=firefox,500', 'name=RDD,file=firefox,500', + 'name=restorecon,file=setfiles,0', 'name=sd_espeak-ng-m,file=sd_espeak-ng,500', 'name=sessionclean,file=dash,0', + 'name=sh,file=busybox,0', 'name=sh,file=dash,0', 'name=sh,file=dash,500', 'name=slic3r_main,file=prusa-slicer,500', 'name=Socket,file=firefox,500', 'name=streamdeck,file=python3,500', 'name=systemd-udevd,file=udevadm,0', + 'name=systemd-udevd,file=udevadm,500', 'name=terminator,file=python3,500', 'name=Thunar,file=thunar,500', 'name=unattended-upg,file=python3,0', diff --git a/detection/evasion/touched-executable-macos.sql b/detection/evasion/touched-executable-macos.sql index ab59ea5..dbf9728 100644 --- a/detection/evasion/touched-executable-macos.sql +++ b/detection/evasion/touched-executable-macos.sql @@ -86,6 +86,7 @@ WHERE ) OR p.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%' OR p.path LIKE '/Applications/%.app/Contents/MacOS/%' + OR p.path LIKE '/Applications/%.app/Contents/Frameworks/%/Versions/A/Resources/%' OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%' OR p.path LIKE '/opt/homebrew/Caskroom/%/bin/%' OR p.path LIKE '/Users/%/google-cloud-sdk/bin/%' diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql index ff23085..4857129 100644 --- a/detection/evasion/unexpected-alf-exceptions-macos.sql +++ b/detection/evasion/unexpected-alf-exceptions-macos.sql @@ -71,7 +71,6 @@ WHERE -- NOTE:We intentionally want to preserve missing files '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/', ',,/usr/bin/nmblookup,', ',,/usr/libexec/discoveryd,' - ) AND NOT ( signature.identifier LIKE 'cargo-%' diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql index 8712f9b..a3b948f 100644 --- a/detection/execution/exotic-command-events-linux.sql +++ b/detection/execution/exotic-command-events-linux.sql @@ -9,7 +9,6 @@ -- tags: transient process events -- platform: linux -- interval: 30 - SELECT p.pid, p.path, @@ -148,3 +147,4 @@ WHERE AND NOT cmd LIKE 'pkill -f cut -c3%' AND NOT cmd LIKE 'dirname %history' AND NOT cmd LIKE 'tail /%history' + AND NOT cmd LIKE 'find . -executable -type f -name %grep -l GNU Libtool%touch -r%' diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql index 08e542e..d0d2ce0 100644 --- a/detection/execution/exotic-command-events-macos.sql +++ b/detection/execution/exotic-command-events-macos.sql @@ -27,10 +27,10 @@ SELECT hash.sha256, pp.path AS parent_path, pp.name AS parent_name, + TRIM(pp.cmdline) AS parent_cmd, + pp.euid AS parent_euid, ppp.path AS gparent_path, ppp.name AS gparent_name, - TRIM(p.cmdline) AS parent_cmd, - pp.euid AS parent_euid, phash.sha256 AS parent_sha256, gphash.sha256 AS gparent_sha256 FROM @@ -100,6 +100,7 @@ WHERE OR ( cmd LIKE '%sh -i' AND NOT parent_name IN ('sh', 'java') + AND NOT parent_cmd LIKE "%pipenv shell" ) OR cmd LIKE '%socat%' OR cmd LIKE '%SOCK_STREAM%' diff --git a/detection/execution/exotic-commands.sql b/detection/execution/exotic-commands.sql index 04b80f3..5347673 100644 --- a/detection/execution/exotic-commands.sql +++ b/detection/execution/exotic-commands.sql @@ -76,6 +76,7 @@ WHERE OR ( cmd LIKE '%sh -i' AND NOT parent_name IN ('sh', 'java') + AND NOT parent_cmd LIKE '%pipenv shell' ) OR cmd LIKE '%socat%' OR cmd LIKE '%SOCK_STREAM%' diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql index 2fd513c..7c95cac 100644 --- a/detection/execution/recently-created-executables-linux.sql +++ b/detection/execution/recently-created-executables-linux.sql @@ -47,11 +47,9 @@ WHERE '/opt/google/chrome/chrome_crashpad_handler', '/opt/google/chrome/nacl_helper', '/opt/Lens/chrome_crashpad_handler', - '/usr/lib/flatpak-session-helper', '/opt/Lens/lens', '/opt/sublime_text/sublime_text', '/usr/bin/alacritty', - '/usr/sbin/avahi-daemon', '/usr/bin/bash', '/usr/bin/cargo', '/usr/bin/containerd', @@ -59,11 +57,9 @@ WHERE '/usr/bin/docker', '/usr/bin/dockerd', '/usr/bin/docker-proxy', - '/usr/lib/flatpak-session-helper', '/usr/bin/gedit', '/usr/bin/gnome-keyring-daemon', '/usr/bin/kbfsfuse', - '/usr/sbin/alsactl', '/usr/bin/keybase', 'usr/bin/keybase-redirector', '/usr/bin/nm-applet', @@ -74,14 +70,17 @@ WHERE '/usr/bin/tailscaled', '/usr/bin/udevadm', '/usr/bin/wpa_supplicant', + '/usr/lib64/electron/electron', '/usr/lib64/firefox/firefox', '/usr/lib64/google-cloud-sdk/platform/bundledpythonunix/bin/python3', '/usr/lib/at-spi2-registryd', '/usr/lib/at-spi-bus-launcher', + '/usr/libexec/bluetooth/bluetoothd', '/usr/libexec/docker/docker-proxy', '/usr/libexec/fwupd/fwupd', '/usr/libexec/snapd/snapd', '/usr/libexec/sssd/sssd_kcm', + '/usr/lib/flatpak-session-helper', '/usr/lib/fwupd/fwupd', '/usr/lib/gdm', '/usr/lib/gdm-session-worker', @@ -94,6 +93,8 @@ WHERE '/usr/lib/slack/slack', '/usr/lib/snapd/snapd', '/usr/lib/systemd/systemd', + '/usr/bin/wireplumber', + '/usr/lib/xdg-desktop-portal-gtk', '/usr/lib/systemd/systemd-journald', '/usr/lib/systemd/systemd-logind', '/usr/lib/systemd/systemd-oomd', @@ -102,6 +103,8 @@ WHERE '/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page', '/usr/lib/xf86-video-intel-backlight-helper', '/usr/local/bin/kind', + '/usr/sbin/alsactl', + '/usr/sbin/avahi-daemon', '/usr/sbin/chronyd', '/usr/sbin/cupsd', '/usr/sbin/tailscaled', @@ -115,7 +118,7 @@ WHERE AND NOT p.path LIKE '/home/%/terraform-provider-%' AND NOT p.path LIKE '/home/%/%.test' AND NOT p.path LIKE '/home/%/Projects/%' - AND NOT p.path LIKE '/home/%/node_modules/.bin/exec-bin/%' + AND NOT p.path LIKE '/home/%/node_modules/.bin/%' AND NOT p.path LIKE '/nix/store/%/bin/%' AND NOT p.path LIKE '/usr/local/bin/%' AND NOT p.path LIKE '/opt/%' diff --git a/detection/execution/recently-created-executables-macos.sql b/detection/execution/recently-created-executables-macos.sql index 41eba01..6b604a2 100644 --- a/detection/execution/recently-created-executables-macos.sql +++ b/detection/execution/recently-created-executables-macos.sql @@ -106,6 +106,7 @@ WHERE AND NOT p.path LIKE '%/.vscode/extensions/%' AND NOT p.path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos' AND NOT p.path LIKE '/Users/%/Parallels/%/Contents/MacOS/WinAppHelper' + AND NOT p.path LIKE '/Users/%/Applications (Parallels)/%/Contents/MacOS/WinAppHelper' AND NOT ( p.path LIKE '/Users/%' AND p.uid > 499 diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql index a4dfd0b..c797609 100644 --- a/detection/execution/unexpected-execdir-events-macos.sql +++ b/detection/execution/unexpected-execdir-events-macos.sql @@ -119,33 +119,40 @@ WHERE '~/Applications (Parallels)/', '~/bin/', '~/.cargo/', - '~/.rustup/', + '~/chainguard/', '~/code/', + '~/Code/', '~/.config/', '~/git/', '~/github/', '~/go/', - '~/Parallels/', '~/google-cloud-sdk/', '~/homebrew/', '~/.kuberlr/', '~/Library/', '~/.local/', + '~/Parallels/', '~/projects/', '~/.pulumi/', '~/.pyenv/', + '~/.rustup/', '~/src/', '~/.tflint.d/', '~/.vscode/', - '~/.vs-kubernetes/', - '~/Code/' + '~/.vs-kubernetes/' ) -- Locally built executables AND NOT ( - signature.identifier = "a.out" + signature.identifier = 'a.out' AND homedir LIKE '~/%' AND pp.name IN ('fish', 'sh', 'bash', 'zsh', 'terraform', 'code') ) + AND NOT ( + signature.authority = '' + AND homedir LIKE '~/%' + AND pp.name IN ('fish', 'sh', 'bash', 'zsh') + AND p.cmdline LIKE './%' + ) AND dir NOT LIKE '../%' -- data issue AND dir NOT LIKE '/Applications/%' AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS' @@ -164,7 +171,9 @@ WHERE AND homedir NOT LIKE '~/%/google-cloud-sdk/bin/%' AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%' AND homedir NOT LIKE '~/%/node_modules/.pnpm/%' - + AND homedir NOT LIKE '~/%repo%' + AND homedir NOT LIKE '~/%sigstore%' + AND homedir NOT LIKE '~/%/bin' AND signature.authority NOT IN ( 'Apple iPhone OS Application Signing', 'Apple Mac OS Application Signing', diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql index 46e83bf..2435803 100644 --- a/detection/execution/unexpected-execdir-macos.sql +++ b/detection/execution/unexpected-execdir-macos.sql @@ -136,7 +136,6 @@ WHERE AND homedir LIKE '~/%' AND pp.name LIKE '%sh' ) - AND dir NOT LIKE '/Applications/%' AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS' AND dir NOT LIKE '/private/tmp/go-build%/exe' @@ -154,7 +153,6 @@ WHERE AND homedir NOT LIKE '~/%/google-cloud-sdk/bin/%' AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%' AND homedir NOT LIKE '~/%/node_modules/.pnpm/%' - -- Allow these anywhere (put last because it's slow to query signatures) AND signature.authority NOT IN ( 'Apple iPhone OS Application Signing', diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql index 1b98908..99b81d8 100644 --- a/detection/execution/unexpected-osascript-calls.sql +++ b/detection/execution/unexpected-osascript-calls.sql @@ -63,7 +63,7 @@ WHERE ) AND NOT ( parent_cmd LIKE '%/google-cloud-sdk/lib/gcloud.py auth login' - OR parent_cmd LIKE '%/bin/gcloud auth login' + OR parent_cmd LIKE '%/bin/gcloud auth%login' ) AND NOT ( exception_key = ',,osascript -s se -l JavaScript' diff --git a/detection/execution/unexpected-setuid-binaries.sql b/detection/execution/unexpected-setuid-binaries.sql index ffc516f..a846e4c 100644 --- a/detection/execution/unexpected-setuid-binaries.sql +++ b/detection/execution/unexpected-setuid-binaries.sql @@ -107,6 +107,9 @@ WHERE AND uid = 0 AND gid = 0 AND file.path IN ( + '/bin/at', + '/bin/atq', + '/bin/atrm', '/bin/chage', '/bin/chfn', '/bin/chsh', diff --git a/detection/impact/unexpected-etc-hosts.sql b/detection/impact/unexpected-etc-hosts.sql index 329827b..41d598c 100644 --- a/detection/impact/unexpected-etc-hosts.sql +++ b/detection/impact/unexpected-etc-hosts.sql @@ -29,6 +29,8 @@ WHERE 'ff00::0' ) AND address NOT LIKE '127.%' + AND address NOT LIKE '192.168.%' + AND address NOT LIKE '10.%' AND hostnames NOT LIKE 'localhost.%' AND hostnames NOT LIKE '%.svc' AND hostnames NOT LIKE '%.%-%.%.dev' diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql index e17fa70..afda6e4 100644 --- a/detection/initial_access/unexpected-diskimage-source-macos.sql +++ b/detection/initial_access/unexpected-diskimage-source-macos.sql @@ -46,6 +46,8 @@ WHERE 'fcix.net', 'xtom.com', 'gaomon.net', + 'notion-static.com', + 'notion.so', 'oracle.com', 'akmedia.digidesign.com', 'canon.co.uk', diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql index f3fb0e0..e2a32dc 100644 --- a/detection/initial_access/unexpected-shell-parents.sql +++ b/detection/initial_access/unexpected-shell-parents.sql @@ -54,6 +54,7 @@ WHERE 'i3bar', 'i3blocks', 'java', + 'kitty', 'ko', 'kubectl', 'lightdm', @@ -90,7 +91,6 @@ WHERE 'yum', 'zellij', 'zsh' - ) AND parent_path NOT IN ( '/Applications/Docker.app/Contents/MacOS/Docker', diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql index 8293f3d..935cf6d 100644 --- a/detection/persistence/unexpected-chrome-extensions.sql +++ b/detection/persistence/unexpected-chrome-extensions.sql @@ -59,17 +59,19 @@ WHERE 'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml,', -- Deprecated Google Extension 'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb,storage, tabs', 'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, ', + 'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, , contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms', 'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced,tabs, http://*/*, https://*/*', 'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, , tabs, downloads, nativeMessaging, webRequest, storage, webRequestBlocking', 'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, , tabs, downloads, nativeMessaging, webRequest, webRequestBlocking', + 'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, tabs, downloads, nativeMessaging, webRequest, webNavigation, storage, scripting, alarms, declarativeNetRequest', 'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk,contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*', 'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,, alarms, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking', 'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking', 'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh,alarms, fontSettings, storage, tabs, ', 'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, ', + 'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,activeTab, alarms, bookmarks, contextMenus, history, notifications, scripting, storage, tabs, tts, unlimitedStorage, webNavigation', 'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,, webNavigation, unlimitedStorage, notifications, activeTab, tabs, storage, *://*/*, history, bookmarks, contextMenus', 'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, , contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms', - 'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, , contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms', 'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb,tabs, contextMenus, storage, unlimitedStorage, clipboardRead, clipboardWrite, idle, http://*/*, https://*/*, webRequest, webRequestBlocking', 'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo,https://*.bsstag.com/*, https://*.browserstack.com/*, , clipboardWrite, app.window, storage', 'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, ', @@ -174,6 +176,7 @@ WHERE 'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg,storage, unlimitedStorage, tabs, webRequest, webRequestBlocking, http://spoofer-extension.appspot.com/, https://spoofer-extension.appspot.com/, ', 'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki,clipboardWrite, contextMenus, notifications', 'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, clipboardRead, storage, sessions, notifications, webNavigation, ', + 'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, storage, sessions, notifications, webNavigation, ', 'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,, storage', 'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webNavigation, webRequest', 'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webRequest, webNavigation, http://*/*, https://*/*', diff --git a/detection/persistence/unexpected-launchd-program.sql b/detection/persistence/unexpected-launchd-program.sql index 0b8d481..1e28215 100644 --- a/detection/persistence/unexpected-launchd-program.sql +++ b/detection/persistence/unexpected-launchd-program.sql @@ -40,3 +40,9 @@ WHERE 'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)' ) AND program NOT IN ('/usr/local/MacGPG2/libexec/shutdown-gpg-agent') + AND NOT ( + l.path = '/Library/LaunchDaemons/com.docker.socket.plist' + AND program_authority = 'Software Signing' + AND program_identifier = 'com.apple.ln' + AND program_arguments LIKE '/bin/ln -s -f /Users/%/run/docker.sock /var/run/docker.sock' + ) diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql index 5430945..7e66cfa 100644 --- a/detection/persistence/unexpected-uid0-daemon-linux.sql +++ b/detection/persistence/unexpected-uid0-daemon-linux.sql @@ -150,5 +150,4 @@ WHERE AND p.path NOT LIKE '/nix/store/%/libexec/%' AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd' -- Exclude processes running inside of Docker containers - AND NOT p.cgroup_path LIKE '/system.slice/docker-%' -; \ No newline at end of file + AND NOT p.cgroup_path LIKE '/system.slice/docker-%'; diff --git a/detection/privesc/unexpected-elevated-children-events_linux.sql b/detection/privesc/unexpected-elevated-children-events_linux.sql index 8405914..ac6272d 100644 --- a/detection/privesc/unexpected-elevated-children-events_linux.sql +++ b/detection/privesc/unexpected-elevated-children-events_linux.sql @@ -16,6 +16,7 @@ SELECT REGEX_MATCH (RTRIM(file.path, '/'), '.*/(.*?)$', 1) AS child_name, p.cmdline AS child_cmdline, p.time, + pp.cgroup_path, pp.start_time, p.euid AS child_euid, file.mode AS child_mode, @@ -38,6 +39,7 @@ WHERE p.time > (strftime('%s', 'now') -30) AND p.euid < pp.euid AND p.path NOT IN ( + '/', '/bin/ps', '/usr/bin/doas', '/usr/bin/fusermount', @@ -59,6 +61,11 @@ WHERE AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd' AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine' AND NOT pp.cmdline = '/usr/lib/systemd/systemd --user' + -- used by kind + AND NOT ( + p.path = '/usr/bin/bash' + AND p.cmdline = '/bin/bash /usr/local/bin/mount-product-files' + ) AND NOT ( child_name = 'polkit-agent-helper-1' AND parent_path = '/usr/bin/gnome-shell' diff --git a/detection/privesc/unexpected-elevated-children-events_macos.sql b/detection/privesc/unexpected-elevated-children-events_macos.sql index 80325db..96fbc77 100644 --- a/detection/privesc/unexpected-elevated-children-events_macos.sql +++ b/detection/privesc/unexpected-elevated-children-events_macos.sql @@ -44,3 +44,18 @@ WHERE '/usr/bin/sudo', '/usr/local/bin/doas' ) + -- Exclude weird bad data we've seen due to badly recorded macOS parent/child relationships, fixable by reboot + AND NOT ( + p.cmdline IN ( + '/usr/sbin/cupsd -l', + '/usr/libexec/mdmclient daemon', + '/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared' + ) + ) + -- More very weird data that keeps showing up: gopls starting everything! + -- I think this may be due to some bad joining + AND NOT ( + pp.cmdline LIKE '%/go/bin/gopls -mode=stdio' + AND pp.path LIKE '/Users/%/go/bin/gopls' + AND pp.euid > 500 + ) diff --git a/detection/privesc/unexpected-privileged-containers.sql b/detection/privesc/unexpected-privileged-containers.sql index 3a445ee..7a70c7a 100644 --- a/detection/privesc/unexpected-privileged-containers.sql +++ b/detection/privesc/unexpected-privileged-containers.sql @@ -26,6 +26,7 @@ WHERE AND image NOT LIKE 'kindest/node:%' AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%' AND image NOT LIKE 'docker.io/rancher/k3s:%' + AND image NOT LIKE 'melange-%' -- this one makes me sad. It's due to limitations running bubblewrap in a container AND image NOT IN ( 'cgr.dev/chainguard/melange',