Merge pull request #399 from tstromberg/fpr-oct21

2024-12-17 19:44:31 +00:00 · 2024-10-21 11:56:53 -04:00 · 2024-10-21 11:56:53 -04:00 · 2ff2fa431e
commit 2ff2fa431e
parent 638266bddc 2da853b35e
7 changed files with 35 additions and 28 deletions
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -92,6 +92,7 @@ WHERE
    '8000,6,500,brave,0u,0g,brave',
    '8000,6,500,chrome,0u,0g,chrome',
    '8000,6,500,firefox,0u,0g,firefox',
+    '80,6,500,telegram-desktop,u,g,telegram-deskto',
    '80,6,0,grep,0u,0g,grep',
    '80,6,0,incusd,0u,0g,incusd',
    '80,6,0,kmod,0u,0g,depmod',
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@ -241,13 +241,8 @@ WHERE
    '/dev/zfs,zfs',
    '/dev/zfs,zpool'
  )
-  -- Halflife
-  AND path_exception NOT LIKE '/dev/shm/u1000-Shm_%,bash'
-  -- lvmdbusd / gcloud / gsutil
-  AND path_exception NOT LIKE '/dev/shm/pym-%python3%'
-  -- celery
-  AND path_exception NOT LIKE '/dev/shm/pymp-%,python3.%'
-  AND dir_exception NOT LIKE '/dev/shm/byobu-%/%.tmux%'
+  AND path_exception NOT LIKE '/dev/shm/%'
+  AND path_exception NOT LIKE '/dev/cpu_dma_latency,python%'
  AND NOT (
    pof.path = "/dev/uinput"
    AND p0.name LIKE "solaar%"
--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@ -73,7 +73,8 @@ WHERE
    'crond',
    'systemd',
    'systemd-udevd',
-    '(udev-worker)'
+    '(udev-worker)',
+    '(sd-exec-strv)'
  )
  AND NOT (
    p.name LIKE 'systemd-%'
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@ -11,6 +11,7 @@ SELECT
  p.path,
  p.name,
  p.cmdline,
+  p.cgroup_path,
  p.cwd,
  p.euid,
  p.parent,
@ -34,6 +35,8 @@ WHERE
    '/opt/google/endpoint-verification/bin/apihelper',
    '/opt/Elastic/Endpoint/elastic-endpoint',
    '/opt/resolve/bin/resolve',
+    '/usr/bin/ld',
+    '/usr/bin/ld.bfd',
    '/var/opt/velociraptor/bin/velociraptor',
    '/usr/bin/melange'
  )
--- a/detection/execution/unexpected-packet-sniffer.sql
+++ b/detection/execution/unexpected-packet-sniffer.sql
@ -48,3 +48,9 @@ WHERE
    'dhcpcd',
    'tcpdump'
  )
+  AND NOT (
+    p0.cgroup_path LIKE '/system.slice/docker-%'
+    AND p0.path = '/speaker'
+    AND p0.name = 'speaker'
+    AND protocol = 2054
+  )
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@ -57,19 +57,12 @@ WHERE
  AND p0.path NOT LIKE '/System/Applications/%'
  AND p0.path NOT LIKE '/System/Library/%'
  AND p0.name NOT IN (
-    'BDLDaemon',
-    'Disk Inventory X',
-    'GoogleSoftwareUpdateAgent',
-    'LogiFacecamService',
-    'Safari',
-    'UpdateBrainService',
-    'ZwiftAppMetal',
-    'ZwiftAppSilicon',
    'apko',
-    'Meeting Center',
+    'Autodesk Identity Manager',
    'baloo_file',
    'baloo_file_extr',
    'bash',
+    'BDLDaemon',
    'bincapz',
    'bwrap',
    'cargo',
@ -79,25 +72,26 @@ WHERE
    'com.apple.MobileSoftwareUpdate.UpdateBrainService',
    'com.apple.NRD.UpdateBrainService',
    'cpptools',
+    'Disk Inventory X',
    'dnf',
    'docker',
    'elastic-endpoin',
    'elastic-endpoint',
    'electron',
    'emacs',
-    'steam_osx',
    'factorio',
-    'Google Chrome',
+    'Fedora Media Writer',
    'firefox',
-    'meta',
-    'ollama',
    'fish',
    'fleet_backend',
    'fsdaemon',
    'fsnotifier',
    'gnome-software',
    'go',
+    'goland',
    'golangci-lint',
+    'Google Chrome',
+    'GoogleSoftwareUpdateAgent',
    'gopls',
    'grype',
    'hugo',
@ -108,21 +102,22 @@ WHERE
    'kube-controller',
    'kube-scheduler',
    'kue',
-    'goland',
    'launcher',
+    'LogiFacecamService',
+    'mal',
    'mediawriter',
+    'Meeting Center',
    'melange',
+    'meta',
+    'Microsoft Update Assistant',
    'nautilus',
    'nessusd',
    'nix',
-    'Fedora Media Writer',
-    'updatedb',
    'nix-daemon',
    'nvim',
    'ollama',
-    'Autodesk Identity Manager',
-    'ollama-runer',
    'ollama_llama_server',
+    'ollama-runer',
    'osqueryd',
    'osqueryi',
    'plasmashell',
@ -132,13 +127,14 @@ WHERE
    'rpi-imager',
    'rpm-ostree',
    'rsync',
-    'Microsoft Update Assistant',
+    'Safari',
    'sh',
    'simdiskimaged',
    'slack',
    'snapd',
    'spotify',
    'steam',
+    'steam_osx',
    'systemd',
    'terraform',
    'terraform-ls',
@ -146,6 +142,8 @@ WHERE
    'thunderbird',
    'tilt',
    'unattended-upgr',
+    'UpdateBrainService',
+    'updatedb',
    'update_dyld_sim_shared_cache',
    'vim',
    'wineserver',
@ -153,7 +151,9 @@ WHERE
    'yay',
    'ykman-gui',
    'yum',
-    'zsh'
+    'zsh',
+    'ZwiftAppMetal',
+    'ZwiftAppSilicon'
  )
  AND NOT p0.path IN (
    '/app/libexec/mediawriter/helper',
--- a/detection/privesc/setxid-cmdline-overflow-attempt.sql
+++ b/detection/privesc/setxid-cmdline-overflow-attempt.sql
@ -62,4 +62,5 @@ WHERE
  AND file.mode NOT LIKE '0%'
  AND pe.cmdline_size > 2048
  AND p0_cmd NOT LIKE '%sudo dpkg %'
+  AND p0_cmd NOT LIKE '%bwrap --bind %'
  AND p0_cmd NOT LIKE '%sudo %--vmodule=% --audit-policy-file=%kube%'