fpr: Slack, Gnome, Sigstore, Logitune, etc

2023-06-12 10:10:57 -04:00 · 2023-06-12 10:10:57 -04:00 · 32328c91f1
parent c096acee92
commit 32328c91f1
16 changed files with 37 additions and 8 deletions
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@ -160,6 +160,7 @@ WHERE
    '500,gnome-recipes,0u,0g,gnome-recipes',
    '500,gnome-shell,0u,0g,gnome-shell',
    '500,gnome-software,0u,0g,gnome-software',
+    '0,go,0u,0g,go',
    '500,go,0u,0g,go',
    '500,go,500u,500g,go',
    '500,goa-daemon,0u,0g,goa-daemon',
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@ -123,6 +123,7 @@ WHERE
    '500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
    '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
    '500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
+    '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
    '500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
    '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
    '500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
@ -147,6 +148,7 @@ WHERE
    '500,apko,apko,0u,0g',
    '500,apko,apko,500u,20g',
    '500,chainctl,chainctl,0u,0g',
+    '500,git,git,0u,500g',
    '500,chainctl,chainctl,500u,20g',
    '500,chainlink,chainlink,500u,20g',
    '500,aws,aws,0u,0g',
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -198,6 +198,7 @@ WHERE
    '80,6,500,spotify-launcher,0u,0g,spotify-launche',
    '80,6,500,spotify,u,g,spotify',
    '80,6,500,steam,500u,100g,steam',
+    '80,6,500,java,0u,0g,java',
    '80,6,500,steam,500u,500g,steam',
    '80,6,500,steamwebhelper,500u,500g,steamwebhelper',
    '80,6,500,terraform,0u,0g,terraform',
@ -271,6 +272,12 @@ WHERE
    exception_key = '32768,6,500,ssh,0u,0g,ssh'
    AND s.remote_port = 40022
  )
+  -- Qualys
+  AND NOT (
+    exception_key = '80,6,0,curl,0u,0g,curl'
+    AND p.cgroup_path = '/system.slice/qualys-cloud-agent.service'
+    AND child_cmd LIKE ' curl -sS -H Metadata:true http://169.254.169.254/metadata/instance%'
+  )
  AND NOT (
    s.remote_port = 80
    AND (
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -185,7 +185,7 @@ WHERE
  AND NOT (
    (
      pos.remote_port IN (80, 999)
-      OR pos.remote_port > 3000
+      OR pos.remote_port > 1024
    )
    AND id_exception_key IN (
      'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@ -150,6 +150,7 @@ WHERE
    'grype',
    'idea',
    'Install',
+    'terraform-provider-apko',
    'java',
    'jetbrains-toolb',
    'launcher',
--- a/detection/evasion/hidden-home-config-dir.sql
+++ b/detection/evasion/hidden-home-config-dir.sql
@ -38,3 +38,4 @@ WHERE
  AND file.path NOT LIKE '/root/.debug/.build-id/%'
  AND file.path NOT LIKE '/home/%/.config/%/.git%'
  AND file.path NOT LIKE '/home/%/.config/.gsd-keyboard.settings-ported'
+  AND file.path NOT LIKE '/home/%/.config/.org.chromium.Chromium.%'
--- a/detection/execution/recently-created-executables-long-lived-macos.sql
+++ b/detection/execution/recently-created-executables-long-lived-macos.sql
@ -194,6 +194,10 @@ WHERE
    AND p0.path NOT LIKE '%/.%'
    AND p0.path NOT LIKE '%Cache%'
  )
+  AND NOT homepath LIKE '~/%/terraform-provider-%'
+  AND NOT homepath LIKE '~/src/%'
+  AND NOT homepath LIKE '~/github/%'
+  AND NOT homepath LIKE '~/go/src/%'
  -- Arc
  AND NOT (
    p0.path LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%'
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@ -52,6 +52,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
    'curl,500,nvim,nvim',
    'curl,307,bash,nix',
    'curl,500,bash,bash',
+    'curl,0,sh,qualys-scan-uti',
    'curl,500,bash,fakeroot',
    'curl,500,bash,fish',
    'curl,500,bash,nix-daemon',
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@ -103,6 +103,7 @@ WHERE
      OR p1_cmd LIKE '%aws %sso%'
      OR p1_cmd LIKE '%gcloud% auth %login%'
      OR p1_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
+      OR p1_cmd LIKE '/bin/sh %/opt/homebrew/bin/git-gui%'
      OR p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)'
      OR p1_name IN ('yubikey-agent')
      OR (
@ -117,6 +118,5 @@ WHERE
    'osascript -e user locale of (get system info)',
    '/usr/bin/osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges'
  )
-
 GROUP BY
  pe.pid
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@ -60,9 +60,9 @@ WHERE
    'cargo',
    'chrome',
    'clamscan',
-    'dnf',
    'code',
    'com.apple.NRD.UpdateBrainService',
+    'dnf',
    'docker',
    'electron',
    'emacs',
@ -102,6 +102,7 @@ WHERE
    'spotify',
    'steam',
    'systemd',
+    'terraform-provider-apko',
    'thunderbird',
    'tilt',
    'unattended-upgr',
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@ -198,6 +198,7 @@ WHERE
      '/bin/bash /usr/local/bin/mount-product-files',
      '/bin/sh -c black .',
      '/bin/sh -c lsb_release -a --short',
+      '/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
      '/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
      '/bin/sh -c scutil --get ComputerName',
      "/bin/sh -c defaults delete 'com.cisco.webexmeetingsapp'",
@ -250,6 +251,7 @@ WHERE
      'bash,500,com.docker.dev-envs,com.docker.backend',
      'bash,500,Foxit PDF Reader,launchd',
      'bash,500,script,bash',
+      'sh,500,LogiTune,launchd',
      'bash,500,docker-builder,bash',
      'bash,500,Hyprland,gdm-wayland-session',
      'bash,500,gnome-session-binary,systemd',
--- a/detection/initial_access/unexpected-webmail-downloads.sql
+++ b/detection/initial_access/unexpected-webmail-downloads.sql
@ -49,6 +49,7 @@ WHERE
    'mov',
    'mp3',
    'mp4',
+    'Dockerfile',
    'mpeg',
    'mpg',
    'ods',
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@ -7,7 +7,8 @@
 --   * Almost unlimited: any extension that isn't on your whitelist
 --
 -- tags: persistent seldom browser
-SELECT name,
+SELECT
+  name,
  profile,
  chrome_extensions.description AS 'descr',
  persistent AS persists,
@ -28,11 +29,13 @@ SELECT name,
    identifier
  ) AS exception_key,
  hash.sha256
-FROM users
+FROM
+  users
  CROSS JOIN chrome_extensions USING (uid)
  LEFT JOIN file ON chrome_extensions.path = file.path
  LEFT JOIN hash ON chrome_extensions.path = hash.path
-WHERE (
+WHERE
+  (
    -- These extensions need the most review.
    from_webstore != 'true'
    OR perms LIKE '%google.com%'
@ -48,6 +51,7 @@ WHERE (
  AND exception_key NOT IN (
    -- Deprecated Google Extension
    'false,AgileBits,1Password – Password Manager,dppgmdbiimibapkepcbdbmkaabgiofem',
+    'false,,Sigstore close post-auth tabs,',
    'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,',
    'false,,base64 encode or decode selected text,',
    'false,,Edge relevant text changes,jmjflgjpcpepeafmmgdpfkogkghcpiha',
@ -220,4 +224,5 @@ WHERE (
    'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
    'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
  )
-GROUP BY exception_key
+GROUP BY
+  exception_key
--- a/detection/persistence/unexpected-lock-opener.sql
+++ b/detection/persistence/unexpected-lock-opener.sql
@ -61,6 +61,7 @@ WHERE
  AND NOT exception_key IN (
    '0,com.apple.MobileSoftwareUpdate.CryptegraftService,/private/var/db/softwareupdate/SplunkHistory',
    '0,snapd,/var/lib/snapd',
+    '120,gnome-shell,/run/user/120',
    '200,NRDUpdated,/private~/SplunkHistory',
    '200,softwareupdated,/private~/SplunkHistory',
    '500,Adobe Premiere Pro 2023,~/Library/Caches/Adobe/Premiere Pro/23.0/SentryIO-db',
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@ -294,6 +294,7 @@ WHERE -- Focus on longer-running programs
    'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
    'Developer ID Application: Foxit Corporation (8GN47HTP75)',
    'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
+    'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
    'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
    'Developer ID Application: Keybase, Inc. (99229SGT5K)',
--- a/detection/privesc/unexpected-elevated-children-events_macos.sql
+++ b/detection/privesc/unexpected-elevated-children-events_macos.sql
@ -7,7 +7,7 @@
 -- related:
 --   * unexpected-privilege-escalation.sql
 --
-- tags: events process escalation
+-- tags: events process escalation disabled
 -- platform: darwin
 -- interval: 300
 SELECT -- Child
@ -113,6 +113,7 @@ WHERE
    'amfid,0,com.docker.backend,Docker',
    'biometrickitd,0,LogiTune,launchd',
    'bioutil,0,callservicesd,launchd',
+    'com.apple.geod,0,fmfd,launchd',
    'trustd,205,trustd,launchd',
    'CAReportingService,0,LogiTune,launchd',
    'efilogin-helper,0,containermanagerd,launchd',