Add exceptions for Jetbrains/Delve, more for Steam

2022-10-30 12:00:43 -04:00 · 2022-10-30 12:00:43 -04:00 · 3d75593c76
parent 1543793f3b
commit 3d75593c76
4 changed files with 21 additions and 6 deletions
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@ -80,6 +80,7 @@ WHERE
    '/dev/nvidiactl',
    '/dev/ptmx',
    '/dev/pts/ptmx',
+    '/dev/shm/u1000-ValveIPCSharedObj-Steam',
    '/dev/random',
    '/dev/rfkill',
    '/dev/snd/seq',
@ -97,6 +98,7 @@ WHERE
  AND NOT dir_exception IN (
    '/dev/bus/usb,pcscd',
    '/dev/input,acpid',
+    '/dev/shm,gameoverlayui',
    '/dev/input,gnome-shell',
    '/dev/input,systemd',
    '/dev/input,systemd-logind',
--- a/detection/evasion/unexpected-dev-executables-linux.sql
+++ b/detection/evasion/unexpected-dev-executables-linux.sql
@ -4,8 +4,7 @@
 --   * https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
 --
 -- tags: persistent state filesystem
-SELECT
-  file.path,
+SELECT file.path,
  file.directory,
  uid,
  gid,
@ -14,12 +13,10 @@ SELECT
  file.size,
  hash.sha256,
  magic.data
-FROM
-  file
+FROM file
  LEFT JOIN hash on file.path = hash.path
  LEFT JOIN magic ON file.path = magic.path
-WHERE
-  (
+WHERE (
    -- This list is the result of multiple queries combined and can likely be minimized
    file.path LIKE '/dev/%%'
    OR file.path LIKE '/dev/%%/%%'
@ -49,4 +46,12 @@ WHERE
    AND file.mode = 0700
    AND file.path LIKE '/dev/shm/pulse-shm-%'
    AND file.size > 60000000
+  )
+  -- Seen with Steam
+  AND NOT (
+    file.uid = 1000
+    AND file.gid = 100
+    AND file.mode = 0755
+    AND file.path LIKE '/dev/shm/u1000-Shm_%'
+    AND file.size > 10000000
  )
--- a/detection/evasion/unexpected-var-executables-macos.sql
+++ b/detection/evasion/unexpected-var-executables-macos.sql
@ -84,4 +84,11 @@ WHERE
    AND magic.data LIKE 'timezone%'
    AND file.size < 3000
    AND file.mode = 0755
+  )
+  -- JetBrains (Delve)
+  AND NOT (
+    file.path LIKE '/var/folders/%/T/dlvLauncher.sh'
+    AND magic.data LIKE 'Bourne-Again shell script%'
+    AND file.size < 1024
+    AND file.mode = 0744
  )
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -136,3 +136,4 @@ WHERE
  -- Seen on Ubuntu
  AND NOT cmd LIKE 'rm -f /tmp/apt-key-gpghome.%/pubring.gpg'
  AND NOT cmd LIKE 'rm -f /var/tmp/mkinitramfs_%'
+  AND NOT cmd LIKE 'rm -f -- /tmp/%'