From 420d26902546bdf25a556aa068ca1754623ea18c Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Mon, 9 Jan 2023 15:10:48 -0500 Subject: [PATCH] Reformat and reduce false positives --- .../c2/unexpected-dns-traffic-events.sql | 3 +- .../c2/unexpected-https-client-linux.sql | 1 + detection/c2/unexpected-talkers-linux.sql | 1 + .../collection/high-disk-bytes-written.sql | 8 +- .../evasion/empty_root_environ_linux.sql | 5 +- .../evasion/executables-from-the-future.sql | 1 - detection/evasion/hidden-cwd.sql | 1 + detection/evasion/name_path_mismatch.sql | 9 +- .../unexpected-dev-executables-linux.sql | 1 - .../evasion/unexpected-etc-executables.sql | 5 +- .../evasion/unexpected-tmp-executables.sql | 23 +- .../execution/exotic-command-events-linux.sql | 12 +- .../relative-exec-low-uid-events.sql | 3 +- detection/execution/relative-exec-low-uid.sql | 11 +- .../execution/unexpected-execdir-linux.sql | 1 - .../execution/unexpected-fetcher-parents.sql | 1 - .../execution/unexpected-osascript-calls.sql | 14 +- .../unexpected-root-signer-macos.sql | 10 +- .../execution/unexpected-setuid-binaries.sql | 578 +++++++++--------- .../execution/unexpected-sysctl-calls.sql | 8 +- detection/exfil/high_disk_bytes_read.sql | 1 - .../unexpected-shell-parent-events.sql | 1 - ...xpected-elevated-children-events_macos.sql | 2 +- 23 files changed, 367 insertions(+), 333 deletions(-) diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql index 39e4408..4043f27 100644 --- a/detection/c2/unexpected-dns-traffic-events.sql +++ b/detection/c2/unexpected-dns-traffic-events.sql @@ -14,6 +14,8 @@ SELECT protocol, s.remote_port, s.remote_address, + s.action, + s.status, p.name, p.path, p.cmdline AS child_cmd, 
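Review bot: `s.action` and `s.status` are added to the SELECT list, but the query's `GROUP BY s.remote_address, …` shown in the next hunk does not include them, so SQLite will report the action/status of one arbitrary row per group and a failed lookup can be masked by a successful one to the same address. Either add both columns to the GROUP BY, or aggregate them explicitly, e.g. `GROUP_CONCAT(DISTINCT s.action) AS actions, GROUP_CONCAT(DISTINCT s.status) AS statuses`. The SELECT starts before this hunk and the GROUP BY lies after it, so I cannot confirm from here which other columns the grouping keys on.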
@@ -94,7 +96,6 @@ WHERE -- Chromium apps can send stray DNS packets AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper' AND p.path NOT LIKE '/Applications/Brave Browser.app/Contents/Frameworks/Brave Browser Framework.framework/Versions/%/Helpers/Brave Browser Helper.app/Contents/MacOS/Brave Browser Helper' - -- Workaround for the GROUP_CONCAT subselect adding a blank ent GROUP BY s.remote_address, diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql index 57dbf68..29f0a92 100644 --- a/detection/c2/unexpected-https-client-linux.sql +++ b/detection/c2/unexpected-https-client-linux.sql @@ -205,6 +205,7 @@ WHERE '500,/usr/spotify,0u,0g,spotify', '500,/usr/step,500u,500g,step', '500,/usr/step-cli,0u,0g,step', + '500,/usr/node,u,g,node', '500,/usr/syncthing,0u,0g,syncthing', '500,/usr/teams,0u,0g,teams', '500,/usr/terraform,0u,0g,terraform', diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql index 90c7ccc..066417e 100644 --- a/detection/c2/unexpected-talkers-linux.sql +++ b/detection/c2/unexpected-talkers-linux.sql @@ -105,6 +105,7 @@ WHERE '3478,6,500,/opt/chrome,0u,0g,chrome', '3478,6,500,/usr/chrome,0u,0g,chrome', '3478,6,500,/usr/firefox,0u,0g,firefox', + '3478,6,500,/opt/firefox,0u,0g,firefox', '4070,6,500,/app/spotify,u,g,spotify', '4070,6,500,/opt/spotify,0u,0g,spotify', '4070,6,500,/opt/spotify,500u,500g,spotify', diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql index 0c6c619..8073367 100644 --- a/detection/collection/high-disk-bytes-written.sql +++ b/detection/collection/high-disk-bytes-written.sql 
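Review bot: The new exception key `'500,/usr/node,u,g,node'` has empty owner fields where every neighbouring entry carries a concrete `0u,0g` or `500u,500g`; if the key is built the way its siblings suggest, that means the process's executable could not be stat'd, which is also the signature of a process running from a deleted or in-memory binary. Combined with `node` being a general-purpose runtime, this exempts any uid-500 node process under /usr with an unresolvable file from the unexpected-HTTPS-client check. I would at least record why the file lookup is NULL for this case, e.g. `-- node: file owner unavailable (namespaced/sandboxed install?) -- verify`, and prefer a key carrying the real owner if one can be observed. The exception list and the WHERE clause it belongs to begin before this hunk.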
@@ -107,10 +107,12 @@ WHERE 'com.apple.MobileSoftwareUpdate.UpdateBrainService', 'com.apple.NRD.UpdateBrainService', 'containerd', + 'containerd-', + 'containerd-shim', 'darkfiles', + 'dnf', 'esbuild', 'firefox', - 'dnf', 'fsdaemon', 'go', 'goland', @@ -120,15 +122,15 @@ WHERE 'java', 'jetbrains-toolb', 'launcher', - 'nessusd', 'limactl', + 'nessusd', 'ninja', 'photorec', 'qemu-system-aarch64', - 'syft', 'slack', 'snyk', 'steam', + 'syft', 'wineserver' ) AND p.path NOT LIKE '/Applications/%.app/Contents/%' diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql index 30eaff4..37bb6ee 100644 --- a/detection/evasion/empty_root_environ_linux.sql +++ b/detection/evasion/empty_root_environ_linux.sql @@ -57,7 +57,10 @@ WHERE AND NOT p.cmdline LIKE '%--type=zygote%' AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%' AND NOT p.cgroup_path LIKE '/system.slice/docker-%' - AND NOT (p.name = 'sh' AND p.cgroup_path='/system.slice/znapzend.service') + AND NOT ( + p.name = 'sh' + AND p.cgroup_path = '/system.slice/znapzend.service' + ) GROUP BY p.pid HAVING diff --git a/detection/evasion/executables-from-the-future.sql b/detection/evasion/executables-from-the-future.sql index 881c9b6..b4e7c72 100644 --- a/detection/evasion/executables-from-the-future.sql +++ b/detection/evasion/executables-from-the-future.sql @@ -36,4 +36,3 @@ WHERE mtime_newer == 1 OR ctime_newer == 1 OR btime_newer == 1 - diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql index ce0c35d..604fb1f 100644 --- a/detection/evasion/hidden-cwd.sql +++ b/detection/evasion/hidden-cwd.sql @@ -106,6 +106,7 @@ WHERE OR dir LIKE '~/code/%' OR dir LIKE '/opt/homebrew/%/.cache/%' OR dir LIKE '~/%/.github%' + OR dir LIKE '/tmp/%/.github/workflows' OR dir LIKE '~/%/github.com/%' OR dir LIKE '~/%google-cloud-sdk/.install/.backup%' OR dir LIKE '~/.gradle/%' 
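Review bot: `'containerd-'` in the new name exceptions looks like a truncated or partial comm name rather than a real process name (on Linux `p.name` is capped at 15 characters, which is exactly the length of `containerd-shim`), so it is unclear what it is meant to match; a comment such as `-- containerd-: seen as <full binary name> on <platform>` would make the exception auditable. More generally these name-only exceptions are satisfiable by any binary that names itself `containerd-shim` or `dnf`, a cheap evasion for a bulk-write detection, so where possible anchor them on `p.path` or `p.cgroup_path` as the file already does for `/Applications/%.app/Contents/%`. The enclosing NOT IN list starts before this hunk.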
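Review bot: `OR dir LIKE '/tmp/%/.github/workflows'` adds a world-writable location to the hidden-cwd allowlist: any local user can `mkdir -p /tmp/x/.github/workflows` and run from there, and the hidden-directory check will no longer fire. The neighbouring exceptions are all under `~/` or `/opt/homebrew/`, which are at least owned by the user or the package manager. If this is for a specific tool that unpacks repositories into /tmp, tie the exception to that process as well (e.g. `AND p.name = '<tool>'`) and add a comment naming it, rather than relying on the path alone. The OR chain continues on both sides of this hunk.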
diff --git a/detection/evasion/name_path_mismatch.sql b/detection/evasion/name_path_mismatch.sql index b07b77f..695b325 100644 --- a/detection/evasion/name_path_mismatch.sql +++ b/detection/evasion/name_path_mismatch.sql @@ -40,7 +40,14 @@ FROM WHERE short_filename != short_name AND NOT cmd LIKE '/nix/store/%/bin/bash%' -- Serial masqueraders - AND NOT short_filename IN ('bash', 'ruby', 'python', 'python3', 'perl', 'node') + AND NOT short_filename IN ( + 'bash', + 'ruby', + 'python', + 'python3', + 'perl', + 'node' + ) AND exception_key NOT IN ( 'name=blueman-applet,file=python3,500', 'name=blueman-tray,file=python3,500', diff --git a/detection/evasion/unexpected-dev-executables-linux.sql b/detection/evasion/unexpected-dev-executables-linux.sql index 02bf081..f29b104 100644 --- a/detection/evasion/unexpected-dev-executables-linux.sql +++ b/detection/evasion/unexpected-dev-executables-linux.sql @@ -66,4 +66,3 @@ WHERE AND file.path LIKE '/dev/shm/flatpak-com.valvesoftware.Steam-%/u1000-Shm_%' AND file.size > 1000000 ) - diff --git a/detection/evasion/unexpected-etc-executables.sql b/detection/evasion/unexpected-etc-executables.sql index 14e8173..921de1c 100644 --- a/detection/evasion/unexpected-etc-executables.sql +++ b/detection/evasion/unexpected-etc-executables.sql @@ -29,6 +29,7 @@ WHERE ) AND file.directory NOT IN ( '/etc/acpi', + '/etc/acpi/actions', '/etc/alternatives', '/etc/apcupsd', '/etc/apm/resume.d', @@ -80,7 +81,6 @@ WHERE '/etc/mcelog/triggers', '/etc/menu-methods', '/etc/network/if-down.d', - '/etc/smartmontools', '/etc/network/if-post-down.d', '/etc/network/if-pre-up.d', '/etc/network/if-up.d', @@ -121,6 +121,7 @@ WHERE '/etc/resolvconf/update.d', '/etc/security', '/etc/skel', + '/etc/smartmontools', '/etc/ssl/certs', '/etc/ssl/misc', '/etc/ssl/trust-source', 
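Review bot: Excluding the whole `/etc/acpi/actions` directory drops coverage of a location whose scripts are typically executed as root by acpid on power or lid events, i.e. a usable persistence spot, and the existing `/etc/acpi` entry already covered the parent. If the goal is to stop flagging a distro's stock handler, prefer listing the known file, e.g. `AND file.path NOT IN ('/etc/acpi/actions/powerbtn.sh')` with a comment naming the package that ships it, so a newly dropped script in that directory still surfaces. The NOT IN list continues on both sides of this hunk.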
@@ -153,3 +154,5 @@ WHERE ) -- Nix (on macOS) -- actually a symbolic link AND file.path NOT LIKE '/etc/profiles/per-user/%/bin/%' + AND file.path NOT LIKE '/etc/pwrstatd-%.sh' + AND file.path NOT LIKE '/etc/pwrstatd-%.sh' diff --git a/detection/evasion/unexpected-tmp-executables.sql b/detection/evasion/unexpected-tmp-executables.sql index 007d849..6c81ed1 100644 --- a/detection/evasion/unexpected-tmp-executables.sql +++ b/detection/evasion/unexpected-tmp-executables.sql @@ -10,6 +10,7 @@ SELECT uid, gid, mode, + REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1) AS extension, file.mtime, file.size, hash.sha256, @@ -57,23 +58,8 @@ WHERE OR -- These regular expressions can be narrowed down ( file.size < 50000 - AND file.path LIKE '/tmp/%.sh' - AND file.uid > 500 - ) - OR ( - file.size < 50000 - AND file.path LIKE '/tmp/%.py' - AND file.uid > 500 - ) - OR ( - file.size < 50000 - AND file.path LIKE '/tmp/%.pl' - AND file.uid > 500 - ) - OR ( - file.size < 50000 - AND file.path LIKE '/tmp/%.perl' AND file.uid > 500 + AND extension IN ('sh', 'py', 'pl', 'perl', 'json', 'js', 'txt') ) ) ) -- Nix @@ -118,3 +104,8 @@ WHERE file.type = 'regular' AND size < 10 ) + -- Common shell scripts + AND NOT ( + file.filename IN ("configure", "mkinstalldirs") + AND magic.data = "POSIX shell script, ASCII text executable" + ) diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql index 201248a..d21d9d6 100644 --- a/detection/execution/exotic-command-events-linux.sql +++ b/detection/execution/exotic-command-events-linux.sql @@ -12,11 +12,13 @@ SELECT p.pid, p.path, - TRIM(REPLACE( - p.path, - RTRIM(p.path, REPLACE(p.path, '/', '')), - '' - )) AS basename, + TRIM( + REPLACE( + p.path, + RTRIM(p.path, REPLACE(p.path, '/', '')), + '' + ) + ) AS basename, -- On macOS there is often a trailing space TRIM(p.cmdline) AS cmd, p.mode, 
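Review bot: The two added lines are identical — `AND file.path NOT LIKE '/etc/pwrstatd-%.sh'` appears twice at the end of the WHERE clause; one should be dropped, or, if a second pattern was intended, it never made it in. Since the `%` wildcard accepts any suffix, a short comment above the surviving line naming the package that installs these hook scripts would help the next reader judge the exception. The WHERE clause begins before this hunk.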
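Review bot: Replacing the four `LIKE '/tmp/%.ext'` tests with `extension IN ('sh', 'py', 'pl', 'perl', 'json', 'js', 'txt')` changes matching semantics as well as the set: `REGEX_MATCH` is case-sensitive where SQLite's `LIKE` is not, so a file named `x.SH` now falls through, and `json`, `js` and `txt` are new members, which widens whichever branch this OR group represents (its opening parenthesis is before the hunk, so I cannot tell from here whether it selects or exempts these files). If only de-duplication was intended, keep the original set and make the comparison case-insensitive, e.g. `AND LOWER(extension) IN ('sh', 'py', 'pl', 'perl')`; if the wider set is deliberate, a comment stating which tool leaves those files in /tmp would justify it. Note also that the regex `.*\.(.*?)$` captures everything after the last dot anywhere in the path, so a dotless file under a hidden directory yields a value like `hidden/file` — harmless for this IN list, but worth a comment on the `extension` column.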
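Review bot: The new `configure`/`mkinstalldirs` exception uses double-quoted string literals (`"configure"`, `"POSIX shell script, ASCII text executable"`) while the rest of this file uses single quotes; SQLite only treats a double-quoted token as a string when it fails to resolve as an identifier, a documented misfeature that builds can disable, so use `file.filename IN ('configure', 'mkinstalldirs')` and `magic.data = 'POSIX shell script, ASCII text executable'`. Since the match is purely on filename plus magic, any shell script dropped in /tmp under the name `configure` is exempt; if that is acceptable, say so in the comment (`-- Common autotools scripts; name-based, so low confidence`). The WHERE clause this is appended to begins before the hunk.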
diff --git a/detection/execution/relative-exec-low-uid-events.sql b/detection/execution/relative-exec-low-uid-events.sql index 7a165c3..f437f91 100644 --- a/detection/execution/relative-exec-low-uid-events.sql +++ b/detection/execution/relative-exec-low-uid-events.sql @@ -31,5 +31,6 @@ FROM LEFT JOIN hash ON pe.path = hash.path LEFT JOIN hash phash ON pp.path = hash.path WHERE - pe.euid < 500 AND pe.cmdline LIKE './%' + pe.euid < 500 + AND pe.cmdline LIKE './%' AND pe.time > (strftime('%s', 'now') -300) diff --git a/detection/execution/relative-exec-low-uid.sql b/detection/execution/relative-exec-low-uid.sql index 5a76184..99ea4dc 100644 --- a/detection/execution/relative-exec-low-uid.sql +++ b/detection/execution/relative-exec-low-uid.sql @@ -5,7 +5,8 @@ -- -- tags: transient process rapid state -- platform: linux -SELECT p.pid, +SELECT + p.pid, p.name, p.path, p.euid, @@ -20,10 +21,12 @@ SELECT p.pid, pp.cmdline AS parent_cmdline, pp.euid AS parent_euid, hash.sha256 AS parent_sha256 -FROM processes p +FROM + processes p LEFT JOIN file f ON p.path = f.path LEFT JOIN hash ON hash.path = p.path LEFT JOIN processes pp ON p.parent = pp.pid -WHERE p.euid < 500 +WHERE + p.euid < 500 AND p.cmdline LIKE './%' - AND NOT p.cgroup_path LIKE '/system.slice/docker-%' \ No newline at end of file + AND NOT p.cgroup_path LIKE '/system.slice/docker-%' diff --git a/detection/execution/unexpected-execdir-linux.sql b/detection/execution/unexpected-execdir-linux.sql index 6b25da1..005b83a 100644 --- a/detection/execution/unexpected-execdir-linux.sql +++ b/detection/execution/unexpected-execdir-linux.sql @@ -86,4 +86,3 @@ WHERE p.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/app-gnome-Alacritty-%.scope' AND dirname LIKE '/tmp/%' ) - diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql index 76f9d76..812861c 100644 --- a/detection/execution/unexpected-fetcher-parents.sql 
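Review bot: The context line `LEFT JOIN hash phash ON pp.path = hash.path` in this hunk joins the `phash` alias against the wrong table — it compares the parent's path with the child's hash row instead of `phash.path`, so the parent hash this query presumably exposes is never correctly populated (osquery's hash table also expects a path constraint on the joined alias, so it is likely always NULL). The commit reflows the adjacent WHERE but leaves this; it should read `LEFT JOIN hash phash ON pp.path = phash.path`. The SELECT list and the `pp` join start before this hunk, so I cannot confirm how `phash` is referenced.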
+++ b/detection/execution/unexpected-fetcher-parents.sql @@ -53,7 +53,6 @@ WHERE 'curl,500,zsh,login', 'curl,500,zsh,sh', 'wget,500,env,env' - ) AND NOT ( p.euid > 500 diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql index 645adbc..174d861 100644 --- a/detection/execution/unexpected-osascript-calls.sql +++ b/detection/execution/unexpected-osascript-calls.sql @@ -12,7 +12,8 @@ -- interval: 900 -- platform: darwin -- tags: process events -SELECT pe.path AS path, +SELECT + pe.path AS path, REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name, TRIM(pe.cmdline) AS cmd, pe.pid AS pid, @@ -44,7 +45,8 @@ SELECT pe.path AS path, signature.authority, esignature.authority ) AS parent_authority -FROM process_events pe +FROM + process_events pe LEFT JOIN processes p ON pe.pid = p.pid LEFT JOIN processes pp ON pe.parent = pp.pid LEFT JOIN process_events ppe ON pe.parent = ppe.pid @@ -54,7 +56,8 @@ FROM process_events pe LEFT JOIN hash ehash ON ppe.path = ehash.path LEFT JOIN signature ON pp.path = signature.path LEFT JOIN signature esignature ON ppe.path = esignature.path -WHERE pe.path IN ('/usr/bin/osascript', '/usr/bin/osacompile') +WHERE + pe.path IN ('/usr/bin/osascript', '/usr/bin/osacompile') AND pe.time > (strftime('%s', 'now') -900) AND NOT ( p.euid > 500 @@ -79,6 +82,5 @@ WHERE pe.path IN ('/usr/bin/osascript', '/usr/bin/osacompile') ) ) ) -GROUP BY pe.pid - - +GROUP BY + pe.pid diff --git a/detection/execution/unexpected-root-signer-macos.sql b/detection/execution/unexpected-root-signer-macos.sql index 3bb1d37..981af42 100644 --- a/detection/execution/unexpected-root-signer-macos.sql +++ b/detection/execution/unexpected-root-signer-macos.sql @@ -29,8 +29,8 @@ FROM LEFT JOIN signature ON p.path = signature.path WHERE -- query optimization: Exclude SIP protected directories - p.euid = 0 AND - top_dir NOT IN ( + p.euid = 0 + AND top_dir NOT IN ( '/Library/Apple', '/System/Library', '/usr/bin', 
@@ -59,7 +59,7 @@ WHERE 'Software Signing' ) AND NOT ( - signature.authority = "" AND - p.path LIKE "/nix/store/%-nix-%/bin/nix" + signature.authority = "" + AND p.path LIKE "/nix/store/%-nix-%/bin/nix" AND pp.path = "/sbin/launchd" - ) \ No newline at end of file + ) diff --git a/detection/execution/unexpected-setuid-binaries.sql b/detection/execution/unexpected-setuid-binaries.sql index 1ee3a3d..bd218ec 100644 --- a/detection/execution/unexpected-setuid-binaries.sql +++ b/detection/execution/unexpected-setuid-binaries.sql 
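Review bot: The reflowed exception keeps SQLite's double-quoted string literals (`signature.authority = ""`, `"/nix/store/%-nix-%/bin/nix"`, `"/sbin/launchd"`) while the rest of this file uses single quotes; double-quoted strings are a documented SQLite misfeature that builds can disable, so since the lines are being touched anyway switch to `signature.authority = ''`, `AND p.path LIKE '/nix/store/%-nix-%/bin/nix'` and `AND pp.path = '/sbin/launchd'`. Worth noting that this exception accepts an unsigned root process on a wildcard store path whenever its parent is launchd; a one-line comment on why the nix binary is unsigned here would help the next reader. The NOT group opens before this hunk.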
@@ -6,292 +6,310 @@ -- tags: persistent seldom -- platform: posix SELECT - file.path, + GROUP_CONCAT(path) AS paths, gid, uid, mode, type, size, + data, sha256 FROM - file - JOIN hash ON file.path = hash.path -WHERE ( - file.path LIKE '/bin/%' - OR file.path LIKE '/home/%/bin/%' - OR file.path LIKE '/opt/%/bin/%' - OR file.path LIKE '/opt/%/sbin/%' - OR file.path LIKE '/sbin/%' - OR file.path LIKE '/tmp/%' - OR file.path LIKE '/Users/%/bin/%' - OR file.path LIKE '/usr/bin/%' - OR file.path LIKE '/usr/lib/%' - OR file.path LIKE '/usr/lib64/%' - OR file.path LIKE '/usr/libexec/%' - OR file.path LIKE '/usr/local/bin/%' - OR file.path LIKE '/usr/local/lib/%' - OR file.path LIKE '/usr/local/lib64/%' - OR file.path LIKE '/usr/local/libexec/%' - OR file.path LIKE '/usr/local/sbin/%' - OR file.path LIKE '/usr/sbin/%' - OR file.path LIKE '/var/lib/%' - OR file.path LIKE '/var/tmp/%' - ) - AND type = 'regular' - AND mode NOT LIKE '0%' - AND mode NOT LIKE '1%' - AND mode NOT LIKE '2%' - AND NOT ( - mode LIKE '4%11' - AND uid = 0 - AND gid = 0 - AND file.path IN ( - '/bin/cdda2wav', - '/bin/cdrecord', - '/bin/icedax', - '/bin/mount.nfs', - '/bin/mount.nfs4', - '/bin/readcd', - '/bin/readom', - '/bin/rscsi', - '/bin/staprun', - '/bin/sudo', - '/bin/sudoedit', - '/bin/umount.nfs', - '/bin/umount.nfs4', - '/bin/wodim', - '/sbin/cdda2wav', - '/sbin/cdrecord', - '/sbin/icedax', - '/sbin/mount.nfs', - '/sbin/mount.nfs4', - '/sbin/readcd', - '/sbin/readom', - '/sbin/rscsi', - '/sbin/umount.nfs', - '/sbin/umount.nfs4', - '/sbin/userhelper', - '/sbin/wodim', - '/usr/bin/cdda2wav', - '/usr/bin/cdrecord', - '/usr/bin/icedax', - '/usr/bin/mount.nfs', - '/usr/bin/mount.nfs4', - '/usr/bin/readcd', - '/usr/bin/readom', - '/usr/bin/rscsi', - '/usr/bin/staprun', - '/usr/bin/sudo', - '/usr/bin/sudoedit', - '/usr/bin/umount.nfs', - '/usr/bin/umount.nfs4', - '/usr/bin/wodim', - '/usr/libexec/security_authtrampoline', - '/usr/sbin/cdda2wav', - '/usr/sbin/cdrecord', - '/usr/sbin/icedax', - 
'/usr/sbin/mount.nfs', - '/usr/sbin/mount.nfs4', - '/usr/sbin/readcd', - '/usr/sbin/readom', - '/usr/sbin/rscsi', - '/usr/bin/chsh', - '/usr/bin/chfn', - '/bin/chsh', - '/bin/chfn', - '/usr/sbin/umount.nfs', - '/usr/sbin/umount.nfs4', - '/usr/sbin/userhelper', - '/usr/sbin/wodim' - ) - ) - AND NOT ( - mode LIKE '4%55' - AND uid = 0 - AND gid = 0 - AND file.path IN ( - '/bin/at', - '/bin/atq', - '/bin/atrm', - '/bin/chage', - '/bin/chfn', - '/bin/chsh', - '/bin/crontab', - '/bin/doas', - '/bin/expiry', - '/bin/fusermount-glusterfs', - '/bin/fusermount', - '/bin/fusermount3', - '/bin/gpasswd', - '/bin/ksu', - '/bin/mount', - '/bin/ndisc6', - '/bin/newgidmap', - '/bin/newgrp', - '/bin/newuidmap', - '/usr/bin/newgidmap', - '/bin/nvidia-modprobe', - '/bin/passwd', - '/bin/pkexec', - '/bin/ps', - '/bin/rdisc6', - '/bin/rltraceroute6', - '/bin/sg', - '/bin/su', - '/bin/sudo', - '/bin/sudoedit', - '/bin/suexec', - '/bin/ubuntu-core-launcher', - '/bin/umount', - '/bin/vmware-user-suid-wrapper', - '/bin/vmware-user', - '/sbin/chage', - '/sbin/chfn', - '/sbin/chsh', - '/sbin/crontab', - '/sbin/doas', - '/sbin/expiry', - '/sbin/fusermount', - '/sbin/fusermount3', - '/sbin/gpasswd', - '/sbin/grub2-set-bootflag', - '/sbin/ksu', - '/sbin/mount.nfs', - '/sbin/mount.nfs4', - '/sbin/mount', - '/sbin/ndisc6', - '/sbin/newgrp', - '/sbin/nvidia-modprobe', - '/sbin/pam_timestamp_check', - '/sbin/passwd', - '/sbin/pkexec', - '/sbin/rdisc6', - '/sbin/rltraceroute6', - '/sbin/sg', - '/sbin/su', - '/sbin/sudo', - '/sbin/sudoedit', - '/sbin/suexec', - '/sbin/umount.nfs', - '/sbin/umount.nfs4', - '/sbin/umount', - '/sbin/unix_chkpwd', - '/usr/bin/at', - '/usr/bin/atq', - '/usr/bin/atrm', - '/usr/bin/batch', - '/usr/bin/chage', - '/usr/bin/chfn', - '/usr/bin/chsh', - '/usr/bin/crontab', - '/usr/bin/doas', - '/usr/bin/expiry', - '/usr/bin/fusermount-glusterfs', - '/usr/bin/fusermount', - '/usr/bin/fusermount3', - '/usr/bin/gpasswd', - '/usr/bin/ksu', - '/usr/bin/login', - '/usr/bin/mount', - 
'/usr/bin/ndisc6', - '/usr/bin/newgrp', - '/usr/bin/newuidmap', - '/usr/bin/nvidia-modprobe', - '/usr/bin/passwd', - '/usr/bin/pkexec', - '/usr/bin/quota', - '/usr/bin/mullvad-exclude', - '/usr/sbin/mullvad-exclude', - '/usr/bin/rdisc6', - '/usr/bin/rltraceroute6', - '/usr/bin/sg', - '/sbin/mullvad-exclude', - '/bin/mullvad-exclude', - '/usr/bin/su', - '/usr/bin/sudo', - '/usr/bin/sudoedit', - '/usr/bin/suexec', - '/usr/bin/top', - '/usr/bin/ubuntu-core-launcher', - '/usr/bin/umount', - '/usr/bin/vmware-user-suid-wrapper', - '/usr/bin/vmware-user', - '/usr/lib/mail-dotlock', - '/usr/lib/xf86-video-intel-backlight-helper', - '/usr/lib/Xorg.wrap', - '/usr/lib64/mail-dotlock', - '/usr/lib64/xf86-video-intel-backlight-helper', - '/usr/lib64/Xorg.wrap', - '/usr/libexec/authopen', - '/usr/libexec/polkit-agent-helper-1', - '/usr/libexec/qemu-bridge-helper', - '/usr/libexec/Xorg.wrap', - '/usr/sbin/chage', - '/usr/sbin/chfn', - '/usr/sbin/chsh', - '/usr/sbin/crontab', - '/usr/sbin/doas', - '/usr/sbin/expiry', - '/usr/sbin/fusermount', - '/usr/sbin/fusermount3', - '/usr/sbin/gpasswd', - '/usr/sbin/grub2-set-bootflag', - '/usr/sbin/ksu', - '/usr/sbin/mount.nfs', - '/usr/sbin/mount.nfs4', - '/usr/sbin/mount', - '/usr/sbin/ndisc6', - '/usr/sbin/newgrp', - '/usr/sbin/nvidia-modprobe', - '/usr/sbin/pam_timestamp_check', - '/usr/sbin/passwd', - '/usr/sbin/pkexec', - '/usr/sbin/rdisc6', - '/usr/sbin/rltraceroute6', - '/usr/sbin/sg', - '/usr/sbin/su', - '/usr/sbin/sudo', - '/usr/sbin/sudoedit', - '/usr/sbin/suexec', - '/usr/sbin/traceroute', - '/usr/sbin/traceroute6', - '/usr/sbin/umount.nfs', - '/usr/sbin/umount.nfs4', - '/usr/sbin/umount', - '/usr/sbin/unix_chkpwd' - ) - ) - AND NOT ( - mode = '4754' - AND uid = 0 - AND gid = 30 - AND file.path IN ('/usr/sbin/pppd', '/sbin/pppd') - ) - AND NOT ( - mode = '6755' - AND uid = 0 - AND gid = 0 - AND file.path IN ( - '/bin/mount.cifs', - '/bin/mount.smb3', - '/bin/unix_chkpwd', - '/sbin/mount.cifs', - '/sbin/mount.smb3', - 
'/sbin/unix_chkpwd', - '/usr/bin/mount.cifs', - '/usr/bin/mount.smb3', - '/usr/bin/unix_chkpwd', - '/usr/lib/xtest', - '/usr/lib64/xtest', - '/usr/sbin/mount.cifs', - '/usr/sbin/mount.smb3', - '/usr/sbin/unix_chkpwd' - ) - ) - AND NOT ( - mode = '4110' - AND uid = 0 - AND gid = 156 - AND file.path IN ('/bin/staprun', '/usr/bin/staprun') + SELECT + file.path, + file.gid, + file.uid, + file.inode, + file.mode, + file.type, + file.size, + magic.data, + hash.sha256 + FROM + file + LEFT JOIN hash ON file.path = hash.path + LEFT JOIN magic ON file.path = magic.path + WHERE + file.directory IN ( + '/bin', + '/opt/google-cloud-sdk/bin', + '/opt/homebrew/bin', + '/opt/homebrew/sbin', + '/sbin', + '/etc', + '/tmp', + '/var/lib', + '/usr/bin', + '/usr/lib', + '/usr/lib64', + '/usr/libexec', + '/usr/lib/jvm/default/bin', + '/usr/local/bin', + '/usr/local/lib', + '/usr/local/lib64', + '/usr/local/libexec', + '/usr/local/sbin', + '/usr/sbin', + '/var/tmp' + ) + AND type = 'regular' + AND mode NOT LIKE '0%' + AND mode NOT LIKE '1%' + AND mode NOT LIKE '2%' + AND NOT ( + mode LIKE '4%11' + AND uid = 0 + AND gid = 0 + AND file.path IN ( + '/bin/cdda2wav', + '/bin/cdrecord', + '/bin/icedax', + '/bin/mount.nfs', + '/bin/mount.nfs4', + '/bin/readcd', + '/bin/readom', + '/bin/rscsi', + '/bin/staprun', + '/bin/sudo', + '/bin/sudoedit', + '/bin/umount.nfs', + '/bin/umount.nfs4', + '/bin/wodim', + '/sbin/cdda2wav', + '/sbin/cdrecord', + '/sbin/icedax', + '/sbin/mount.nfs', + '/sbin/mount.nfs4', + '/sbin/readcd', + '/sbin/readom', + '/sbin/rscsi', + '/sbin/umount.nfs', + '/sbin/umount.nfs4', + '/sbin/userhelper', + '/sbin/wodim', + '/usr/bin/cdda2wav', + '/usr/bin/cdrecord', + '/usr/bin/icedax', + '/usr/bin/mount.nfs', + '/usr/bin/mount.nfs4', + '/usr/bin/readcd', + '/usr/bin/readom', + '/usr/bin/rscsi', + '/usr/bin/staprun', + '/usr/bin/sudo', + '/usr/bin/sudoedit', + '/usr/bin/umount.nfs', + '/usr/bin/umount.nfs4', + '/usr/bin/wodim', + '/usr/libexec/security_authtrampoline', + 
'/usr/sbin/cdda2wav', + '/usr/sbin/cdrecord', + '/usr/sbin/icedax', + '/usr/sbin/mount.nfs', + '/usr/sbin/mount.nfs4', + '/usr/sbin/readcd', + '/usr/sbin/readom', + '/usr/sbin/rscsi', + '/usr/bin/chsh', + '/usr/bin/chfn', + '/bin/chsh', + '/bin/chfn', + '/usr/sbin/umount.nfs', + '/usr/sbin/umount.nfs4', + '/usr/sbin/userhelper', + '/usr/sbin/wodim' + ) + ) + AND NOT ( + mode LIKE '4%55' + AND uid = 0 + AND gid = 0 + AND file.path IN ( + '/bin/at', + '/bin/atq', + '/bin/atrm', + '/bin/chage', + '/bin/chfn', + '/bin/chsh', + '/bin/crontab', + '/bin/expiry', + '/bin/fusermount-glusterfs', + '/bin/fusermount', + '/bin/fusermount3', + '/bin/gpasswd', + '/bin/ksu', + '/bin/mount', + '/bin/ndisc6', + '/bin/newgidmap', + '/bin/newgrp', + '/bin/newuidmap', + '/usr/bin/newgidmap', + '/bin/nvidia-modprobe', + '/bin/passwd', + '/bin/pkexec', + '/bin/ps', + '/bin/rdisc6', + '/bin/rltraceroute6', + '/bin/sg', + '/bin/su', + '/bin/sudo', + '/bin/sudoedit', + '/bin/suexec', + '/bin/ubuntu-core-launcher', + '/bin/umount', + '/bin/vmware-user-suid-wrapper', + '/bin/vmware-user', + '/sbin/chage', + '/sbin/chfn', + '/sbin/chsh', + '/sbin/crontab', + '/sbin/expiry', + '/sbin/fusermount', + '/sbin/fusermount3', + '/sbin/gpasswd', + '/sbin/grub2-set-bootflag', + '/sbin/ksu', + '/sbin/mount.nfs', + '/sbin/mount.nfs4', + '/sbin/mount', + '/sbin/ndisc6', + '/sbin/newgrp', + '/sbin/nvidia-modprobe', + '/sbin/pam_timestamp_check', + '/sbin/passwd', + '/sbin/pkexec', + '/sbin/rdisc6', + '/sbin/rltraceroute6', + '/sbin/sg', + '/sbin/su', + '/sbin/sudo', + '/sbin/sudoedit', + '/sbin/suexec', + '/sbin/umount.nfs', + '/sbin/umount.nfs4', + '/sbin/umount', + '/sbin/unix_chkpwd', + '/usr/bin/at', + '/usr/bin/atq', + '/usr/bin/atrm', + '/usr/bin/batch', + '/usr/bin/chage', + '/usr/bin/chfn', + '/usr/bin/chsh', + '/usr/bin/crontab', + '/usr/bin/doas', + '/usr/bin/expiry', + '/usr/bin/fusermount-glusterfs', + '/usr/bin/fusermount', + '/usr/bin/fusermount3', + '/usr/bin/gpasswd', + '/usr/bin/ksu', + 
'/usr/bin/login', + '/usr/bin/mount', + '/usr/bin/ndisc6', + '/usr/bin/newgrp', + '/usr/bin/newuidmap', + '/usr/bin/nvidia-modprobe', + '/usr/bin/passwd', + '/usr/bin/pkexec', + '/usr/bin/quota', + '/usr/bin/mullvad-exclude', + '/usr/sbin/mullvad-exclude', + '/usr/bin/rdisc6', + '/usr/bin/rltraceroute6', + '/usr/bin/sg', + '/sbin/mullvad-exclude', + '/bin/mullvad-exclude', + '/usr/bin/su', + '/usr/bin/sudo', + '/usr/bin/sudoedit', + '/usr/bin/keybase-redirector', + '/bin/keybase-redirector', + '/usr/bin/suexec', + '/usr/bin/top', + '/usr/bin/ubuntu-core-launcher', + '/usr/bin/umount', + '/usr/bin/vmware-user-suid-wrapper', + '/usr/bin/vmware-user', + '/usr/lib/mail-dotlock', + '/usr/lib/xf86-video-intel-backlight-helper', + '/usr/lib/Xorg.wrap', + '/usr/lib64/mail-dotlock', + '/usr/lib64/xf86-video-intel-backlight-helper', + '/usr/lib64/Xorg.wrap', + '/usr/libexec/authopen', + '/usr/libexec/polkit-agent-helper-1', + '/usr/libexec/qemu-bridge-helper', + '/usr/libexec/Xorg.wrap', + '/usr/sbin/chage', + '/usr/sbin/chfn', + '/usr/sbin/chsh', + '/usr/sbin/crontab', + '/usr/sbin/doas', + '/usr/sbin/expiry', + '/usr/sbin/fusermount', + '/usr/sbin/fusermount3', + '/usr/sbin/gpasswd', + '/usr/sbin/grub2-set-bootflag', + '/usr/sbin/ksu', + '/usr/sbin/mount.nfs', + '/usr/sbin/mount.nfs4', + '/usr/sbin/mount', + '/usr/sbin/ndisc6', + '/usr/sbin/newgrp', + '/usr/sbin/nvidia-modprobe', + '/usr/sbin/pam_timestamp_check', + '/usr/sbin/passwd', + '/usr/sbin/pkexec', + '/usr/sbin/rdisc6', + '/usr/sbin/rltraceroute6', + '/usr/sbin/sg', + '/usr/sbin/su', + '/usr/sbin/sudo', + '/usr/sbin/sudoedit', + '/usr/sbin/suexec', + '/usr/sbin/traceroute', + '/usr/sbin/traceroute6', + '/usr/sbin/umount.nfs', + '/usr/sbin/umount.nfs4', + '/usr/sbin/umount', + '/usr/sbin/unix_chkpwd' + ) + ) + AND NOT ( + mode = '4754' + AND uid = 0 + AND gid = 30 + AND file.path IN ('/usr/sbin/pppd', '/sbin/pppd') + ) + AND NOT ( + mode = '6755' + AND uid = 0 + AND gid = 0 + AND file.path IN ( + '/bin/mount.cifs', 
+ '/bin/mount.smb3', + '/bin/unix_chkpwd', + '/sbin/mount.cifs', + '/sbin/mount.smb3', + '/sbin/unix_chkpwd', + '/usr/bin/mount.cifs', + '/usr/bin/mount.smb3', + '/usr/bin/unix_chkpwd', + '/usr/lib/xtest', + '/usr/lib64/xtest', + '/usr/sbin/mount.cifs', + '/usr/sbin/mount.smb3', + '/usr/sbin/unix_chkpwd' + ) + ) + AND NOT ( + mode = '4110' + AND uid = 0 + AND gid = 156 + AND file.path IN ('/bin/staprun', '/usr/bin/staprun') + ) ) +GROUP BY + inode diff --git a/detection/execution/unexpected-sysctl-calls.sql b/detection/execution/unexpected-sysctl-calls.sql index 3af5439..c1887c6 100644 --- a/detection/execution/unexpected-sysctl-calls.sql +++ b/detection/execution/unexpected-sysctl-calls.sql @@ -41,9 +41,13 @@ FROM LEFT JOIN hash gphash ON gp.path = gphash.path LEFT JOIN process_events gpe ON ppe.parent = gpe.pid LEFT JOIN hash gpehash ON gpe.path = gpehash.path - WHERE +WHERE pe.time > (strftime('%s', 'now') -900) - AND pe.path IN ('/usr/bin/sysctl', '/sbin/sysctl', '/usr/sbin/sysctl') + AND pe.path IN ( + '/usr/bin/sysctl', + '/sbin/sysctl', + '/usr/sbin/sysctl' + ) AND NOT p.parent IS NULL AND NOT child_cmd IN ( 'sysctl -n hw.optional.arm64', diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql index 7dd2aa4..275f37a 100644 --- a/detection/exfil/high_disk_bytes_read.sql +++ b/detection/exfil/high_disk_bytes_read.sql @@ -133,4 +133,3 @@ WHERE ) AND NOT (p.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java') AND NOT p.cgroup_path LIKE '/system.slice/docker-%' - diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql index e54837b..3b50967 100644 --- a/detection/initial_access/unexpected-shell-parent-events.sql +++ b/detection/initial_access/unexpected-shell-parent-events.sql @@ -126,7 +126,6 @@ WHERE 'yum', 'zellij', 'zsh' - ) OR parent_name LIKE 'terraform-provider-%' -- Do not add shells to this list if you want your query to detect 
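Review bot: `GROUP BY inode` in the new outer query collapses rows across filesystems: inode numbers are only unique per device, so a setuid file on /tmp or /var/tmp (often a separate tmpfs) can share an inode number with a legitimate /usr/bin entry and be merged into the same row, where the non-aggregated `mode`, `uid`, `sha256` and `data` come from one arbitrary member; add `file.device` to the inner SELECT and use `GROUP BY device, inode`. Separately, moving from path patterns to `file.directory IN (...)` drops the previous `/home/%/bin/%`, `/Users/%/bin/%`, `/opt/%/bin/%` and `/opt/%/sbin/%` scans, so a setuid binary in a user's ~/bin or an arbitrary /opt/<pkg>/bin is no longer examined at all — if that is deliberate it deserves a comment, otherwise keep those as `OR file.path LIKE` terms. Also, `/bin/doas` and `/sbin/doas` vanished from the mode `4%55` list while the `/usr` copies remain, which looks accidental and will presumably reintroduce alerts on hosts that install doas there.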
diff --git a/detection/privesc/unexpected-elevated-children-events_macos.sql b/detection/privesc/unexpected-elevated-children-events_macos.sql index f5958d8..083b377 100644 --- a/detection/privesc/unexpected-elevated-children-events_macos.sql +++ b/detection/privesc/unexpected-elevated-children-events_macos.sql @@ -50,7 +50,7 @@ FROM WHERE pe.time > (strftime('%s', 'now') -60) AND child_euid < parent_euid - AND pe.path NOT IN ( + AND parent_path NOT IN ( '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared', '/usr/bin/login', '/usr/bin/su',