diff --git a/Makefile b/Makefile index eb19d7a..2613191 100644 --- a/Makefile +++ b/Makefile @@ -23,7 +23,7 @@ out/odk-detection-evasion.conf: out/osqtool-$(ARCH) $(wildcard detection/evasion ./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-evasion.conf pack detection/evasion out/odk-detection-execution.conf: out/osqtool-$(ARCH) $(wildcard detection/execution/*.sql) - ./out/osqtool-$(ARCH) --max-query-duration=8s --verify -output out/odk-detection-execution.conf pack detection/execution + ./out/osqtool-$(ARCH) --max-query-duration=16s --verify -output out/odk-detection-execution.conf pack detection/execution out/odk-detection-exfil.conf: out/osqtool-$(ARCH) $(wildcard detection/exfil/*.sql) ./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-exfil.conf pack detection/exfil @@ -47,7 +47,7 @@ out/odk-vulnerabilities.conf: out/osqtool-$(ARCH) $(wildcard vulnerabilities/*. ./out/osqtool-$(ARCH) --output out/odk-vulnerabilities.conf pack vulnerabilities/ out/odk-incident-response.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql) - ./out/osqtool-$(ARCH) --max-query-duration=12s --output out/odk-incident-response.conf --verify pack incident_response/ + ./out/osqtool-$(ARCH) --max-query-duration=12s --output out/odk-incident-response.conf --verify pack incident_response/ # A privacy-aware variation of IR rules out/odk-incident-response-privacy.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql) @@ -101,7 +101,7 @@ verify-ci: ./out/osqtool-$(ARCH) verify: ./out/osqtool-$(ARCH) $(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy - $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=12s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection + $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=16s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection all: out/odk-packs.zip diff --git a/detection/evasion/unexpected-etc-executables.sql b/detection/evasion/unexpected-etc-executables.sql index 3294da5..35d2b29 100644 --- a/detection/evasion/unexpected-etc-executables.sql +++ b/detection/evasion/unexpected-etc-executables.sql @@ -33,7 +33,6 @@ WHERE '/etc/alternatives', '/etc/apcupsd', '/etc/apm/resume.d', - '/etc/vmware-tools/scripts/vmware', '/etc/apm/scripts.d', '/etc/apm/suspend.d', '/etc/avahi', @@ -42,10 +41,10 @@ WHERE '/etc/ca-certificates/update.d', '/etc/chromium/native-messaging-hosts', '/etc/cifs-utils', + '/etc/cloud/clean.d/99-installer-use-networkmanager', '/etc/console-setup', '/etc/cron.daily', '/etc/cron.hourly', - '/etc/mc', '/etc/cron.monthly', '/etc/cron.weekly', '/etc/dhcp/dhclient.d', @@ -80,8 +79,13 @@ WHERE '/etc/kernel/prerm.d', '/etc/lightdm', '/etc/localtime', + '/etc/mc', '/etc/mcelog/triggers', '/etc/menu-methods', + '/etc/needrestart/hook.d', + '/etc/needrestart/notify.d', + '/etc/needrestart/restart.d', + '/etc/network', '/etc/network/if-down.d', '/etc/network/if-post-down.d', '/etc/network/if-pre-up.d', @@ -93,8 +97,8 @@ WHERE '/etc/periodic/daily', '/etc/periodic/monthly', '/etc/periodic/weekly', - '/etc/cloud/clean.d/99-installer-use-networkmanager', '/etc/pinentry', + '/etc/pki/tls/misc', '/etc/pm/sleep.d', '/etc/pop-os/update-motd.d', '/etc/ppp', @@ -122,24 +126,20 @@ WHERE '/etc/rdnssd', '/etc/redhat-lsb', '/etc/resolvconf/update.d', - '/etc/needrestart/notify.d', - '/etc/needrestart/hook.d', - '/etc/needrestart/restart.d', - '/etc/sysconfig/network-scripts', '/etc/security', '/etc/skel', - '/etc/network', - '/etc/pki/tls/misc', '/etc/smartmontools', '/etc/ssl/certs', '/etc/ssl/misc', '/etc/ssl/trust-source', + '/etc/sysconfig/network-scripts', '/etc/systemd/system', '/etc/systemd/system/graphical.target.wants', '/etc/systemd/system-shutdown', '/etc/udev/rules.d', '/etc/update-motd.d', '/etc/vmware-tools', + '/etc/vmware-tools/scripts/vmware', '/etc/vpnc', '/etc/wpa_supplicant', '/etc/X11', @@ -165,6 +165,7 @@ WHERE '/etc/pwrstatd.conf', '/etc/qemu-ifdown', '/etc/qemu-ifup', + '/etc/modulefiles/vpl', '/etc/rmt', '/etc/shutdown.sh', '/etc/sudoers.d/lima', diff --git a/detection/persistence/yara-suspicious-strings-process-linux.sql b/detection/persistence/yara-suspicious-strings-process-linux.sql index 4a1f272..dcb50c5 100644 --- a/detection/persistence/yara-suspicious-strings-process-linux.sql +++ b/detection/persistence/yara-suspicious-strings-process-linux.sql @@ -84,10 +84,10 @@ WHERE AND p0.path NOT LIKE '%/chrome_crashpad_handler' AND p0.path NOT LIKE '/nix/store/%/bin/%' AND p0.path NOT LIKE '/nix/store/%/libexec/%' + AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher' AND p0.path NOT IN ( '/bin/fish', - '/usr/bin/NetworkManager', - '/usr/bin/Xwayland', + '/usr/bin/sudo', '/usr/bin/bash', '/usr/bin/containerd-shim-runc-v2', '/usr/bin/docker-proxy', @@ -96,22 +96,23 @@ WHERE '/usr/bin/gpg-agent', '/usr/bin/ibus-daemon', '/usr/bin/make', + '/usr/bin/NetworkManager', '/usr/bin/nvidia-persistenced', '/usr/bin/pulseaudio', '/usr/bin/udevadm', '/usr/bin/update-notifier', + '/usr/bin/Xwayland', '/usr/lib/bluetooth/bluetoothd', '/usr/lib/bluetooth/obexd', - '/usr/lib/systemd/systemd', - '/usr/lib/systemd/systemd-journald', - '/usr/lib/systemd/systemd-machined', '/usr/libexec/accounts-daemon', '/usr/libexec/bluetooth/bluetoothd', '/usr/libexec/bluetooth/obexd', '/usr/libexec/sssd/sssd_kcm', '/usr/libexec/xdg-desktop-portal', + '/usr/lib/systemd/systemd', + '/usr/lib/systemd/systemd-journald', + '/usr/lib/systemd/systemd-machined', '/usr/local/kolide-k2/bin/launcher', - '/usr/sbin/NetworkManager', '/usr/sbin/acpid', '/usr/sbin/auditd', '/usr/sbin/cron', @@ -119,7 +120,7 @@ WHERE '/usr/sbin/gdm', '/usr/sbin/gssproxy', '/usr/sbin/mcelog', + '/usr/sbin/NetworkManager', '/usr/sbin/rsyslogd', '/usr/sbin/smartd' - ) \ No newline at end of file