diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 2bb04a9..67046fc 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -87,7 +87,6 @@ WHERE
 AND NOT exception_key IN (
 '123,17,114,/usr/chronyd,0u,0g,chronyd',
 '123,17,500,/usr/chronyd,0u,0g,chronyd',
- '80,6,500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
 '143,6,500,/app/thunderbird,u,g,thunderbird',
 '143,6,500,/usr/thunderbird,0u,0g,thunderbird',
 '19305,6,500,/opt/firefox,0u,0g,firefox',
@@ -129,10 +128,12 @@ WHERE
 '80,6,0,/usr/bash,0u,0g,sh',
 '80,6,0,/usr/bash,0u,0g,update-ca-trust',
 '80,6,0,/usr/cp,0u,0g,cp',
+ '80,6,0,/usr/fc-cache,0u,0g,fc-cache',
 '80,6,0,/usr/find,0u,0g,find',
 '80,6,0,/usr/gpg,0u,0g,gpg',
 '80,6,0,/usr/kmod,0u,0g,depmod',
 '80,6,0,/usr/kubelet,u,g,kubelet',
+ '80,6,0,/usr/ldconfig,0u,0g,ldconfig',
 '80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
 '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
 '80,6,0,/usr/pacman,0u,0g,pacman',
@@ -170,6 +171,7 @@ WHERE
 '80,6,500,/usr/rpi-imager,0u,0g,rpi-imager',
 '80,6,500,/usr/signal-desktop,0u,0g,signal-desktop',
 '80,6,500,/usr/thunderbird,0u,0g,thunderbird',
+ '80,6,500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
 '8080,6,500,/opt/chrome,0u,0g,chrome',
 '8080,6,500,/usr/firefox,0u,0g,firefox',
 '8080,6,500,/usr/python3.11,0u,0g,speedtest-cli',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index ae5ff60..1b0dc43 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
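Review bot: The two new root-level exceptions `'80,6,0,/usr/fc-cache,0u,0g,fc-cache'` and `'80,6,0,/usr/ldconfig,0u,0g,ldconfig'` accept a TCP port-80 socket held by tools that have no HTTP client of their own, and nothing in the list says why. Like the neighbouring cp, find and depmod entries they presumably inherit a descriptor from a package-manager hook (pacman and packagekitd appear a few lines down), but that is an inference from the surrounding entries, not something the hunk states. A one-line comment next to them, such as `-- fc-cache/ldconfig: socket inherited from package-manager post-transaction hooks, not an outbound client`, would keep the next reader from treating this as precedent for any root binary on port 80. If the key can be extended, constraining these two on the parent process rather than on the abbreviated path and name alone would narrow the gap further.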
@@ -140,7 +140,6 @@ WHERE
 '22,6,500,ssh,com.apple.openssh,Software Signing',
 '22,6,500,ssh,com.apple.ssh,Software Signing',
 '22,6,500,ssh,ssh,',
- '443,6,500,jx,,',
 '22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
 '30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@@ -174,6 +173,7 @@ WHERE
 '443,6,500,chainctl,,',
 '443,6,500,chainctl,a.out,',
 '443,6,500,chainctl,chainctl,',
+ '443,6,500,chainctl_darwin_arm64,a.out,',
 '443,6,500,chainctl_Darwin_arm64,a.out,',
 '443,6,500,civo,a.out,',
 '443,6,500,cloud_sql_proxy,a.out,',
@@ -224,6 +224,7 @@ WHERE
 '443,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '443,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
 '443,6,500,Java Updater,com.oracle.java.Java-Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
+ '443,6,500,jx,,',
 '443,6,500,ko,a.out,',
 '443,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
 '443,6,500,kubectl,,',
@@ -279,6 +280,7 @@ WHERE
 '6000,6,500,ssh,com.apple.openssh,Software Signing',
 '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
 '80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
+ '80,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
 '80,6,500,curl,com.apple.curl,Software Signing',
 '80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
 '80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
diff --git a/detection/discovery/unexpected-netutil-calls-linux.sql b/detection/discovery/unexpected-netutil-calls-linux.sql
index f11015a..8de862d 100644
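Review bot: `'443,6,500,chainctl_darwin_arm64,a.out,'` matches on the process name alone: its identifier is the ad-hoc `a.out` and the signing-authority field is empty, so any unsigned binary that calls itself chainctl_darwin_arm64 and talks to 443 is excluded from this detection. The existing chainctl entries have the same shape, so this is consistent with the file, but it is worth recording the reason with a comment such as `-- chainctl*: local/unsigned builds (a.out, no authority); prefer the signed identity for release binaries`. Listing both `chainctl_darwin_arm64` and `chainctl_Darwin_arm64` suggests the key is case-sensitive and the download name varies by release; if the key is built in this file, lower-casing the name component there would collapse the pair instead of growing the list each time.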
--- a/detection/discovery/unexpected-netutil-calls-linux.sql
+++ b/detection/discovery/unexpected-netutil-calls-linux.sql
@@ -1,11 +1,11 @@
--- Suspicious parenting of fetch tools (event-based)
+-- Suspicious parenting of network utilities (event-based)
 --
 -- refs:
 -- * https://attack.mitre.org/techniques/T1016/ (System Network Configuration Discovery)
 --
 -- tags: transient process state often
 -- platform: linux
--- interval: 300
+-- interval: 60
 SELECT
 -- Child
 pe.path AS p0_path,
@@ -65,7 +65,7 @@ WHERE
 '/sbin/nft'
 )
 AND pe.cmdline != ''
- AND pe.time > (strftime('%s', 'now') -300)
+ AND pe.time > (strftime('%s', 'now') -60)
 AND NOT (
 pe.euid > 500
 AND p1_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
diff --git a/detection/evasion/parent-missing-from-disk-linux.sql b/detection/evasion/parent-missing-from-disk-linux.sql
index 549b1d0..1363fcd 100644
--- a/detection/evasion/parent-missing-from-disk-linux.sql
+++ b/detection/evasion/parent-missing-from-disk-linux.sql
@@ -43,13 +43,14 @@ WHERE
 AND NOT parent_path IN (
 '/opt/google/chrome/chrome',
 '/usr/bin/alacritty',
+ '/usr/bin/doas',
 '/usr/bin/dockerd',
 '/usr/bin/fusermount3',
- '/usr/bin/osqueryd',
- '/usr/bin/yay',
- '/usr/bin/sudo',
- '/usr/bin/doas',
 '/usr/bin/gnome-shell',
+ '/usr/bin/osqueryd',
+ '/usr/bin/sudo',
+ '/usr/bin/yay',
+ '/usr/libexec/gnome-terminal-server',
 '/usr/lib/systemd/systemd'
 ) -- long-running launchers
 AND NOT parent_name IN (
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index a586478..6ace6bd 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
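Review bot: The lookback `AND pe.time > (strftime('%s', 'now') -60)` is now exactly equal to the scheduled `-- interval: 60`, which leaves no margin: if a run is delayed by other queries in the schedule, events that fall between the nominal and the actual run time are selected by neither run. Either give the window some slack and accept the occasional duplicate (e.g. `-90`), or, if this query relies on osquery's evented-table behaviour of returning only events since the last run, state that in the header so the `-60` is understood as a cap rather than the primary window. Since this commit had to change both numbers together, a `-- keep in sync with the interval in the header` comment on the time filter would make the coupling explicit; the WHERE clause it sits in starts outside the hunk.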
@@ -157,7 +157,11 @@ WHERE
 pe.time > (strftime('%s', 'now') -30) ) AND NOT ( p0_cmd IN (
+ '/bin/launchctl bootout gui/501 /Library/LaunchAgents/com.logi.optionsplus.plist',
+ '/bin/launchctl bootout system/com.docker.socket',
+ '/bin/launchctl load /Library/LaunchDaemons/com.logi.optionsplus.updater.plist',
 '/bin/launchctl load -wF /Library/LaunchAgents/com.adobe.GC.AGM.plist',
+ '/bin/launchctl load -w /Library/LaunchDaemons/com.docker.socket.plist',
 '/bin/rm -f /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
 'git history',
 'launchctl asuser 501 launchctl load /System/Library/LaunchAgents/com.apple.SafariBookmarksSyncAgent.plist',
diff --git a/detection/execution/exotic-commands.sql b/detection/execution/exotic-commands.sql
index f1b399f..022be97 100644
--- a/detection/execution/exotic-commands.sql
+++ b/detection/execution/exotic-commands.sql
@@ -119,4 +119,5 @@ WHERE
 )
 AND NOT cmd IN (
 'socat UNIX-LISTEN:/run/user/1000/app/com.discordapp.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/1000/discord-ipc-0'
- )
\ No newline at end of file
+ )
+ AND NOT p.name IN ('cc1', 'compile', 'cmake', 'cc1plus')
\ No newline at end of file
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 3a819df..0c997f9 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -83,6 +83,7 @@ WHERE
 'thunderbird',
 'vim',
 'wineserver',
+ 'yay',
 'ykman-gui',
 'zsh'
 )
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index ec6afb3..a4ac0d7 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -45,6 +45,9 @@ WHERE
 'arc.net',
 'balena.io',
 'balsamiq.com',
+ 'techsmith.com',
+ 'cron.com',
+ 'macbartender.com',
 'brave.com',
 'canon.co.uk',
 'cdn.mozilla.net',
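Review bot: `AND NOT p.name IN ('cc1', 'compile', 'cmake', 'cc1plus')` exempts a process from every pattern in this query on the strength of its name alone, and a process name is attacker-chosen: any payload copied to a file called `cmake` or `compile` now bypasses the detection entirely. The compiler cases would be far narrower if tied to where those binaries live, e.g. `AND NOT (p.name IN ('cc1', 'cc1plus') AND p.path LIKE '/usr/lib/gcc/%')`, with cmake and compile anchored to their install paths in the same way, assuming the joined processes row exposes a path column (the rest of the WHERE clause starts outside the hunk). The file also still ends without a trailing newline on both sides of the change, which is worth fixing while the last line is being touched.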
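Review bot: The three new domains `'techsmith.com', 'cron.com', 'macbartender.com'` are inserted between `balsamiq.com` and `brave.com`, breaking the alphabetical order the rest of this list keeps (`arc.net`, `balena.io`, `balsamiq.com`, `brave.com`, `canon.co.uk`, `cdn.mozilla.net`), which is what makes duplicate and stale entries visible in review. `cron.com` belongs after `cdn.mozilla.net`, and `macbartender.com` and `techsmith.com` belong in the m and t runs, which lie outside this hunk.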
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 0776e27..84a82bf 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -58,6 +58,7 @@ WHERE
 p1_name IN (
 'abrt-handle-eve',
 'alacritty',
+ 'at-spi-bus-launcher',
 'bash',
 'build-script-build',
 'chainctl',
@@ -77,22 +78,26 @@ WHERE
 'doas',
 'docker-credential-desktop',
 'docker-credential-gcr',
+ 'Docker Desktop',
+ 'Emacs-arm64-11',
 'env',
 'erl_child_setup',
 'find',
 'FinderSyncExtension',
 'fish',
 'gatherheaderdoc',
+ 'gdm3',
 'gdm-session-worker',
 'gdm-x-session',
 'git',
 'gke-gcloud-auth-plugin',
+ 'gnome-session-binary',
+ 'gnome-shell',
 'gnome-terminal-server',
 'go',
 'goland',
 'gopls',
 'helm',
- 'Docker Desktop',
 'HP Diagnose & Fix',
 'i3bar',
 'i3blocks',
@@ -101,7 +106,6 @@ WHERE
 'ko',
 'kubectl',
 'lightdm',
- 'Xorg',
 'local-path-provisioner',
 'login',
 'make',
@@ -133,6 +137,7 @@ WHERE
 'systemd',
 'systemd-sleep',
 'terminator',
+ 'terraform-ls',
 'test2json',
 'tmux',
 'tmux:server',
@@ -145,8 +150,10 @@ WHERE
 'xargs',
 'xcrun',
 'xfce4-terminal',
+ 'Xorg',
 'yay',
 'yum',
+ 'zed'','
 'zellij',
 'zsh'
 )
@@ -156,12 +163,14 @@ WHERE
 OR p2_name IN ('env', 'git') -- Homebrew, except we don't want to allow all of ruby
 OR p0_cmd IN (
- 'sh -c /bin/stty size 2>/dev/null',
- 'sh -c python3.7 --version 2>&1',
+ '/bin/bash /usr/bin/xdg-settings set default-url-scheme-handler slack Slack.desktop',
 '/bin/sh -c lsb_release -a --short',
- '/bin/zsh -c ls',
 '/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
+ '/bin/sh /usr/bin/lsb_release -a --short',
+ '/bin/zsh -c ls',
+ 'sh -c /bin/stty size 2>/dev/null',
 "sh -c osascript -e 'user locale of (get system info)'",
+ 'sh -c python3.7 --version 2>&1',
 'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'
 )
 OR (
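Review bot: The added entry `'zed'','` is a syntax error rather than the string `zed`: in SQL a doubled quote inside a literal is an escaped quote, so the tokenizer reads one literal `zed',` and then meets `'zellij'` with no comma before it, and osquery will reject the whole query at parse time instead of merely missing one exception. The line should read `'zed',`. Because this file is a hand-edited allowlist that changes often, each touched query should be run through `osqueryi` (or a plain sqlite parse in CI) before merge; nothing else in the hunk would have caught this.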
@@ -175,20 +184,33 @@ WHERE
 )
 OR (
 p1_cmd LIKE '%Python% /opt/homebrew/bin/jupyter%'
- AND p0_cmd = '/bin/sh -c osascript'
+ AND p0_cmd = '/bin/sh -c osascript'
+ )
+ OR (
+ p1_name = 'osqueryd'
+ AND p0_cmd LIKE '/bin/sh /etc/NetworkManager/dispatcher.d/%'
+ )
+ OR (
+ p1_name = 'ssh'
+ AND p0_cmd LIKE 'gcloud.py compute start-iap-tunnel%'
+ )
+
+ OR exception_key IN (
+ 'bash,0,pia-daemon,launchd',
+ 'zsh,500,python3.10,gnome-shell'
 )
- OR exception_key IN ('bash,0,pia-daemon,launchd')
 OR p0_cmd LIKE '%/bash -e%/bin/as -arch%'
 OR p0_cmd LIKE '/bin/bash /usr/local/Homebrew/%'
 OR p0_cmd LIKE '/bin/bash /opt/homebrew/%'
 OR p0_cmd LIKE '/bin/sh -c pkg-config %'
 OR p0_cmd LIKE '/bin/sh %/docker-credential-gcloud get'
- OR p0_cmd LIKE '%/google-chrome --flag-switches-begin % --product-version'
+ OR p0_cmd LIKE '%/google-chrome% --flag-switches-begin % --product-version'
 OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-open %'
 OR p0_cmd LIKE '/bin/bash /usr/bin/xdg-settings check %'
 OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings set %'
 OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings check %'
 OR p0_cmd LIKE '%gcloud config config-helper --format=json'
+ OR p0_cmd LIKE '%gcloud config get-value%'
 OR p1_cmd LIKE '%Python /opt/homebrew/bin/aws configure sso'
 OR p2_cmd LIKE '/bin/bash /usr/local/bin/brew%'
 OR p2_cmd LIKE '/usr/bin/python3 -m py_compile %'
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 12979d7..3d387b1 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
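Review bot: `OR p0_cmd LIKE '%gcloud config get-value%'` is anchored at neither end, so it exempts any shell invocation whose command line merely contains that text, for instance `sh -c "gcloud config get-value project; curl … | sh"`; the neighbouring `'%gcloud config config-helper --format=json'` at least pins the tail of the command. Pin it to the form actually observed, e.g. `OR p0_cmd LIKE 'sh -c gcloud config get-value %'`, or add it as an exact `p0_cmd IN (...)` entry if the property name is fixed. The new `p1_name = 'osqueryd'` clause for `/bin/sh /etc/NetworkManager/dispatcher.d/%` also deserves a comment on why osqueryd appears as the parent of dispatcher scripts, since dispatcher.d is itself a persistence location and a reader will otherwise assume the parent attribution is wrong rather than intended.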
@@ -45,8 +45,8 @@ WHERE
 )
 AND (
 exception_key IN (
- 'abrtd.service,ABRT Automated Bug Reporting Tool,,400',
- 'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,400',
+
+ 'abrtd.service,ABRT Automated Bug Reporting Tool,,400',
 'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,,200',
 'abrt-oops.service,ABRT kernel log watcher,,200',
 'abrt-xorg.service,ABRT Xorg log watcher,,200',
@@ -226,6 +226,7 @@ WHERE
 'nscd.service,Name Service Cache Daemon,nscd,1800',
 'nss-lookup.target,Host and Network Name Lookups,,500',
 'nss-user-lookup.target,User and Group Name Lookups,,500',
+ 'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,400',
 'nvidia-persistenced.service,NVIDIA Persistence Daemon,,300',
 'nvidia-powerd.service,nvidia-powerd service,,100',
 'openvpn.service,OpenVPN service,,200',
@@ -389,6 +390,7 @@ WHERE
 'user.slice,User and Session Slice,,400',
 'uuidd.socket,UUID daemon activation socket,,100',
 'vboxautostart-service.service,vboxautostart-service.service,,400',
+ 'vboxballoonctrl-service.service,vboxballoonctrl-service.service,,500',
 'vboxdrv.service,VirtualBox Linux kernel module,,400',
 'vboxweb-service.service,vboxweb-service.service,,500',
 'veritysetup.target,Local Verity Protected Volumes,,400',
@@ -434,7 +436,7 @@ WHERE
 'znapzend.service,ZnapZend - ZFS Backup System,root,1700',
 'zpool-trim.service,ZFS pools trim,,1200',
 'zpool-trim.timer,zpool-trim.timer,,0'
- )
+ )
 OR exception_key LIKE 'machine-qemu%,Virtual Machine qemu%,,300'
 OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0,200'
 OR exception_key LIKE 'run-media-%.mount,run-media-%.mount,,0'
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 934a5e8..6ce9c36 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
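Review bot: The first added line directly after `exception_key IN (` is empty, which no other part of this list does and which reads as a leftover from moving the nvidia-fallback entry to its sorted position later in the file. Drop the blank line so the list opens with `'abrtd.service,ABRT Automated Bug Reporting Tool,,400',` as before; the rest of this hunk is a pure reorder.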
@@ -72,6 +72,7 @@ WHERE
 'true,,Bardeen - automate manual work,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
 'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
 'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
+ 'true,,Bionic Reading,kdfkejelgkdjgfoolngegkhkiecmlflj',
 'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
 'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo',
 'true,CAD Team,Cookie AutoDelete,fhcgjolkccmbidfldomjliifgaodjagh',
@@ -95,6 +96,7 @@ WHERE
 "true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
 'true,,Datanyze Chrome Extension,mlholfadgbpidekmhdibonbjhdmpmafd',
 'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo',
+ 'true,,Disconnect,jeoacafpbcihiomhlakheieifhpjdfeo',
 'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg',
 'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg',
 'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
@@ -128,6 +130,7 @@ WHERE
 'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo',
 'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd',
 'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn',
+ 'true,,Link to Text Fragment,pbcodcjpfjdpcineamnnmbkkmkdpajjg',
 'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo',
 'true,,Loom – Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
 'true,,Loom – Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
@@ -164,8 +167,10 @@ WHERE
 'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj',
 'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd',
 'true,,Selenium IDE,mooikfkahbdckldjjndioackbalphokd',
+ 'true,,Send from Gmail (by Google),pgphcomnlaojlmmcjmiddhdapjpbgeoc',
 'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea',
 'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko',
+ 'true,,Shodan,jjalcfnidlmpjhdfepjhjbhnhkbgleap',
 'true,,Simple Tab Sorter,cgfpgnepljlgenjclbekbjdlgcodfmjp',
 'true,,Slack,jeogkiiogjbmhklcnbgkdcjoioegiknm',
 'true,,SSH for Google Cloud Platform,ojilllmhjhibplnppnamldakhpmdnibd',