From 6b4700c3dd61938257e464cd6198adbef62f3da2 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sun, 24 Sep 2023 22:02:34 -0400
Subject: [PATCH] Address issues which kept these alerts from firing
---
 detection/evasion/unexpected-dev-executables-linux.sql | 8 ++++++--
 detection/evasion/unexpected-var-executables-linux.sql | 5 ++++-
 detection/execution/unexpected-execdir-linux.sql | 5 +++--
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/detection/evasion/unexpected-dev-executables-linux.sql b/detection/evasion/unexpected-dev-executables-linux.sql
index a145ad6..0998854 100644
--- a/detection/evasion/unexpected-dev-executables-linux.sql
+++ b/detection/evasion/unexpected-dev-executables-linux.sql
@@ -47,7 +47,10 @@ WHERE
 file.uid = 1000
 AND file.gid = 1000
 AND file.mode = '0700'
- AND magic.data = 'data'
+ AND (
+ magic.data IS NULL
+ OR magic.data = 'data'
+ )
 AND file.path LIKE '/dev/shm/pulse-shm-%'
 AND file.size > 60000000
 ) -- Seen with Steam
@@ -57,7 +60,8 @@ WHERE
 AND file.mode IN ('0755', '0775')
 AND file.path LIKE '/dev/shm/u1000-Shm_%'
 AND (
- magic.data NOT LIKE "%executable%"
+ magic.data IS NULL
+ OR magic.data NOT LIKE "%executable%"
 OR magic.data IN (
 'data',
 'Applesoft BASIC program data, first line number 86',
diff --git a/detection/evasion/unexpected-var-executables-linux.sql b/detection/evasion/unexpected-var-executables-linux.sql
index 8452e92..497bb30 100644
--- a/detection/evasion/unexpected-var-executables-linux.sql
+++ b/detection/evasion/unexpected-var-executables-linux.sql
@@ -54,5 +54,8 @@ WHERE
 '/var/run/lima-boot-done',
 '/var/run/lima-ssh-ready'
 )
- AND magic.data NOT IN ('JSON data')
+ AND (
+ magic.data IS NULL
+ OR magic.data != 'JSON data'
+ )
 AND file.size > 10
diff --git a/detection/execution/unexpected-execdir-linux.sql b/detection/execution/unexpected-execdir-linux.sql
index 25eba7a..5e07505 100644
--- a/detection/execution/unexpected-execdir-linux.sql
+++ b/detection/execution/unexpected-execdir-linux.sql
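Review bot: If these two blocks are `NOT (...)` exclusions, as the `) -- Seen with Steam` annotation suggests, the added `magic.data IS NULL OR` branch (here and again in the u1000-Shm hunk below) does not change which rows survive: a row with NULL magic data and every other block condition true was already dropped, because `NOT (TRUE AND UNKNOWN)` is UNKNOWN, and it is still dropped now that the block evaluates TRUE. Only the top-level predicate in unexpected-var-executables-linux.sql is affected by NULL in the way the commit title describes. Either way, a /dev/shm file whose type could not be read is suppressed whenever the other exclusion conditions hold, which deserves a line above the first block, e.g. `-- magic.data is NULL when no type could be read; treat that like 'data' so the Steam exception still applies`. The enclosing WHERE starts before the hunk, so the negation itself is not visible here.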
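Review bot: The three-line `IS NULL OR !=` replacement is the correct fix for the `NOT IN` NULL trap on a top-level predicate, but nothing in the file says why the NULL branch is there, and the earlier one-liner is exactly what a later cleanup would restore. A comment on the `AND (` line such as `-- keep rows with no magic data: NULL would otherwise make the comparison UNKNOWN and hide the alert` pins the intent. osquery's SQLite dialect also accepts the null-safe `magic.data IS NOT 'JSON data'` as a one-line equivalent if the three-line form reads as noise. The enclosing WHERE starts before the hunk.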
@@ -5,7 +5,8 @@
 --
 -- tags: transient process state
 -- platform: linux
-SELECT -- Child
+SELECT
+ -- Child
 p0.pid AS p0_pid,
 p0.cgroup_path AS p0_cgroup,
 p0.path AS p0_path,
@@ -66,7 +67,7 @@ WHERE
 AND INSTR(path, "/app/") != 1
 AND INSTR(path, "/ko-app") != 1
 AND INSTR(path, "/usr/share/teams/") != 1
- AND INSTR(path, "/.terraform/") > 0
+ AND path NOT LIKE "%/.terraform%"
 AND NOT path LIKE '/tmp/%/osqtool'
 AND NOT path LIKE '/tmp/GoLand/___go_build_%_go'
 AND NOT cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
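Review bot: `path NOT LIKE "%/.terraform%"` drops the trailing slash that the removed `INSTR(path, "/.terraform/")` test kept, so the exclusion now also covers any path component that merely starts with `.terraform` (for example `/.terraform-cache/` or `/.terraformrc`), and SQLite's LIKE is ASCII case-insensitive, so `.Terraform` matches as well. `AND path NOT LIKE "%/.terraform/%"` keeps the directory boundary while still fixing the inverted `> 0` test, which previously let the alert fire only for terraform paths. The line also continues the file's double-quoted string literals, which SQLite accepts only through its legacy identifier-to-string fallback; single quotes, as on the `NOT path LIKE '/tmp/%/osqtool'` line just below, are the safe form. The enclosing WHERE starts before the hunk.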