diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 72abb8d..fa6ff3e 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -197,6 +197,7 @@ WHERE
 '8080,6,500,chrome,0u,0g,chrome',
 '8080,6,500,firefox,0u,0g,firefox',
 '8080,6,500,idea,0u,0g,idea',
+ '32768,6,500,mumble,0u,0g,mumble',
 '8080,6,500,python3.11,0u,0g,speedtest-cli',
 '8080,6,500,speedtest,500u,500g,speedtest',
 '8080,6,500,bambu-studio,u,g,bambustu_main',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index ce535e5..efca1d5 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -111,26 +111,17 @@ WHERE
 unsigned_exception = '500,6,80,main,main'
 AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
 )
- AND NOT (
- unsigned_exception IN (
+ -- port 0 means the connection has come and gone since the original process_open_sockets entry
+ AND NOT unsigned_exception IN (
 '500,0,0,gvproxy,gvproxy',
 '500,6,0,gvproxy,gvproxy',
+ '500,17,53,gvproxy,gvproxy',
+ '500,17,53,gvproxy,gvproxy',
 '500,6,32768,gvproxy,gvproxy',
- '500,17,123,gvproxy,gvproxy'
- )
- AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy'
- )
- AND NOT (
- unsigned_exception = '500,0,0,chainlink,chainlink'
- AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/chainlink'
- AND remote_port = 0
- AND protocol = 0
- )
- AND NOT (
- unsigned_exception = '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
- AND p0.path LIKE '/nix/store/%-telegram-desktop-%'
- AND remote_port = 0
- AND protocol = 0
+ '500,0,0,chainlink,chainlink',
+ '500,17,123,gvproxy,gvproxy',
+ '500,0,0,,',
+ '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
 )
 GROUP BY
 p0.cmdline
diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
index 79f4422..d0fdedd 100644
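Review bot: `'500,17,53,gvproxy,gvproxy'` appears twice in the new `unsigned_exception IN (...)` list of unexpected-talkers-macos.sql; one copy should go. The rewrite also drops the `p0.path LIKE ...` qualifiers that previously tied the gvproxy, chainlink and .Telegram-wrapped exceptions to an install location, so any uid-500 process that merely reports one of those names is now excluded, and the new `'500,0,0,,'` entry excludes every nameless uid-500 entry with protocol 0 and port 0; if that widening is intended, a comment such as `-- name-only exceptions: path is deliberately not checked` makes the trade-off visible to the next reader. The `-- port 0 means ...` comment now heads a list that also carries ports 53, 123 and 32768, so it explains only part of what follows it.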
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -111,6 +111,7 @@ WHERE
 '/dev/snd/seq',
 '/dev/urandom',
 '/dev/vga_arbiter',
+ '/dev/udmabuf',
 '/dev/video10' -- workaround for poor regex management (ffmpeg)
 )
 AND pof.path NOT LIKE '/dev/pts/%'
diff --git a/detection/discovery/unexpected-bpf-user.sql b/detection/discovery/unexpected-bpf-user.sql
index 930e6c3..0729d3d 100644
--- a/detection/discovery/unexpected-bpf-user.sql
+++ b/detection/discovery/unexpected-bpf-user.sql
@@ -39,6 +39,7 @@ WHERE
 AND p.path NOT IN (
 '/usr/bin/qemu-system-x86_64',
 '/usr/lib/systemd/systemd',
+ '/usr/lib/systemd/systemd-nsresourced',
 '/var/opt/Elastic/Endpoint/elastic-endpoint',
 '/opt/Elastic/Endpoint/elastic-endpoint'
 )
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index e0769de..69f2e44 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -154,40 +154,41 @@ WHERE
 '~/.zsh'
 )
 OR top_dir IN ('~/Sync', '~/src', '~/workspace', '~/dev')
- OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
- OR dir LIKE '/opt/homebrew/%/.cache/%'
- OR dir LIKE '~/%enterprise-packages/.chainguard'
- OR dir LIKE '/private/tmp/%/.git'
- OR dir LIKE '/tmp/.mount_%'
- OR dir LIKE '/tmp/%/.git'
- OR dir LIKE '~/%/.tests/%'
- OR dir LIKE '/tmp/%/.github/workflows'
- OR dir LIKE '~/%/.terragrunt-cache/%'
+ OR dir LIKE '~/.%'
 OR dir LIKE '%/.build'
+ OR dir LIKE '%/.cache/melange%'
 OR dir LIKE '%/.cargo/%'
+ OR dir LIKE '~/code/%'
+ OR dir LIKE '~/%/.config/nvim'
+ OR dir LIKE '~/dev/%/dots/%/.config%'
+ OR dir LIKE '~/%/.docker%'
+ OR dir LIKE '~/%enterprise-packages/.chainguard'
 OR dir LIKE '%/.git'
 OR dir LIKE '%/.git/%'
- OR dir LIKE '%/.gradle'
- OR dir LIKE '%/.github/%'
- OR dir LIKE '%/node_modules/.bin'
- OR dir LIKE '%/.cache/melange%'
 OR dir LIKE '%/.github'
- OR dir LIKE '%/.venv'
- OR dir LIKE '/home/build/.cache%'
- OR dir LIKE '~/.%'
- OR dir LIKE '~/.gradle/%'
- OR dir LIKE '~/%/.config/nvim'
- OR dir LIKE '~/%/.docker%'
- OR dir LIKE '/.gradle/%'
- OR dir LIKE '~/%/.modcache/%'
- OR dir LIKE '~/%/.terraform%'
- OR dir LIKE '~/%/.vercel%'
+ OR dir LIKE '%/.github/%'
 OR dir LIKE '~/%/github.com/%'
- OR dir LIKE '~/%/node_modules/.pnpm/%'
- OR dir LIKE '~/%/src/%'
 OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
- OR dir LIKE '~/code/%'
- OR dir LIKE '~/dev/%/dots/%/.config%'
+ OR dir LIKE '%/.gradle'
+ OR dir LIKE '/.gradle/%'
+ OR dir LIKE '~/.gradle/%'
+ OR dir LIKE '/home/build/%'
+ OR dir LIKE '/home/build/.%'
+ OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
+ OR dir LIKE '~/%/.modcache/%'
+ OR dir LIKE '%/node_modules/.bin'
+ OR dir LIKE '~/%/node_modules/.pnpm/%'
+ OR dir LIKE '/opt/homebrew/%/.cache/%'
+ OR dir LIKE '/private/tmp/%/.git'
+ OR dir LIKE '~/%/src/%'
+ OR dir LIKE '~/%/.terraform%'
+ OR dir LIKE '~/%/.terragrunt-cache/%'
+ OR dir LIKE '~/%/.tests/%'
+ OR dir LIKE '/tmp/%/.git'
+ OR dir LIKE '/tmp/%/.github/workflows'
+ OR dir LIKE '/tmp/.mount_%'
+ OR dir LIKE '%/.venv'
+ OR dir LIKE '~/%/.vercel%'
 OR dir LIKE '~/src/%' -- For sudo calls to other things
 OR (
 dir LIKE '/home/.terraform.d/%'
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index fa1bc62..2430dfd 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -99,6 +99,7 @@ WHERE
 )
 AND NOT top3_dir IN (
 '~/.bin',
+ '~/.vscode/cli',
 '~/.bin-unwrapped',
 '~/.cache/gitstatus',
 '~/.cache/selenium',
diff --git a/detection/evasion/name_path_mismatch.sql b/detection/evasion/name_path_mismatch.sql
index be4b814..85e807c 100644
--- a/detection/evasion/name_path_mismatch.sql
+++ b/detection/evasion/name_path_mismatch.sql
@@ -91,6 +91,7 @@ WHERE
 AND NOT exception_key IN (
 '0,udevadm,systemd-udevd',
 '0,udevadm,(udev-worker)',
+ '0,systemd-executor,(sd-pam)',
 '120,systemd-executor,(sd-pam)',
 '42,systemd-executor,(sd-pam)',
 '500,busybox,sh',
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index 9921bdf..c28d06f 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -61,10 +61,11 @@ WHERE
 AND strftime('%s', 'now') - file.ctime > 20
 AND file.path NOT IN (
 '/.autorelabel',
+ '/.cache/',
+ '/dev/.blkid.tab',
 '/dev/.mdadm/',
 '/.equarantine/',
 '/etc/.bootcount',
- '/dev/.blkid.tab',
 '/etc/.clean',
 '/etc/.java/',
 '/etc/.resolv.conf.systemd-resolved.bak',
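Review bot: `OR dir LIKE '/home/build/.%'` is already matched by `OR dir LIKE '/home/build/%'` two lines above it in the same hunk of hidden-cwd.sql — LIKE's `%` matches a leading dot — so one of the two lines is dead. Together they also turn the previous `/home/build/.cache%` carve-out into an exception for every hidden directory under /home/build, which is a broad hole for a hidden-working-directory detection; if only the build cache is expected there, `OR dir LIKE '/home/build/.cache%'` keeps that intent, otherwise a one-line comment on why all of /home/build is trusted would help. The enclosing `WHERE` block begins before this hunk and continues after it.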
@@ -79,11 +80,8 @@ WHERE
 '/.mozilla/',
 '/tmp/.accounts-agent/',
 '/tmp/.audio-agent/',
- -- Xcode;
- -- see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
- -- and https://github.com/fyne-io/fyne-cross/issues/187#issuecomment-1666606946
- '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F',
 '/tmp/.bazelci/',
+ '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F', -- Xcode
 '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
 '/tmp/.content-agent/',
 '/tmp/._contentbarrier_installed',
@@ -97,7 +95,6 @@ WHERE
 '/tmp/.eos-update-notifier.log',
 '/tmp/.featureflags-agent/',
 '/tmp/.font-unix/',
- '/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
 '/tmp/.git/',
 '/tmp/.go-version',
 '/tmp/.helmrepo',
@@ -110,14 +107,13 @@ WHERE
 '/tmp/.ses',
 '/tmp/.settings-agent/',
 '/tmp/.SIGN.RSA.chainguard-enterprise.rsa.pub',
+ '/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
 '/tmp/.SIGN.RSA..local-melange.rsa.pub',
 '/tmp/.SIGN.RSA.local-melange.rsa.pub',
 '/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
 '/tmp/.s.PGSQL.5432',
- '/var/root/.nx/',
 '/tmp/.s.PGSQL.5432.lock',
 '/tmp/.terraform/',
- '/.cache/',
 '/tmp/.terraform.lock.hcl',
 '/tmp/.Test-unix/',
 '/tmp/.touchpaddefaults',
@@ -151,6 +147,7 @@ WHERE
 '/var/db/.StagedAppleUpgrade',
 '/var/db/.SystemPolicy-default',
 '/var/home/.duperemove.hash',
+ '/var/home/.snapshots',
 '/var/mail/.cache/',
 '/var/.ntw_cache',
 '/var/.Parallels_swap/',
@@ -158,8 +155,8 @@ WHERE
 '/var/root/.bash_history',
 '/var/root/.bash_profile',
 '/var/root/.cache/',
- '/var/root/.config/',
 '/var/root/.CFUserTextEncoding',
+ '/var/root/.config/',
 '/var/root/.docker/',
 '/var/root/.forward',
 '/var/roothome/.bash_history',
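Review bot: `'/var/home/.snapshots'` (hunk @@ -151) and `'/var/home/.snapshots/'` (hunk @@ -173, on the next line of this diff) are both added to the same `file.path NOT IN (...)` list in unexpected-hidden-system-paths.sql, and every existing directory entry in that list carries a trailing slash (`'/var/root/.cache/'`, `'/dev/.mdadm/'`, `'/.cache/'`). Since `NOT IN` compares exactly, only one of the two spellings can ever match the path osquery reports, so the other is dead weight; keep the form that matches the existing entries and drop the other, and move it out of the `/var/roothome/` run where the slashed copy currently sits.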
@@ -173,11 +170,14 @@ WHERE
 '/var/roothome/.local/',
 '/var/roothome/.osquery/',
 '/var/roothome/.ssh/',
+ '/var/roothome/.var/',
+ '/var/home/.snapshots/',
 '/var/roothome/.viminfo',
 '/var/root/.lesshst',
 '/var/root/.nix-channels',
 '/var/root/.nix-defexpr/',
 '/var/root/.nix-profile/',
+ '/var/root/.nx/',
 '/var/root/.osquery/',
 '/var/root/.PenTablet/',
 '/var/root/.provisio',
diff --git a/detection/evasion/unexpected-ld-so-files-linux.sql b/detection/evasion/unexpected-ld-so-files-linux.sql
index c09a7d1..3b8cb06 100644
--- a/detection/evasion/unexpected-ld-so-files-linux.sql
+++ b/detection/evasion/unexpected-ld-so-files-linux.sql
@@ -62,12 +62,15 @@ WHERE
 '/etc/ld.so.conf.d/llvm15-x86_64.conf,0644,22,30e995961d9e382d287469acce7e168d15811356bf20971fc17bb582a8d62afa',
 '/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3',
 '/etc/ld.so.conf.d/llvm17-x86_64.conf,0644,22,3aceee0a4efb8cc2b0f981035cdbb6f28be48634f72f9b6fb98c1e282d32347c',
+ '/etc/ld.so.conf.d/llvm18-x86_64.conf,0644,22,a22fdfb5b0443aa1e820a319c56867529ebc54b0f11634c51e5dd847cd8f1b97',
 '/etc/ld.so.conf.d/mariadb-x86_64.conf,0644,17,598466b4954bc66c6f45f1f119211b0698d4a549f6c01b5d9a933a2511b82626',
+ '/etc/ld.so.conf.d/mingw32-hostlib.conf,0644,27,3cc2feee654c7193027397a7f6ab41bd1c6db13fda295278205a050f870f3f3d',
 '/etc/ld.so.conf.d/mingw64-hostlib.conf,0644,29,df1b65371bead6dddc703346f56dde023e22d52d9f071a3b646beaaec75a53c9',
 '/etc/ld.so.conf.d/nessus.conf,0644,16,5a9dc65a4a0daa50ce9dd70ff3973fcceef9660cc3fdf5bb0beec8e0b6c57708',
 '/etc/ld.so.conf.d/opencollada.conf,0644,21,2fc9656a2b881ca4528416daa91fc525adaa97d73e96a18b41aa7856270eba1f',
 '/etc/ld.so.conf.d/perf.conf,0644,14,c67f871bdc72182dc75c160b16ca3b5371fdab76a27199a29f14b52a5aed1d3f',
 '/etc/ld.so.conf.d/pipewire-jack-x86_64.conf,0644,30,cf4cb69feaa8ec8b99558c4e1123518831b3c56488981cbc34a662fe218ef221',
+ '/etc/ld.so.conf.d/pipewire-jack-x86_64-linux-gnu.conf,0644,45,b84c0e703c387e522837367d8db7b09d46aa3c39a476471643dda38faf5b226d',
 '/etc/ld.so.conf.d/tix-x86_64.conf,0644,18,b2ef4843990ded5fd96e417fc08027a785fac59bd70eca6a26dd7b057542273a',
 '/etc/ld.so.conf.d/x86_64-linux-gnu.conf,0644,100,f03e4740e6922b4f4a1181cd696b52f62f9f10d003740a8940f7121795c59c98',
 '/etc/ld.so.conf.d/zz_i386-biarch-compat.conf,0644,56,4e3c617050427d51497a0e5969b0159421580cf5e7c9649e39f45b5e2fcb47b6',
diff --git a/detection/evasion/unusual-process-name-linux.sql b/detection/evasion/unusual-process-name-linux.sql
index 51fa865..a723780 100644
--- a/detection/evasion/unusual-process-name-linux.sql
+++ b/detection/evasion/unusual-process-name-linux.sql
@@ -40,6 +40,7 @@ FROM
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
+ p0.start_time < (strftime('%s', 'now') - 43200)
 AND (
 pname LIKE "%kthread%"
 OR pname LIKE "%-help"
@@ -98,6 +99,7 @@ WHERE
 AND basename NOT IN (
 "acpid",
 "busybox",
+ "cpulimit",
 "com.docker.backend",
 "com.docker.build",
 "com.docker.extensions",
@@ -126,6 +128,7 @@ WHERE
 "xwaylandvideobridge"
 )
 AND basename NOT LIKE '___Test%'
+ AND basename NOT LIKE '___2Test%'
 AND NOT (
 basename IN ('nm-dispatcher')
 AND p1_pid = 1
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
index ee35ad5..5934d17 100644
--- a/detection/evasion/unusual-process-name-macos.sql
+++ b/detection/evasion/unusual-process-name-macos.sql
@@ -43,6 +43,7 @@ FROM
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
+ p0.start_time < (strftime('%s', 'now') - 43200)
 AND (
 pname LIKE "%kthread%"
 OR pname LIKE "%-help"
@@ -105,6 +106,8 @@ WHERE
 'at.obdev.littlesnitch.networkextension',
 'com.microsoft.teams2.notificationcenter',
 'cpu',
+ 'xdg-open',
+ 'EncryptMe',
 'dynamiclinkmanager',
 'launchd_startx'
 )
diff --git a/detection/execution/exotic-commands-macos.sql b/detection/execution/exotic-commands-macos.sql
index d6b84ee..f38a3f0 100644
--- a/detection/execution/exotic-commands-macos.sql
+++ b/detection/execution/exotic-commands-macos.sql
@@ -79,7 +79,7 @@ WHERE
 ) != "" -- suspicious things
 OR REGEX_MATCH (
 p.cmdline,
- "(UserKnownHostsFile=/dev/null|ransom|malware|fsockopen|openssl.*quiet|pty.spawn|SOCK_STREAM)",
+ "(UserKnownHostsFile=/dev/null|ransom|fsockopen|openssl.*quiet|pty.spawn|SOCK_STREAM)",
 1
 ) != "" -- Crypto miners
 OR REGEX_MATCH (
diff --git a/detection/execution/unexpected-execdir-linux.sql b/detection/execution/unexpected-execdir-linux.sql
index 6e2355b..38a8222 100644
--- a/detection/execution/unexpected-execdir-linux.sql
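Review bot: The new `p0.start_time < (strftime('%s', 'now') - 43200)` predicate in unusual-process-name-linux.sql means a process must have been alive for twelve hours before it can be flagged, and nothing in the hunk says why; detection/persistence/minimal-socket-client-linux.sql carries `-- optimization: focus on longer running processes` on the same kind of line, so the matching comment belongs here and on the identical hunk in detection/evasion/unusual-process-name-macos.sql, e.g. `-- optimization: only consider processes running for 12h+ (43200s); short-lived oddly-named processes are not flagged`. Stating the window matters because it is a deliberate detection trade-off, not a tuning constant. As rendered, the old side reads `WHERE` immediately followed by `AND (`, which SQLite would reject; if that is accurate, the added line also repairs a broken query and deserves a mention in the commit message.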
+++ b/detection/execution/unexpected-execdir-linux.sql
@@ -67,6 +67,7 @@ WHERE
 AND INSTR(path, "/var/kolide-k2/") != 1
 AND INSTR(path, "/usr/share/spotify") != 1
 AND INSTR(path, "/usr/share/code/") != 1
+ AND INSTR(path, "/usr/share/smartgit/") != 1
 AND INSTR(path, "/var/home/") != 1
 AND INSTR(path, "/usr/local/") != 1
 AND INSTR(path, "/tmp/go-build") != 1
diff --git a/detection/execution/unexpected-gatekeeper-approvals-macos.sql b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
index a575523..0c2dfcf 100644
--- a/detection/execution/unexpected-gatekeeper-approvals-macos.sql
+++ b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
@@ -30,6 +30,7 @@ WHERE
 AND gap.path NOT LIKE '/Users/%/%_darwin_a%64%'
 AND gap.path NOT LIKE '/Users/%/Downloads/cosign'
 AND gap.path NOT LIKE '/Users/%/Downloads/missp'
+ AND gap.path NOT LIKE '/Users/%/Downloads/twistcli'
 AND gap.path NOT LIKE '/Users/%/bom'
 AND gap.path NOT LIKE '/Users/%/configure'
 AND gap.path NOT LIKE '/Users/%/cosign-%'
diff --git a/detection/persistence/minimal-socket-client-linux.sql b/detection/persistence/minimal-socket-client-linux.sql
index 3fe2732..cd6a988 100644
--- a/detection/persistence/minimal-socket-client-linux.sql
+++ b/detection/persistence/minimal-socket-client-linux.sql
@@ -36,20 +36,23 @@ WHERE
 p0.path != '' -- optimization: focus on longer running processes
 AND p0.start_time < (strftime('%s', 'now') - 900)
 AND p0.path NOT IN (
- '/usr/bin/containerd',
- '/usr/bin/fusermount3',
- '/usr/sbin/acpid',
- '/usr/bin/dash',
 '/opt/bitnami/redis/bin/redis-server',
- '/usr/bin/kas',
- '/usr/local/bin/gitary',
- '/usr/bin/docker',
- '/usr/sbin/mcelog',
- '/usr/libexec/docker/docker-proxy',
- '/usr/bin/docker-proxy',
 '/usr/bin/cat',
+ '/usr/bin/containerd',
+ '/usr/bin/dash',
+ '/usr/bin/docker',
+ '/usr/bin/docker-proxy',
+ '/usr/bin/fusermount3',
+ '/usr/bin/i3blocks',
+ '/usr/bin/kas',
+ '/usr/bin/vmalert',
 '/usr/lib/electron/chrome-sandbox',
- '/usr/bin/i3blocks'
+ '/usr/libexec/docker/docker-proxy',
+ '/usr/lib/snapd/snapd',
+ '/usr/local/bin/containerd',
+ '/usr/local/bin/gitary',
+ '/usr/sbin/acpid',
+ '/usr/sbin/mcelog'
 )
 AND p0.name NOT IN (
 'chrome_crashpad',
diff --git a/detection/persistence/suspicious-systemd-unit.sql b/detection/persistence/suspicious-systemd-unit.sql
index 0aaf65b..54d7680 100644
--- a/detection/persistence/suspicious-systemd-unit.sql
+++ b/detection/persistence/suspicious-systemd-unit.sql
@@ -226,6 +226,7 @@ rule usr_bin_execstop_shell : medium {
 $execstop = /ExecStop=\/bin\/sh .{0,64}/
 $not_podman_logging = "/usr/bin/podman $LOGGING"
 $not_stderr = /ExecStop=\/bin\/sh .{0,64}set -eu/
+ $not_nfs = /ExecStop=\/bin\/sh -c \'\/usr\/sbin\/nfsdctl /
 condition:
 filesize < 4096 and $execstop and none of ($not*)
 }
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index c2ac23c..26b2894 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
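Review bot: `$not_nfs = /ExecStop=\/bin\/sh -c \'\/usr\/sbin\/nfsdctl /` in suspicious-systemd-unit.sql puts a literal single quote inside the YARA regex; if this rule text is embedded in the query as a single-quoted SQL string, the way `yara.sigrule = '...'` is in detection/persistence/yara-suspicious-strings-process-linux.sql, SQLite does not treat a backslash as an escape, so that `'` terminates the string literal and breaks the whole query. Either double it for SQL (`''`) or avoid the quote in the pattern altogether, e.g. `$not_nfs = /ExecStop=\/bin\/sh -c .\/usr\/sbin\/nfsdctl /`. The enclosing `rule usr_bin_execstop_shell` starts before the hunk, so the quoting context is not visible here.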
@@ -59,9 +59,9 @@ WHERE
 'anacron.service,Run anacron jobs,',
 'anacron.timer,Trigger anacron every hour,',
 'apache2.service,The Apache HTTP Server,',
+ 'apache-htcacheclean.service,Disk Cache Cleaning Daemon for Apache HTTP Server,www-data',
 'apcupsd.service,APC UPS Power Control Daemon for Linux,',
 'apparmor.service,Load AppArmor profiles,',
- 'vnstat.service,vnStat network traffic monitor,vnstat',
 'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),',
 'apport-autoreport.service,Process error reports when automatic reporting is enabled,',
 'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),',
@@ -90,9 +90,9 @@ WHERE
 'bluetooth.service,Bluetooth service,',
 'bolt.service,Thunderbolt system service,',
 'bootupd.socket,bootupd.socket,',
- 'brew-upgrade.service,Upgrade Brew packages,1000',
 'brew-update.service,Auto update brew for mutable brew installs,1000',
 'brew-update.timer,Timer for brew update for mutable brew,',
+ 'brew-upgrade.service,Upgrade Brew packages,1000',
 'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
 'btrfs-dedup@var-home.timer,Weekly Btrfs deduplication on /var/home,',
 'ca-certificates.path,Watch for changes in CA certificates,',
@@ -175,7 +175,6 @@ WHERE
 'iscsiuio.socket,Open-iSCSI iscsiuio Socket,',
 'issue-generator.path,Watch for changes in issue snippets,',
 'iwd.service,Wireless service,',
- 'apache-htcacheclean.service,Disk Cache Cleaning Daemon for Apache HTTP Server,www-data',
 'jeos-firstboot.service,SUSE JeOS First Boot Wizard,',
 'jeos-firstboot-snapshot.service,SUSE JeOS First Boot Wizard - create system snapshot,',
 'kbdsettings.service,Apply settings from /etc/sysconfig/keyboard,',
@@ -327,9 +326,11 @@ WHERE
 'sshd.service,OpenSSH Daemon,',
 'sshd.service,OpenSSH server daemon,',
 'sshd.service,SSH Daemon,',
+ 'sshd-unix-local.socket,OpenSSH Server Socket (systemd-ssh-generator, AF_UNIX Local),',
 'ssh.service,OpenBSD Secure Shell server,',
 'ssh.socket,OpenBSD Secure Shell server socket,',
 'sssd-kcm.service,SSSD Kerberos Cache Manager,',
+ 'sssd-kcm.service,SSSD Kerberos Cache Manager,sssd',
 'sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,',
 'supergfxd.service,SUPERGFX,',
 'swapfile.swap,/swapfile,',
@@ -340,19 +341,23 @@ WHERE
 'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,',
 'sysstat.service,Resets System Activity Logs,root',
 'sysstat-summary.timer,Generate summary of yesterday''s process accounting,',
+ 'system-cups.slice,CUPS Slice,',
 'systemd-ask-password-console.path,Dispatch Password Requests to Console Directory Watch,',
 'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,',
 'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,',
 'systemd-binfmt.service,Set Up Additional Binary Formats,',
+ 'systemd-bootctl.socket,Boot Entries Service Socket,',
 'systemd-boot-random-seed.service,Update Boot Loader Random Seed,',
 'systemd-boot-update.service,Automatic Boot Loader Update,',
 'systemd-coredump.socket,Process Core Dump Socket,',
+ 'systemd-creds.socket,Credential Encryption/Decryption,',
 'systemd-fsckd.socket,fsck to fsckd communication Socket,',
 'systemd-fsck-root.service,File System Check on Root Device,',
 'systemd-growfs@-.service,Grow File System on /,',
 'systemd-homed-activate.service,Home Area Activation,',
 'systemd-homed.service,Home Area Manager,',
 'systemd-hostnamed.service,Hostname Service,',
+ 'systemd-hostnamed.socket,Hostname Service Socket,',
 'systemd-hwdb-update.service,Rebuild Hardware Database,',
 'systemd-initctl.socket,initctl Compatibility Named Pipe,',
 'systemd-journal-catalog-update.service,Rebuild Journal Catalog,',
@@ -360,16 +365,20 @@ WHERE
 'systemd-journald-dev-log.socket,Journal Socket (/dev/log),',
 'systemd-journald.service,Journal Service,',
 'systemd-journald.socket,Journal Socket,',
+ 'systemd-journald.socket,Journal Sockets,',
 'systemd-journal-flush.service,Flush Journal to Pers
istent Storage,',
 'systemd-localed.service,Locale Service,',
 'systemd-logind.service,User Login Management,',
 'systemd-machined.service,Virtual Machine and Container Registration Service,',
 'systemd-machine-id-commit.service,Commit a transient machine-id on disk,',
 'systemd-modules-load.service,Load Kernel Modules,',
+ 'systemd-mountfsd.socket,DDI File System Mounter Socket,',
 'systemd-networkd.service,Network Configuration,systemd-network',
 'systemd-networkd.socket,Network Service Netlink Socket,',
 'systemd-networkd-wait-online.service,Wait for Network to be Configured,',
 'systemd-network-generator.service,Generate network units from Kernel command line,',
+ 'systemd-nsresourced.service,Namespace Resource Manager,',
+ 'systemd-nsresourced.socket,Namespace Resource Manager Socket,',
 'systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom',
 'systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,',
 'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,',
@@ -383,6 +392,7 @@ WHERE
 'systemd-rfkill.socket,Load/Save RF Kill Switch Status /dev/rfkill Watch,',
 'systemd-suspend.service,System Suspend,',
 'systemd-sysctl.service,Apply Kernel Variables,',
+ 'systemd-sysext.socket,System Extension Image Management,',
 'systemd-sysext.socket,System Extension Image Management (Varlink),',
 'systemd-sysusers.service,Create System Users,',
 'systemd-timedated.service,Time & Date Service,',
@@ -395,6 +405,7 @@ WHERE
 'systemd-udevd-control.socket,udev Control Socket,',
 'systemd-udevd-kernel.socket,udev Kernel Socket,',
 'systemd-udevd.service,Rule-based Manager for Device Events and Files,',
+ 'systemd-udev-load-credentials.service,Load udev Rules from Credentials,',
 'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,',
 'systemd-udev-trigger.service,Coldplug All udev Devices,',
 'systemd-update-done.service,Update is Completed,',
@@ -410,6 +421,8 @@ WHERE
 'thermald.service,Thermal Daemon Service,',
 'tlp.service,TLP system startup/shutdown,',
 'touchegg.service,Touchégg Daemon,',
+ 'tuned-ppd.service,PPD-to-TuneD API Translation Daemon,',
+ 'tuned.service,Dynamic System Tuning Daemon,',
 'ua-timer.timer,Ubuntu Advantage Timer for running repeated jobs,',
 'ua-timer.timer,Ubuntu Pro Timer for running repeated jobs,',
 'ublue-system-setup.service,Configure system,',
@@ -485,6 +498,7 @@ WHERE
 'virtvboxd-admin.socket,libvirt VirtualBox daemon admin socket,',
 'virtvboxd-ro.socket,libvirt VirtualBox daemon read-only socket,',
 'virtvboxd.socket,libvirt VirtualBox daemon socket,',
+ 'vnstat.service,vnStat network traffic monitor,vnstat',
 'whoopsie.path,Start whoopsie on modification of the /var/crash directory,',
 'wickedd-auto4.service,wicked AutoIPv4 supplicant service,',
 'wickedd-dhcp4.service,wicked DHCPv4 supplicant service,',
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 688a94f..72037d3 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -228,6 +228,7 @@ WHERE state = 1
 'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo',
 'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd',
 'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn',
+ 'true,,LeadIQ: Contact Data in One Click,befngoippmpmobkkpkdoblkmofpjihnk',
 'true,,Lever Hire Extension,dgbcohbjchndmjocioegkgdniaffcaia',
 'true,,Link to Text Fragment,pbcodcjpfjdpcineamnnmbkkmkdpajjg',
 'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo',
diff --git a/detection/persistence/unexpected-cron-entries.sql b/detection/persistence/unexpected-cron-entries.sql
index ad8b744..1501db0 100644
--- a/detection/persistence/unexpected-cron-entries.sql
+++ b/detection/persistence/unexpected-cron-entries.sql
@@ -27,4 +27,5 @@ WHERE
 AND command NOT LIKE 'gsutil %'
 AND command NOT LIKE 'root command -v debian-sa1%'
 AND command NOT LIKE 'root test -x /usr/bin/geoipupdate % && /usr/bin/geoipupdate'
- AND command NOT LIKe 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'
+ AND command NOT LIKE 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'
+ AND command NOT IN ("ps -A | grep at.obdev.littlesnitch.networkextension | grep -v 'grep' | awk '{print $1}' | xargs kill")
diff --git a/detection/persistence/unexpected-device-linux.sql b/detection/persistence/unexpected-device-linux.sql
index ee3b403..270b335 100644
--- a/detection/persistence/unexpected-device-linux.sql
+++ b/detection/persistence/unexpected-device-linux.sql
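Review bot: The new `AND command NOT IN ("ps -A | grep at.obdev.littlesnitch.networkextension | ... | xargs kill")` in unexpected-cron-entries.sql uses double quotes for a string value, which SQLite only honours through its legacy double-quoted-string fallback (absent in builds compiled with SQLITE_DQS=0), while every neighbouring predicate uses single quotes; write it as `AND command != 'ps -A | grep at.obdev.littlesnitch.networkextension | grep -v ''grep'' | awk ''{print $1}'' | xargs kill'`, which also drops the one-element `NOT IN`. Separately, this exception suppresses a cron job whose effect is to kill the Little Snitch network extension, i.e. to switch off a host firewall, which is the kind of persistence this query exists to surface; a comment naming the owner or host on which this job is legitimate would let a reviewer tell it apart from a copy planted by someone else.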
@@ -60,39 +60,39 @@ WHERE (
 AND path NOT LIKE '%/./%'
 AND path NOT LIKE '%/../%'
 AND exception_key NOT IN (
- '/dev/HID-SENSOR-e..auto,character',
- '/dev/accel/,directory',
 '/dev/accel/accel,character',
+ '/dev/accel/,directory',
 '/dev/acpi_thermal_rel,character',
 '/dev/autofs,character',
 '/dev/binder,character',
- '/dev/binderfs/,directory',
 '/dev/binderfs/binder,character',
 '/dev/binderfs/binder-control,character',
+ '/dev/binderfs/,directory',
 '/dev/binderfs/features,directory',
 '/dev/binderfs/hwbinder,character',
 '/dev/binderfs/vndbinder,character',
- '/dev/block/,directory',
 '/dev/block/:,block',
- '/dev/bsg/,directory',
+ '/dev/block/,directory',
 '/dev/bsg/:::,character',
+ '/dev/bsg/,directory',
 '/dev/btrfs-control,character',
 '/dev/bus/,directory',
 '/dev/bus/usb,directory',
 '/dev/cdrom,block',
 '/dev/cec,character',
- '/dev/char/,directory',
 '/dev/char/:,character',
+ '/dev/char/,directory',
 '/dev/char/:,unknown',
 '/dev/console,character',
 '/dev/core,regular',
 '/dev/cpu/,directory',
- '/dev/cpu/microcode',
 '/dev/cpu_dma_latency,character',
+ '/dev/cpu/microcode',
 '/dev/cros_ec,character',
 '/dev/cuse,character',
+ '/dev/data/,directory',
+ '/dev/data/root,block',
 '/dev/dbc,character',
- '/dev/disk/,directory',
 '/dev/disk/by-diskseq,directory',
 '/dev/disk/by-dname,directory',
 '/dev/disk/by-id,directory',
@@ -103,12 +103,13 @@ WHERE (
 '/dev/disk/by-partuuid,directory',
 '/dev/disk/by-path,directory',
 '/dev/disk/by-uuid,directory',
- '/dev/dm-,block',
+ '/dev/disk/,directory',
 '/dev/dma_heap/,directory',
 '/dev/dma_heap/system,character',
- '/dev/dri/,directory',
+ '/dev/dm-,block',
 '/dev/dri/by-path,directory',
 '/dev/dri/card,character',
+ '/dev/dri/,directory',
 '/dev/dri/renderD,character',
 '/dev/drm_dp_aux,character',
 '/dev/ecryptfs,character',
@@ -123,6 +124,7 @@ WHERE (
 '/dev/fuse,character',
 '/dev/gpiochip,character',
 '/dev/hidraw,character',
+ '/dev/HID-SENSOR-e..auto,character',
 '/dev/hpet,character',
 '/dev/hugepages/,directory',
 '/dev/hugepages/libvirt,directory',
@@ -131,9 +133,9 @@ WHERE (
 '/dev/ic-,character',
 '/dev/iio:device,character',
 '/dev/initctl,fifo',
- '/dev/input/,directory',
 '/dev/input/by-id,directory',
 '/dev/input/by-path,directory',
+ '/dev/input/,directory',
 '/dev/input/event,character',
 '/dev/input/js,character',
 '/dev/input/mice,character',
@@ -142,8 +144,8 @@ WHERE (
 '/dev/kfd,character',
 '/dev/kmsg,character',
 '/dev/kvm,character',
- '/dev/libmtp--.,character',
 '/dev/libmtp--,character',
+ '/dev/libmtp--.,character',
 '/dev/log,socket',
 '/dev/loop,block',
 '/dev/loop-control,character',
@@ -153,9 +155,9 @@ WHERE (
 '/dev/mei,character',
 '/dev/mem,character',
 '/dev/mqueue/,directory',
+ '/dev/mtd/by-name,directory',
 '/dev/mtd,character',
 '/dev/mtd/,directory',
- '/dev/mtd/by-name,directory',
 '/dev/mtdro,character',
 '/dev/net/,directory',
 '/dev/net/tun,character',
@@ -163,10 +165,10 @@ WHERE (
 '/dev/ntsync,character',
 '/dev/null,character',
 '/dev/nvidia,character',
+ '/dev/nvidiactl,character',
 '/dev/nvidia-modeset,character',
 '/dev/nvidia-uvm,character',
 '/dev/nvidia-uvm-tools,character',
- '/dev/nvidiactl,character',
 '/dev/nvme,character',
 '/dev/nvmen,block',
 '/dev/nvmenp,block',
@@ -188,22 +190,23 @@ WHERE (
 '/dev/sdc,block',
 '/dev/sdd,block',
 '/dev/sde,block',
- '/dev/serial/,directory',
 '/dev/serial/by-id,directory',
 '/dev/serial/by-path,directory',
+ '/dev/serial/,directory',
 '/dev/sg,character',
 '/dev/sgx_provision',
 '/dev/shm/,directory',
 '/dev/shm/envoy_shared_memory_,regular',
+ '/dev/shm/jack_db-,directory',
 '/dev/shm/libpod_lock,regular',
 '/dev/shm/libpod_rootless_lock_,regular',
 '/dev/shm/lttng-ust-wait-,regular',
 '/dev/shm/lttng-ust-wait--,regular',
 '/dev/snapshot,character',
- '/dev/snd/,directory',
 '/dev/snd/by-id,directory',
 '/dev/snd/by-path,directory',
 '/dev/snd/controlC,character',
+ '/dev/snd/,directory',
 '/dev/snd/hwCD,character',
 '/dev/snd/pcmCDc,character',
 '/dev/snd/pcmCDp,character',
@@ -219,10 +222,10 @@ WHERE (
 '/dev/tee,character',
 '/dev/tpm,character',
 '/dev/tpmrm,character',
- '/dev/tty,character',
 '/dev/ttyACM,character',
- '/dev/ttyS,character',
+ '/dev/tty,character',
 '/dev/ttyprintk,character',
+ '/dev/ttyS,character',
 '/dev/ubuntu-vg/,directory',
 '/dev/udmabuf,character',
 '/dev/uhid,character',
@@ -233,8 +236,8 @@ WHERE (
 '/dev/usbmon,character',
 '/dev/userfaultfd,character',
 '/dev/userio,character',
- '/dev/vcs,character',
 '/dev/vcsa,character',
+ '/dev/vcs,character',
 '/dev/vcsu,character',
 '/dev/vfio/,directory',
 '/dev/vfio/vfio,character',
@@ -251,11 +254,11 @@ WHERE (
 '/dev/vhost-vsock',
 '/dev/vhost-vsock,character',
 '/dev/video,character',
- '/dev/vl-subdev,character',
- '/dev/vl/,directory',
 '/dev/vl/by-id,directory',
 '/dev/vl/by-path,directory',
+ '/dev/vl/,directory',
 '/dev/vlloopback,character',
+ '/dev/vl-subdev,character',
 '/dev/vndbinder,character',
 '/dev/vsock,character',
 '/dev/watchdog,character',
@@ -276,6 +279,7 @@ WHERE (
 AND NOT path LIKE '/dev/shm/sem.mp-%'
 AND NOT path LIKE '/dev/shm/u%-Shm_%'
 AND NOT path LIKE '/dev/shm/.com.google.Chrome.%'
+ AND NOT path LIKE '/dev/shm/.com.microsoft.Edge.%'
 AND NOT path LIKE '/dev/shm/libv4l-%'
 AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
 AND NOT path LIKE '/dev/%-vg/%-lv'
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 4307358..747efab 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -99,6 +99,7 @@ WHERE
 '3306,6,500,mariadbd,',
 '3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
 '33333,6,500,Ultimate,',
+ '49152,6,500,Windsurf Helper (Plugin),Developer ID Application: EXAFUNCTION, INC. (83Z2LHX6XW)',
 '3400,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)',
 '3491,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
 '3492,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
diff --git a/detection/persistence/yara-suspicious-strings-process-linux.sql b/detection/persistence/yara-suspicious-strings-process-linux.sql
index 95ce43b..d3c8a59 100644
--- a/detection/persistence/yara-suspicious-strings-process-linux.sql
+++ b/detection/persistence/yara-suspicious-strings-process-linux.sql
@@ -1,5 +1,5 @@
 -- Currently running program with Linux red flags --- --
 -- reference:
 -- * https://github.com/timb-machine/linux-malware/blob/725aad34e216cc024c93b04964b289f10f819e6e/defensive/yara/personal-malware-bazaar/unixredflags3.yara
 --
@@ -53,7 +53,7 @@ WHERE
 GROUP BY
 path
 )
- AND yara.sigrule = ' 
+ AND yara.sigrule = '
 rule redflags {
 strings:
 $bash_history = ".bash_history"
@@ -103,6 +103,7 @@ WHERE
 '/bin/fish',
 '/bin/dash',
 '/bin/sh',
+ '/usr/lib/systemd/systemd-executor',
 '/usr/bin/bash',
 '/usr/lib/snapd/snapd',
 '/usr/bin/snap',
diff --git a/detection/privesc/unexpected-setxid-process.sql b/detection/privesc/unexpected-setxid-process.sql
index 703f22c..140de8e 100644
--- a/detection/privesc/unexpected-setxid-process.sql
+++ b/detection/privesc/unexpected-setxid-process.sql
@@ -34,6 +34,7 @@ WHERE
 '/usr/lib/opt/1Password/1Password-BrowserSupport',
 '/opt/1Password/1Password-KeyringHelper',
 '/opt/google/chrome/chrome-sandbox',
+ '/opt/IRCCloud/chrome-sandbox',
 '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent',
 '/usr/bin/doas',
 '/usr/bin/crontab',