From 75a858b4eead2f17fe7a222a6bf88bae53f1d5ec Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Fri, 7 Oct 2022 16:19:18 -0400 Subject: [PATCH] Optimize queries for lower false positives --- fd/unexpected-pcap-user-macos.sql | 3 +- fd/unexpected-sensitive-file-access-linux.sql | 1 + net/unexpected-listening-port-linux.sql | 38 ++++++++-------- net/unexpected-talkers-linux.sql | 37 +++++++-------- net/unexpected-talkers-macos.sql | 18 ++++---- process/hidden-cwd.sql | 13 ++++-- process/missing-from-disk-macos.sql | 27 +++++------ process/recently-created-executables.sql | 24 +++++----- process/sketchy-fetcher.sql | 2 + process/tiny-executable.sql | 26 +++++++++++ process/touched-executable-macos.sql | 26 ++++++----- .../unexpected-executable-directory-macos.sql | 15 ++++--- process/unexpected-shell-parents.sql | 3 ++ process/unexpected-uid0-daemon-linux.sql | 2 + process_events/sketchy-fetcher-events.sql | 3 +- process_events/tiny-executable-events.sql | 28 ++++++++++++ ...unexpected-privilege-escalation-events.sql | 45 +++++++++++++++++++ startup/unexpected-small-udev-entry.sql | 44 ++++++++++++++++++ 18 files changed, 258 insertions(+), 97 deletions(-) create mode 100644 process/tiny-executable.sql create mode 100644 process_events/tiny-executable-events.sql create mode 100644 process_events/unexpected-privilege-escalation-events.sql create mode 100644 startup/unexpected-small-udev-entry.sql diff --git a/fd/unexpected-pcap-user-macos.sql b/fd/unexpected-pcap-user-macos.sql index e168f63..53462bd 100644 --- a/fd/unexpected-pcap-user-macos.sql +++ b/fd/unexpected-pcap-user-macos.sql @@ -34,6 +34,7 @@ WHERE pmm.path LIKE "%libpcap%" AND child_path NOT LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd" AND NOT s.authority IN ( "Software Signing", - "Apple Mac OS Application Signing" + "Apple Mac OS Application Signing", + "Developer ID Application: Kolide Inc (YZ3EM74M78)" ) GROUP BY pmm.pid \ No newline at end of file 
diff --git a/fd/unexpected-sensitive-file-access-linux.sql b/fd/unexpected-sensitive-file-access-linux.sql index 6fe7643..73ba893 100644 --- a/fd/unexpected-sensitive-file-access-linux.sql +++ b/fd/unexpected-sensitive-file-access-linux.sql @@ -73,6 +73,7 @@ WHERE f.uid != "" "firefox,file:// Content,~/.mozilla/firefox", "firefox,firefox,~/.cache/mozilla", "firefox,firefox,~/.mozilla/firefox", + "firefox,file:// Content,~/.cache/mozilla", "firefox,firefox,~/snap/firefox", "firefox,Isolated Servic,~/.cache/mozilla", "firefox,Isolated Servic,~/snap/firefox", diff --git a/net/unexpected-listening-port-linux.sql b/net/unexpected-listening-port-linux.sql index 4d5f1b1..d9988e3 100644 --- a/net/unexpected-listening-port-linux.sql +++ b/net/unexpected-listening-port-linux.sql 
@@ -55,60 +55,60 @@ WHERE ) IN ( "10250,6,0,kubelet", "10256,6,0,kube-proxy", - "17,255,500,dhcpcd", "1716,6,500,kdeconnectd", - "22,6,0,sshd", - "443,6,500,jcef_helper", - "4143,6,500,linkerd2-proxy", + "17,255,0,dhcpcd", + "17,255,500,dhcpcd", "22000,6,500,syncthing", + "22,6,0,sshd", "3000,6,472,grafana-server", - "8086,6,500,controller", - "4191,6,500,linkerd2-proxy", "3000,6,500,grafana-server", - "8090,6,500,linkerd-policy-", + "32768,6,0,tailscaled", "32768,6,0,.tailscaled-wra", - "32768,6,0,tailscaled", - "32768,6,0,tailscaled", "32768,6,500,com.docker.backend", + "32768,6,500,dleyna-renderer", "32768,6,500,spotify", "3551,6,0,apcupsd", - "8443,6,500,controller", + "4143,6,500,linkerd2-proxy", + "4191,6,500,linkerd2-proxy", + "443,6,500,jcef_helper", + "4443,6,500,metrics-server", "5000,6,500,ControlCenter", "5001,6,0,registry", "53,17,0,coredns", + "53,17,500,dnsmasq", + "5355,6,193,systemd-resolve", "53,6,0,coredns", "53,6,500,dnsmasq", - "5355,6,193,systemd-resolve", "5432,6,70,postgres", "546,17,500,dhcpcd", + "58,255,0,dhcpcd", "58,255,0,NetworkManager", "58,255,500,dhcpcd", - "53,17,500,dnsmasq", "631,17,0,cups-browsed", "6379,6,500,redis-server", "6443,6,0,kube-apiserver", "67,17,500,dnsmasq", - "8009,6,0,java", "68,17,500,dhcpcd", "7000,6,500,ControlCenter", - "80,6,60,nginx", "8008,6,500,controlplane", + "8009,6,0,java", + "80,6,60,nginx", "8080,6,0,coredns", - "443,6,500,jcef_helper", - "8086,6,0,influxd", - "4443,6,500,metrics-server", - "32768,6,500,dleyna-renderer", "8080,6,0,java", + "8086,6,0,influxd", + "8086,6,500,controller", "8086,6,500,influxd", - "53,17,500,dnsmasq", + "8090,6,500,linkerd-policy-", "8123,6,500,Brackets-node", "8181,6,0,coredns", "8443,6,0,kube-apiserver", + "8443,6,500,controller", "8443,6,500,controlplane", "9000,6,500,authentik-proxy", "9090,6,500,controlplane", "9153,6,0,coredns", "9300,6,500,authentik-proxy" + ) AND NOT ( p.path LIKE ",ko-app,%" 
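Review bot: The exception keys in this IN list combine port, protocol, uid and `p.name` only, so any executable that happens to carry a listed name (for example `tailscaled` or `coredns`) at the matching uid and port is exempted without any check on where it runs from; including `p.path` in the key, or the signing authority as the macOS variants do, would tie each allow-list entry to a specific binary. The same name-only keying applies to the lists in net/unexpected-talkers-linux.sql. Separately, the `)` added at the bottom of this hunk has no counterpart on the removed side, which suggests the IN list was unterminated before this commit and the query may not have parsed at all; if so its output is effectively new and worth checking against real data.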
diff --git a/net/unexpected-talkers-linux.sql b/net/unexpected-talkers-linux.sql index bef05dd..d3faa52 100644 --- a/net/unexpected-talkers-linux.sql +++ b/net/unexpected-talkers-linux.sql @@ -125,13 +125,13 @@ WHERE protocol > 0 AND NOT exception_key IN ( "123,17,,", "123,17,500,chronyd", - "22,6,,", - -- shortlived SSH (git push) - "22,6,500,ssh", "22067,6,500,syncthing", + "22,6,,", + "22,6,500,ssh", "27024,6,500,steam", "3100,6,500,firefox", "3100,6,500,k6", + "32768,6,0,tailscaled", "3307,6,500,cloud_sql_proxy", "4070,6,500,spotify", "443,17,500,chrome", @@ -139,7 +139,7 @@ WHERE protocol > 0 "443,17,500,jcef_helper", "443,17,500,slack", "443,17,500,spotify", - "443,6,0,.tailscaled-wra", + "443,6,0,apk", "443,6,0,containerd", "443,6,0,depmod", "443,6,0,dirmngr", @@ -147,17 +147,17 @@ WHERE protocol > 0 "443,6,0,dockerd", "443,6,0,influxd", "443,6,0,launcher", + "443,6,0,nix", "443,6,0,nix-daemon", "443,6,0,packagekitd", "443,6,0,pacman", "443,6,0,snapd", + "443,6,0,systemctl", "443,6,0,tailscaled", + "443,6,0,.tailscaled-wra", "443,6,0,yum", "443,6,105,https", - -- /usr/lib/apt/methods/https "443,6,472,grafana-server", - "443,6,500,___go_build_github_com_anchore_grype,a.out,", - "443,6,500,.firefox-wrappe", "443,6,500,1password", "443,6,500,authentik-proxy", "443,6,500,aws", @@ -179,6 +179,7 @@ WHERE protocol > 0 "443,6,500,electron", "443,6,500,emacs", "443,6,500,firefox", + "443,6,500,.firefox-wrappe", "443,6,500,flameshot", "443,6,500,geoclue", "443,6,500,gh", @@ -187,6 +188,7 @@ WHERE protocol > 0 "443,6,500,gnome-shell", "443,6,500,gnome-software", "443,6,500,go", + "443,6,500,___go_build_github_com_anchore_grype,a.out,", "443,6,500,grafana-server", "443,6,500,grype", "443,6,500,gunicorn", 
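Review bot: The re-sort drops the explanatory comments `-- shortlived SSH (git push)` and `-- /usr/lib/apt/methods/https` from this hunk (and `-- /usr/lib/apt/methods/http` in the @@ -236 hunk below), so `"22,6,500,ssh"`, `"443,6,105,https"` and `"80,6,105,http"` no longer record why uid 105 or a bare ssh is trusted. Attaching the rationale to the entry itself, e.g. `"443,6,105,https", -- /usr/lib/apt/methods/https`, keeps it next to the key when the list is sorted again. The re-added `"22,6,,"` has empty uid and name fields; if the key format is port,protocol,uid,name it exempts every port-22 connection regardless of process, and a short comment stating that this is deliberate (presumably connections with no resolvable process) would help the next reader.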
@@ -202,12 +204,13 @@ WHERE protocol > 0 "443,6,500,ko", "443,6,500,kolide-pipeline", "443,6,500,kubectl", + "443,6,500,minicli", "443,6,500,ngrok", "443,6,500,nix", "443,6,500,node", + "443,6,500,obs", "443,6,500,obs-browser-page", "443,6,500,obs-ffmpeg-mux", - "443,6,500,obs", "443,6,500,obsidian", "443,6,500,pingsender", "443,6,500,pip", @@ -220,11 +223,11 @@ WHERE protocol > 0 "443,6,500,spotify", "443,6,500,steamwebhelper", "443,6,500,teams", - "443,6,500,terraform-provi", "443,6,500,terraform", + "443,6,500,terraform-provi", "443,6,500,tkn", + "443,6,500,.tox-wrapped", "443,6,500,trivy", - "443,6,0,systemctl", "443,6,500,vcluster", "443,6,500,vim", "443,6,500,WebKitNetworkPr", @@ -236,31 +239,29 @@ WHERE protocol > 0 "443,6,500,zoom", "5228,6,500,chrome", "6000,6,500,ssh", + "67,17,0,NetworkManager", "7903,6,500,syncthing", - "80,6,0,.tailscaled-wra", + "8006,6,500,chrome", "80,6,0,dnf", - "443,6,500,.tox-wrapped", + "80,6,0,gdk-pixbuf-quer", "80,6,0,NetworkManager", "80,6,0,pacman", "80,6,0,tailscaled", + "80,6,0,.tailscaled-wra", "80,6,0,yum", "80,6,105,http", - -- /usr/lib/apt/methods/http - "80,6,500,.firefox-wrappe", "80,6,500,curl", "80,6,500,firefox", + "80,6,500,.firefox-wrappe", + "80,6,500,gitsign", "80,6,500,slack", "80,6,500,spotify", - "67,17,0,NetworkManager", "80,6,500,steam", - "80,6,0,gdk-pixbuf-quer", "80,6,500,steamwebhelper", "80,6,500,syncthing", - "8006,6,500,chrome", "8801,17,500,zoom", "9090,6,500,firefox", "9090,6,500,k6", - "443,6,0,nix", "9090,6,500,prometheus", "9090,6,500,rootlessport" ) -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen. diff --git a/net/unexpected-talkers-macos.sql b/net/unexpected-talkers-macos.sql index ebcbed3..8e8484b 100644 --- a/net/unexpected-talkers-macos.sql +++ b/net/unexpected-talkers-macos.sql 
@@ -116,8 +116,8 @@ WHERE protocol > 0 "22,6,500,Cyberduck,ch.sudo.cyberduck,Developer ID Application: David Kocher (G69SCX94XU)", "22,6,500,ssh,,", "22,6,500,ssh,com.apple.openssh,Software Signing", - "22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,", "22,6,500,ssh,ssh,", + "22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,", "30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)", "30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)", "32768,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)", @@ -133,17 +133,17 @@ WHERE protocol > 0 "443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)", "443,6,0,nix,nix,", "443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)", - "443,6,500,,,", + "443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)", "443,6,500,,,", "443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)", "443,6,500,bash,bash,", - "443,6,500,chainctl_Darwin_arm64,a.out,", "443,6,500,chainctl,,", "443,6,500,chainctl,a.out,", + "443,6,500,chainctl_Darwin_arm64,a.out,", "443,6,500,civo,a.out,", "443,6,500,cloud_sql_proxy,a.out,", - "443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)", "443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)", + "443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)", "443,6,500,cosign,,", "443,6,500,cosign,a.out,", "443,6,500,crane,,", 
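Review bot: The retained `"443,6,500,,,"` entry (this hunk removes one of its two copies) has empty name, bundle and authority fields, so if the key is port,protocol,uid,name,bundle,authority it exempts any uid-500 process talking to port 443 for which osquery could not resolve a name or signature — the shape of a short-lived unsigned binary this query exists to surface. If it is there to cover processes that exited before the lookup, a trailing comment saying so would stop it being read as a mistake, and expressing that case as an explicit condition outside the key (for example on a NULL name) would make the intent visible.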
@@ -157,12 +157,12 @@ WHERE protocol > 0 "443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)", "443,6,500,gh,a.out,", "443,6,500,gh,gh,", + "443,6,500,git,com.apple.git,Software Signing", + "443,6,500,git,git,", "443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing", "443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,", "443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,", "443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,", - "443,6,500,git,com.apple.git,Software Signing", - "443,6,500,git,git,", "443,6,500,gitsign,,", "443,6,500,gitsign,a.out,", "443,6,500,gitsign,gitsign,", @@ -187,13 +187,13 @@ WHERE protocol > 0 "443,6,500,prober,a.out,", "443,6,500,pulumi-resource-gcp,a.out,", "443,6,500,pulumi-resource-github,a.out,", + "443,6,500,python2.7,python2.7,", + "443,6,500,python3.10,python3.10,", "443,6,500,Python,com.apple.python3,Software Signing", "443,6,500,Python,org.python.python,", "443,6,500,Python,Python,", - "443,6,500,python2.7,python2.7,", - "443,6,500,python3.10,python3.10,", - "443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)", "443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)", + "443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)", "443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing", "443,6,500,scorecard-darwin-amd64,,", "443,6,500,Slack Helper,,", diff --git a/process/hidden-cwd.sql b/process/hidden-cwd.sql index 1aaa2ce..255a186 100644 --- a/process/hidden-cwd.sql +++ b/process/hidden-cwd.sql 
@@ -36,13 +36,20 @@ FROM processes p WHERE dir LIKE "%/.%" AND NOT ( exception_key IN ( + "bash,~/.local/share", "bash,~/go/src", - "mysqld,~/.local/share", - "Electron,~/.vscode/extensions" + "Electron,~/.vscode/extensions", + "fish,~/.local/share", + "git,~/.local/share", + "mysqld,~/.local/share" ) - OR dir IN ("~/.vim", "~/.config/nvim") + OR dir IN ("~/.vim", "~/.config/nvim", "~/.cache/yay") OR p.name IN ("bindfs", "vim", "nvim", "code") OR dir LIKE "~/go/src/%" + OR dir LIKE "~/.local/share/nvim/%" + OR dir LIKE "~/.local/share/fish/%" + OR dir LIKE "/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%" OR dir LIKE "~/src/%" OR dir LIKE "~/%/.github%" + OR dir LIKE "~/code/%" ) \ No newline at end of file diff --git a/process/missing-from-disk-macos.sql b/process/missing-from-disk-macos.sql index e16531b..0f9409b 100644 --- a/process/missing-from-disk-macos.sql +++ b/process/missing-from-disk-macos.sql @@ -1,5 +1,4 @@ -SELECT - p.pid, +SELECT p.pid, p.path, p.name, p.parent, @@ -17,21 +16,17 @@ SELECT pp.cmdline AS parent_cmd, pp.cwd AS parent_cwd, hash.sha256 AS parent_sha256 -FROM - processes p +FROM processes p LEFT JOIN processes pp ON p.parent = pp.pid LEFT JOIN hash ON pp.path = hash.path -WHERE - p.on_disk != 1 - -- false positives from recently spawned processes +WHERE p.on_disk != 1 -- false positives from recently spawned processes AND (strftime("%s", "now") - p.start_time) > 15 AND p.pid > 0 - AND p.parent != 2 - -- kthreadd - AND p.state != "Z" - -- The kernel no longer has enough tracking information for this alert to be useful + AND p.parent != 2 -- kthreadd + AND p.state != "Z" -- The kernel no longer has enough tracking information for this alert to be useful AND NOT ( - p.parent = 1 AND p.path = "" + p.parent = 1 + AND p.path = "" ) AND NOT ( p.gid = 20 
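Review bot: `OR dir LIKE "~/code/%"` exempts every hidden directory anywhere under ~/code, which is far broader than the other additions in this hunk (`~/.local/share/nvim/%`, `~/.local/share/fish/%`) and removes coverage for exactly the kind of dot-directory working path the query is looking for. The neighbouring `~/%/.github%` pattern shows the narrower form; if the noise is git checkouts, `OR dir LIKE "~/code/%/.git%"` or a program-specific `exception_key` entry would keep the rest of the tree watched. A comment naming the tool behind each new exception would also make later pruning possible.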
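Review bot: The reformat moves `-- false positives from recently spawned processes` onto the `WHERE p.on_disk != 1` line, where it reads as describing the on_disk test; on the removed side it sat between that line and the 15-second `start_time` guard, which is the line it explains. Keep it on the guard: `AND (strftime("%s", "now") - p.start_time) > 15 -- false positives from recently spawned processes`. The same one-line drift appears in process/recently-created-executables.sql, where `-- Known parent processes, typically GUI shells and updaters` now trails a `p.path` pattern instead of the `pp.path` check, and in process/touched-executable-macos.sql, where each trailing comment in the timing block now annotates the clause above the one it describes.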
@@ -42,12 +37,14 @@ WHERE OR cmd LIKE "/Library/Apple/System/%" OR cmd LIKE "/Library/Application Support/Logitech.localized/%" OR cmd LIKE "/Library/Developer/CommandLineTools/%" + OR p.path IN ( + "/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper" + ) OR cmd LIKE "/opt/homebrew/Cellar/%" - OR p.path LIKE "/opt/homebrew/Cellar/%" + OR p.path LIKE "/opt/homebrew/Cellar/%/bin/%" OR cmd LIKE "/opt/homebrew/opt/%" OR cmd LIKE "/private/var/folders/%/Visual Studio Code.app/Contents/%" - OR cmd LIKE "/Users/%/homebrew/opt/mysql/bin/%" - -- Sometimes cmd is empty also :( + OR cmd LIKE "/Users/%/homebrew/opt/mysql/bin/%" -- Sometimes cmd is empty also :( OR parent_cmd LIKE "/Applications/Google Chrome.app/%" ) ) diff --git a/process/recently-created-executables.sql b/process/recently-created-executables.sql index 18aaa83..b37eddc 100644 --- a/process/recently-created-executables.sql +++ b/process/recently-created-executables.sql 
@@ -36,25 +36,25 @@ WHERE p.start_time > 0 "/Applications/Opal.app/Contents/Library/LaunchServices", "/Applications/Opal.app/Contents/MacOS", "/Applications/Opal.app/Contents/XPCServices/OpalCameraDeviceService.xpc/Contents/MacOS", + "/Applications/Signal.app/Contents/Frameworks/Signal Helper.app/Contents/MacOS", "/Applications/Signal.app/Contents/Frameworks/Signal Helper (GPU).app/Contents/MacOS", "/Applications/Signal.app/Contents/Frameworks/Signal Helper (Renderer).app/Contents/MacOS", - "/Applications/Signal.app/Contents/Frameworks/Signal Helper.app/Contents/MacOS", "/Applications/Signal.app/Contents/MacOS", + "/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS", "/Applications/Slack.app/Contents/Frameworks/Slack Helper (GPU).app/Contents/MacOS", "/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS", - "/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS", "/Applications/Slack.app/Contents/MacOS", + "/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS", "/Applications/Spotify.app/Contents/Frameworks/Spotify Helper (GPU).app/Contents/MacOS", "/Applications/Spotify.app/Contents/Frameworks/Spotify Helper (Renderer).app/Contents/MacOS", - "/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS", "/Applications/Spotify.app/Contents/MacOS", "/Applications/Stream Deck.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS", "/Applications/Stream Deck.app/Contents/MacOS", "/Applications/Tailscale.app/Contents/MacOS", "/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS", + "/Applications/Todoist.app/Contents/Frameworks/Todoist Helper.app/Contents/MacOS", "/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (GPU).app/Contents/MacOS", "/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (Renderer).app/Contents/MacOS", - 
"/Applications/Todoist.app/Contents/Frameworks/Todoist Helper.app/Contents/MacOS", "/Applications/Todoist.app/Contents/MacOS", "/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS", "/Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources", @@ -64,7 +64,6 @@ WHERE p.start_time > 0 "/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS", "/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS", "/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS", - "/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS", "/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS", "/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS", "/usr/local/kolide-k2/bin" @@ -81,8 +80,10 @@ WHERE p.start_time > 0 "/usr/bin/dockerd", "/usr/bin/obs", "/usr/bin/udevadm", - "/usr/lib/at-spi-bus-launcher", "/usr/lib/at-spi2-registryd", + "/usr/lib/at-spi-bus-launcher", + "/usr/libexec/fwupd/fwupd", + "/usr/libexec/sssd/sssd_kcm", "/usr/lib/fwupd/fwupd", "/usr/lib/slack/chrome_crashpad_handler", "/usr/lib/slack/slack", 
@@ -92,17 +93,17 @@ WHERE p.start_time > 0 "/usr/lib/systemd/systemd-timesyncd", "/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page", "/usr/lib/xf86-video-intel-backlight-helper", - "/usr/libexec/fwupd/fwupd", - "/usr/libexec/sssd/sssd_kcm", "/usr/sbin/cupsd", "/usr/sbin/tailscaled" ) AND NOT p.path LIKE "/Applications/%.app/%" - AND NOT p.path LIKE "/home/%/%.test" + AND NOT p.path LIKE "%-go-build%" AND NOT p.path LIKE "/home/%/bin/%" AND NOT p.path LIKE "/home/%/terraform-provider-%" + AND NOT p.path LIKE "/home/%/%.test" AND NOT p.path LIKE "/Library/Apple/System/%" AND NOT p.path LIKE "/Library/Application Support/Adobe/Adobe Desktop Common/%" + AND NOT p.path LIKE "%/Library/Application Support/com.elgato.StreamDeck%" -- Known parent processes, typically GUI shells and updaters AND NOT p.path LIKE "/Library/Application Support/Logitech.localized/%" AND NOT p.path LIKE "/nix/store/%/bin/%" AND NOT p.path LIKE "/opt/homebrew/bin/%" @@ -114,7 +115,7 @@ WHERE p.start_time > 0 AND NOT p.path LIKE "/private/var/folders/%/bin/%" AND NOT p.path LIKE "/private/var/folders/%/go-build%" AND NOT p.path LIKE "/private/var/folders/%/GoLand/%" - AND NOT p.path LIKE "/Users/%/%.test" + AND NOT p.path LIKE "/private/var/folders/%/T/pulumi-go.%" AND NOT p.path LIKE "/Users/%/bin/%" AND NOT p.path LIKE "/Users/%/code/%" AND NOT p.path LIKE "/Users/%/Library/Application Support/%/Contents/MacOS/%" 
@@ -123,12 +124,11 @@ WHERE p.start_time > 0 AND NOT p.path LIKE "/Users/%/Library/Google/%.bundle/Contents/Helpers/%" AND NOT p.path LIKE "/Users/%/Library/Mobile Documents/%/Contents/Frameworks%" AND NOT p.path LIKE "/Users/%/terraform-provider-%" + AND NOT p.path LIKE "/Users/%/%.test" AND NOT p.path LIKE "/usr/local/bin/%" AND NOT p.path LIKE "/usr/local/Cellar/%" AND NOT p.path LIKE "/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd" - AND NOT p.path LIKE "%-go-build%" AND NOT p.path LIKE "%/.vscode/extensions/%" - AND NOT p.path LIKE "%/Library/Application Support/com.elgato.StreamDeck%" -- Known parent processes, typically GUI shells and updaters AND NOT pp.path IN ("/usr/bin/gnome-shell") -- Filter out developers working on their own code AND NOT ( ( diff --git a/process/sketchy-fetcher.sql b/process/sketchy-fetcher.sql index 4a1487e..3badcdf 100644 --- a/process/sketchy-fetcher.sql +++ b/process/sketchy-fetcher.sql @@ -32,6 +32,7 @@ WHERE OR p.cmdline LIKE "%pastebin%" OR p.cmdline LIKE "%curl %--user-agent%" OR p.cmdline LIKE "%curl -k%" + OR p.cmdline LIKE "%curl -sL%" OR p.cmdline LIKE "%curl%--insecure%" OR p.cmdline LIKE "%wget %--user-agent%" OR p.cmdline LIKE "%wget %--no-check-certificate%" @@ -72,5 +73,6 @@ WHERE OR p.cmdline LIKE "%LICENSES/vendor/%" OR p.cmdline LIKE "%localhost:%" OR p.cmdline LIKE "%127.0.0.1:%" + OR p.name IN ("apko") ) ) diff --git a/process/tiny-executable.sql b/process/tiny-executable.sql new file mode 100644 index 0000000..8f55d70 --- /dev/null +++ b/process/tiny-executable.sql 
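Review bot: `OR p.cmdline LIKE "%curl -sL%"` is added to the suspicious-invocation patterns, but that is the form most vendor install scripts and CI jobs use, so in a commit aimed at fewer false positives it is likely to do the opposite; a trailing comment on what it is meant to catch would justify keeping it. The new exception `OR p.name IN ("apko")` is keyed on process name alone, as is `pp.name NOT IN ('makepkg', 'apko')` in process_events/sketchy-fetcher-events.sql; anchoring on `p.path` (or `pp.path`) would stop any process that merely calls itself apko from being exempted. A single-element list also reads more clearly as `OR p.name = "apko"`.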
@@ -0,0 +1,26 @@
+-- Discover tiny dropper binaries, such as Shikitega:
+-- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux
+
+-- Duration: 0.063s
+SELECT
+ p.pid,
+ p.path,
+ p.cmdline,
+ file.size,
+ file.mode,
+ p.cwd,
+ p.euid,
+ p.parent,
+ pp.path AS parent_path,
+ pp.name AS parent_name,
+ pp.cmdline AS parent_cmdline,
+ pp.euid AS parent_euid,
+ hash.sha256 AS parent_sha256
+FROM
+ processes p
+ LEFT JOIN file ON p.path = file.path
+ LEFT JOIN processes pp ON p.parent = pp.pid
+ LEFT JOIN hash ON pp.path = hash.path
+WHERE file.size > 0
+ AND file.size < 10000
+
diff --git a/process/touched-executable-macos.sql b/process/touched-executable-macos.sql
index cb71fcc..3d0b1c9 100644
--- a/process/touched-executable-macos.sql
+++ b/process/touched-executable-macos.sql
@@ -25,14 +25,15 @@ FROM processes p
 LEFT JOIN signature ON p.path = signature.path
 WHERE f.btime == f.mtime
 AND (
- btime_ctime_days_diff > 0 -- change time is older than birth time
- OR (btime_ctime_days_diff < -365 && btime_ctime_days_diff < -1000) -- change time is older than birth time, but not 1970
- OR start_atime_days_diff > 90 -- access time is older than start time
- OR start_atime_days_diff < -10 -- access time is newer than start time
- )
-
- -- Vendors that create software packages that look like a touched file.
- -- Typically they have a ctime way earlier than btime (>90 days)
+ -- change time is older than birth time
+ btime_ctime_days_diff > 0 -- change time is older than birth time, but not 1970
+ OR (
+ (btime_ctime_days_diff < -365)
+ AND (btime_ctime_days_diff < -1000)
+ ) -- access time is older than start time
+ OR start_atime_days_diff > 90 -- access time is newer than start time
+ OR start_atime_days_diff < -10
+ ) -- Vendors that create software packages that look like a touched file.
 AND NOT signature.authority IN (
 "Apple Mac OS Application Signing",
 "Developer ID Application: Adobe Inc. (JQ525L2MZD)",
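Review bot: The only hash this new query reports is the parent's (`LEFT JOIN hash ON pp.path = hash.path` feeding `parent_sha256`), so the tiny binary that triggered the alert is never hashed, which is the first thing a responder needs; add `LEFT JOIN hash AS chash ON p.path = chash.path` and select `chash.sha256 AS sha256`. `WHERE file.size > 0 AND file.size < 10000` also turns the `LEFT JOIN file` into an inner join in effect, so `JOIN file ON p.path = file.path` would state the intent. The 10000-byte threshold deserves a comment on how it was chosen, and all three points apply equally to process_events/tiny-executable-events.sql.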
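Review bot: The rewritten condition `(btime_ctime_days_diff < -365) AND (btime_ctime_days_diff < -1000)` is redundant — any value below -1000 is already below -365 — so the clause reduces to `< -1000` and the "but not 1970" exclusion the comment promises is not expressed; presumably one side was meant to be a lower limit, e.g. `btime_ctime_days_diff < -365 AND btime_ctime_days_diff > -<EPOCH_CUTOFF_DAYS>` (placeholder, confirm the intended cutoff). The reformat also shifts every trailing comment up one clause: `-- change time is older than birth time, but not 1970` now annotates `btime_ctime_days_diff > 0`, `-- access time is older than start time` sits on the inner `)`, `-- access time is newer than start time` on the `> 90` clause, and `-- Vendors that create software packages...` trails the outer `)` while `-- Typically they have a ctime way earlier than btime (>90 days)` is dropped. Move each comment back onto the clause it describes and restore the dropped line above the `signature.authority` list.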
@@ -41,22 +42,23 @@ WHERE f.btime == f.mtime "Developer ID Application: Bryan Jones (49EYHPJ4Q3)", "Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)", "Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)", + "Developer ID Application: Docker Inc (9BNSXJN65R)", "Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)", + "Developer ID Application: Galvanix (5BRAQAFB8B)", "Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)", "Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)", - "Developer ID Application: Galvanix (5BRAQAFB8B)", + "Developer ID Application: GitHub (VEKTX9H2N7)", "Developer ID Application: Google LLC (EQHXZ8M8AV)", - "Developer ID Application: Docker Inc (9BNSXJN65R)", "Developer ID Application: Logitech Inc. (QED4VVPZWA)", "Developer ID Application: Michael Jones (YD6LEYT6WZ)", + "Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)", "Developer ID Application: RescueTime, Inc (FSY4RB8H39)", "Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)", "Developer ID Application: Yubico Limited (LQA3CS5MM7)", "Software Signing" ) AND NOT ( - btime_ctime_days_diff < -90 - AND p.euid > 500 + p.euid > 500 AND ( p.path IN ( "/Applications/Divvy.app/Contents/MacOS/Divvy", diff --git a/process/unexpected-executable-directory-macos.sql b/process/unexpected-executable-directory-macos.sql index cd9cd2a..99a0f88 100644 --- a/process/unexpected-executable-directory-macos.sql +++ b/process/unexpected-executable-directory-macos.sql 
@@ -54,21 +54,21 @@ WHERE dirname NOT IN ( AND signature.authority NOT IN ( "Apple Mac OS Application Signing", "Developer ID Application: Adobe Inc. (JQ525L2MZD)", - "Developer ID Application: Hashicorp, Inc. (D38WU7D763)", "Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)", - "Developer ID Application: Figma, Inc. (T8RA8NE3B7)", "Developer ID Application: Docker Inc (9BNSXJN65R)", + "Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)", + "Developer ID Application: Figma, Inc. (T8RA8NE3B7)", "Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)", + "Developer ID Application: Hashicorp, Inc. (D38WU7D763)", "Developer ID Application: Logitech Inc. (QED4VVPZWA)", - "Developer ID Application: Objective-See, LLC (VBG97UB4TA)", "Developer ID Application: Microsoft Corporation (UBF8T346G9)", "Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)", - "Developer ID Application: Oracle America, Inc. (VB5E2TV963)", - "Developer ID Application: Oracle America, Inc. (VB5E2TV963)", - "Developer ID Application: Valve Corporation (MXGJJ98X76)", - "Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)", + "Developer ID Application: Objective-See, LLC (VBG97UB4TA)", "Developer ID Application: Opal Camera Inc (97Z3HJWCRT)", + "Developer ID Application: Oracle America, Inc. (VB5E2TV963)", + "Developer ID Application: Oracle America, Inc. (VB5E2TV963)", "Developer ID Application: Tenable, Inc. (4B8J598M7U)", + "Developer ID Application: Valve Corporation (MXGJJ98X76)", "Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)", "Software Signing" ) 
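Review bot: `"Developer ID Application: Oracle America, Inc. (VB5E2TV963)"` is still present twice after the re-sort; the duplicate is harmless to `NOT IN` but will mislead the next person editing the list, so drop one of the two lines. The rest of this hunk is a reorder plus the Dropbox entry.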
@@ -93,6 +93,7 @@ WHERE dirname NOT IN ( AND dirname NOT LIKE "/opt/homebrew/Cellar/%/libexec" AND dirname NOT LIKE "/opt/homebrew/Cellar/%/libexec/%" AND dirname NOT LIKE "/opt/homebrew/Cellar/%/Contents/MacOS" + AND dirname NOT LIKE "/opt/homebrew/Caskroom/%/bin" AND dirname NOT LIKE "/private/tmp/%.app/Contents/MacOS" AND dirname NOT LIKE "/private/tmp/go-build%/exe" AND dirname NOT LIKE "/private/tmp/nix-build-%" diff --git a/process/unexpected-shell-parents.sql b/process/unexpected-shell-parents.sql index 11e724a..9230d2f 100644 --- a/process/unexpected-shell-parents.sql +++ b/process/unexpected-shell-parents.sql @@ -40,6 +40,7 @@ WHERE "java", "ko", "kubectl", + "doas", "make", "monorail", "nix-daemon", @@ -53,6 +54,7 @@ WHERE "python", "roxterm", "sdzoomplugin", + "sh", "skhd", "swift", "systemd", @@ -79,6 +81,7 @@ WHERE "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon", "/opt/X11/libexec/launchd_startx", "/sbin/launchd", + "/usr/lib/xorg/Xorg", "/usr/bin/alacritty", "/usr/bin/apt-get", "/usr/bin/bash", diff --git a/process/unexpected-uid0-daemon-linux.sql b/process/unexpected-uid0-daemon-linux.sql index e2f10b0..8219106 100644 --- a/process/unexpected-uid0-daemon-linux.sql +++ b/process/unexpected-uid0-daemon-linux.sql @@ -31,6 +31,8 @@ WHERE p.uid = 0 "/usr/bin/abrt-dump-journal-core", "/usr/bin/abrt-dump-journal-oops", "/usr/bin/abrt-dump-journal-xorg", + "/usr/bin/pacman", + "/usr/bin/fish", "/usr/bin/anacron", "/usr/bin/apcupsd", "/usr/bin/containerd-shim-runc-v2", diff --git a/process_events/sketchy-fetcher-events.sql b/process_events/sketchy-fetcher-events.sql index b38e208..22c8158 100644 --- a/process_events/sketchy-fetcher-events.sql +++ b/process_events/sketchy-fetcher-events.sql 
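Review bot: `"sh"` is added to the allowed parent names, which exempts a shell spawned by any process named sh — the generic wrapper most scripted launches pass through — and materially narrows what "unexpected shell parent" can still catch; if the false positives come from a specific script, an exception on its path (as `/usr/lib/xorg/Xorg` is handled below) preserves coverage. `"doas"` is also inserted between `"kubectl"` and `"make"`, breaking the alphabetical order the list otherwise keeps. A comment on each new name recording the source of the noise would make future pruning possible.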
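Review bot: `/usr/bin/fish` is added to the uid-0 daemon allow-list, which exempts a root interactive shell from a query whose purpose is to flag unexpected root processes; if the noise is a specific root-run script, excluding on its cmdline or parent would be safer than exempting the interpreter outright. `/usr/bin/pacman` and `/usr/bin/fish` are also inserted before `/usr/bin/anacron`, out of the sorted order the rest of the list follows.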
@@ -40,6 +40,7 @@ WHERE OR p.cmdline LIKE "%curl.*—write-out%" OR p.cmdline LIKE "%curl %--user-agent%" OR p.cmdline LIKE "%curl -k%" + OR p.cmdline LIKE "%curl -sL%" OR p.cmdline LIKE "%curl%--connect-timeout%" OR p.cmdline LIKE "%curl%--output /dev/null%" OR p.cmdline LIKE "%curl%--O /dev/null%" @@ -59,7 +60,7 @@ WHERE ) ) -- Exceptions for all calls - AND pp.name NOT IN ('makepkg') -- Exceptions for non-privileged calls + AND pp.name NOT IN ('makepkg', 'apko') -- Exceptions for non-privileged calls AND NOT ( p.euid > 500 AND ( diff --git a/process_events/tiny-executable-events.sql b/process_events/tiny-executable-events.sql new file mode 100644 index 0000000..7391d18 --- /dev/null +++ b/process_events/tiny-executable-events.sql @@ -0,0 +1,28 @@ +-- Discover tiny dropper binaries, such as Shikitega: +-- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux +-- Designed for execution every 30 seconds (where the parent may still be around) +SELECT + p.pid, + p.path, + p.cmdline, + file.size, + p.mode, + p.cwd, + p.euid, + p.parent, + p.syscall, + pp.path AS parent_path, + pp.name AS parent_name, + pp.cmdline AS parent_cmdline, + pp.euid AS parent_euid, + hash.sha256 AS parent_sha256 +FROM + process_events p + LEFT JOIN file ON p.path = file.path + LEFT JOIN processes pp ON p.parent = pp.pid + LEFT JOIN hash ON pp.path = hash.path +WHERE + p.time > (strftime('%s', 'now') -30) + AND file.size > 0 + AND file.size < 10000 + diff --git a/process_events/unexpected-privilege-escalation-events.sql b/process_events/unexpected-privilege-escalation-events.sql new file mode 100644 index 0000000..55a6d33 --- /dev/null +++ b/process_events/unexpected-privilege-escalation-events.sql 
@@ -0,0 +1,45 @@
+-- Designed for execution every 30 seconds (where the parent may still be around)
+SELECT
+ p.pid AS child_pid,
+ p.path AS child_path,
+ REGEX_MATCH (RTRIM(file.path, "/"), ".*/(.*?)$", 1) AS child_name,
+ p.cmdline AS child_cmdline,
+ p.euid AS child_euid,
+ file.mode AS child_mode,
+ hash.sha256 AS child_hash,
+ p.parent AS parent_pid,
+ pp.path AS parent_path,
+ pp.name AS parent_name,
+ pp.cmdline AS parent_cmdline,
+ pp.euid AS parent_euid,
+ pfile.mode AS parent_mode,
+ hash.sha256 AS parent_hash
+FROM
+ process_events p
+ JOIN processes pp ON p.parent = pp.pid
+ LEFT JOIN file ON p.path = file.path
+ LEFT JOIN hash ON p.path = hash.path
+ LEFT JOIN file AS pfile ON pp.path = file.path
+ LEFT JOIN hash AS phash ON pp.path = hash.path
+WHERE
+ p.time > (strftime('%s', 'now') -30)
+ AND p.euid < pp.euid
+ AND p.path NOT IN (
+ '/usr/bin/fusermount',
+ '/usr/bin/fusermount3',
+ '/usr/bin/login',
+ '/usr/bin/sudo',
+ '/usr/bin/doas',
+ '/bin/ps',
+ '/usr/bin/top'
+ )
+ AND p.path NOT LIKE "/nix/store/%/bin/sudo"
+ AND p.path NOT LIKE "/nix/store/%/bin/dhcpcd"
+ AND NOT (
+ child_name = 'polkit-agent-helper-1'
+ AND parent_path = '/usr/bin/gnome-shell'
+ )
+ AND NOT (
+ child_name = 'fusermount3'
+ AND parent_path = '/usr/lib/xdg-document-portal'
+ )
diff --git a/startup/unexpected-small-udev-entry.sql b/startup/unexpected-small-udev-entry.sql
new file mode 100644
index 0000000..da429b8
--- /dev/null
+++ b/startup/unexpected-small-udev-entry.sql
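Review bot: The two parent-side joins reference the wrong aliases: `LEFT JOIN file AS pfile ON pp.path = file.path` and `LEFT JOIN hash AS phash ON pp.path = hash.path` constrain the child's `file`/`hash` tables again instead of `pfile`/`phash`, so `parent_mode` comes from an unconstrained join (which osquery's `file` table may reject outright) and `hash.sha256 AS parent_hash` simply repeats the child's hash. Fix: `LEFT JOIN file AS pfile ON pp.path = pfile.path`, `LEFT JOIN hash AS phash ON pp.path = phash.path`, and `phash.sha256 AS parent_hash`. A one-line comment above `AND p.euid < pp.euid` stating that a child running with a lower effective uid than its parent is what counts as escalation here would make the query's contract explicit.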
@@ -0,0 +1,44 @@
+-- Inspired by Operation Earth Berberoka
+-- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf
+
+SELECT
+ file.path,
+ uid,
+ gid,
+ mode,
+ mtime,
+ ctime,
+ type,
+ size,
+ hash.sha256,
+ magic.data
+FROM
+ file
+ LEFT JOIN hash ON file.path = hash.path
+ LEFT JOIN magic ON file.path = magic.path
+WHERE
+ file.path LIKE "/usr/lib/udev/rules.d/%"
+ AND file.size < 180
+AND file.path NOT IN (
+ "/usr/lib/udev/rules.d/60-rfkill.rules",
+ "/usr/lib/udev/rules.d/50-apport.rules",
+ "/usr/lib/udev/rules.d/60-net.rules",
+ "/usr/lib/udev/rules.d/61-mutter.rules",
+ "/usr/lib/udev/rules.d/66-saned.rules",
+ "/usr/lib/udev/rules.d/70-hypervfcopy.rules",
+ "/usr/lib/udev/rules.d/70-hypervkvp.rules",
+ "/usr/lib/udev/rules.d/70-hypervvss.rules",
+ "/usr/lib/udev/rules.d/70-spice-vdagentd.rules",
+ "/usr/lib/udev/rules.d/70-spice-webdavd.rules",
+ "/usr/lib/udev/rules.d/75-probe_mtd.rules",
+ "/usr/lib/udev/rules.d/85-hdparm.rules",
+ "/usr/lib/udev/rules.d/85-regulatory.rules",
+ "/usr/lib/udev/rules.d/90-daxctl-device.rules",
+ "/usr/lib/udev/rules.d/91-drm-modeset.rules",
+ "/usr/lib/udev/rules.d/96-e2scrub.rules",
+ "/usr/lib/udev/rules.d/99-fuse.rules",
+ "/usr/lib/udev/rules.d/99-fuse3.rules",
+ "/usr/lib/udev/rules.d/99-libsane1.rules",
+ "/usr/lib/udev/rules.d/99-nfs.rules",
+ "/usr/lib/udev/rules.d/99-qemu-guest-agent.rules"
+)
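Review bot: Only `/usr/lib/udev/rules.d/%` is examined, while udev also loads rules from `/etc/udev/rules.d/` and `/run/udev/rules.d/`, the writable locations where an unexpected entry of the kind the referenced report describes is more likely to turn up; extending the predicate with `OR file.path LIKE "/etc/udev/rules.d/%"` (and the run directory) would close that gap, with the allow-list still keyed on full paths. `AND file.size < 180` is a magic number and deserves a comment on what it approximates (presumably a one-line rule) so the threshold can be revisited. `AND file.path NOT IN (` is also un-indented relative to the surrounding predicates.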