From d3352610f491a4ea7dcf54abd190858819118be9 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 7 Mar 2024 16:33:01 -0500
Subject: [PATCH] fpr: snapd, cups, ubuntu, etc
---
 detection/c2/unexpected-https-macos.sql | 3 +++
 detection/c2/unexpected-talker-events.sql | 3 +++
 detection/c2/unexpected-talkers-macos.sql | 25 ++++++++-----------
 .../unexpected-dev-opener-linux.sql | 1 +
 .../evasion/touched-executable-linux.sql | 1 +
 .../evasion/unexpected-var-run-linux.sql | 1 +
 .../evasion/unusual-process-name-linux.sql | 3 +++
 detection/execution/exotic-commands-linux.sql | 4 +-
 .../unexpected-execdir-events-linux.sql | 1 +
 .../execution/unexpected-execdir-linux.sql | 2 ++
 .../yara-unexpected-go-crypt-exec-process.sql | 1 +
 .../unexpected-shell-parent-events.sql | 1 +
 .../unexpected-chrome-extensions.sql | 6 +++++
 .../unexpected-listening-port-linux.sql | 3 +++
 .../unexpected-systemctl-calls-linux.sql | 2 ++
 .../unexpected-uid0-daemon-linux.sql | 4 +++
 16 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 3a242db..4178671 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -119,6 +119,7 @@ WHERE
 '500,trunk,trunk,Developer ID Application: Trunk Technologies, Inc. (LDR5F9BL92),trunk-cli',
 '500,java,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.8u401.java',
 '500,bash,bash,,bash',
+ '500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
 '500,Skitch,Skitch,Developer ID Application: Skitch Inc (J8RPQ294UB),com.skitch.skitch',
 '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
 '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
@@ -131,6 +132,7 @@ WHERE
 AND NOT alt_exception_key IN (
 '0,velociraptor,velociraptor,0u,0g',
 '0,velociraptor,velociraptor,0u,80g',
+ '500,taplo,taplo,500u,20g',
 '500,nodegizmo,nodegizmo,500u,20g',
 '500,apko,apko,0u,0g',
 '500,apko,apko,500u,20g',
@@ -218,6 +220,7 @@ WHERE
 '500,Python,Python,,org.python.python',
 '500,Python,Python,,Python',
 '500,Python,Python,,',
+ '500,Python,Python,Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python',
 '500,Python,Python,0u,80g',
 '500,Python,Python,Developer ID Application: Ned Deily (DJ3H93M7VJ),org.python.python'
 )
diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index 89e7d86..26ec796 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -133,6 +133,8 @@ WHERE
 '500,0,32768,ir_agent',
 '500,0,32768,ksfetch',
 '500,0,32768,networkQuality',
+ '500,500,80,elastic-agent',
+ '500,0,80,filebeat',
 '500,0,32768,syncthing',
 '500,0,3478,firefox',
 '500,0,4070,spotify',
@@ -208,6 +210,7 @@ WHERE
 '500,0,80,com.apple.NRD.UpdateBrainService',
 '500,0,80,com.bitdefender.cst.net.dci.dci-network-extension',
 '500,0,80,electron',
+ '500,0,443,com.docker.backend',
 '500,0,80,firefox',
 '500,0,80,http',
 '500,0,80,incusd',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 4be2e97..d066de0 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -5,8 +5,7 @@
 --
 -- tags: transient state net often
 -- platform: macos
-SELECT
- pos.protocol,
+SELECT pos.protocol,
 pos.local_port,
 pos.remote_port,
 pos.remote_address,
@@ -67,8 +66,7 @@ SELECT
 p2.path AS p2_path,
 p2.cmdline AS p2_cmd,
 p2_hash.sha256 AS p2_sha256
-FROM
- process_open_sockets pos
+FROM process_open_sockets pos
 LEFT JOIN processes p0 ON pos.pid = p0.pid
 LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
 LEFT JOIN processes p1 ON p0.parent = p1.pid
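Review bot: The `+SELECT pos.protocol,` reflow in the `@@ -5,8 +5,7 @@` hunk of unexpected-talkers-macos.sql, together with the matching `+FROM process_open_sockets pos`, `+WHERE pos.protocol > 0` and `+GROUP BY p0.cmdline` hunks that follow it, is formatter churn unrelated to the false-positive exceptions this commit is titled for. Folding the first column onto the keyword line only touches four lines of layout, yet it makes every future blame on this query point at an allowlist commit; keeping the old one-keyword-per-line layout, or landing the reflow as its own commit, keeps the history of the exception list readable. The SELECT column list and the JOIN chain both continue outside their hunks.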
@@ -77,8 +75,7 @@ FROM
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 LEFT JOIN file f ON p0.path = f.path
 LEFT JOIN signature s ON p0.path = s.path
-WHERE
- pos.protocol > 0
+WHERE pos.protocol > 0
 AND NOT (
 pos.remote_port IN (53, 443)
 AND pos.protocol IN (6, 17)
@@ -234,27 +231,27 @@ WHERE
 AND id_exception_key IN (
 'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
 'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
+ 'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
 'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
 'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
 'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
- 'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
- 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
 'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.nightly.helper',
+ 'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
+ 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
+ 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
- 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
- 'Developer ID Application: Vivaldi Technologies AS (4XF3XNRN6Y),com.vivaldi.Vivaldi.helper',
- 'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
+ 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
 'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
 'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
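Review bot: The new side of this hunk lists `'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker'` twice — once as the unchanged context line and once as the added line directly below it — so the re-sort introduced a duplicate into the `id_exception_key IN (...)` list; drop the added copy. The re-added `com.docker` entry also lands after `com.docker.docker`, while the moved Adguard, Cloudflare, VSCode and Vivaldi lines were sorted into alphabetical place, so that position looks unintended. Neither affects what the query returns, but duplicates and out-of-order entries are exactly what makes an allowlist this long hard to audit for stale exceptions. The `IN (...)` list and the enclosing WHERE both begin outside the hunk.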
@@ -263,16 +260,16 @@ WHERE
 'Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
 'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
 'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
- 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
+ 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
 'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
 'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
 'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
+ 'Developer ID Application: Vivaldi Technologies AS (4XF3XNRN6Y),com.vivaldi.Vivaldi.helper',
 'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking',
 'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp.ServiceExtension',
 'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'
 )
 )
-GROUP BY
- p0.cmdline
+GROUP BY p0.cmdline
\ No newline at end of file
diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
index d1bedf1..d2e1152 100644
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -174,6 +174,7 @@ WHERE
 '/dev/hidraw,chrome',
 '/dev/hvc,agetty',
 '/dev/hwrng,rngd',
+ '/dev/wwan0mbim,mbim-proxy',
 '/dev/input/event,Xorg',
 '/dev/input/event,thermald',
 '/dev/input/event,touchegg',
diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index 41a1ce0..f06769d 100644
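Review bot: The added `+GROUP BY p0.cmdline` line in the `@@ -263,16 +260,16 @@` hunk is flagged `\ No newline at end of file` while the removed `- p0.cmdline` it replaces carries no such marker, so the reflow also strips the file's trailing newline; restore it so the next edit to this query does not show a spurious change on its last line. The Spotify and Vivaldi moves in the same hunk are plain re-sorting and need nothing.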
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@@ -42,6 +42,7 @@ WHERE
 AND f.path NOT LIKE '/opt/rapid7/ir_agent/%'
 AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
 AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
+ AND f.path NOT LIKE '/var/kolide-k2/k2device.kolide.com/updates/%'
 AND f.path NOT LIKE '/tmp/go-build%'
 AND p.name NOT LIKE 'osqtool%'
 GROUP by
diff --git a/detection/evasion/unexpected-var-run-linux.sql b/detection/evasion/unexpected-var-run-linux.sql
index 20f6261..045a6e0 100644
--- a/detection/evasion/unexpected-var-run-linux.sql
+++ b/detection/evasion/unexpected-var-run-linux.sql
@@ -29,6 +29,7 @@ WHERE
 AND file.filename NOT IN (
 'acpid.pid',
 'agetty.reload',
+ 'pulseaudio-enable-autospawn',
 'alsactl.pid',
 'apcupsd.pid',
 'com.rapid7.cnchub.pid',
diff --git a/detection/evasion/unusual-process-name-linux.sql b/detection/evasion/unusual-process-name-linux.sql
index a655268..7a96e16 100644
--- a/detection/evasion/unusual-process-name-linux.sql
+++ b/detection/evasion/unusual-process-name-linux.sql
@@ -102,6 +102,9 @@ WHERE
 "systemd-executor",
 "irqbalance",
 "kactivitymanagerd",
+ "com.docker.backend",
+ "com.docker.build",
+ "com.docker.extensions",
 "nm-applet",
 "perl",
 "systemd",
diff --git a/detection/execution/exotic-commands-linux.sql b/detection/execution/exotic-commands-linux.sql
index 3bec5ff..cc37868 100644
--- a/detection/execution/exotic-commands-linux.sql
+++ b/detection/execution/exotic-commands-linux.sql
@@ -103,8 +103,8 @@ WHERE
 OR (
 p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
 AND NOT p1.name = 'limactl'
- AND NOT p0.cmdline LIKE '%@localhost'
- AND NOT p0.cmdline LIKE '%@localhost -A'
+ AND NOT p0.cmdline LIKE '%@localhost%'
+ AND NOT p0.cmdline LIKE '%@localhost -A%'
 ) -- Crypto miners
 OR p0.cmdline LIKE '%hashrate%'
 OR p0.cmdline LIKE '%hashvault%'
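Review bot: In the exotic-commands-linux.sql hunk, changing `'%@localhost'` to `'%@localhost%'` widens the exclusion from "command line ends with @localhost" to "contains @localhost anywhere", so a `UserKnownHostsFile=/dev/null` invocation that continues past the host — a longer hostname that merely begins with `localhost`, or further arguments after it — is now suppressed too, and the second pattern `'%@localhost -A%'` becomes fully redundant. If the intent is only to tolerate trailing ssh options, a pair that keeps the host anchored does that with less loss of coverage: `AND NOT p0.cmdline LIKE '%@localhost'` and `AND NOT p0.cmdline LIKE '%@localhost %'`. The `OR (` group is shown whole, but the enclosing WHERE begins outside the hunk.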
diff --git a/detection/execution/unexpected-execdir-events-linux.sql b/detection/execution/unexpected-execdir-events-linux.sql
index 3733bcc..dfa8551 100644
--- a/detection/execution/unexpected-execdir-events-linux.sql
+++ b/detection/execution/unexpected-execdir-events-linux.sql
@@ -77,6 +77,7 @@ WHERE
 AND INSTR(path, "/nix/") != 1
 AND INSTR(path, "/opt/") != 1
 AND INSTR(path, "/snap/") != 1
+ AND INSTR(path, "/var/kolide-k2/") != 1
 AND INSTR(path, "/var/lib/snapd/") != 1
 AND INSTR(path, "/usr/share/spotify") != 1
 AND INSTR(path, "/usr/share/code/") != 1
diff --git a/detection/execution/unexpected-execdir-linux.sql b/detection/execution/unexpected-execdir-linux.sql
index 4e4e4ef..686cba3 100644
--- a/detection/execution/unexpected-execdir-linux.sql
+++ b/detection/execution/unexpected-execdir-linux.sql
@@ -60,6 +60,8 @@ WHERE
 AND INSTR(path, "/opt/") != 1
 AND INSTR(path, "/snap/") != 1
 AND INSTR(path, "/var/lib/snapd/") != 1
+ AND INSTR(path, "/usr/local/kolide-k2/bin/") != 1
+ AND INSTR(path, "/var/kolide-k2/") != 1
 AND INSTR(path, "/usr/share/spotify") != 1
 AND INSTR(path, "/usr/share/code/") != 1
 AND INSTR(path, "/usr/local/") != 1
diff --git a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
index c635e40..08d83c9 100644
--- a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
+++ b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
@@ -101,6 +101,7 @@ WHERE
 'go',
 'gopls',
 'grype',
+ 'packetbeat',
 'incus',
 'incusd',
 'keybase',
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 7916774..7ec07f8 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
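Review bot: In the unexpected-execdir-linux.sql hunk, the added `AND INSTR(path, "/usr/local/kolide-k2/bin/") != 1` is already implied by the existing `AND INSTR(path, "/usr/local/") != 1` three lines below it, so it can never change the result and only grows the prefix list; drop it and keep the `/var/kolide-k2/` line, which is the one that adds coverage here and in the unexpected-execdir-events-linux.sql hunk above. The events file shows no `/usr/local/` prefix exclusion in its hunk, so the redundancy does not obviously apply there. Both WHERE clauses continue outside their hunks.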
@@ -290,6 +290,7 @@ WHERE
 'zsh,500,OpenLens,launchd',
 'sh,500,ssh,mosh-client',
 'sh,500,updater,Foxit PDF Reader',
+ 'dash,500,gdm-wayland-session,gdm-session-worker',
 'sh,500,yabai,launchd',
 'zsh,500,old,launchd',
 'zsh,500,old,old',
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index ac44c4e..1718d67 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -76,7 +76,12 @@ WHERE
 AND NOT exception_key IN (
 "true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
 'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop',
+ 'true,,Hundred Handshakes,cmlngncglcblbobiehdpjcgbpoemidho',
 'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
+ 'true,,Google Play Movies & TV,gdijeikdkaembjbdobgfkoidjkpbmlkd',
+ 'true,Gordon Pedsersen,MarkDownload - Markdown Web Clipper,pcmpcfapbekmbjjkdalcgopdkipoggdi',
+ "true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
+ 'true,Microsoft Corporation,Microsoft Autofill,fiedbfgcleddlbcmgdigjgdfcggjcion',
 'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk',
 'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced',
 'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj',
@@ -155,6 +160,7 @@ WHERE
 'true,,HubSpot Sales,oiiaigjnkhngdbnoookogelabohpglmd',
 'true,,IBA Opt-out (by Google),gbiekjoijknlhijdjbaadobpkdhmoebb',
 'true,,Instapaper,ldjkgaaoikpmhmkelcgkgacicjfbofhh',
+ 'true,,Greenhouse Recruiting Chrome extension,naooopefdfeangnkgmjpklgblnfmbaea',
 'true,,JSON Formatter,bcjindcccaagfpapjjmafapmmgkkhgoa',
 'true,,JSON Viewer Pro,eifflpmocdbdmepbjaopkkhbfmdgijcc',
 'true,,Jamstash,jccdpflnecheidefpofmlblgebobbloc',
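Review bot: The five extension keys added at the top of the unexpected-chrome-extensions.sql `exception_key IN (...)` list (`'true,,Hundred Handshakes,...'`, `'true,,Google Play Movies & TV,...'`, the MarkDownload, "I don't care about cookies" and `Microsoft Autofill` lines) are dropped in ahead of the `Acorns Earn` / `Adblock` / `Add to Amazon` run that the visible context keeps in name order, and `'true,,Greenhouse Recruiting Chrome extension,...'` in the second hunk sits between `Instapaper` and `JSON Formatter`. Keeping the list sorted by the name field is what lets a reviewer spot a stale or duplicated entry at a glance, so placing them at their sorted positions is worth the few extra moved lines. The `IN (...)` list begins and ends outside both hunks.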
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 4acd251..b68d1e6 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -168,11 +168,14 @@ WHERE
 '8181,6,0,coredns',
 '8181,6,500,coredns',
 '8443,6,0,kube-apiserver',
+ '631,17,133,cups-browsed',
 '8443,6,101,nginx-ingress-c',
+ '58,255,500,dnsmasq',
 '8443,6,500,controller',
 '8443,6,500,controlplane',
 '8443,6,500,webhook',
 '8834,6,0,nessusd',
+ '631,17,116,cups-browsed',
 '547,17,500,dnsmasq',
 '9000,6,500,authentik-proxy',
 '9000,6,500,main',
diff --git a/detection/persistence/unexpected-systemctl-calls-linux.sql b/detection/persistence/unexpected-systemctl-calls-linux.sql
index 0debc76..79cd6b9 100644
--- a/detection/persistence/unexpected-systemctl-calls-linux.sql
+++ b/detection/persistence/unexpected-systemctl-calls-linux.sql
@@ -80,6 +80,8 @@ WHERE
 'systemctl,0,snapd,systemd',
 'systemctl,0,tailscaled,',
 'systemctl,127,snap,systemd',
+ 'systemctl,500,snapd,systemd',
+ 'systemctl,500,systemd,systemd',
 'systemctl,500,bash,gnome-terminal-server',
 'systemctl,500,snap,systemd',
 'systemctl,500,systemd,',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index bd31aba..40b57db 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
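Review bot: In the unexpected-listening-port-linux.sql hunk, the two new `cups-browsed` keys `'631,17,133,cups-browsed'` and `'631,17,116,cups-browsed'` differ only in the third field, which the neighbouring `0`/`101`/`500` values suggest is a uid; if so this is a distribution-assigned system account that will take yet another number on the next host and reproduce the same false positive — if the key builder (outside the hunk) permits it, a uid-independent exception for this daemon would be more durable than enumerating uids one at a time, so worth confirming. The three additions are also interleaved with the unrelated `8443,...` entries and split apart from `'547,17,500,dnsmasq'`; grouping the cups-browsed lines together and the two dnsmasq lines together keeps the list reviewable. The `IN (...)` list continues outside the hunk.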
@@ -101,6 +101,7 @@ WHERE
 'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
 'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.pure-dodo,,0755',
 'canonical-livep,/snap/canonical-livepatch/__VERSION__/canonical-livepatchd,0,system.slice,snap.canonical-livepatch.canonical-livepatchd.service,0755',
+ 'dirmngr,/usr/bin/dirmngr,0,system.slice,system-dirmngr.slice,0755',
 'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
 'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
 'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
@@ -122,6 +123,9 @@ WHERE
 'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
 'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
 'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
+ 'networkd-dispat,/usr/bin/python3.12,0,system.slice,networkd-dispatcher.service,0755',
+ 'unattended-upgr,/usr/bin/python3.12,0,system.slice,unattended-upgrades.service,0755',
+ 'unattended-upgr,/usr/bin/python3.12,0,system.slice,unattended-upgrades.service,0755',
 'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
 'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
 'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
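Review bot: The two added `'unattended-upgr,/usr/bin/python3.12,0,system.slice,unattended-upgrades.service,0755'` lines in the `@@ -122,6 +123,9 @@` hunk are byte-identical, so one is a duplicate and should be dropped. That entry and the `networkd-dispat` one also pin the interpreter path `/usr/bin/python3.12`, whereas the `canonical-livep` key in the first hunk uses a `__VERSION__` placeholder for its versioned path component; if the key builder normalizes version strings in the path (it is outside the hunk, so this is unconfirmed), the same placeholder would stop these two exceptions from silently expiring at the next interpreter bump, and if it only normalizes whole path segments then a comment noting the expiry would help the next maintainer. Both `IN (...)` lists continue outside their hunks.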