diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 5bff212..0797556 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -159,6 +159,7 @@ WHERE
 '500,/usr/firefox,0u,0g,.firefox-wrappe',
 '500,/usr/firefox,0u,0g,Socket Process',
 '500,/usr/flameshot,0u,0g,flameshot',
+ '500,/usr/apko,u,g,apko',
 '500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
 '500,/usr/geoclue,0u,0g,geoclue',
 '500,/usr/git,0u,0g,git',
@@ -179,13 +180,17 @@ WHERE
 '500,/usr/kbfsfuse,0u,0g,kbfsfuse',
 '500,/usr/keybase,0u,0g,keybase',
 '500,/usr/ko,u,g,ko',
+ '500,/opt/python3,500u,500g,python3',
 '500,/usr/kubectl,500u,500g,kubectl',
 '500,/usr/lens,0u,0g,lens',
 '500,/usr/nautilus,0u,0g,nautilus',
+ '500,/usr/python3.10,0u,0g,python',
 '500,/usr/nix,0u,0g,nix',
 '500,/usr/node,0u,0g,node',
+ '500,/usr/python3.11,0u,0g,gnome-abrt',
 '500,/usr/obs,0u,0g,obs',
 '500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
+ '500,/opt/python3,500u,500g,python3',
 '500,/usr/pacman,0u,0g,pacman',
 '500,/usr/python3,0u,0g,python3',
 '500,/usr/python3.10,0u,0g,python3',
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 67611a8..e5e1aa3 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -18,6 +18,7 @@ SELECT
 pp.path AS parent_path,
 p.parent AS parent_pid,
 pp.cmdline AS parent_cmd,
+ p.cgroup_path,
 s.state,
 hash.sha256,
 -- This intentionally avoids file.path, as it won't join across mount namespaces
@@ -85,6 +86,7 @@ WHERE
 AND NOT exception_key IN (
 '123,17,114,/usr/chronyd,0u,0g,chronyd',
 '123,17,500,/usr/chronyd,0u,0g,chronyd',
+ '80,6,0,/usr/wget,0u,0g,wget',
 '143,6,500,/app/thunderbird,u,g,thunderbird',
 '143,6,500,/usr/thunderbird,0u,0g,thunderbird',
 '22000,6,500,/usr/syncthing,0u,0g,syncthing',
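Review bot: `'500,/usr/apko,u,g,apko'` is inserted between the flameshot and flatpak entries although the surrounding list is alphabetical; the same out-of-order placement applies to the three python entries in the next hunk of this file (@@ -179), `'/etc/smartmontools'` in unexpected-etc-executables.sql, `'/usr/lib/tracker-extract-3'` in recently-created-executables-linux.sql, the chsh/chfn entries in unexpected-setuid-binaries.sql, `'chainctl'` and `'docker-credential-gcr'` in unexpected-shell-parent-events.sql, and `'dnf'` and `'/usr/bin/dirname'` in unexpected-shell-parents.sql. Keeping these lists sorted makes duplicates visible at review time and keeps later merges conflict-free. The bare `u,g` owner fields differ from the `0u,0g` used by the neighbouring keys; this matches the existing `/usr/ko` entry so it looks deliberate, but a trailing comment stating what produces that form would help the next reader.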
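Review bot: `'500,/opt/python3,500u,500g,python3'` is added twice in this hunk, once after the `/usr/ko` entry and again after `/usr/obs-ffmpeg-mux`; the second copy is redundant in an IN list and should be dropped. `'500,/usr/python3.11,0u,0g,gnome-abrt'` pairs an interpreter path with a process name that does not match it; if that is the intended key for a Python-based tool, a trailing comment naming the tool would stop the entry from being pruned later as a typo.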
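Review bot: `'80,6,0,/usr/wget,0u,0g,wget'` exempts every plaintext HTTP connection made by root's wget, which is close to the generic behaviour this query exists to surface, and the key carries no remote endpoint, so the exception is not tied to whichever job motivated it. If a known system task is the source, a trailing comment naming it would record the risk accepted; if the exception key can be built from socket fields (the `s.` alias selected above suggests they are available, but its definition is outside the hunk), a key that includes the destination would preserve the detection for everything else.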
@@ -92,6 +94,7 @@ WHERE
 '22,6,0,/usr/tailscaled,0u,0g,tailscaled',
 '22,6,500,/home/cargo,500u,500g,cargo',
 '22,6,500,/usr/cargo,0u,0g,cargo',
+ '80,6,500,/home/mconvert,500u,500g,mconvert',
 '22,6,500,/usr/ssh,0u,0g,ssh',
 '27034,6,500,/home/steam,500u,100g,steam',
 '27035,6,500,/home/steam,500u,100g,steam',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 6483e9a..9555a23 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -163,6 +163,7 @@ WHERE
 '443,6,500,,,',
 '443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
 '443,6,500,bash,bash,',
+ '443,6,500,bom,,',
 '443,6,500,chainctl,,',
 '443,6,500,chainctl,a.out,',
 '443,6,500,chainctl,chainctl,',
@@ -172,6 +173,7 @@ WHERE
 '443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '443,6,500,com.docker.backend,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
+ '443,6,500,com.docker.extensions,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '443,6,500,cosign,,',
 '443,6,500,cosign,a.out,',
 '443,6,500,cosign,cosign,',
@@ -182,6 +184,7 @@ WHERE
 '443,6,500,curl,com.apple.curl,Software Signing',
 '443,6,500,darkfiles,a.out,',
 '443,6,500,docker-credential-gcr,a.out,',
+ '443,6,500,Docker Desktop Helper,com.electron.dockerdesktop.helper,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '443,6,500,emacs-28.2,emacs-28.2,',
 '443,6,500,Evernote Helper,,',
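Review bot: `'80,6,500,/home/mconvert,500u,500g,mconvert'` keys on `/home/mconvert`, and the neighbouring `/home/cargo` and `/home/steam` keys suggest the path is reduced to its top-level directory plus basename, so any user-owned binary named mconvert anywhere under /home talking plaintext HTTP would match. The query already selects `hash.sha256`, so consider whether a one-off local tool like this is better matched on its hash, or at least add a trailing comment saying what mconvert is. The entry is also filed among the port-22 keys rather than next to the `80,6,0` key added earlier in this file.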
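Review bot: `'443,6,500,bom,,'` is moved into sorted position, but its empty bundle-id and signing-authority fields mean any unsigned process that calls itself bom is exempted on 443, unlike the Docker entries in the following hunks that pin a Developer ID. This mirrors the existing `chainctl,,` and `cosign,,` keys, so it appears to be accepted practice for locally built tools; a trailing comment such as `-- unsigned local build` on these keys would make that trade-off visible in the list itself.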
@@ -258,8 +261,6 @@ WHERE
 '443,6,500,zsh,com.apple.zsh,Software Signing',
 '53,17,500,docker-credential-gcr,a.out,',
 '53,17,500,trivy,,',
- '443,6,500,bom,,',
- '443,6,500,Docker Desktop Helper,com.electron.dockerdesktop.helper,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '6000,6,500,ssh,,',
 '6000,6,500,ssh,com.apple.openssh,Software Signing',
 '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql
index e684550..7a0fb99 100644
--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@@ -40,6 +40,7 @@ WHERE
 'dnf',
 'systemd-udevd',
 'gdm-session-wor',
+ 'fprintd',
 'gpg-agent',
 'nginx',
 'sshd',
diff --git a/detection/evasion/executables-from-the-future.sql b/detection/evasion/executables-from-the-future.sql
index 8a276b7..b4e7c72 100644
--- a/detection/evasion/executables-from-the-future.sql
+++ b/detection/evasion/executables-from-the-future.sql
@@ -19,9 +19,9 @@ SELECT
 f.btime,
 f.mtime,
 p.start_time,
- f.mtime > strftime('%s', 'now') AS mtime_newer,
- f.ctime > strftime('%s', 'now') AS ctime_newer,
- f.btime > strftime('%s', 'now') AS btime_newer,
+ f.mtime > (strftime('%s', 'now') + 43200) AS mtime_newer,
+ f.ctime > (strftime('%s', 'now') + 43200) AS ctime_newer,
+ f.btime > (strftime('%s', 'now') + 43200) AS btime_newer,
 hash.sha256 AS child_hash256,
 pp.path AS parent_path,
 pp.cmdline AS parent_cmd,
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index b3cae04..2ddbec3 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -103,6 +103,7 @@ WHERE
 OR dir LIKE '~/.%'
 OR dir LIKE '~/%/.git'
 OR dir LIKE '~/code/%'
+ OR dir LIKE '/opt/homebrew/%/.cache/%'
 OR dir LIKE '~/%/.github%'
 OR dir LIKE '~/%/github.com/%'
 OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
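Review bot: `43200` is repeated in the three `*_newer` columns of executables-from-the-future.sql without saying what it is; a comment above the first, such as `-- 43200s (12h) of tolerance so clock skew does not make a file look "from the future"`, would document the unit and the reason, and moving the literal into one place would avoid the three copies drifting apart. The new tolerance also means a file whose mtime, ctime or btime is up to 12 hours ahead is no longer marked as newer, so any WHERE predicate that consumes these columns (outside this hunk) should be checked against the raised threshold. If the value was chosen to absorb a specific mislabelled-timezone case, the comment is the place to say so.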
diff --git a/detection/evasion/unexpected-etc-executables.sql b/detection/evasion/unexpected-etc-executables.sql
index 3b4a299..14e8173 100644
--- a/detection/evasion/unexpected-etc-executables.sql
+++ b/detection/evasion/unexpected-etc-executables.sql
@@ -80,6 +80,7 @@ WHERE
 '/etc/mcelog/triggers',
 '/etc/menu-methods',
 '/etc/network/if-down.d',
+ '/etc/smartmontools',
 '/etc/network/if-post-down.d',
 '/etc/network/if-pre-up.d',
 '/etc/network/if-up.d',
diff --git a/detection/evasion/unexpected-tmp-executables.sql b/detection/evasion/unexpected-tmp-executables.sql
index 660088f..007d849 100644
--- a/detection/evasion/unexpected-tmp-executables.sql
+++ b/detection/evasion/unexpected-tmp-executables.sql
@@ -65,6 +65,16 @@ WHERE
 AND file.path LIKE '/tmp/%.py'
 AND file.uid > 500
 )
+ OR (
+ file.size < 50000
+ AND file.path LIKE '/tmp/%.pl'
+ AND file.uid > 500
+ )
+ OR (
+ file.size < 50000
+ AND file.path LIKE '/tmp/%.perl'
+ AND file.uid > 500
+ )
 )
 )
 -- Nix
 AND NOT (
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index 5e9ba2a..3ca7098 100644
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@@ -87,6 +87,7 @@ WHERE
 '/usr/libexec/snapd/snapd',
 '/usr/libexec/sssd/sssd_kcm',
 '/usr/libexec/tracker-extract-3',
+ '/usr/lib/tracker-extract-3',
 '/usr/libexec/tracker-miner-fs-3',
 '/usr/lib/flatpak-session-helper',
 '/usr/lib/fwupd/fwupd',
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index 8a37625..9a345c0 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -124,6 +124,7 @@ WHERE
 '~/Parallels/',
 '~/proj/',
 '~/projects/',
+ '~/.provisio/',
 '~/.pulumi/',
 '~/.pyenv/',
 '~/.rustup/',
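Review bot: The two new `OR (` blocks in unexpected-tmp-executables.sql repeat the `.py` block above them except for the extension, so the size cap and uid check are now copy-pasted three times; folding the extensions into a single block keeps those conditions in one place and makes the next extension a one-line change. Judging by the `-- Nix` / `AND NOT (` block that follows, this group is an exception list, which means small user-owned `.pl` and `.perl` files in /tmp are now excluded from the alert; a comment on the block naming the workflow that writes them would justify the widened exception. The enclosing `AND NOT (` begins outside the hunk.
```sql
      )
      -- … unchanged: the .py block above …
      OR (
        file.size < 50000
        AND (
          file.path LIKE '/tmp/%.pl'
          OR file.path LIKE '/tmp/%.perl'
        )
        AND file.uid > 500
      )
```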
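Review bot: `'~/.provisio/'` joins the IN list that the next hunk of unexpected-execdir-macos.sql (@@ -131) leaves without a visible closing parenthesis, since that hunk deletes the `)` after `'~/.vs-kubernetes/'` and goes straight to `-- Locally built executables` and `AND NOT (`. Whether the statement still balances depends on lines outside both hunks, so please confirm the query parses after this change; the events/parents fetcher files in this same commit add a `)` in the mirror-image position, which makes the deletion here worth a second look.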
@@ -131,7 +132,6 @@ WHERE
 '~/.tflint.d/',
 '~/.vscode/',
 '~/.vs-kubernetes/'
- )
 -- Locally built executables
 AND NOT (
diff --git a/detection/execution/unexpected-fetcher-parent-events.sql b/detection/execution/unexpected-fetcher-parent-events.sql
index 24aa43f..1ed8956 100644
--- a/detection/execution/unexpected-fetcher-parent-events.sql
+++ b/detection/execution/unexpected-fetcher-parent-events.sql
@@ -58,6 +58,8 @@ WHERE
 AND pe.time > (strftime('%s', 'now') -900) -- Ignore partial table joins
 AND NOT exception_key IN (
 'curl,0,nm-dispatcher,',
+ 'curl,0,nm-dispatcher,nm-dispatcher',
+ 'curl,500,bash,nix-daemon',
 'curl,500,bash,ShellLauncher',
 'curl,500,bash,zsh',
 'curl,500,env,env',
@@ -66,7 +68,9 @@ WHERE
 'curl,500,ShellLauncher,',
 'curl,500,ShellLauncher,login',
 'curl,500,zsh,login',
+ 'curl,500,zsh,sh',
 'wget,500,env,env'
+ )
 AND NOT (
 pe.euid > 500
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index 3015ece..0129c06 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -40,11 +40,20 @@ WHERE
 -- NOTE: The remainder of this query is synced with unexpected-fetcher-parent-events
 child_name IN ('curl', 'wget', 'ftp', 'tftp')
 -- And not a regular local user
 AND NOT exception_key IN (
+ 'curl,0,nm-dispatcher,',
+ 'curl,0,nm-dispatcher,nm-dispatcher',
+ 'curl,500,bash,nix-daemon',
+ 'curl,500,bash,ShellLauncher',
 'curl,500,bash,zsh',
 'curl,500,env,env',
 'curl,500,fish,gnome-terminal-',
+ 'curl,500,ruby,zsh',
+ 'curl,500,ShellLauncher,',
 'curl,500,ShellLauncher,login',
- 'curl,500,zsh,login'
+ 'curl,500,zsh,login',
+ 'curl,500,zsh,sh',
+ 'wget,500,env,env'
+ )
 AND NOT (
 p.euid > 500
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index 2301f40..645adbc 100644
--- a/detection/execution/unexpected-osascript-calls.sql
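Review bot: unexpected-fetcher-parents.sql carries the `-- NOTE: The remainder of this query is synced with unexpected-fetcher-parent-events` comment, yet after this commit its list contains `'curl,500,ruby,zsh'` while neither hunk of the events file (@@ -58 and @@ -66) adds it; unless that key sits in the two unshown lines between those hunks, the two lists have already drifted again and the NOTE is misleading. The `'curl,500,bash,nix-daemon'` key added to both files accepts any curl run from a bash under nix-daemon for uid 500 (reading the key as child, euid, parent, grandparent), so a trailing comment naming the build step that needs it would let a later reviewer decide when it can go. Both `AND NOT (` continuations end outside the hunks.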
+++ b/detection/execution/unexpected-osascript-calls.sql
@@ -68,10 +68,15 @@ WHERE pe.path IN ('/usr/bin/osascript', '/usr/bin/osacompile')
 OR cmd LIKE 'osascript openChrome.applescript http%://localhost%'
 OR cmd LIKE '/usr/bin/osascript /Users/%/Library/Caches/com.runningwithcrayons.Alfred/Workflow Scripts/%'
 OR cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %'
+ OR cmd LIKE '/usr/bin/osascript /Applications/Amazon Photos.app/Contents/Resources/quit_and_restart_app.scpt /Applications/Amazon Photos.app com.amazon.clouddrive.mac%'
 OR parent_cmd LIKE '%/bin/gcloud auth%login'
- OR parent_cmd LIKE '%/google-cloud-sdk/lib/gcloud.py auth login'
- OR parent_cmd LIKE '% /opt/homebrew/bin/jupyter-notebook'
+ OR parent_cmd LIKE '%/google-cloud-sdk/lib/gcloud.py auth%login'
+ OR parent_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
 OR parent_name IN ('yubikey-agent')
+ OR (
+ parent_authority = 'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM)'
+ AND cmd = 'osascript -ss'
+ )
 )
 )
 GROUP BY pe.pid
diff --git a/detection/execution/unexpected-setuid-binaries.sql b/detection/execution/unexpected-setuid-binaries.sql
index a846e4c..1ee3a3d 100644
--- a/detection/execution/unexpected-setuid-binaries.sql
+++ b/detection/execution/unexpected-setuid-binaries.sql
@@ -96,6 +96,10 @@ WHERE
 '/usr/sbin/readcd',
 '/usr/sbin/readom',
 '/usr/sbin/rscsi',
+ '/usr/bin/chsh',
+ '/usr/bin/chfn',
+ '/bin/chsh',
+ '/bin/chfn',
 '/usr/sbin/umount.nfs',
 '/usr/sbin/umount.nfs4',
 '/usr/sbin/userhelper',
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 6c6f8a5..37ae7f2 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -65,7 +65,9 @@ WHERE
 'docker-credential-desktop',
 'env',
 'erl_child_setup',
+ 'chainctl',
 'find',
+ 'docker-credential-gcr',
 'FinderSyncExtension',
 'fish',
 'git',
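Review bot: The new `parent_authority = 'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM)' AND cmd = 'osascript -ss'` exception is rightly pinned to a signer, but `osascript -ss` carries no script argument, so osascript reads the program from stdin and nothing in `cmd` shows what is executed; a comment above the `OR (` naming the application this signer ships would let the next reader judge whether the exception is still wanted. The loosened `auth%login` and `jupyter%notebook` patterns now also match any text between those words, which is presumably meant to absorb flags; a brief comment on why the exact forms were too narrow would keep someone from tightening them back. The enclosing `AND NOT (` begins outside the hunk.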
@@ -130,6 +132,7 @@ WHERE
 'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'
 )
 OR child_cmd LIKE '/bin/bash /usr/local/Homebrew/Library%'
+ OR child_cmd LIKE '/bin/sh %google-cloud-sdk/bin/docker-credential-gcloud get'
 OR gparent_cmd LIKE '/bin/bash /usr/local/bin/brew%'
 )
 GROUP BY
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 2f66367..d856ece 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -36,6 +36,7 @@ WHERE
 'alacritty',
 'bash',
 'build-script-build',
+ 'dnf',
 'chezmoi',
 'clang-11',
 'code',
@@ -103,6 +104,7 @@ WHERE
 '/Applications/Docker.app/Contents/MacOS/install',
 '/Applications/Docker.app/Contents/Resources/bin/docker-credential-desktop',
 '/bin/dash',
+ '/usr/bin/dirname',
 '/bin/sh',
 '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon',
 '/opt/X11/libexec/launchd_startx',
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 7bfd7db..2c507c4 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -51,6 +51,7 @@ WHERE
 AND enabled = 1
 AND exception_key NOT IN (
 'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,,background', -- TODO: Move to local exceptions list once osqtool supports them
+ 'false,juverm@chainguard.dev,auto-close-gitsign,,',
 'false,,Google Chat,chfbpgnooceecdoohagngmjnndbbaeip,', -- Deprecated Google Extension
 'false,,Google Chat,mdpkiolbdkhdjpekfbkbmhigcaggjagi,', -- Deprecated Google Extension
 'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk,', -- Deprecated Google Extension
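Review bot: `'/bin/sh %google-cloud-sdk/bin/docker-credential-gcloud get'` lets the `%` absorb the entire install prefix, so a shell script at any location whose path ends in `google-cloud-sdk/bin/docker-credential-gcloud` satisfies the exception. The neighbouring exceptions anchor on `/usr/local/Homebrew/` and `/usr/local/bin/brew`; if the SDK is only installed under a few known roots, listing those (for instance in the `~/%google-cloud-sdk` style hidden-cwd.sql already uses) keeps the exception as tight as its siblings. The enclosing `AND NOT (` begins outside the hunk.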
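Review bot: `'false,juverm@chainguard.dev,auto-close-gitsign,,'` leaves the extension-id field empty, so the exception matches on author and name alone, both of which are free-text manifest fields, whereas the Google entries below pin the 32-character id. If the id is intentionally omitted, say why in a trailing comment; otherwise fill it in so the exception is tied to one extension. The entry is also person-specific in the same way as the Chainguard On-Call one above it, so it deserves the same `-- TODO: Move to local exceptions list once osqtool supports them` marker.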
diff --git a/detection/privesc/unexpected-elevated-children-events_linux.sql b/detection/privesc/unexpected-elevated-children-events_linux.sql
index 65b4955..cf7c506 100644
--- a/detection/privesc/unexpected-elevated-children-events_linux.sql
+++ b/detection/privesc/unexpected-elevated-children-events_linux.sql
@@ -47,6 +47,7 @@ WHERE
 '/usr/bin/login',
 '/usr/bin/i3lock',
 '/usr/bin/sudo',
+ '/usr/bin/unix_chkpwd',
 '/usr/bin/gpgsm',
 '/usr/bin/gpgconf',
 '/usr/bin/gpg',