From 8e3d6a1614861d010f476febe0b7d00a66c94ec4 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 18 Nov 2022 10:27:43 -0500
Subject: [PATCH] False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc
---
 .../c2/unexpected-https-client-linux.sql | 4 +++
 detection/c2/unexpected-talkers-linux.sql | 2 ++
 .../discovery/unexpected-pcap-user-linux.sql | 11 ++++---
 .../discovery/unexpected-pcap-user-macos.sql | 10 +++---
 .../evasion/empty_root_environ_macos.sql | 3 +-
 detection/evasion/hidden-executable.sql | 9 ++++--
 .../evasion/touched-executable-macos.sql | 3 +-
 .../evasion/unexpected-etc-executables.sql | 1 +
 .../evasion/unexpected-tmp-executables.sql | 3 +-
 .../execution/exotic-command-events-linux.sql | 7 ++++-
 .../execution/exotic-command-events-macos.sql | 31 ++++++++++++-------
 .../recently-created-executables-linux.sql | 1 +
 .../unexpected-execdir-events-macos.sql | 3 +-
 .../execution/unexpected-execdir-linux.sql | 2 +-
 .../execution/unexpected-execdir-macos.sql | 1 +
 .../unexpected-chrome-extensions.sql | 1 +
 .../persistence/unexpected-cron-entries.sql | 1 +
 .../unexpected-listening-port-linux.sql | 2 +-
 .../unexpected-listening-port-macos.sql | 5 ++-
 .../unexpected-uid0-daemon-linux.sql | 2 +-
 .../unexpected-privileged-containers.sql | 1 +
 21 files changed, 70 insertions(+), 33 deletions(-)
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 3df79f9..88d3f1c 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -131,6 +131,7 @@ WHERE
 '500,/usr/cosign,500u,500g,cosign',
 '500,/usr/curl,0u,0g,curl',
 '500,/usr/electron,0u,0g,electron',
+ '500,/usr/evolution-addressbook-factory,0u,0g,evolution-addre',
 '500,/usr/evolution-calendar-factory,0u,0g,evolution-calen',
 '500,/usr/firefox,0u,0g,firefox',
 '500,/usr/firefox,0u,0g,.firefox-wrappe',
@@ -158,6 +159,7 @@ WHERE
 '500,/usr/lens,0u,0g,lens',
 '500,/usr/nautilus,0u,0g,nautilus',
 '500,/usr/obs,0u,0g,obs',
+ '500,/usr/python3,0u,0g,python3',
 '500,/usr/reporter-ureport,0u,0g,reporter-urepor',
 '500,/usr/rpi-imager,0u,0g,rpi-imager',
 '500,/usr/signal-desktop,0u,0g,signal-desktop',
@@ -167,6 +169,7 @@ WHERE
 '500,/usr/syncthing,0u,0g,syncthing',
 '500,/usr/teams,0u,0g,teams',
 '500,/usr/terraform,0u,0g,terraform',
+ '500,/usr/thunderbird,0u,0g,thunderbird',
 '500,/usr/trivy,0u,0g,trivy',
 '500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
 '500,/usr/xmobar,0u,0g,xmobar',
@@ -174,6 +177,7 @@ WHERE
 )
 -- Exceptions where we have to be more flexible for the process name
 AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'
+ AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm install %'
 AND NOT exception_key LIKE '500,%/terraform-provider-%,500u,500g,terraform-provi'
 -- stay weird, NixOS (Fastly nix mirror)
 AND NOT (
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index a4ebeb7..4cc2644 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -92,7 +92,9 @@ WHERE
 '27035,6,500,/home/steam,500u,100g,steam',
 '32768,6,0,/usr/tailscaled,0u,0g,tailscaled',
 '32768,6,500,/usr/ssh,0u,0g,ssh',
+ '22,6,500,/home/cargo,500u,500g,cargo',
 '3443,6,500,/opt/chrome,0u,0g,chrome',
+ '3478,6,500,/usr/chrome,0u,0g,chrome',
 '3478,6,500,/opt/chrome,0u,0g,chrome',
 '3478,6,500,/usr/firefox,0u,0g,firefox',
 '4070,6,500,/opt/spotify,0u,0g,spotify',
diff --git a/detection/discovery/unexpected-pcap-user-linux.sql b/detection/discovery/unexpected-pcap-user-linux.sql
index 4eddedb..6a711ba 100644
--- a/detection/discovery/unexpected-pcap-user-linux.sql
+++ b/detection/discovery/unexpected-pcap-user-linux.sql
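Review bot: The new exception key `'500,/usr/python3,0u,0g,python3'` in the first hunk exempts every HTTPS connection made by any python3 script run as uid 500 from a /usr-installed interpreter, which is far broader than the neighbouring entries that each name a single application. If the false positive came from one tool, a narrower exclusion on the command line, the way the `npm exec %` / `npm install %` LIKE rules later in this file do, keeps coverage for every other Python program; at minimum a comment naming the tool that triggered it records why a general-purpose interpreter is allowlisted.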
@@ -23,15 +23,16 @@ SELECT
 pp.cwd AS parent_cwd,
 pp.euid AS parent_euid,
 ph.sha256 AS parent_sha256
+ -- Using processes is much faster than process_memory_map
 FROM
- process_memory_map pmm
- LEFT JOIN processes p ON pmm.pid = p.pid
+ processes p
+ LEFT JOIN process_memory_map pmm ON p.pid = pmm.pid
 LEFT JOIN hash h ON p.path = h.path
 LEFT JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN hash AS ph ON pp.path = ph.path
 WHERE
- pmm.path LIKE '%libpcap%'
- AND p.euid = 0
+ p.euid = 0
+ AND pmm.path LIKE '%libpcap%'
 AND child_path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
 AND child_path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%'
 AND child_path NOT LIKE '/nix/store/%-systemd-%/bin/udevadm'
@@ -50,4 +51,4 @@ WHERE
 )
 AND child_cmd NOT LIKE '/usr/bin/python3 -s%/usr/sbin/firewalld%'
 GROUP BY
- pmm.pid
+ p.pid
diff --git a/detection/discovery/unexpected-pcap-user-macos.sql b/detection/discovery/unexpected-pcap-user-macos.sql
index 953a198..8d97d76 100644
--- a/detection/discovery/unexpected-pcap-user-macos.sql
+++ b/detection/discovery/unexpected-pcap-user-macos.sql
@@ -26,15 +26,17 @@ SELECT
 s.authority,
 s.identifier
 FROM
- process_memory_map pmm
+ processes p
+ LEFT JOIN process_memory_map pmm ON p.pid = pmm.pid
 LEFT JOIN processes p ON pmm.pid = p.pid
 LEFT JOIN hash h ON p.path = h.path
 LEFT JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN hash AS ph ON pp.path = ph.path
 LEFT JOIN signature s ON p.path = s.path
 WHERE
- pmm.path LIKE '%libpcap%'
- AND p.euid = 0 -- These are all protected directories
+ p.euid = 0
+ AND pmm.path LIKE '%libpcap%'
+ -- These are all protected directories
 AND child_path NOT LIKE '/System/%'
 AND child_path NOT LIKE '/usr/libexec/%'
 AND child_path NOT LIKE '/usr/sbin/%'
@@ -49,4 +51,4 @@ WHERE
 'Developer ID Application: Docker Inc (9BNSXJN65R)'
 )
 GROUP BY
- pmm.pid
+ p.pid
diff --git a/detection/evasion/empty_root_environ_macos.sql b/detection/evasion/empty_root_environ_macos.sql
index 80be8a4..e5b5af4 100644
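Review bot: In the Linux pcap hunk the new `LEFT JOIN process_memory_map pmm` is turned back into an inner join by `AND pmm.path LIKE '%libpcap%'` in WHERE (a NULL pmm.path never matches), so `INNER JOIN process_memory_map pmm ON p.pid = pmm.pid` states the intent and stops a reader from assuming processes without a mapping are kept. The `-- Using processes is much faster than process_memory_map` comment would also be more useful if it said why, presumably that driving from processes lets the pid constraint be pushed into process_memory_map instead of mapping every process; something like `-- Drive from processes so process_memory_map is queried per-pid rather than scanned` if that is the reason. The SELECT list and the remainder of WHERE continue outside the hunk.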
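Review bot: The macOS pcap hunk adds `FROM processes p` but keeps the old `LEFT JOIN processes p ON pmm.pid = p.pid` line as context, so alias `p` is declared twice and every `p.` reference in the query (`p.euid`, `p.path`, `p.parent`, the new `GROUP BY p.pid`) becomes ambiguous, or the duplicate alias is rejected outright; the Linux file in this same commit removes that line. Delete the surviving `LEFT JOIN processes p ON pmm.pid = p.pid` so the FROM clause matches unexpected-pcap-user-linux.sql, and as there, the `pmm.path` filter in WHERE makes the remaining LEFT JOIN effectively an INNER JOIN.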
--- a/detection/evasion/empty_root_environ_macos.sql +++ b/detection/evasion/empty_root_environ_macos.sql @@ -36,7 +36,8 @@ FROM LEFT JOIN hash ON p.path = hash.path LEFT JOIN signature ON p.path = signature.path WHERE - p.euid = 0 AND + p.euid = 0 + AND -- This time should match the interval p.start_time > (strftime('%s', 'now') - 601) -- Filter out transient processes that may not have an envs entry by the time we poll for it AND p.start_time < (strftime('%s', 'now') - 1) diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql index eba42ae..f8faa7d 100644 --- a/detection/evasion/hidden-executable.sql +++ b/detection/evasion/hidden-executable.sql @@ -26,6 +26,9 @@ FROM LEFT JOIN users u ON p.uid = u.uid LEFT JOIN hash ON p.path = hash.path WHERE - (p.name LIKE '.%' OR f.filename LIKE '.%') -AND NOT f.path LIKE '/nix/store/%/%-wrapped' -AND NOT p.name = '.firefox-wrappe' \ No newline at end of file + ( + p.name LIKE '.%' + OR f.filename LIKE '.%' + ) + AND NOT f.path LIKE '/nix/store/%/%-wrapped' + AND NOT p.name = '.firefox-wrappe' diff --git a/detection/evasion/touched-executable-macos.sql b/detection/evasion/touched-executable-macos.sql index 1322ced..ab59ea5 100644 --- a/detection/evasion/touched-executable-macos.sql +++ b/detection/evasion/touched-executable-macos.sql @@ -88,8 +88,7 @@ WHERE OR p.path LIKE '/Applications/%.app/Contents/MacOS/%' OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%' OR p.path LIKE '/opt/homebrew/Caskroom/%/bin/%' - OR p.path LIKE '/Users/%/google-cloud-sdk/bin/kubectl' - OR p.path LIKE '/Users/%/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin/%' + OR p.path LIKE '/Users/%/google-cloud-sdk/bin/%' ) ) AND NOT ( diff --git a/detection/evasion/unexpected-etc-executables.sql b/detection/evasion/unexpected-etc-executables.sql index c961580..24cc9cb 100644 --- a/detection/evasion/unexpected-etc-executables.sql +++ b/detection/evasion/unexpected-etc-executables.sql 
@@ -124,6 +124,7 @@ WHERE
 '/etc/update-motd.d',
 '/etc/vmware-tools',
 '/etc/vpnc',
+ '/etc/localtime',
 '/etc/wpa_supplicant',
 '/etc/X11',
 '/etc/X11/xinit',
diff --git a/detection/evasion/unexpected-tmp-executables.sql b/detection/evasion/unexpected-tmp-executables.sql
index 18516b0..d85a04b 100644
--- a/detection/evasion/unexpected-tmp-executables.sql
+++ b/detection/evasion/unexpected-tmp-executables.sql
@@ -94,7 +94,8 @@ WHERE
 AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS/'
 -- terraform
 AND NOT (
- uid > 500 AND file.path LIKE '/tmp/terraform_%/terraform'
+ uid > 500
+ AND file.path LIKE '/tmp/terraform_%/terraform'
 )
 AND NOT (
 file.path LIKE '/tmp/%compressed'
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index d27bfcf..8e30c00 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -24,6 +24,7 @@ SELECT
 p.euid,
 p.parent,
 p.syscall,
+ pp.cgroup_path,
 hash.sha256,
 pp.path AS parent_path,
 pp.name AS parent_name,
@@ -79,7 +80,10 @@ WHERE
 OR cmd LIKE '%systemctl stop firewalld%'
 OR cmd LIKE '%systemctl disable firewalld%'
 OR cmd LIKE '%pkill -f%'
- OR (cmd LIKE '%xargs kill -9%' AND p.euid=0)
+ OR (
+ cmd LIKE '%xargs kill -9%'
+ AND p.euid = 0
+ )
 OR cmd LIKE '%rm -f%/tmp%'
 OR cmd LIKE '%rm -rf /boot%'
 OR cmd LIKE '%nohup /bin/bash%'
@@ -149,3 +153,4 @@ WHERE
 AND NOT cmd LIKE 'rm -f /var/lib/update-notifier/tmp%'
 -- Invalid command from someones tmux environment
 AND NOT cmd LIKE 'pkill -f cut -c3%'
+ AND NOT cmd LIKE 'dirname %history'
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index 49e6f4c..5faae6e 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
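Review bot: The new exclusion `AND NOT cmd LIKE 'dirname %history'` (last hunk of exotic-command-events-linux.sql, and the identical line added to exotic-command-events-macos.sql further down) accepts any command line that starts with `dirname ` and ends in `history`, which is wider than the shell-history false positive it is presumably silencing. Because `cmd` is the whole command line, anchoring to the observed shape, for example `'dirname /home/%/.%history'` on Linux and `'dirname /Users/%/.%history'` on macOS, keeps the `%history` trigger intact for other callers. A one-line comment naming what ran it, as the neighbouring `-- Invalid command from someones tmux environment` does, would also help the next reader.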
@@ -76,11 +76,15 @@ WHERE
 OR cmd LIKE '%nohup%tmp%'
 OR cmd LIKE '%killall Terminal%'
 OR cmd LIKE '%iptables stop'
- OR cmd LIKE '%pkill -f%'
+ OR (
+ p.euid = 0
+ AND (
+ cmd LIKE '%pkill -f%'
+ OR cmd LIKE '%xargs kill -9%'
+ )
+ )
 OR cmd LIKE '%rm -f /var/tmp%'
- OR cmd LIKE '%rm -rf /boot%'
 OR cmd LIKE '%rm -f /tmp%'
- OR (cmd LIKE '%xargs kill -9%' AND p.euid=0)
 OR cmd LIKE '%nohup /bin/bash%'
 OR cmd LIKE '%history'
 OR cmd LIKE '%echo%|%base64 --decode %|%'
@@ -101,8 +105,11 @@ WHERE
 OR cmd LIKE '%SOCK_STREAM%'
 OR (
 cmd LIKE '%Socket.%'
- AND NOT basename IN ('compile', 'sed', 'mv')
+ AND NOT basename IN ('compile', 'sed', 'mv', 'cover')
 AND NOT cmd LIKE "%sys/socket.h%"
+ AND NOT cmd LIKE "%websocket%"
+ AND NOT cmd LIKE "%socket.go%"
+ AND NOT cmd LIKE "%socket.cpython%"
 )
 ) -- Things that could reasonably happen at boot.
 AND NOT (
@@ -115,17 +122,17 @@ WHERE
 )
 AND NOT (
 cmd IN (
- '/usr/bin/csrutil status',
- '/usr/bin/csrutil report',
+ '/bin/launchctl asuser 0 /bin/launchctl list',
 '/bin/launchctl list',
- 'launchctl list com.parallels.desktop.launchdaemon',
- 'launchctl list us.zoom.ZoomDaemon',
- 'sudo launchctl list us.zoom.ZoomDaemon',
 '/bin/launchctl list com.logi.optionsplus.update',
 '/bin/launchctl list homebrew.mxcl.yabai',
- 'xpcproxy com.apple.Safari.History',
+ 'launchctl list com.parallels.desktop.launchdaemon',
+ 'launchctl list us.zoom.ZoomDaemon',
 '/Library/Apple/System/Library/StagedFrameworks/Safari/SafariShared.framework/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History',
- '/bin/launchctl asuser 0 /bin/launchctl list'
+ 'sudo launchctl list us.zoom.ZoomDaemon',
+ '/usr/bin/csrutil report',
+ '/usr/bin/csrutil status',
+ 'xpcproxy com.apple.Safari.History'
 )
 -- The source of these commands is still a mystery to me.
 OR p.parent = -1
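Review bot: Moving `cmd LIKE '%pkill -f%'` under `p.euid = 0` in the first hunk drops detection of non-root `pkill -f` on macOS entirely, which the commit message does not mention and which the Linux file in this same commit does not do (there `pkill -f` still fires for any euid). If that is the intended trade-off, record it next to the predicate, e.g. `-- pkill -f is routine for interactive macOS users; only flag it when run as root`; otherwise keep `OR cmd LIKE '%pkill -f%'` unconditional and gate only `xargs kill -9` on euid as before. The enclosing OR-list starts before the hunk.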
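Review bot: The three new exclusions in the second hunk use double-quoted literals (`"%websocket%"`, `"%socket.go%"`, `"%socket.cpython%"`); in SQLite, which osquery uses, a double-quoted token is an identifier first and only falls back to a string when no such column exists, and builds compiled without the DQS compatibility option reject it outright. Every other pattern in these files uses single quotes, so write `AND NOT cmd LIKE '%websocket%'` and likewise for the other two; the pre-existing `"%sys/socket.h%"` context line has the same issue and could be fixed in the same pass.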
@@ -137,3 +144,5 @@ WHERE
 AND NOT cmd LIKE '/bin/cp %history%sessions/%'
 AND NOT cmd LIKE 'touch -r /tmp/KSInstallAction.%'
 AND NOT cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
+ AND NOT cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
+ AND NOT cmd LIKE 'dirname %history'
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index d882b58..634e898 100644
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@@ -56,6 +56,7 @@ WHERE
 '/usr/bin/docker',
 '/usr/bin/dockerd',
 '/usr/bin/docker-proxy',
+ '/usr/lib/flatpak-session-helper',
 '/usr/bin/gedit',
 '/usr/bin/gnome-keyring-daemon',
 '/usr/bin/kbfsfuse',
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index d123436..13995a6 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -116,6 +116,7 @@ WHERE
 AND top_homedir NOT IN (
 '~/Applications/',
 '~/bin/',
+ '~/.cargo/',
 '~/code/',
 '~/.config/',
 '~/go/',
@@ -123,8 +124,8 @@ WHERE
 '~/Library/',
 '~/.local/',
 '~/projects/',
- '~/src/',
 '~/.pyenv/',
+ '~/src/',
 '~/.tflint.d/',
 '~/.vscode/',
 '~/.vs-kubernetes/'
diff --git a/detection/execution/unexpected-execdir-linux.sql b/detection/execution/unexpected-execdir-linux.sql
index 0c27a40..ba99f05 100644
--- a/detection/execution/unexpected-execdir-linux.sql
+++ b/detection/execution/unexpected-execdir-linux.sql
@@ -73,4 +73,4 @@ WHERE
 dirname = ''
 AND p.name LIKE 'runc%'
 )
- AND p.path NOT LIKE '/tmp/terraform_%/terraform'
\ No newline at end of file
+ AND p.path NOT LIKE '/tmp/terraform_%/terraform'
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index cd28127..6454bf8 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -112,6 +112,7 @@ WHERE
 '~/.config/',
 '~/git/',
 '~/go/',
+ '~/.kuberlr/',
 '~/google-cloud-sdk/',
 '~/homebrew/',
 '~/Library/',
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index e211d88..8293f3d 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -69,6 +69,7 @@ WHERE
 'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, ',
 'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,, webNavigation, unlimitedStorage, notifications, activeTab, tabs, storage, *://*/*, history, bookmarks, contextMenus',
 'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, , contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
+ 'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, , contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
 'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb,tabs, contextMenus, storage, unlimitedStorage, clipboardRead, clipboardWrite, idle, http://*/*, https://*/*, webRequest, webRequestBlocking',
 'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo,https://*.bsstag.com/*, https://*.browserstack.com/*, , clipboardWrite, app.window, storage',
 'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, ',
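Review bot: The new AdBlock entry in the chrome-extensions hunk differs from the line directly above it only in the author field (`Adblock, Inc.` versus `BetaFish`) for the same extension id `gighmmpiobklfepjocnamgkkbiglidom` and the same permissions, so the exception now hinges on a free-text field the publisher sets rather than on anything that identifies the extension. A comment on the new line, e.g. `-- AdBlock changed its published author; same id and permissions as the BetaFish entry`, would stop a future cleanup from removing one of the near-duplicates; if the author keeps changing, an exception keyed on id plus permissions (where the query builds that key, outside this hunk) would be more durable.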
diff --git a/detection/persistence/unexpected-cron-entries.sql b/detection/persistence/unexpected-cron-entries.sql
index 87e75e9..b5b8df0 100644
--- a/detection/persistence/unexpected-cron-entries.sql
+++ b/detection/persistence/unexpected-cron-entries.sql
@@ -20,3 +20,4 @@ WHERE
 AND command NOT LIKE '%zfs-linux%'
 AND command NOT LIKE '%anacron start%'
 AND command NOT LIKE '%/usr/lib/php/sessionclean%'
+ AND command NOT LIKE 'root command -v debian-sa1%'
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 88aa0cb..ad2c89f 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -153,7 +153,7 @@ WHERE
 AND lp.port > 1024
 and lp.protocol = 6
 )
- -- Exclude processes running inside of Docker containers
+ -- Exclude processes running inside of Docker containers
 AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
 GROUP BY
 exception_key
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 2fa7d3b..7b11070 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -151,7 +151,10 @@ WHERE
 AND lp.protocol = 6
 )
 AND NOT (
- p.cwd LIKE '/Users/%/src/%'
+ (
+ p.cwd LIKE '/Users/%/src/%'
+ OR p.cwd LIKE '/Users/%/dev/%'
+ )
 AND p.cmdline LIKE './%'
 AND lp.port > 1024
 AND lp.protocol = 6
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 41a1c88..17cf230 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
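Review bot: The cron exclusion `AND command NOT LIKE 'root command -v debian-sa1%'` ends in a wildcard, so any cron.d line whose command begins with that prefix is exempt regardless of what follows the `&&`. The Debian sysstat entry this is presumably for is fixed text ending in `&& debian-sa1 1 1`, so anchoring more of it is cheap and keeps the exception specific, e.g. `AND command NOT LIKE 'root command -v debian-sa1 > /dev/null && debian-sa1%'`; a short comment (`-- Debian sysstat cron.d entry`) would also say where it comes from, as `%anacron start%` above it does not.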
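Review bot: In the macOS listening-port hunk `p.cwd LIKE '/Users/%/dev/%'` matches `dev` as any path segment anywhere under /Users, not just a top-level `~/dev` directory, because `%` spans `/`; the existing `src` pattern has the same looseness and `dev` is a more common intermediate segment. If the intent is the user's own project directory, the `top_homedir` style of anchoring that the execdir queries in this commit use would express it; otherwise a comment such as `-- cwd anywhere under a src/ or dev/ directory; ./binary on a high port is a local dev server` records that the breadth is accepted.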
@@ -139,4 +139,4 @@ WHERE
 AND p.path NOT LIKE '/nix/store/%/libexec/%'
 AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd'
 -- Exclude processes running inside of Docker containers
- AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
\ No newline at end of file
+ AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
diff --git a/detection/privesc/unexpected-privileged-containers.sql b/detection/privesc/unexpected-privileged-containers.sql
index 773e17a..7b12208 100644
--- a/detection/privesc/unexpected-privileged-containers.sql
+++ b/detection/privesc/unexpected-privileged-containers.sql
@@ -30,6 +30,7 @@ WHERE
 AND image NOT IN (
 'cgr.dev/chainguard/melange',
 'wolfi:test',
+ 'distroless.dev/melange',
 'distroless.dev/melange:latest'
 )
 AND command NOT LIKE '/usr/bin/melange build %'
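Review bot: The privileged-container exception keys only on the `image` string (`'distroless.dev/melange'` now joins the tagged entry), and that string is whatever the container was launched with, so the allowlist describes a name rather than the image that is actually running privileged; the separate `AND command NOT LIKE '/usr/bin/melange build %'` predicate means a matching image name alone, or a matching command alone, suppresses the alert. Combining the two so only melange-named images running melange build are exempt, `AND NOT (image IN (...) AND command LIKE '/usr/bin/melange build %')`, narrows it without changing the intended exception; if the `docker_containers` table this query presumably reads is used, its `image_id` column would let the melange exception pin a digest instead of a name. The WHERE clause begins before the hunk.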