From 8e9ae0fda309c10e48f42872d8006e64389e12bd Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 20 Jan 2023 08:40:08 -0500
Subject: [PATCH] Less false positives: particularly among systemctl calls
---
.../c2/unexpected-https-client-linux.sql | 7 ++++---
.../unexpected-netutil-calls-macos.sql | 4 ++--
detection/evasion/hidden-cwd.sql | 2 +-
detection/evasion/name_path_mismatch.sql | 1 +
detection/evasion/old-binaries-running.sql | 7 +++++--
.../unexpected-hidden-system-paths.sql | 1 +
.../unexpected-tmp-executables-linux.sql | 3 +++
.../execution/sketchy-fetcher-events.sql | 2 +-
...ected-security-framework-program-macos.sql | 2 ++
.../unexpected-xattr-calls-macos.sql | 6 +++++-
.../unexpected-diskimage-source-macos.sql | 1 +
.../unexpected-shell-parents.sql | 1 +
.../unexpected-systemctl-calls.sql | 17 ++++++++++++---
.../unexpected-uid0-daemon-linux.sql | 21 +++++++++++--------
...lly-long-uptime-likely-missing-patches.sql | 2 +-
15 files changed, 54 insertions(+), 23 deletions(-)
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 3316d34..94b07fd 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -114,8 +114,10 @@ WHERE
 '500,/home/ko,500u,500g,ko',
 '500,/home/krel,500u,500g,krel',
 '500,/home/mconvert,500u,500g,mconvert',
+ '500,/home/Melvor Idle,500u,500g,exe',
 '500,/home/nerdctl,500u,500g,nerdctl',
 '500,/home/promoter,500u,500g,promoter',
+ '500,/home/publish-release,500u,500g,publish-release',
 '500,/home/python3,500u,500g,python3',
 '500,/home/slirp4netns,500u,500g,slirp4netns',
 '500,/home/steam,500u,100g,steam',
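Review bot: The added exception `'500,/home/Melvor Idle,500u,500g,exe'` allow-lists a program whose name is simply `exe` under a user-writable home path, which is a far weaker match than the neighbouring keys (`trivy`, `publish-release`) because `exe` is a generic name any dropped binary could carry. If the key format cannot carry more of the path, a comment recording the legitimate origin would let a later reviewer judge whether it can be narrowed, e.g. `-- 'exe' is Melvor Idle's own binary name; revisit if the key format gains a fuller path`. The enclosing WHERE / NOT IN list starts and ends outside the hunk.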
@@ -123,6 +125,7 @@ WHERE
 '500,/home/steamwebhelper,500u,100g,steamwebhelper',
 '500,/home/steamwebhelper,500u,500g,steamwebhelper',
 '500,/home/terraform,500u,500g,terraform',
+ '500,/home/trivy,500u,500g,trivy',
 '500,/home/WPILibInstaller,500u,500g,WPILibInstaller',
 '500,/ko-app/chainctl,u,g,chainctl',
 '500,/ko-app/controller,u,g,controller',
@@ -185,6 +188,7 @@ WHERE
 '500,/usr/go,u,g,go',
 '500,/usr/grype,0u,0g,grype',
 '500,/usr/gsd-datetime,0u,0g,gsd-datetime',
+ '500,/usr/gvfsd-google,0u,0g,gvfsd-google',
 '500,/usr/gvfsd-http,0u,0g,gvfsd-http',
 '500,/usr/htop,0u,0g,htop',
 '500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',
@@ -192,14 +196,11 @@ WHERE
 '500,/usr/java,u,g,java',
 '500,/usr/kbfsfuse,0u,0g,kbfsfuse',
 '500,/usr/keybase,0u,0g,keybase',
- '500,/home/trivy,500u,500g,trivy',
 '500,/usr/ko,u,g,ko',
- '500,/usr/gvfsd-google,0u,0g,gvfsd-google',
 '500,/usr/kubectl,500u,500g,kubectl',
 '500,/usr/lens,0u,0g,lens',
 '500,/usr/melange,u,g,melange',
 '500,/usr/nautilus,0u,0g,nautilus',
- '500,/home/Melvor Idle,500u,500g,exe',
 '500,/usr/nix,0u,0g,nix',
 '500,/usr/node,0u,0g,node',
 '500,/usr/node,0u,0g,.node2nix-wrapp',
diff --git a/detection/discovery/unexpected-netutil-calls-macos.sql b/detection/discovery/unexpected-netutil-calls-macos.sql
index d8e3d79..01dcfe7 100644
--- a/detection/discovery/unexpected-netutil-calls-macos.sql
+++ b/detection/discovery/unexpected-netutil-calls-macos.sql
@@ -5,7 +5,7 @@
 --
 -- tags: transient process state often
 -- platform: linux
--- interval: 900
+-- interval: 600
 SELECT
 pe.path AS child_path,
 REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
@@ -67,7 +67,7 @@ WHERE
 '/usr/libexec/ApplicationFirewall/socketfilterfw'
 )
 AND uptime.total_seconds > 30
- AND pe.time > (strftime('%s', 'now') -900) -- Ignore partial table joins
+ AND pe.time > (strftime('%s', 'now') -600) -- Ignore partial table joins
 AND pe.status == 0
 AND NOT (
 pe.euid > 500
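Review bot: The header still reads `-- platform: linux` in a file whose name and exception list (`/usr/libexec/ApplicationFirewall/socketfilterfw` in the next hunk) are macOS-specific; if this header drives where the query is scheduled, the new 600-second interval is being tuned for a platform the query is not meant for, and the value the repo's other `-macos.sql` files use is presumably intended — worth confirming. The `-600` literal in the second hunk has to equal the header's `interval: 600`, but nothing in the file says so; a comment such as `-- keep equal to 'interval' above; a wider or narrower window double-reports or drops events` would stop the two from drifting. The same pair is changed in detection/persistence/unexpected-systemctl-calls.sql (`interval: 300`, `-300`), where the window shrinks from 29000 to 300 seconds, so any scheduling delay longer than that silently loses events if the query re-reads the full event table each run. The enclosing SELECT and WHERE clauses continue outside both hunks.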
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index af3e1d6..c38c4bc 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -107,7 +107,7 @@ WHERE
 OR dir LIKE '~/.%'
 OR dir LIKE '~/code/%'
 OR dir LIKE '~/%/.config/nvim'
- OR dir LIKE '~/dev/%/dots/%/.config/%'
+ OR dir LIKE '~/dev/%/dots/%/.config%'
 OR dir LIKE '~/%/.git'
 OR dir LIKE '~/%/.github%'
 OR dir LIKE '~/%/github.com/%'
diff --git a/detection/evasion/name_path_mismatch.sql b/detection/evasion/name_path_mismatch.sql
index 83c7807..eebddd2 100644
--- a/detection/evasion/name_path_mismatch.sql
+++ b/detection/evasion/name_path_mismatch.sql
@@ -63,6 +63,7 @@ WHERE
 'name=file,file=firefox,500',
 'name=firefox-wrappe,file=firefox,500',
 'name=firewalld,file=python3,0',
+ 'name=apt,file=dash,0',
 'name=gimp,file=gimp-2,500',
 'name=gjs,file=gjs-console,120',
 'name=gjs,file=gjs-console,42',
diff --git a/detection/evasion/old-binaries-running.sql b/detection/evasion/old-binaries-running.sql
index 4d68407..b9b797c 100644
--- a/detection/evasion/old-binaries-running.sql
+++ b/detection/evasion/old-binaries-running.sql
@@ -30,7 +30,8 @@ WHERE (
 ctime_age_days > 1050
 OR mtime_age_days > 1050
 )
- AND f.mtime > 1
+ -- Jan 1st, 1980 (the source of many false positives)
+ AND f.mtime > 315561600
 AND f.path NOT LIKE '/home/%/idea-IU-223.8214.52/%'
 AND f.path NOT IN (
 '/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
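Review bot: Dropping the trailing slash makes `'~/dev/%/dots/%/.config%'` match any directory whose name merely begins with `.config` (`.configs`, `.config-old`, …), not only `.config` and its children. If the intent is to also cover the `.config` directory itself, the tighter form is the original `OR dir LIKE '~/dev/%/dots/%/.config/%'` plus `OR dir LIKE '~/dev/%/dots/%/.config'`. The enclosing OR chain continues outside the hunk.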
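Review bot: `'name=apt,file=dash,0'` exempts a root process named `apt` whose backing file is `dash`, which is exactly the name/path mismatch shape this query exists to surface, and the key carries no path that would pin it to a specific script. A comment recording the legitimate producer that was observed (presumably one of apt's shell-script helpers — verify before stating it) would let a later reviewer decide whether the exception can be narrowed, e.g. `-- apt: observed from <legitimate-script-path>; shell wrapper inherits the name`. The enclosing NOT IN list starts and ends outside the hunk.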
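Review bot: The comment on the new threshold says `Jan 1st, 1980`, but 315561600 is 1980-01-01T08:00:00Z; midnight UTC on that date is 315532800, so the constant looks like it was computed in a UTC-8 local zone. Either value serves as a floor, but the comment should state the exact instant so the next reader does not have to recompute it, e.g. `-- 315561600 = 1980-01-01T08:00:00Z (Jan 1st, 1980 in a UTC-8 zone); mtimes at or below this are a known false-positive source`. The enclosing WHERE block continues outside the hunk.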
@@ -44,6 +45,7 @@ WHERE (
 '/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
 '/opt/homebrew/Cellar/bash/5.1.16/bin/bash',
 '/snap/brackets/138/opt/brackets/Brackets',
+ '/Applications/Pandora.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler',
 '/snap/brackets/138/opt/brackets/Brackets-node',
 '/Applications/Emacs.app/Contents/MacOS/Emacs-x86_64-10_14',
 '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
@@ -54,7 +56,8 @@ WHERE (
 'BluejeansHelper',
 'J8RPQ294UB.com.skitch.SkitchHelper',
 'Pandora',
- 'Pandora Helper'
+ 'Pandora Helper',
+ 'dlv'
 ) GROUP BY p.pid, p.path
\ No newline at end of file
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index 4a9b418..8a4cbbd 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -92,6 +92,7 @@ WHERE (
 '/var/.Parallels_swap/',
 '/var/.pwd_cache',
 '/var/root/.bash_history',
+ '/tmp/.go_version',
 '/var/root/.cache/',
 '/var/root/.CFUserTextEncoding',
 '/var/root/.forward',
diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql
index 1bc7074..059db9d 100644
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
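Review bot: `'/tmp/.go_version'` is the only entry in this list under a world-writable directory; an exact-path exception there is weaker than the `/var/root/...` entries around it, because any local user can create a hidden file of that name and it is then excluded without further checks. If the query exposes the file's owner, conditioning the exception on it (root-owned, or the expected uid) would restore the protection; otherwise a comment such as `-- created by <tool>; parent is world-writable, so this exception is path-only` records the trade-off. The enclosing NOT IN list starts and ends outside the hunk.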
@@ -49,12 +49,15 @@ WHERE (
 OR file.path LIKE '/tmp/%/git/%'
 OR file.path LIKE '/tmp/%/ci/%'
 OR file.path LIKE '/tmp/kots/%'
+ OR file.path LIKE '/tmp/bin/%'
+ OR file.path LIKE '/tmp/%/github/%'
 OR file.path LIKE '/tmp/terraformer/%'
 OR file.path LIKE '/tmp/tmp.%'
 OR file.path LIKE '/tmp/%/dist/%'
 OR file.path LIKE '%/bin/%-gen'
 OR file.path LIKE '/tmp/%/target/debug/build/%'
 OR file.path LIKE '%/ko/%'
+ OR file.directory LIKE '/tmp/%/out'
 OR file.path LIKE '%/pdf-tools/%'
 OR file.path LIKE '%/tmp/epdf%'
 OR file.path LIKE "/tmp/%/gradlew"
diff --git a/detection/execution/sketchy-fetcher-events.sql b/detection/execution/sketchy-fetcher-events.sql
index a4ab50b..ee22dfe 100644
--- a/detection/execution/sketchy-fetcher-events.sql
+++ b/detection/execution/sketchy-fetcher-events.sql
@@ -11,7 +11,7 @@ SELECT
 pe.pid,
 pe.cmdline,
 REGEX_MATCH (pe.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
- REGEX_MATCH (pe.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
+ REGEX_MATCH (pe.cmdline, '[ /](\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
 REGEX_MATCH (pe.cmdline, ':(\d+)', 1) AS port,
 REGEX_MATCH (pe.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
 REGEX_MATCH (pe.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index d365147..a15e265 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -47,6 +47,7 @@ WHERE
 '500,bufls,a.out,',
 '500,.cargo-wrapped,.cargo-wrapped,',
 '500,cloud_sql_proxy,a.out,',
+ '500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
 '500,cosign,a.out,',
 '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
 '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
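Review bot: `OR file.path LIKE '/tmp/bin/%'` exempts an entire top-level directory under world-writable `/tmp`, which is the broadest pattern added here, and nothing records which tool populates it. Naming that tool in a comment (`-- /tmp/bin: populated by <tool>`) and, where the query exposes it, also requiring the expected file owner would keep the exception from covering anything any local user drops there. The new `file.directory` predicate is the only one in this list that is not on `file.path`; a short comment on that line saying it is deliberate would save a reader from reading it as a typo. The enclosing OR chain starts and ends outside the hunk.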
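Review bot: The new `ip` pattern `'[ /](\d+\.\d+\.\d+\.\d+)[:/]'` still requires a `:` or `/` after the address, so a command line that ends in a bare address (a constructed example: `curl http://10.0.0.1`) leaves `ip` NULL, and `addr` on the line below has the same trailing requirement. The `\b` already used in the `url` pattern two lines up accepts end-of-string as well: `REGEX_MATCH (pe.cmdline, '[ /](\d+\.\d+\.\d+\.\d+)\b', 1) AS ip,`. The leading `[ /]` also skips an address that directly follows `=` or `@`; whether those forms matter depends on the predicates that consume `ip`, which are outside the hunk.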
@@ -71,6 +72,7 @@ WHERE
 '500,registry-redirect,a.out,',
 '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
 '500,scdaemon,scdaemon,',
+ '500,sdaudioswitch,,',
 '500,sdaudioswitch,sdaudioswitch,',
 '500,sdzoomplugin,,',
 '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
diff --git a/detection/execution/unexpected-xattr-calls-macos.sql b/detection/execution/unexpected-xattr-calls-macos.sql
index 1aff748..e1ef406 100644
--- a/detection/execution/unexpected-xattr-calls-macos.sql
+++ b/detection/execution/unexpected-xattr-calls-macos.sql
@@ -65,10 +65,14 @@ WHERE pe.path = '/usr/bin/xattr'
 pe.euid > 500
 AND cmd LIKE '%xattr -l %'
 )
+ AND NOT (
+ pe.euid > 500
+ AND cmd LIKE '%xattr -p com.apple.quarantine %'
+ )
 AND NOT (
 pe.euid > 500
 AND cmd = '/usr/bin/xattr -h'
- AND parent_cmd LIKE '%/opt/homebrew/bin/brew%'
+ AND parent_cmd LIKE '%homebrew%'
 )
 AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%'
 AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index 2925b65..d38eaaa 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -122,6 +122,7 @@ WHERE
 'discord.com',
 'dl.discordapp.net',
 'obsproject.com',
+ 'getkap.co',
 'www.messenger.com',
 'brave.com',
 'emacsformacosx.com',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index b7035bc..bcccb49 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -74,6 +74,7 @@ WHERE
 'make',
 'monorail',
 'ninja',
+ 'update-notifier',
 'nix',
 'nix-build',
 'nix-daemon',
diff --git a/detection/persistence/unexpected-systemctl-calls.sql b/detection/persistence/unexpected-systemctl-calls.sql
index 21757d5..ce705d4 100644
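Review bot: `'500,sdaudioswitch,,'` sits next to the existing `'500,sdaudioswitch,sdaudioswitch,'`; if the last two fields are the signing identifier and authority, as the Slack entry suggests, the new key exempts an unsigned, unidentified binary by name alone, the weakest form this list admits (`'500,sdzoomplugin,,'` is the only other such entry). A comment recording why the unsigned variant is expected, e.g. `-- sdaudioswitch is also observed unsigned; revisit once it ships signed`, would let a later reviewer decide when to drop it. The key format is defined above the hunk, so the field meanings are inferred from the neighbouring entries.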
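Review bot: Widening `parent_cmd LIKE '%/opt/homebrew/bin/brew%'` to `'%homebrew%'` makes the `xattr -h` exception hold whenever that substring appears anywhere in the parent's command line, including as an argument, rather than only when the parent is the brew executable. Because `xattr -h` only prints usage the exposure is small, but if the goal is to cover a second install prefix, two anchored patterns (`'%/opt/homebrew/bin/brew%'` plus the other prefix's `bin/brew` path) keep the exception tied to the executable. The enclosing WHERE clause continues outside the hunk.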
--- a/detection/persistence/unexpected-systemctl-calls.sql
+++ b/detection/persistence/unexpected-systemctl-calls.sql
@@ -5,7 +5,7 @@
 --
 -- tags: transient process state often
 -- platform: linux
--- interval: 900
+-- interval: 300
 SELECT
 pe.path AS child_path,
 REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
@@ -66,11 +66,22 @@ WHERE
 '/bin/systemctl',
 '/sbin/systemctl'
 )
- AND pe.time > (strftime('%s', 'now') -29000) -- Ignore partial table joins
+ AND pe.time > (strftime('%s', 'now') -300) -- Ignore partial table joins
 AND NOT exception_key IN (
- 'systemctl,0,apt-helper,'
+ 'systemctl,0,apt-helper,',
+ 'systemctl,500,systemd,',
+ 'systemctl,0,dash,logrotate',
+ 'systemctl,0,,containerd-shim-runc-v2'
+ )
+ AND NOT child_cmd IN (
+ 'systemctl status kubelet',
+ 'systemctl stop kubelet',
+ '/sbin/runlevel'
 ) -- apt-helper form
 AND NOT child_cmd LIKE 'systemctl is-active -q %.service'
+ AND NOT child_cmd LIKE 'systemctl show --property=%'
+ AND NOT child_cmd LIKE 'systemctl % snap-kubectl-%.mount'
+ GROUP BY pe.pid
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 4c418ca..b387487 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
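Review bot: `AND NOT child_cmd LIKE 'systemctl % snap-kubectl-%.mount'` puts the wildcard in the verb position, so `enable`, `mask`, `edit` or any other subcommand against those mount units is now exempt from a persistence detection; spelling out the verbs actually observed, one line each such as `AND NOT child_cmd LIKE 'systemctl start snap-kubectl-%.mount'`, keeps the exception to the benign forms. In the same hunk `'systemctl,500,systemd,'` exempts every systemctl a user's systemd spawns and `'systemctl,0,,containerd-shim-runc-v2'` carries an empty parent field, if the fields are child, euid, parent and grandparent as the logrotate entry suggests; a one-line comment on each naming the legitimate activity behind it would help the next reviewer. The `-- apt-helper form` comment now trails a list it no longer describes and should move up to the apt-helper key itself. The exception_key expression and the tail of the query sit outside what the hunk shows.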
@@ -136,17 +136,20 @@ WHERE
 ) -- Because I don't want to whitelist all of Python3
 AND p.cmdline NOT IN (
- 'xargs logger -s',
- '/usr/bin/xargs',
- '/usr/bin/python3 /usr/sbin/lvmdbusd',
+ '/bin/sh /usr/lib/apt/apt.systemd.daily lock_is_held',
+ '/sbin/init splash',
+ '/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid',
 '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid',
- '/usr/bin/python /usr/bin/firewalld --nofork --nopid',
- '/usr/bin/python3 /usr/libexec/blueman-mechanism',
- '/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
- '/usr/bin/python3 /usr/lib/pop-transition/service.py',
- '/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
 '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers',
- '/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid'
+ '/usr/bin/python3 /usr/bin/unattended-upgrade --download-only',
+ '/usr/bin/python3 /usr/libexec/blueman-mechanism',
+ '/usr/bin/python3 /usr/lib/pop-transition/service.py',
+ '/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
+ '/usr/bin/python3 /usr/sbin/lvmdbusd',
+ '/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
+ '/usr/bin/python /usr/bin/firewalld --nofork --nopid',
+ '/usr/bin/xargs',
+ 'xargs logger -s'
 )
 AND NOT p.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'
 AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'
diff --git a/policy/unusually-long-uptime-likely-missing-patches.sql b/policy/unusually-long-uptime-likely-missing-patches.sql
index 56511c9..88d0450 100644
--- a/policy/unusually-long-uptime-likely-missing-patches.sql
+++ b/policy/unusually-long-uptime-likely-missing-patches.sql
@@ -12,4 +12,4 @@ FROM os_version, uptime WHERE
- uptime.days > 90;
+ uptime.days > 89;
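Review bot: The list now opens with `/bin/sh ...`, `/sbin/init splash` and the `monitorix` entry, so the comment directly above it, `-- Because I don't want to whitelist all of Python3`, no longer describes what the list holds and reads as if only python3 command lines belong there. A comment covering both purposes, e.g. `-- Exact command lines expected as uid 0 daemons (kept exact so we never exempt all of python3)`, would match the sorted list the commit produces. The enclosing WHERE clause starts and ends outside the hunk.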
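Review bot: `uptime.days > 89` states a 90-day threshold as an off-by-one, which a reader has to reverse; if `uptime.days` is an integer, `uptime.days >= 90;` is the same predicate and says what is meant. The SELECT list and the purpose comment for the 90-day figure are outside the hunk.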