From 9b0ed09c8e3bf6e75a55b0ea79904e13611d250e Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Tue, 28 Mar 2023 16:25:26 -0400 Subject: [PATCH] fpr: xdg, docker, dbus, bpfilter_umh, docker, spotify, mage --- .../c2/unexpected-https-client-linux.sql | 4 + detection/c2/unexpected-talkers-linux.sql | 1 + .../unexpected-dev-opener-linux.sql | 1 + detection/evasion/hidden-cwd.sql | 35 ++++---- .../unexpected-hidden-system-paths.sql | 8 ++ .../unexpected-tmp-executables-linux.sql | 26 +++++- .../execution/exotic-command-events-macos.sql | 1 + .../unexpected-execdir-events-macos.sql | 89 ++++++++++--------- .../execution/unexpected-execdir-macos.sql | 1 + .../unexpected-diskimage-source-macos.sql | 1 + .../unexpected-shell-parents.sql | 1 + .../unexpected-uid0-daemon-linux.sql | 5 ++ .../unexpected-privilege-escalation_linux.sql | 7 +- 13 files changed, 115 insertions(+), 65 deletions(-)
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 12a8496..9476b0a 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -259,6 +259,10 @@ WHERE protocol IN (6, 17)
 AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
 AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
 AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi' -- stay weird, NixOS (Fastly nix mirror)
+ AND NOT (
+ p.path = '/usr/bin/mage'
+ AND p.cmdline LIKE '/home/%/.magefile/%'
+ )
 AND NOT (
 pp.cmdline = '/run/current-system/sw/bin/bash'
 AND p.path LIKE '/nix/store/%'
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 44b1658..96f2510 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
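Review bot: The new mage exception matches on `p.cmdline`, which is caller-supplied argv, so any process whose exe is `/usr/bin/mage` can exempt itself from this HTTPS-client check by carrying a `/home/<anything>/.magefile/...` argument, and nothing here restricts it to a non-root user the way the neighbouring `exception_key` patterns do with their `500u,500g` fields. Consider pinning the user as well (an `exception_key` pattern in the style of the lines above, or an euid test if the joined process table exposes one), and add a one-line comment on why mage's argv points into `~/.magefile` (presumably it execs the compiled magefile binary) so the exemption is understandable later. The surrounding WHERE clause continues outside the hunk on both sides.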
@@ -102,6 +102,7 @@ WHERE
 '3000,6,500,chrome,0u,0g,chrome',
 '32768,17,500,traceroute,0u,0g,traceroute',
 '32768,6,0,tailscaled,0u,0g,tailscaled',
+ '80,6,500,spotify,500u,500g,spotify',
 '32768,6,500,ssh,0u,0g,ssh',
 '3307,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
 '3443,6,500,chrome,0u,0g,chrome',
diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
index 08b76ca..c7ec18e 100644
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -162,6 +162,7 @@ WHERE
 )
 AND NOT path_exception IN (
 '/dev/autofs,systemd',
+ '/dev/video,guvcview',
 '/dev/cpu/0/msr,nvidia-powerd',
 '/dev/fb,Xorg',
 '/dev/hidraw,chrome',
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index 03c2a2b..2c61591 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
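Review bot: The new `'80,6,500,spotify,500u,500g,spotify'` row is dropped between the `32768,...` rows, but the visible neighbours (`3000`, `32768`, `3307`, `3443`) are in lexical order, so the list's sort is broken and the next reader scanning for port-80 entries will miss it; move it to where `'80,...'` sorts. Since this whitelists cleartext port 80 for a process identified only by name and uid, a trailing comment on what was observed (e.g. `-- spotify access points speak plain HTTP on :80`, if that is what it was) would help whoever audits this list later.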
@@ -133,29 +133,30 @@ WHERE
 '~/.zsh'
 )
 OR top_dir IN ('~/Sync')
- OR dir LIKE '~/.%'
- OR dir LIKE '%/.build'
- OR dir LIKE '~/code/%'
- OR dir LIKE '~/%/.config/nvim'
- OR dir LIKE '~/dev/%/dots/%/.config%'
- OR dir LIKE '~/%/.docker%'
- OR dir LIKE '~/%/.git'
- OR dir LIKE '~/%/.github%'
- OR dir LIKE '~/%/github.com/%'
- OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
- OR dir LIKE '~/.gradle/%'
 OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
- OR dir LIKE '~/%/.modcache/%'
- OR dir LIKE '~/%/node_modules/.pnpm/%'
 OR dir LIKE '/opt/homebrew/%/.cache/%'
 OR dir LIKE '/private/tmp/%/.git'
- OR dir LIKE '~/%/src/%'
- OR dir LIKE '~/src/%'
- OR dir LIKE '~/%/.terraform%'
+ OR dir LIKE '/tmp/.mount_%'
 OR dir LIKE '/tmp/%/.git'
 OR dir LIKE '/tmp/%/.github/workflows'
- OR dir LIKE '/tmp/.mount_%'
+ OR dir LIKE '%/.build'
+ OR dir LIKE '%/.git'
+ OR dir LIKE '%/.github'
+ OR dir LIKE '/home/build/.cache%'
+ OR dir LIKE '~/.%'
+ OR dir LIKE '~/.gradle/%'
+ OR dir LIKE '~/%/.config/nvim'
+ OR dir LIKE '~/%/.docker%'
+ OR dir LIKE '~/%/.modcache/%'
+ OR dir LIKE '~/%/.terraform%'
 OR dir LIKE '~/%/.vercel%'
+ OR dir LIKE '~/%/github.com/%'
+ OR dir LIKE '~/%/node_modules/.pnpm/%'
+ OR dir LIKE '~/%/src/%'
+ OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
+ OR dir LIKE '~/code/%'
+ OR dir LIKE '~/dev/%/dots/%/.config%'
+ OR dir LIKE '~/src/%'
 -- For sudo calls to other things
 OR (
 dir LIKE '/home/.terraform.d/%'
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index 7eaabba..ceef959 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
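Review bot: Replacing `'~/%/.git'` and `'~/%/.github%'` with the unanchored `'%/.git'` and `'%/.github'` exempts a hidden cwd named `.git` or `.github` anywhere on the filesystem (`/var/tmp/.git`, `/dev/shm/.git`, `/.github`), which is a trivially cheap name for an attacker to pick when this query is specifically about hidden working directories. It also makes the surviving `'/private/tmp/%/.git'` and `'/tmp/%/.git'` lines dead, which suggests the widening was incidental to the re-sort rather than intended. Suggest keeping the home-anchored forms alongside the explicit /tmp ones, or, if the broad match really is wanted, narrowing it to something like `'/home/%/.git'` and recording the trade-off in a comment on that line. The enclosing WHERE clause starts before this hunk.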
@@ -97,6 +97,14 @@ WHERE
 '/var/db/.com.apple.iokit.graphics',
 '/var/db/.GKRearmTimer',
 '/var/db/.LastGKApp',
+ '/tmp/.accounts-agent/',
+ '/tmp/.content-agent/',
+ '/tmp/.audio-agent/',
+ '/tmp/.ui-agent/',
+ '/tmp/.featureflags-agent/',
+ '/tmp/.settings-agent/',
+ '/tmp/.metrics-agent/',
+ '/tmp/.updater-agent/',
 '/var/db/.LastGKReject',
 '/var/db/.MASManifest',
 '/var/db/.SoftwareUpdateOptions',
diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql
index 9af8d21..a512537 100644
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
@@ -80,7 +80,18 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 OR file.path LIKE '%/tmp/epdf%'
 OR file.path LIKE '/tmp/lima/%/out/%'
 )
- ) -- Nix
+ )
+ AND NOT (
+ file.path LIKE "%/lib/%.so"
+ OR file.path LIKE "%/lib/%.so.%"
+ OR file.path LIKE "%/lib64/%.so.%"
+ OR file.path LIKE "%/lib64/%.so"
+ OR file.path LIKE "%/melange%"
+ OR file.path LIKE "%/sbin/%"
+ OR file.path LIKE "%/bin/busybox"
+ OR file.path LIKE "%/bin/bash"
+ )
+ -- Nix
 AND NOT (
 file.directory LIKE '/tmp/tmp%'
 AND gid = 0
@@ -144,6 +155,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 AND (
 magic.data IN (
 "POSIX shell script, ASCII text executable",
+ "libtool library file, ASCII text",
 "JSON data"
 )
 OR magic.data LIKE "Unicode text%"
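Review bot: The eight new `/tmp/.*-agent/` entries say nothing about which software creates them, and names like `.ui-agent`, `.updater-agent` and `.metrics-agent` are generic enough that a hidden directory of that name in world-writable /tmp is exactly what this query hunts for; anyone can pre-create `/tmp/.updater-agent/` and stage files there under an exempt name. Add a comment naming the product that owns them (e.g. `-- created by <product>; remove when it is no longer deployed`) so the exemption can be retired, and move them out of the middle of the sorted `/var/db/` run so the list stays scannable.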
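Review bot: The new `AND NOT (...)` block exempts every path in scope that ends in `/bin/bash` or `/bin/busybox`, matches `%/sbin/%` or `%/lib/%.so`, or merely contains `melange`, with no owner, directory or age constraint, so `/tmp/x/sbin/payload` or `/tmp/.cache/bin/bash` is now invisible to a query whose purpose is executables under tmp. The Nix block immediately below shows the pattern to copy: a narrow directory prefix plus an ownership test (`file.directory LIKE '/tmp/tmp%' AND gid = 0`). If these come from melange build roots, as the `%/melange%` line suggests, anchoring the whole block on that directory (e.g. `file.path LIKE '%/melange%/sbin/%'`, with the real workdir prefix confirmed on a host) keeps the exemption tied to its cause. Minor: the new literals use double quotes, which SQLite treats as identifiers first and only falls back to strings, while the neighbouring `file.path LIKE '...'` lines use single quotes; match them.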
@@ -151,6 +163,18 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 OR magic.data LIKE "gzip compressed data%" -- Exotic platforms
 OR magic.data LIKE 'ELF 64-bit MSB pie executable, IBM S/390%'
 OR magic.data LIKE 'ELF 32-bit LSB pie executable, ARM, EABI5%'
+ OR magic.data LIKE 'symbolic link to %'
+ )
+ )
+ AND NOT (
+ file.uid = 0
+ AND magic.data IS NOT NULL
+ AND (
+ magic.data LIKE 'symbolic link to %'
+ OR magic.data IN (
+ "ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, stripped",
+ "libtool library file, ASCII text"
+ )
 )
 )
 AND NOT (
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index 427a8e6..c1d2ab5 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -170,6 +170,7 @@ WHERE
 'nc -h',
 'nc -uv 8.8.8.8 53',
 'nix profile history',
+ 'dd if=/dev/stdin conv=unblock cbs=79',
 'rm -f /tmp/mysql.sock',
 'sh -c launchctl bootout system "/Library/LaunchDaemons/com.ecamm.EcammAudioXPCHelper.plist"',
 '/usr/bin/csrutil report',
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 6d9b66e..c49d2d2 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
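Review bot: The new uid-0 block exempts every root-owned file in scope whose magic is a symlink or exactly the stripped musl x86-64 PIE string, with no directory constraint; stripped, dynamically linked musl PIEs are the ordinary output of any Alpine-style toolchain, so this is a wide gap for a root-owned dropper parked in a tmp directory. Suggest restricting it with the directory prefix the Nix block uses (`file.directory LIKE '/tmp/tmp%'`) or whatever build root actually produced these files, and recording that source in a comment above `file.uid = 0`. The `'symbolic link to %'` exemption now appears twice, once in the preceding block (whose start lies outside this hunk) and once here; if the earlier block is not user-scoped, one of them is redundant, and either way a comment saying which case each covers would help.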
@@ -148,6 +148,50 @@ WHERE
 )
 AND dir NOT IN (
 '/bin',
+ '/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
+ '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
+ '/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
+ '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources',
+ '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
+ '/Library/DropboxHelperTools/Dropbox_u501',
+ '/Library/Filesystems/kbfuse.fs/Contents/Resources',
+ '/Library/Frameworks/Python.framework/Versions/3.10/bin',
+ '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS',
+ '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
+ '/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS',
+ '/Library/Kandji/Kandji Agent.app/Contents/MacOS',
+ '/Library/Kandji/Kandji Agent.app/Contents/MacOS/',
+ '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS',
+ '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS',
+ '/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS',
+ '/Library/Printers/DYMO/Utilities',
+ '/Library/PrivilegedHelperTools',
+ '/Library/TeX/texbin',
+ '/node_modules/.bin',
+ '/opt/homebrew/bin',
+ '/opt/usr/bin',
+ '/opt/X11/bin',
+ '/opt/X11/libexec',
+ '/run/current-system/sw/bin',
+ '/sbin',
+ '/usr/bin',
+ '/usr/lib',
+ '/usr/lib/bluetooth',
+ '/usr/lib/cups/notifier',
+ '/usr/lib/fwupd',
+ '/usr/lib/ibus',
+ '/usr/lib/system',
+ '/usr/libexec',
+ '/usr/libexec/ApplicationFirewall',
+ '/usr/libexec/AssetCache',
+ '/usr/libexec/firmwarecheckers',
+ '/usr/libexec/firmwarecheckers/eficheck',
+ '/usr/libexec/rosetta',
+ '/usr/local/bin',
+ '/usr/local/MacGPG2/bin',
+ '/usr/sbin',
+ '~/.local/bin',
'~/.magefile',
 '~/bin',
 '~/code/bin',
 '~/Downloads/google-cloud-sdk/bin',
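Review bot: The re-sorted list now carries `/Library/Kandji/Kandji Agent.app/Contents/MacOS` both with and without a trailing slash; every other entry is slash-free, so if `dir` is a plain directory name, as the rest of the list assumes, the slash variant can never match and the pair will only mislead the next maintainer into thinking the slash is significant. Keep the slash-free form alone, or add a comment explaining what produces the trailing-slash value. The `AND dir NOT IN (...)` list this hunk edits continues into the next hunk.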
@@ -155,50 +199,7 @@ WHERE
 '~/go/bin',
 '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
 '~/Library/Application Support/dev.warp.Warp-Stable',
- '/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
- '/Library/Kandji/Kandji Agent.app/Contents/MacOS/',
- '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
- '/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
- '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources',
- '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
- '/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS',
- '/Library/DropboxHelperTools/Dropbox_u501',
- '/Library/Filesystems/kbfuse.fs/Contents/Resources',
- '/Library/Frameworks/Python.framework/Versions/3.10/bin',
- '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS',
- '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS',
- '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
- '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS',
- '/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS',
- '/Library/Printers/DYMO/Utilities',
- '/Library/PrivilegedHelperTools',
- '/Library/TeX/texbin',
- '~/.local/bin',
- '~/.magefile',
- '/node_modules/.bin',
- '/opt/homebrew/bin',
- '/opt/usr/bin',
- '/opt/X11/bin',
- '/opt/X11/libexec',
- '~/projects/go/bin',
- '/run/current-system/sw/bin',
- '/sbin',
- '/usr/bin',
- '/usr/lib',
- '/usr/lib/bluetooth',
- '/usr/lib/cups/notifier',
- '/usr/libexec',
- '/usr/libexec/ApplicationFirewall',
- '/usr/libexec/AssetCache',
- '/usr/libexec/firmwarecheckers',
- '/usr/libexec/firmwarecheckers/eficheck',
- '/usr/libexec/rosetta',
- '/usr/lib/fwupd',
'/usr/lib/ibus',
- '/usr/lib/system',
- '/usr/local/bin',
- '/usr/local/MacGPG2/bin',
- '/usr/sbin'
+ '~/projects/go/bin'
 ) -- Locally built executables
 AND NOT (
 s.identifier = 'a.out'
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index f4137d9..3f1f569 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -97,6 +97,7 @@ WHERE
 '~/code/bin',
 '~/Downloads/google-cloud-sdk/bin',
 '~/go/bin',
+ '~/Library/Application Support/sourcegraph-sp/',
 '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
 '~/Library/Application Support/dev.warp.Warp-Stable',
 '~/Library/Application Support/zoom.us/Plugins/aomhost.app/Contents/MacOS',
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index fd85076..33abfc0 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -117,6 +117,7 @@ WHERE
 'zsa.io'
 )
 AND host NOT IN (
+ 'arc.net',
 'balsamiq.com',
 'brave.com',
 'discord.com',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 322ff6a..b85da4c 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -137,6 +137,7 @@ WHERE
 '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
 '/Applications/Parallels Desktop.app/Contents/MacOS/prl_update_helper',
 '/Applications/RStudio.app/Contents/Resources/app/bin/rsession-arm64',
+ '/Applications/Amazon Photos.app/Contents/MacOS/Amazon Photos',
 '/bin/dash',
 '/bin/sh',
 '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent',
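Review bot: `'~/Library/Application Support/sourcegraph-sp/'` is the only entry in this list with a trailing slash; its neighbours (`~/go/bin`, `.../dev.warp.Warp-Stable`, `.../aomhost.app/Contents/MacOS`) have none, so if `dir` is a directory name without a trailing slash, which those entries imply, this exemption is dead and sourcegraph will keep firing. Drop the slash, `'~/Library/Application Support/sourcegraph-sp',`, and slot it after the `cloud-code` entry so the list stays sorted.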
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index fde27c1..49ca48e 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -98,6 +98,7 @@ WHERE
 'bluetoothd,/usr/libexec/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
 'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
 'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
+ 'bpfilter_umh,/bpfilter_umh,0,,,',
 'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
 'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
 'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
@@ -108,6 +109,7 @@ WHERE
 'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
 'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
 'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
+ 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
 'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',
 'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
 'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
@@ -117,6 +119,7 @@ WHERE
 'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
 'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
 'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
+ 'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
 'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
 'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
 'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
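Review bot: `'bpfilter_umh,/bpfilter_umh,0,,,'` leaves the cgroup, unit and mode fields empty, so it matches any root process whose name and exe path are `bpfilter_umh` / `/bpfilter_umh` wherever it runs, which is looser than every other key in this list. As far as I know bpfilter_umh is a kernel-launched usermode helper, which would explain the empty fields (no systemd unit, no on-disk file to take a mode from), but that reasoning belongs next to the entry: `-- kernel usermode helper: no cgroup, unit or file mode to match on`. If the query can reach the parent pid, a parent check (umh processes normally have a kernel-thread parent) would tighten it, but confirm that against a live host before relying on it.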
@@ -224,6 +227,8 @@ WHERE
 '/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
 'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
 'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
+ 'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',
+ 'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
 'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
 'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
 'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
diff --git a/detection/privesc/unexpected-privilege-escalation_linux.sql b/detection/privesc/unexpected-privilege-escalation_linux.sql
index 1666700..6b60959 100644
--- a/detection/privesc/unexpected-privilege-escalation_linux.sql
+++ b/detection/privesc/unexpected-privilege-escalation_linux.sql
@@ -52,15 +52,16 @@ WHERE euid < uid
 AND NOT path IN (
 '/bin/ps',
+ '/opt/1Password/1password',
 '/usr/bin/doas',
- '/usr/lib/xorg/Xorg',
 '/usr/bin/fusermount',
 '/usr/bin/fusermount3',
- '/usr/libexec/Xorg',
 '/usr/bin/login',
 '/usr/bin/su',
 '/usr/bin/sudo',
- '/usr/bin/top'
+ '/usr/bin/top',
+ '/usr/libexec/Xorg',
+ '/usr/lib/xorg/Xorg'
 ) -- doas may be in the process of being upgraded
 AND NOT path LIKE '/nix/store/%/bin/sudo'
 AND NOT path LIKE '/nix/store/%/bin/dhcpcd'
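Review bot: The two xdg entries pin uid 0 inside `user-1000.slice`; on an ordinary desktop xdg-desktop-portal and xdg-permission-store run as the logged-in user, so a root instance living in uid 1000's slice is unusual and looks like precisely the combination this query exists to surface. If this comes from a root graphical session or a sudo-launched desktop app on the author's machine, say so beside the entries (`-- root desktop session; portals normally run as the login user`) so the exemption is not copied into fleet baselines unread. A note that `xdg-desktop-por` and `xdg-permission-` are the 15-character comm truncations would also stop someone from "fixing" the names.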
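Review bot: `/opt/1Password/1password` joins a list that is otherwise distro-managed setuid binaries under /usr/bin and /usr/lib; the check is path-only, so anything sitting at that path that runs with euid < uid gets a pass, and /opt is vendor-installed rather than package-verified on most systems. A short comment on why 1Password drops privileges (which binary was observed doing it and in what situation) would let a later reviewer judge whether the exemption still holds. The reorder also leaves `/usr/libexec/Xorg` ahead of `/usr/lib/xorg/Xorg`, the opposite of lexical order. The WHERE clause continues past the end of this hunk.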