From 8237521d0d9bc01fd6475e7e97b39176b85de5a8 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 19 Nov 2024 15:49:30 -0500
Subject: [PATCH] fpr: mark exotic queries as extra, add flatpak/pop-os uid0 procs
---
 detection/execution/exotic-commands-linux.sql | 2 +-
 detection/execution/exotic-commands-macos.sql | 2 +-
 .../unexpected-uid0-daemon-linux.sql | 26 ++++++++++++-------
 3 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/detection/execution/exotic-commands-linux.sql b/detection/execution/exotic-commands-linux.sql
index fc2e636..76b7693 100644
--- a/detection/execution/exotic-commands-linux.sql
+++ b/detection/execution/exotic-commands-linux.sql
@@ -3,7 +3,7 @@
 -- false positives:
 -- * possible, but none known
 --
--- tags: transient process state
+-- tags: transient process state extra
 -- platform: linux
 SELECT
 DATETIME(f.ctime, 'unixepoch') AS p0_changed,
diff --git a/detection/execution/exotic-commands-macos.sql b/detection/execution/exotic-commands-macos.sql
index f38a3f0..60946be 100644
--- a/detection/execution/exotic-commands-macos.sql
+++ b/detection/execution/exotic-commands-macos.sql
@@ -3,7 +3,7 @@
 -- false positives:
 -- * possible, but none known
 --
--- tags: transient process state
+-- tags: transient process state extra
 -- platform: darwin
 SELECT
 s.authority AS p0_auth,
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index ef741ac..8e2ae9c 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
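Review bot: The `-- false positives:` header in exotic-commands-linux.sql still reads `* possible, but none known` while the subject line demotes the query for false-positive rate; if the `extra` tag is meant to move the query out of the default set because it fired on benign activity, that section is where the observed triggers belong, e.g. `-- * <PLACEHOLDER: benign commands seen during triage> (query moved to 'extra')`. The identical hunk in exotic-commands-macos.sql has the same gap. What the `extra` tag selects is not visible in this patch, so the motivation is inferred from the subject line only.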
@@ -97,8 +97,8 @@ WHERE
 'atopacctd,/usr/sbin/atopacctd,0,system.slice,atopacct.service,0755',
 'atop,/usr/bin/atop,0,system.slice,atop.service,0755',
 'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
- 'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
 'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0750',
+ 'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
 'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
 'blueman-mechanism.service,Bluetooth management mechanism,,200',
 'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
@@ -122,10 +122,10 @@ WHERE
 'cupsd,/snap/cups/__VERSION__/sbin/cupsd,0,system.slice,snap.cups.cupsd.service,0700',
 'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700',
 'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
- 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0700',
- 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
+ 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-0.slice,0755',
+ 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
 'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
 'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
 'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',
@@ -148,12 +148,14 @@ WHERE
 'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
 'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,system.slice,ElasticEndpoint.service,0500',
 'elastic-endpoin,/var/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
+ 'execsnoop-bpfcc,/usr/bin/python3.10,0,system.slice,com.system76.Scheduler.service,0755',
 'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
 'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755',
 'firewalld,/usr/bin/python3.13,0,system.slice,firewalld.service,0755',
 'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
 'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
 'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
+ 'flatpak-system-,/usr/libexec/flatpak-system-helper,0,user.slice,user-0.slice,0755',
 'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
 'flock,/usr/bin/flock,0,system.slice,system-btrfs\x2ddedup.slice,0755',
 'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
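Review bot: The new `execsnoop-bpfcc` exception pins the interpreter to `/usr/bin/python3.10`, while the `firewalld` entry right below it and the `python3,/usr/bin/python__VERSION__,...` entry elsewhere in this file carry the `__VERSION__` placeholder; if that placeholder is applied to interpreter paths before the lookup, `'execsnoop-bpfcc,/usr/bin/python__VERSION__,0,system.slice,com.system76.Scheduler.service,0755',` would survive a Pop!_OS Python upgrade instead of reopening the alert. The second addition allows `flatpak-system-helper` under `user.slice,user-0.slice`, i.e. inside a root login session rather than the `flatpak-system-helper.service` cgroup that the two surrounding entries key on; that is a noticeably broader exception, since a root shell launching the helper by hand produces the same key, so it deserves a one-line `-- ` comment naming the distribution and situation it was observed in. Whether `__VERSION__` substitution covers python paths is not visible in this patch, so the first point is conditional on that.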
@@ -163,17 +165,17 @@ WHERE
 'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
 'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
 'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
+ 'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-1000.slice,0755',
+ 'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-463.slice,0755',
 'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
 'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1001.slice,0755',
 'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-120.slice,0755',
 'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
- 'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-463.slice,0755',
- 'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-1000.slice,0755',
 'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
- 'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
 'gdm,/usr/sbin/gdm,0,system.slice,display-manager.service,0755',
+ 'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
 'geoclue.service,Location Lookup Service,geoclue,500',
 'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755',
 'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
@@ -227,6 +229,7 @@ WHERE
 'make,/usr/bin/make,0,user.slice,user-1000.slice,0755',
 'mbim-proxy,/usr/libexec/mbim-proxy,0,system.slice,ModemManager.service,0755',
 'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
+ 'mc,/usr/bin/mc,0,user.slice,user-0.slice,0755',
 'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
 'multipassd,/snap/multipass/__VERSION__/bin/multipassd,0,system.slice,snap.multipass.multipassd.service,0755',
 'multipathd,/usr/sbin/multipathd,0,system.slice,multipathd.service,0755',
@@ -265,12 +268,14 @@ WHERE
 'pmdaroot,/usr/libexec/pcp/pmdas/root/pmdaroot,0,system.slice,pmcd.service,0755',
 'pmdaxfs,/usr/libexec/pcp/pmdas/xfs/pmdaxfs,0,system.slice,pmcd.service,0755',
 'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755',
+ 'pop-system-upda,/usr/bin/pop-system-updater,0,system.slice,com.system76.SystemUpdater.service,0755',
 'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
 'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
 'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
+ 'python3,/usr/bin/python3.10,0,system.slice,system-dbus\x2d:1.1\x2dorg.pop_os.transition_system.slice,0755',
 'python3,/usr/bin/python__VERSION__,0,system.slice,ubuntu-advantage.service,0755',
- 'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
 'qemu-ga,/usr/bin/qemu-ga,0,system.slice,qemu-guest-agent.service,0755',
+ 'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
 'rapid7_endpoint,/opt/rapid7/ir_agent/components/endpoint_broker/__VERSION__/rapid7_endpoint_broker,0,system.slice,ir_agent.service,0744',
 'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
 'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755',
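Review bot: The new `python3,/usr/bin/python3.10,0,system.slice,system-dbus\x2d:1.1\x2dorg.pop_os.transition_system.slice,0755` entry in the `@@ -265` hunk embeds `:1.1`, which looks like a D-Bus unique connection name; those are handed out per connection, so the slice name will likely differ between boots and hosts and the exception will match only sometimes, leaving this alert noisy on other Pop!_OS machines. If the lookup key is normalised before comparison, as the `__VERSION__` placeholder in the neighbouring entries suggests, normalising that bus-name segment the same way would be more robust than a literal; failing that, a `-- NOTE: the :N.N segment of this slice is per-boot, expect this exception to miss` comment next to the entry tells the next maintainer why the alert recurs. The same entry also pins `/usr/bin/python3.10` while the `ubuntu-advantage.service` entry immediately below uses `/usr/bin/python__VERSION__`. The normalisation step itself is outside this patch, so the first two points are inferred from the placeholder convention.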
@@ -308,8 +313,9 @@ WHERE
 'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
 'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
 'su,/usr/bin/su,1000,user.slice,user-0.slice,4755',
- 'mc,/usr/bin/mc,0,user.slice,user-0.slice,0755',
 'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
+ 'system76-schedu,/usr/bin/system76-scheduler,0,system.slice,com.system76.Scheduler.service,0755',
+ 'system76-power,/usr/bin/system76-power,0,system.slice,com.system76.PowerDaemon.service,0755',
 'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
 'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
 'systemd-hostnam,/usr/lib/systemd/systemd-hostnamed,0,system.slice,systemd-hostnamed.service,0755',
@@ -321,7 +327,6 @@ WHERE
 'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
 'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
 'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755',
- 'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
 'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755',
 'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
 'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
@@ -333,6 +338,7 @@ WHERE
 '.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
 'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
 'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
+ 'touchegg,/usr/bin/touchegg,0,system.slice,touchegg.service,0755',
 'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
 'tuned,/usr/bin/python3.13,0,system.slice,tuned.service,0755',
 'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
@@ -359,8 +365,8 @@ WHERE
 'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gnome,0,user.slice,user-1000.slice,0755',
 'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755',
 'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755',
- 'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
 'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-0.slice,0755',
+ 'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
 'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
 'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
 'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',