Merge pull request #410 from tstromberg/oct25

fpr: kubectl, zoom, /opt, chrome, Autodesk Fusion, GitButler
2024-10-25 16:38:43 -04:00 · 2024-10-25 16:38:43 -04:00 · a695f5d2f5
parent 98d214e2ad 1c17532ae8
commit a695f5d2f5
10 changed files with 40 additions and 14 deletions
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@ -253,6 +253,7 @@ WHERE
  AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
  AND NOT alt_exception_key LIKE '500,plugin_host-%,plugin_host-%,500u,20g'
  AND NOT alt_exception_key LIKE '500,sm-agent-%,sm-agent-%,500u,20g'
+  AND NOT alt_exception_key LIKE '500,kubectl%,kubectl%,500u,20g'
  AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
  AND NOT (
    exception_key IN (
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -16,6 +16,7 @@ SELECT s.remote_address,
  p.path,
  p.cmdline AS child_cmd,
  p.cwd,
+  p.euid,
  pp.path AS parent_path,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd,
@ -110,6 +111,7 @@ WHERE protocol > 0
    '80,6,0,python3.11,0u,0g,yum',
    '80,6,0,python3.12,0u,0g,dnf',
    '80,6,0,python3.12,0u,0g,yum',
+    '89,6,500,chrome,0u,0g,chrome',
    '80,6,0,python3.9,u,g,yum',
    '80,6,0,rpm-ostree,0u,0g,rpm-ostree',
    '80,6,0,sort,0u,0g,sort',
@ -164,8 +166,10 @@ WHERE protocol > 0
    '80,6,500,slirp4netns,500u,500g,slirp4netns',
    '80,6,500,spotify,0u,0g,spotify',
    '80,6,500,spotify,500u,500g,spotify',
+    '80,6,500,ZoomWebviewHost,0u,0g,ZoomWebviewHost',
    '80,6,500,spotify-launcher,0u,0g,spotify-launche',
    '80,6,500,spotify,u,g,spotify',
+    '80,6,0,dnf5,0u,0g,dnf5',
    '80,6,500,steam,500u,100g,steam',
    '80,6,500,steam,500u,500g,steam',
    '80,6,500,steamwebhelper,500u,500g,steamwebhelper',
@ -207,6 +211,7 @@ WHERE protocol > 0
    AND (
      p.path LIKE '%/bin/%'
      OR p.path LIKE '/app/%'
+      OR p.path LIKE '/opt/%'
    )
  )
  AND NOT (
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -92,6 +92,7 @@ WHERE pos.pid IN (
  AND NOT signed_exception IN (
    '0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
    '500,Apple Mac OS Application Signing',
+    '500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
    '500,Developer ID Application: Cisco (DE8Y96K9QP)',
    '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
    '500,Developer ID Application: Valve Corporation (MXGJJ98X76)'
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@ -73,6 +73,7 @@ WHERE p0.pid IN (
        'bindfs',
        'code',
        'Code Helper',
+        'Code Helper (Plugin)',
        'find',
        'git',
        'gitsign',
@ -143,7 +144,12 @@ WHERE p0.pid IN (
      '~/.hunter/_Base',
      '~/.zsh'
    )
-    OR top_dir IN ('~/Sync', '~/src', '~/workspace')
+    OR top_dir IN (
+      '~/Sync',
+      '~/src',
+      '~/workspace',
+      '~/dev'
+    )
    OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
    OR dir LIKE '/opt/homebrew/%/.cache/%'
    OR dir LIKE '~/%enterprise-packages/.chainguard'
--- a/detection/evasion/parent-missing-from-disk-linux.sql
+++ b/detection/evasion/parent-missing-from-disk-linux.sql
@ -52,6 +52,7 @@ WHERE
  AND NOT p1_dirname IN (
    '/usr/lib/electron22',
    '/usr/bin',
+    '/opt/google/chrome',
    '/usr/libexec',
    '/usr/lib/systemd',
    '/usr/lib',
@ -60,6 +61,7 @@ WHERE
  AND NOT p1.name IN (
    'bash',
    'dnf',
+    'chrome',
    'ninja',
    'make',
    'electron',
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@ -62,6 +62,7 @@ WHERE -- Focus on longer-running programs
      AND NOT path LIKE '/Users/%/src/%'
      AND NOT path LIKE '/Users/%/bin/%'
      AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
+      AND NOT path LIKE '/Users/%/Library/Application Support/Zed/supermaven/%'
      AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
      AND NOT path LIKE '/Users/%/.terraform/providers/%'
      AND NOT REGEX_MATCH (path, '(.*)/', 1) LIKE '%/bin'
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@ -50,8 +50,9 @@ WHERE
  bytes_read_rate > 2500000
  AND age > 180
  AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
-  AND p0.path NOT LIKE '%/bin/%'
-  AND p0.path NOT LIKE '/usr/%'
+  AND p0.path NOT LIKE '/app/%'
+  -- Don't exclude /usr so that we find things like tar & rsync
+  AND p0.path NOT LIKE '/opt/%'
  AND p0.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'
  AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
  AND p0.path NOT LIKE '/System/Applications/%'
@ -59,6 +60,7 @@ WHERE
  AND p0.name NOT IN (
    'apko',
    'Autodesk Identity Manager',
+    'Autodesk Fusion 360',
    'baloo_file',
    'baloo_file_extr',
    'bash',
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@ -46,6 +46,18 @@ WHERE
    WHERE
      start_time > (strftime('%s', 'now') - 7200)
      AND path != ""
+      AND NOT path LIKE '/System/%'
+      AND NOT path LIKE '/usr/libexec/%'
+      AND NOT path LIKE '/usr/sbin/%' -- Regular apps
+      AND NOT path LIKE '/Applications/%.app/Contents/macOS/%'
+      AND NOT path LIKE '/opt/%'
+      AND NOT path LIKE '/Users/%/go/%'
+      AND NOT path LIKE '/Users/%/dev/%'
+      AND NOT path LIKE '/Users/%/src/%'
+      AND NOT path LIKE '/Users/%/bin/%'
+      AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
+      AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
+      AND NOT path LIKE '/Users/%/.terraform/providers/%'
    GROUP BY
      path
  )
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@ -160,6 +160,7 @@ WHERE
    'webex.com',
    'whatsapp.com',
    'xtom.com',
+    'gitbutler.com',
    'xx.fbcdn.net',
    'yubico.com',
    'zoo.dev',
@ -188,11 +189,13 @@ WHERE
    'emacsformacosx.com',
    'epson.com',
    'evernote.com',
+    'multipass.run',
    'fbcdn.net',
    'figma.com',
    'flipperzero.one',
    'getkap.co',
    'github.com',
+    'gitbutler.com',
    'go.dev',
    'imazing.com',
    'kittycad.io',
--- a/detection/privesc/unexpected-privileged-containers.sql
+++ b/detection/privesc/unexpected-privileged-containers.sql
@ -11,7 +11,7 @@
 -- where the kernel namespaces can be shared. These kind of attacks tend to be
 --
 -- platform: linux
-- tags: transient state container escalation
+-- tags: transient state container escalation extra
 SELECT
  command,
  image_id,
@ -25,24 +25,17 @@ FROM
 WHERE
  privileged = 1
  AND image_name NOT IN (
-    'cgr.dev/chainguard-private/python',
-    'cgr.dev/chainguard/apko',
-    'cgr.dev/chainguard/k3s',
-    'cgr.dev/chainguard/melange',
-    'cgr.dev/chainguard/python',
-    'cgr.dev/chainguard/sdk',
-    'cgr.dev/chainguard/wolfi-base',
    'distroless.dev/melange',
    'docker.io/library/registry',
    'docker.io/rancher/k3s',
    'gcr.io/k8s-minikube/kicbase',
-    'ghcr.io/wolfi-dev/sdk',
-    'ghcr.io/wolfi-dev/sdk@sha256',
    'kindest/node',
    'ligfx/k3d-registry-dockerd',
    'moby/buildkit',
-    'wolfi'
+    'wolfi',
+    'jdk-crac'
  )
+  AND image NOT LIKE 'cgr.dev/chainguard%'
  AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%'
  AND image NOT LIKE 'ghcr.io/wolfi-dev/%'
  AND image NOT LIKE 'melange-%'