From a8b95a2c9e8cd94b2044a5ee8432dc1b01c8b3a5 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 3 Jan 2023 08:50:19 -0500
Subject: [PATCH] New Years cleanup: monitorix, snap-confine, steam, spotify, etc
---
 .../c2/unexpected-https-client-linux.sql | 24 ++++++++++---------
 detection/c2/unexpected-talkers-linux.sql | 2 ++
 ...unexpected-sensitive-file-access-linux.sql | 1 +
 .../evasion/empty_root_environ_linux.sql | 2 ++
 detection/evasion/hidden-cwd.sql | 1 +
 .../parent-missing-from-disk-linux.sql | 1 +
 .../evasion/touched-executable-linux.sql | 1 +
 .../execution/exotic-command-events-macos.sql | 1 +
 .../recently-created-executables-linux.sql | 1 +
 .../unexpected-execdir-events-macos.sql | 1 +
 .../execution/unexpected-osascript-calls.sql | 4 +++-
 detection/exfil/high_disk_bytes_read.sql | 1 +
 .../unexpected-shell-parents.sql | 7 ++++--
 .../unexpected-chrome-extensions.sql | 1 +
 .../unexpected-listening-port-linux.sql | 1 +
 .../unexpected-small-udev-entry.sql | 1 +
 .../unexpected-uid0-daemon-linux.sql | 4 +++-
 .../unexpected-privilege-escalation_linux.sql | 1 +
 18 files changed, 40 insertions(+), 15 deletions(-)
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 3507854..4df97ab 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -87,16 +87,9 @@ WHERE
 '0,/usr/python3.11,0u,0g,yum',
 '0,/usr/rpi-imager,0u,0g,rpi-imager',
 '0,/usr/snapd,0u,0g,snapd',
- '500,/sbin/apk,u,g,apk',
 '0,/usr/tailscaled,0u,0g,tailscaled',
 '0,/usr/tailscaled,500u,500g,tailscaled',
 '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
- '500,/usr/chainctl,500u,500g,chainctl',
- '500,/usr/grype,0u,0g,grype',
- '500,/home/krel,500u,500g,krel',
- '500,/home/mconvert,500u,500g,mconvert',
- '500,/usr/cosign-linux-amd64,0u,0g,cosign',
- '500,/home/slirp4netns,500u,500g,slirp4netns',
 '105,/usr/http,0u,0g,https',
 '106,/usr/geoclue,0u,0g,geoclue',
 '500,/app/signal-desktop,u,g,signal-desktop',
@@ -111,13 +104,15 @@ WHERE
 '500,/home/cosign,500u,500g,cosign',
 '500,/home/gitsign,500u,500g,gitsign',
 '500,/home/go,500u,500g,go',
- '500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
 '500,/home/grype,500u,500g,grype',
 '500,/home/java,500u,500g,java',
 '500,/home/jcef_helper,500u,500g,jcef_helper',
 '500,/home/ko,500u,500g,ko',
+ '500,/home/krel,500u,500g,krel',
+ '500,/home/mconvert,500u,500g,mconvert',
 '500,/home/promoter,500u,500g,promoter',
 '500,/home/python3,500u,500g,python3',
+ '500,/home/slirp4netns,500u,500g,slirp4netns',
 '500,/home/steam,500u,100g,steam',
 '500,/home/steamwebhelper,500u,100g,steamwebhelper',
 '500,/home/terraform,500u,500g,terraform',
@@ -136,9 +131,13 @@ WHERE
 '500,/opt/kubectl,0u,0g,kubectl',
 '500,/opt/slack,0u,0g,slack',
 '500,/opt/snap-store,0u,0g,snap-store',
+ '500,/usr/python3.11,0u,0g,prowler',
 '500,/opt/spotify,0u,0g,spotify',
+ '500,/home/steamwebhelper,500u,500g,steamwebhelper',
+ '500,/opt/spotify,500u,500g,spotify',
 '500,/opt/todoist,0u,0g,todoist',
 '500,/opt/zoom,0u,0g,zoom',
+ '500,/sbin/apk,u,g,apk',
 '500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb',
 '500,/tmp/obsidian,u,g,obsidian',
 '500,/tmp/terraform,500u,500g,terraform',
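Review bot: The three additions in the `@@ -136,9 +131,13 @@` hunk break the directory-sorted order that the rest of this commit restores for the list: `'500,/usr/python3.11,0u,0g,prowler'` and `'500,/sbin/apk,u,g,apk'` land inside the `/opt/` group and `'500,/home/steamwebhelper,500u,500g,steamwebhelper'` between the two spotify lines, which is exactly how the duplicates this commit removes (slirp4netns, cosign-linux-amd64) crept in. The prowler entry is also keyed on a generic interpreter directory plus a process name, as the existing yum entry already is, so any python3.11 program that reports its name as prowler is exempt from this HTTPS-client check; a one-line `-- prowler: python-based auditing tool, matched by name only` above it would record that the breadth is intentional. The list continues outside the hunk, so the full set of interpreter-keyed entries is not visible here.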
@@ -146,11 +145,11 @@ WHERE
 '500,/usr/bom,500u,500g,bom',
 '500,/usr/cargo,0u,0g,cargo',
 '500,/usr/chainctl,0u,0g,chainctl',
+ '500,/usr/chainctl,500u,500g,chainctl',
 '500,/usr/chrome,0u,0g,chrome',
 '500,/usr/code,0u,0g,code',
 '500,/usr/cosign,500u,500g,cosign',
- '500,/usr/wget,0u,0g,wget',
- '500,/home/slirp4netns,500u,500g,slirp4netns',
+ '500,/usr/cosign-linux-amd64,0u,0g,cosign',
 '500,/usr/curl,0u,0g,curl',
 '500,/usr/electron,0u,0g,electron',
 '500,/usr/evolution-addressbook-factory,0u,0g,evolution-addre',
@@ -170,6 +169,7 @@ WHERE
 '500,/usr/go,0u,0g,go',
 '500,/usr/go,500u,500g,go',
 '500,/usr/goa-daemon,0u,0g,goa-daemon',
+ '500,/usr/grype,0u,0g,grype',
 '500,/usr/gsd-datetime,0u,0g,gsd-datetime',
 '500,/usr/gvfsd-http,0u,0g,gvfsd-http',
 '500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',
@@ -178,12 +178,13 @@ WHERE
 '500,/usr/kbfsfuse,0u,0g,kbfsfuse',
 '500,/usr/keybase,0u,0g,keybase',
 '500,/usr/ko,u,g,ko',
- '500,/usr/node,0u,0g,node',
 '500,/usr/kubectl,500u,500g,kubectl',
 '500,/usr/lens,0u,0g,lens',
 '500,/usr/nautilus,0u,0g,nautilus',
 '500,/usr/nix,0u,0g,nix',
+ '500,/usr/node,0u,0g,node',
 '500,/usr/obs,0u,0g,obs',
+ '500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
 '500,/usr/pacman,0u,0g,pacman',
 '500,/usr/python3,0u,0g,python3',
 '500,/usr/python3.10,0u,0g,python3',
@@ -200,6 +201,7 @@ WHERE
 '500,/usr/thunderbird,0u,0g,thunderbird',
 '500,/usr/trivy,0u,0g,trivy',
 '500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
+ '500,/usr/wget,0u,0g,wget',
 '500,/usr/xmobar,0u,0g,xmobar',
 '500,/usr/yay,0u,0g,yay'
 )
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 129bfe0..2ba61ce 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -154,8 +154,10 @@ WHERE
 '8801,17,500,/opt/zoom,0u,0g,zoom',
 '80,6,500,/usr/signal-desktop,0u,0g,signal-desktop',
 '80,6,0,/usr/python3.10,0u,0g,dnf-automatic',
+ '22,6,500,/home/terraform,500u,500g,terraform',
 '993,6,500,/app/thunderbird,u,g,thunderbird',
 '993,6,500,/usr/evolution,0u,0g,evolution',
+ '80,6,500,/home/steam,500u,500g,steam',
 '993,6,500,/usr/thunderbird,0u,0g,thunderbird'
 )
 AND NOT (
diff --git a/detection/credentials/unexpected-sensitive-file-access-linux.sql b/detection/credentials/unexpected-sensitive-file-access-linux.sql
index 41c660f..74afb21 100644
--- a/detection/credentials/unexpected-sensitive-file-access-linux.sql
+++ b/detection/credentials/unexpected-sensitive-file-access-linux.sql
@@ -81,6 +81,7 @@ WHERE
 'firefox,file:// Content,~/.mozilla/firefox',
 'firefox,firefox,~/.cache/mozilla',
 'firefox,firefox,~/.mozilla/firefox',
+ 'vim,vim,~/.aws',
 'firefox,firefox,~/snap/firefox',
 'firefox,.firefox-wrappe,~/.cache/mozilla',
 'firefox,.firefox-wrappe,~/.mozilla/firefox',
diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql
index 5f0069b..d85f81f 100644
--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@@ -38,10 +38,12 @@ WHERE
 'dhcpcd',
 'modprobe',
 'dnf',
+ 'systemd-udevd',
 'gdm-session-wor',
 'gpg-agent',
 'nginx',
 'sshd',
+ 'ssh',
 'zypak-sandbox'
 )
 AND NOT (
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index 3a71721..11e3b67 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -110,6 +110,7 @@ WHERE
 OR dir LIKE '~/%/.modcache/%'
 OR dir LIKE '~/%/src/%'
 OR dir LIKE '~/src/%'
+ OR dir LIKE '~/%/node_modules/.pnpm/%'
 OR dir LIKE '~/%/.terraform%'
 OR dir LIKE '/tmp/.mount_%'
 -- For sudo calls to other things
diff --git a/detection/evasion/parent-missing-from-disk-linux.sql b/detection/evasion/parent-missing-from-disk-linux.sql
index 9fd5973..9828347 100644
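Review bot: `'22,6,500,/home/terraform,500u,500g,terraform'` in the unexpected-talkers hunk exempts outbound 22/tcp from a binary under a home directory, and nothing in the hunk says why terraform needs SSH; the key is built from directory, ids and process name only (the field layout is inferred from the neighbouring entries, not visible here), so a comment such as `-- terraform: git-over-ssh module sources (TODO confirm)` above it would let the next reader decide whether the exception still earns its blind spot. The same hunk's `'80,6,500,/home/steam,500u,500g,steam'` and the terraform line are also placed between the 80 and 993 entries instead of with their port group, which is how the rest of the list is organised. The `AND NOT (` that follows the list opens a block that continues outside the hunk.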
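Review bot: `'vim,vim,~/.aws'` in the sensitive-file-access hunk is the widest exception in this commit, since it silences every access to the AWS credential directory for a process identified by name alone, and process name is the weakest component of this key; the firefox entries around it at least pair a browser name with its own profile directories. If hand-editing `~/.aws/config` is the case being allowed, stating that above the line (`-- manual edits of ~/.aws/config and credentials`) and moving the entry out of the firefox group would keep the list readable; otherwise consider whether the alert is worth keeping for this directory and accepting the occasional hit. The surrounding list continues outside the hunk.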
--- a/detection/evasion/parent-missing-from-disk-linux.sql
+++ b/detection/evasion/parent-missing-from-disk-linux.sql
@@ -43,6 +43,7 @@ WHERE
 AND NOT parent_path IN (
 '/opt/google/chrome/chrome',
 '/usr/lib/systemd/systemd',
+ '/usr/bin/alacritty',
 '/usr/bin/dockerd',
 '/usr/bin/gnome-shell'
 ) -- long-running launchers
diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index 2bfb813..5934020 100644
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@@ -35,6 +35,7 @@ WHERE
 AND f.path NOT LIKE '/snap/%'
 AND f.path NOT LIKE '/tmp/go-build%/exe/main'
 AND f.path NOT LIKE '/usr/local/bin/%'
+ AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
 AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
 GROUP by p.pid
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index 0531dee..b78bdac 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -138,6 +138,7 @@ WHERE
 -- The source of these commands is still a mystery to me.
 OR p.parent = -1
 )
+ AND NOT cmd LIKE '-history%'
 AND NOT cmd LIKE '/bin/rm -f /tmp/periodic.%'
 AND NOT cmd LIKE 'rm -f /tmp/locate%/_updatedb%'
 AND NOT cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index 15acd65..ba75cd4 100644
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@@ -113,6 +113,7 @@ WHERE
 '/usr/sbin/avahi-daemon',
 '/usr/sbin/chronyd',
 '/usr/sbin/cupsd',
+ '/usr/sbin/rngd',
 '/usr/sbin/tailscaled',
 '/usr/share/code/chrome_crashpad_handler',
 '/usr/share/code/code',
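Review bot: `AND NOT cmd LIKE '-history%'` in the exotic-command-events hunk is the one exclusion in that block whose origin a reader cannot recover: the neighbouring `rm -f /tmp/periodic.%` and locate lines name a specific system job, but nothing says which program emits a command line starting with `-history`, and a prefix match also drops any future command that happens to begin the same way. A comment of the form `-- '-history…' is produced by <PROGRAM> (placeholder: fill in the observed source)` above the line would make the exception reviewable, and if the producer is known a longer anchor than `-history` would tighten it. The WHERE clause continues outside the hunk on both sides.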
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 3844bfe..dae7032 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -131,6 +131,7 @@ WHERE
 '~/homebrew/',
 '~/.kuberlr/',
 '~/Library/',
+ '~/.gradle/',
 '~/.local/',
 '~/Parallels/',
 '~/projects/',
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index 8c11da1..3109de3 100644
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@@ -51,12 +51,14 @@ WHERE
 AND p.time > (strftime('%s', 'now') -60)
 AND exception_key NOT IN (
 'com.vng.zalo,Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),osascript -ss',
- 'install,Developer ID Application: Docker Inc (9BNSXJN65R),/usr/bin/osascript -e property exit_code: 0\x0Aproperty ',
 ',,osascript',
 ',,osascript openChrome.applescript https://localhost.ch'
 )
+ AND exception_key NOT LIKE 'install,Developer ID Application: Docker Inc (9BNSXJN65R),/usr/bin/osascript -e property exit_code: 0\x0Aproperty '
+ AND cmd NOT IN ('osascript -e user locale of (get system info)')
 AND cmd NOT LIKE '/usr/bin/osascript /Users/%/Library/Caches/com.runningwithcrayons.Alfred/Workflow Scripts/%'
+ -- We don't want to allow all of Python as an exception
 AND NOT (
 exception_key = 'org.python.python,,osascript'
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 63565d5..7b29e44 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -41,6 +41,7 @@ WHERE
 'firefox',
 'fish',
 'fleet_backend',
+ 'kube-apiserver',
 'fsdaemon',
 'GoogleSoftwareUpdateAgent',
 'com.apple.NRD.UpdateBrainService',
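Review bot: The new `AND exception_key NOT LIKE 'install,Developer ID Application: Docker Inc (9BNSXJN65R),/usr/bin/osascript -e property exit_code: 0\x0Aproperty '` in the osascript hunk contains no `%`, so apart from LIKE's case-insensitivity and the `_` in `exit_code` matching any single character it only matches the exact string the removed NOT IN entry already matched; if the move to LIKE was meant to tolerate whatever follows `property `, the pattern needs a trailing wildcard, `… exit_code: 0\x0Aproperty %'`. It is also worth confirming what osquery actually stores for the line break there, because SQLite does not interpret backslash escapes in string literals and this pattern matches the four characters `\x0A`, not a newline. The single-element `cmd NOT IN ('osascript -e user locale of (get system info)')` behaves the same as `cmd != '...'` but reads as if more values were expected. The `AND NOT (` at the end opens a block that continues outside the hunk.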
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 668a3cb..85d011b 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -1,4 +1,4 @@
--- Unexpected process that spawns shell processes
+-- Unexpected process that spawns shell processes (event based)
 --
 -- false positives:
 -- * IDE's
@@ -7,7 +7,8 @@
 -- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
 -- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
 --
--- tags: transient process state
+-- tags: process events
+-- interval: 60
 -- platform: posix
 SELECT
 p.name,
@@ -51,6 +52,7 @@ WHERE
 'find',
 'FinderSyncExtension',
 'fish',
+ 'git',
 'go',
 'goland',
 'helm',
@@ -106,6 +108,7 @@ WHERE
 '/sbin/launchd',
 '/usr/lib/xorg/Xorg',
 '/usr/bin/alacritty',
+ '/Library/Developer/CommandLineTools/usr/bin/git',
 '/usr/bin/apt-get',
 '/usr/bin/bash',
 '/usr/bin/bwrap',
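Review bot: Adding the bare name `'git'` to the parent-name list in the `@@ -51,6 +52,7 @@` hunk exempts shells spawned by any process that calls itself git, which is much wider than the `/Library/Developer/CommandLineTools/usr/bin/git` path that the `@@ -106,6 +108,7 @@` hunk allows; git runs repository-supplied hooks and helper programs through a shell, and a shell spawned by git in a freshly cloned repository is one of the cases a shell-parent query is meant to surface. If the noise came from the Apple-shipped git, the path entry alone should cover it and the name entry could be dropped; if a name-level entry is really needed, a comment stating why (`-- git: hooks/credential helpers, path varies per install`) would keep the trade-off visible. The header hunk's `-- interval: 60` is a useful addition and matches the new "(event based)" wording. Both allowlists continue outside their hunks.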
@@ -183,6 +183,7 @@ WHERE
 'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, clipboardRead, storage, sessions, notifications, webNavigation, ',
 'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, storage, sessions, notifications, webNavigation, ',
 'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,, storage',
+ 'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke,activeTab, storage, tabs, identity, https://maps.googleapis.com/*, https://*.vimcal.com/*, webNavigation, , background, history',
 'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webNavigation, webRequest',
 'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webRequest, webNavigation, http://*/*, https://*/*',
 'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb,, proxy, management, tabs, webRequest, webRequestBlocking, activeTab, storage, unlimitedStorage, contextMenus, privacy, webNavigation, notifications, cookies',
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 0246422..e28f4a3 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -83,6 +83,7 @@ WHERE
 '4191,6,500,linkerd2-proxy',
 '443,6,500,jcef_helper',
 '4443,6,500,metrics-server',
+ '17,255,0,.tailscaled-wra',
 '5000,6,0,registry',
 '5000,6,500,ControlCenter',
 '5001,6,0,registry',
diff --git a/detection/persistence/unexpected-small-udev-entry.sql b/detection/persistence/unexpected-small-udev-entry.sql
index 25a3a65..f5780df 100644
--- a/detection/persistence/unexpected-small-udev-entry.sql
+++ b/detection/persistence/unexpected-small-udev-entry.sql
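Review bot: `'17,255,0,.tailscaled-wra'` in the listening-port hunk is the only entry whose protocol field is 255 rather than 6 or 17, and without a comment the `17` reads as a port; if I read osquery's Linux handling correctly, protocol 255 denotes a raw socket and the port column then carries the IP protocol number (17 = UDP), so this exempts tailscaled's raw UDP socket rather than anything listening on port 17. A comment above the line, `-- raw socket (proto 255): '17' is the IP protocol (UDP), not a port -- confirm`, would stop a later cleanup from "fixing" or re-sorting it as a port-17 entry. The truncated name `.tailscaled-wra` is consistent with the same spelling used in the https-client file earlier in this commit. The list continues outside the hunk.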
@@ -32,6 +32,7 @@ WHERE
 AND file.path NOT IN (
 '/usr/lib/udev/rules.d/50-apport.rules',
 '/usr/lib/udev/rules.d/60-net.rules',
+ '/usr/lib/udev/rules.d/90-rdma-umad.rules',
 '/usr/lib/udev/rules.d/60-rfkill.rules',
 '/usr/lib/udev/rules.d/61-mutter.rules',
 '/usr/lib/udev/rules.d/66-saned.rules',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 24850fe..3a7afb6 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -124,6 +124,7 @@ WHERE
 '/usr/sbin/gssproxy',
 '/usr/sbin/mcelog',
 '/usr/sbin/pcscd',
+ '/usr/sbin/pwrstatd',
 '/usr/sbin/sshd',
 '/usr/sbin/tailscaled',
 '/usr/sbin/thermald',
@@ -140,7 +141,8 @@ WHERE
 '/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
 '/usr/bin/python3 /usr/lib/pop-transition/service.py',
 '/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
- '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers'
+ '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers',
+ '/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid'
 )
 AND NOT p.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'
 AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'
diff --git a/detection/privesc/unexpected-privilege-escalation_linux.sql b/detection/privesc/unexpected-privilege-escalation_linux.sql
index abfa6af..bf8b3be 100644
--- a/detection/privesc/unexpected-privilege-escalation_linux.sql
+++ b/detection/privesc/unexpected-privilege-escalation_linux.sql
@@ -46,6 +46,7 @@ WHERE
 )
 AND p.path NOT LIKE '/nix/store/%/bin/sudo'
 AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
+ AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
 AND NOT (
 p.name = 'polkit-agent-he'
 AND parent_path = '/usr/bin/gnome-shell'