fpr: Fedora Silverblue, MHLinkServer, new terminals

2025-02-19 19:26:55 +00:00 · 2024-05-23 17:26:33 -04:00 · 2024-05-23 17:26:33 -04:00 · ab2535717f
commit ab2535717f
parent a0c49efb3f
18 changed files with 42 additions and 1 deletions
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@ -82,6 +82,7 @@ WHERE
    'com.docker.vpnkit,8.8.8.8,53',
    'WebexHelper,8.8.8.8,53',
    'Meeting Center,8.8.8.8,53',
+    'ServiceExtension,8.8.8.8,53',
    'nuclei,1.0.0.1,53',
    'limactl,8.8.8.8,53',
    'adguard_dns,1.0.0.1,53',
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@ -86,6 +86,7 @@ WHERE
    '0,nessusd,0u,0g,nessusd',
    '500,license-detector,500u,500g,license-detecto',
    '0,nix,0u,0g,nix',
+    '500,node,500u,500g,npm run start',
    '0,nix,0u,0g,nix-daemon',
    '0,orbit,0u,0g,orbit',
    '0,osqueryd,0u,0g,osqueryd',
@ -103,6 +104,7 @@ WHERE
    '0,rapid7_endpoint_broker,0u,0g,rapid7_endpoint',
    '0,rpi-imager,0u,0g,rpi-imager',
    '0,snapd,0u,0g,snapd',
+    '128,fwupdmgr,0u,0g,fwupdmgr',
    '0,systemctl,0u,0g,systemctl',
    '0,tailscaled,0u,0g,tailscaled',
    '0,tailscaled,500u,500g,tailscaled',
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@ -109,6 +109,7 @@ WHERE
    '0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
    '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
    '500,Fleet,~/Library/Caches/JetBrains/Fleet',
+    '500,WebexHelper,WebexHelper,Developer ID Application: Cisco (DE8Y96K9QP),Cisco-Systems.SparkHelper',
    '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
    '500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
    '500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
@ -119,6 +120,8 @@ WHERE
    '500,trunk,trunk,Developer ID Application: Trunk Technologies, Inc. (LDR5F9BL92),trunk-cli',
    '500,java,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.8u401.java',
    '500,bash,bash,,bash',
+    '500,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
+    '500,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed',
    '500,jcef Helper,jcef Helper,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),org.jcef.jcef.helper',
    '500,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
    '500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
@ -133,6 +136,7 @@ WHERE
  )
  AND NOT alt_exception_key IN (
    '0,velociraptor,velociraptor,0u,0g',
+    '500,pulumi-resource-github,pulumi-resource-github,500u,20g',
    '0,velociraptor,velociraptor,0u,80g',
    '500,taplo,taplo,500u,20g',
    '500,nodegizmo,nodegizmo,500u,20g',
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -148,6 +148,7 @@ WHERE
    '80,6,500,wget,0u,0g,wget',
    '80,6,0,gawk,0u,0g,awk',
    '80,6,0,gpg,0u,0g,gpg',
+    '80,6,500,chrome,u,g,chrome',
    '80,6,0,grep,0u,0g,grep',
    '80,6,0,kmod,0u,0g,depmod',
    '80,6,0,kubelet,u,g,kubelet',
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -133,6 +133,8 @@ WHERE pos.protocol > 0
    '500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Apple Mac OS Application Signing,com.microsoft.rdc.macos',
    '500,6,4070,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
    '500,6,4317,flyctl,flyctl,,a.out',
+    '500,6,80,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
+    '500,6,80,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
    '500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
    '500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge',
    '500,6,5091,ZoomPhone,ZoomPhone,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.ZoomPhone',
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@ -131,6 +131,7 @@ WHERE
    'baloo_file_extr',
    'bwrap',
    'cargo',
+    'GoogleUpdater',
    'chrome',
    'code',
    'com.apple.MobileSoftwareUpdate.UpdateBrainService',
--- a/detection/credentials/unexpected-dev-opener-macos.sql
+++ b/detection/credentials/unexpected-dev-opener-macos.sql
@ -95,6 +95,7 @@ WHERE
    '/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
    '/dev/cu.BLTH,bluetoothd,Software Signing,com.apple.bluetoothd',
    '/dev/io,ControlCenter,Software Signing,com.apple.controlcenter',
+    '/dev/bpf,MHLinkServer,Developer ID Application: Metric Halo Distribution, Inc. (X7EY8SFM86),com.mhlabs.mhlink.server',
    '/dev/io,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
    '/dev/io,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent',
    '/dev/io,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd',
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@ -44,6 +44,7 @@ WHERE
  AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
  AND f.path NOT LIKE '/var/kolide-k2/k2device.kolide.com/updates/%'
  AND f.path NOT LIKE '/tmp/go-build%'
+  AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%/bin/%'
  AND p.name NOT LIKE 'osqtool%'
 GROUP by
  p.pid
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
@ -52,6 +52,7 @@ WHERE -- Filter out stock exceptions to decrease overhead
    ',,/Applications/Visual%20Studio%20Code.app/,',
    ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
    ',,/usr/local/sbin/iodined,501',
+    ',a.out,/Users/dlorenc/.wash/downloads/nats-server,501',
    ',a.out,/Users/amouat/proj/learning-labs-static/server,501',
    ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
    ',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
@ -123,6 +124,11 @@ WHERE -- Filter out stock exceptions to decrease overhead
  AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501'
  AND NOT exception_key LIKE ',java,/opt/homebrew/Cellar/openjdk/%/libexec/openjdk.jdk/Contents/Home/bin/java,501'
  AND NOT exception_key LIKE ',python3.%,/nix/store/%-python3-3%/bin/python3.%,0'
+  AND NOT signature.authority IN (
+    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
+    'Developer ID Application: The Foundry (82R497YNSK)',
+    'Developer ID Application: OpenAI, L.L.C. (2DC432GLL2)'
+  )
  AND NOT (
    signature.identifier LIKE 'cargo-%'
    AND ae.path LIKE '/Users/%/.rustup/%'
--- a/detection/evasion/unusual-executable-name-macos.sql
+++ b/detection/evasion/unusual-executable-name-macos.sql
@ -92,6 +92,8 @@ WHERE
  AND NOT pname IN (
    'cpu',
    'BetterTouchToolAppleScriptRunner',
+    'dynamiclinkmanager',
+    'launchd_startx',
    'TwitterNotificationServiceExtension',
    'ThingsWidgetExtensionMacAppStore',
    'com.microsoft.teams2.notificationcenter',
--- a/detection/evasion/unusual-process-name-linux.sql
+++ b/detection/evasion/unusual-process-name-linux.sql
@ -103,6 +103,7 @@ WHERE
    "irqbalance",
    "kactivitymanagerd",
    "com.docker.backend",
+    'xdg-dbus-proxy',
    "com.docker.build",
    "com.docker.extensions",
    "nm-applet",
@ -116,3 +117,4 @@ WHERE
    "xdg-document-portal",
    "xdg-permission-store"
  )
+  AND NOT (basename IN ('nm-dispatcher') AND p1_pid=1)
--- a/detection/evasion/unusually-tainted-kernel-linux.sql
+++ b/detection/evasion/unusually-tainted-kernel-linux.sql
@ -51,7 +51,8 @@ WHERE
    )
    OR (
      -- 12352 is unsigned, out of tree, requested by user space
-      taint = 12352
+      -- 12289 is an unsigned, out of tree, proprietary
+      taint IN (12352, 12289)
      AND modules LIKE "%,v4l2loopback,%"
    )
  )
--- a/detection/execution/exotic-commands-macos.sql
+++ b/detection/execution/exotic-commands-macos.sql
@ -109,6 +109,7 @@ WHERE
  )
  AND NOT p0_cmd IN ('pkill -f Jabra Direct')
  AND NOT p0_cmd LIKE "%dd if=/dev/stdin conv=unblock cbs=79"
+  AND NOT p0_cmd LIKE '%docker% run % tail -f /dev/null'
  AND NOT p1_path LIKE '/Applications/Emacs.app/Contents/MacOS/Emacs-arm64-%'
 GROUP BY
  p0.pid;
--- a/detection/execution/unexpected-chmod-exec-event-linux.sql
+++ b/detection/execution/unexpected-chmod-exec-event-linux.sql
@ -111,6 +111,7 @@ WHERE
      AND cmdline NOT LIKE 'chmod 777 /app/%'
      AND cmdline NOT LIKE 'chmod 700 /tmp/apt-key-gpghome.%'
      AND cmdline NOT LIKE 'chmod 700 /home/%/snap/%/%/.config'
+      AND cmdline NOT LIKE 'chmod +x /home/%/bin/%'
  )
  AND pe.time > (strftime('%s', 'now') -300)
  AND pe.syscall = "execve"
--- a/detection/execution/unexpected-root-signer-macos.sql
+++ b/detection/execution/unexpected-root-signer-macos.sql
@ -78,6 +78,7 @@ WHERE
  )
  AND s.authority NOT IN (
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
+    'Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)',
    'Developer ID Application: Bitdefender SRL (GUNFMW623Y)',
    'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)',
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -104,6 +104,7 @@ WHERE
    'java',
    'jetbrains_client',
    'kitty',
+    'ptyxis-agent',
    'ko',
    'konsole',
    'kubectl',
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@ -142,6 +142,10 @@ WHERE
        'import-state.service,Import network configuration from initramfs,',
        'incus-lxcfs.service,Incus - LXCFS daemon,',
        'incus.service,Incus - Daemon,',
+        'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
+        'brew-update.timer,Timer for brew update for mutable brew,',
+        'ublue-update.timer,Auto Update System Timer For Universal Blue,',
+        'ublue-system-setup.service,Configure system,',
        'incus.service,Incus - Main daemon,',
        'incus.socket,Incus - Daemon (unix socket),',
        'incus-startup.service,Incus - Startup check,',
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -187,6 +187,8 @@ WHERE
    'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755',
    'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
    'launcher,/usr/local/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
+    'launcher,/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
+    'launcher,/opt/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
    'launcher,/var/kolide-k2/k2device.kolide.com/updates/launcher/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
    'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
    'lightdm,/nix/store/__VERSION__/bin/lightdm,0,system.slice,display-manager.service,0555',
@ -299,6 +301,8 @@ WHERE
    'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
    'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
    'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
+    'osqueryd,/usr/lib/opt/kolide-k2/bin/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
+    'launcher,/usr/lib/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
    'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
    'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
    'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',
@ -309,6 +313,7 @@ WHERE
    'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
    'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
    'zed,/usr/sbin/zed,0,system.slice,zfs-zed.service,0755',
+    'elastic-endpoin,/var/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
    'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-frequent.service,0555',
    'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-hourly.service,0555',
    'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555',
@ -317,7 +322,11 @@ WHERE
  )
  AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
  AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
+  AND NOT exception_key LIKE 'elastic-agent,/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,0750'
+  AND NOT exception_key LIKE 'elastic-agent,/var/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,0750'
+  AND NOT exception_key LIKE 'elastic-agent,/var/opt/Elastic/Agent/data/elastic-agent%/elastic-agent,0,system.slice,elastic-agent.service,0770'
  AND NOT exception_key LIKE '%beat,/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,0750'
+  AND NOT exception_key LIKE '%beat,/var/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,0750'
  AND NOT exception_key LIKE 'osquery-extensi,/opt/Elastic/Agent/data/elastic-agent-%/components/osquery-extension.ext,0,system.slice,elastic-agent.service,0750'
  AND NOT exception_key LIKE 'osqueryd,/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd,0,system.slice,elastic-agent.service,0750'
  AND NOT exception_key LIKE 'elastic-agent,/opt/Elastic/Agent/data/elastic-agent-%/elastic-agent,0,system.slice,elastic-agent.service,0770'