From ab94de777073995c6eab5a459bc25877671bbbf7 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Wed, 19 Oct 2022 16:56:32 -0400 Subject: [PATCH] Add a lot more mitre data --- .../c2/unexpected-listening-port-linux.sql | 2 +- .../c2/unexpected-listening-port-macos.sql | 2 +- detection/c2/unexpected-talkers-linux.sql | 2 +- detection/c2/unexpected-talkers-macos.sql | 2 +- ...unexpected-sensitive-file-access-linux.sql | 10 +- .../evasion/executables-from-the-future.sql | 2 +- detection/evasion/hidden-cwd.sql | 5 +- .../evasion/hidden-launchd-files-macos.sql | 8 +- detection/evasion/hidden-parent-pid.sql | 1 + detection/evasion/missing-from-disk-linux.sql | 3 + detection/evasion/missing-from-disk-macos.sql | 3 + detection/evasion/name_path_mismatch.sql | 3 + detection/evasion/old-binaries-running.sql | 5 +- .../evasion/parent-missing-from-disk.sql | 13 +- detection/evasion/ssh-notty.sql | 4 + .../evasion/touched-executable-linux.sql | 2 +- .../evasion/touched-executable-macos.sql | 3 + detection/exfil/high-disk-bytes-written.sql | 111 ------------------ detection/exfil/high_disk_bytes_read.sql | 3 + .../exfil/spotlight-database-export-macos.sql | 31 ----- detection/impact/evenly-timestomped.sql | 3 + detection/impact/unexpected-etc-hosts.sql | 3 + .../unexpected-diskimage-source-macos.sql | 2 + .../unexpected-shell-parents.sql | 4 + .../unexpected-volume-contents.sql | 2 + .../unexpected-webmail-downloads.sql | 3 + detection/persistence/fake-apple-launchd.sql | 1 + .../unexpected-active-systemd-units.sql | 2 +- .../unexpected-chrome-extensions.sql | 4 +- .../persistence/unexpected-cron-entries.sql | 2 +- .../unexpected-launchd-program-arguments.sql | 4 +- .../unexpected-launchd-program.sql | 2 +- .../unexpected-small-udev-entry.sql | 2 + .../unexpected-uid0-daemon-linux.sql | 3 + .../unexpected-uid0-daemon-macos.sql | 3 + ...unexpected-privilege-escalation-events.sql | 11 +- .../unexpected-privilege-escalation.sql | 11 +- .../unexpected-privileged-containers.sql | 4 + .../privesc/unexpected-setxid-process.sql | 7 ++ 
incident_response/process_open_sockets.sql | 18 --- 40 files changed, 121 insertions(+), 185 deletions(-) delete mode 100644 detection/exfil/high-disk-bytes-written.sql delete mode 100644 detection/exfil/spotlight-database-export-macos.sql delete mode 100644 incident_response/process_open_sockets.sql diff --git a/detection/c2/unexpected-listening-port-linux.sql b/detection/c2/unexpected-listening-port-linux.sql index 5372e23..bca6ea1 100644 --- a/detection/c2/unexpected-listening-port-linux.sql +++ b/detection/c2/unexpected-listening-port-linux.sql @@ -1,7 +1,7 @@ -- Unexpected programs listening on a TCP port (state-based). -- -- references: --- * https://attack.mitre.org/techniques/T1571/ +-- * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port) -- -- tags: persistent state net SELECT diff --git a/detection/c2/unexpected-listening-port-macos.sql b/detection/c2/unexpected-listening-port-macos.sql index e6a7ad0..636a554 100644 --- a/detection/c2/unexpected-listening-port-macos.sql +++ b/detection/c2/unexpected-listening-port-macos.sql @@ -1,7 +1,7 @@ -- Unexpected programs listening on a TCP port. -- -- references: --- * https://attack.mitre.org/techniques/T1571/ +-- * https://attack.mitre.org/techniques/T1571/ (Non-Standard Port) -- -- tags: persistent state net low -- platform: darwin diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql index 83255d6..2149467 100644 --- a/detection/c2/unexpected-talkers-linux.sql +++ b/detection/c2/unexpected-talkers-linux.sql @@ -1,7 +1,7 @@ -- Programs communicating over the network in unexpected ways (state-based) -- -- references: --- * https://attack.mitre.org/techniques/T1071/ +-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol) -- -- tags: transient state net rapid -- platform: linux diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index 7f6fbed..90ed4ef 100644 
--- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql @@ -1,7 +1,7 @@ -- Programs communicating over the network in unexpected ways (state-based) -- -- references: --- * https://attack.mitre.org/techniques/T1071/ +-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol) -- -- tags: transient state net often -- platform: macos diff --git a/detection/credentials/unexpected-sensitive-file-access-linux.sql b/detection/credentials/unexpected-sensitive-file-access-linux.sql index 0721ca6..cdd5529 100644 --- a/detection/credentials/unexpected-sensitive-file-access-linux.sql +++ b/detection/credentials/unexpected-sensitive-file-access-linux.sql @@ -1,8 +1,12 @@ --- This query looks for exotic open file/process combinations +-- Unexpected programs accessing sensitive data stores (state-based) -- --- It's unfortunately of limited use, as the query is slow (250ms) +-- This query is unfortunately of limited use, as the query is slow (250ms) -- and it requires catching a program at the exact moment it has --- the file open. +-- the file open. An event-based version is advised. +-- +-- references: +-- * https://attack.mitre.org/techniques/T1555/ (Credentials from Password Stores) +-- -- tags: transient often state file access SELECT pof.pid, diff --git a/detection/evasion/executables-from-the-future.sql b/detection/evasion/executables-from-the-future.sql index ba1c76e..8a276b7 100644 --- a/detection/evasion/executables-from-the-future.sql +++ b/detection/evasion/executables-from-the-future.sql @@ -1,7 +1,7 @@ -- Programs which claim to be from the future, based on (btime,ctime,mtime) -- -- references: --- * https://attack.mitre.org/techniques/T1070/006/ +-- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp) -- -- false positives: -- * None observed diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql index 7143176..abc473c 100644 
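Review bot: The new reference in unexpected-sensitive-file-access-linux.sql maps the query to T1555 (Credentials from Password Stores), but the rewritten title says it watches sensitive *file* access, and credential material read straight from files (SSH keys, cloud CLI tokens, shadow) is T1552.001 (Unsecured Credentials: Credentials In Files), not password-store access. The list of watched paths is outside this hunk, so confirm which applies and consider listing both; otherwise an analyst pivoting from T1552 will not find this query. The new header also drops the original description of the mechanism ("exotic open file/process combinations"); keeping a line such as `-- Joins open file handles against running processes at sample time, hence the 250ms cost` would preserve that for the reader.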
--- a/detection/evasion/hidden-cwd.sql +++ b/detection/evasion/hidden-cwd.sql @@ -1,8 +1,11 @@ -- Programs running with a hidden current working directory -- --- False positives: +-- false positives: -- * Users rummaging through their configuration files -- +-- references: +-- * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories) +-- -- tags: transient often SELECT p.pid, diff --git a/detection/evasion/hidden-launchd-files-macos.sql b/detection/evasion/hidden-launchd-files-macos.sql index 7702956..dcdd132 100644 --- a/detection/evasion/hidden-launchd-files-macos.sql +++ b/detection/evasion/hidden-launchd-files-macos.sql @@ -1,6 +1,12 @@ --- osquery can't see hidden launch agents/daemons +-- Reveal launchd services which are located in a hidden directory. +-- +-- This query was written because osquery can't see these entries currently. -- See https://github.com/osquery/osquery/issues/7703 -- +-- references: +-- * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon) +-- * https://attack.mitre.org/techniques/T1564/001/ (Hide Artifacts: Hidden Files and Directories) +-- -- platform: darwin -- tags: persistent daemon SELECT diff --git a/detection/evasion/hidden-parent-pid.sql b/detection/evasion/hidden-parent-pid.sql index f87bf45..4c98e3d 100644 --- a/detection/evasion/hidden-parent-pid.sql +++ b/detection/evasion/hidden-parent-pid.sql @@ -2,6 +2,7 @@ -- -- references: -- * https://github.com/krisnova/boopkit +-- * https://attack.mitre.org/techniques/T1014/ (Rootkit) -- -- false positives: -- * None observed diff --git a/detection/evasion/missing-from-disk-linux.sql b/detection/evasion/missing-from-disk-linux.sql index 2afe4bd..9bf7ed4 100644 --- a/detection/evasion/missing-from-disk-linux.sql +++ b/detection/evasion/missing-from-disk-linux.sql 
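Review bot: In hidden-launchd-files-macos.sql the removed header said the query covers hidden launch *agents* and daemons, but the new references only add T1543.004 (Launch Daemon); if the SELECT (outside this hunk) also walks LaunchAgents directories, add `-- * https://attack.mitre.org/techniques/T1543/001/ (Create or Modify System Process: Launch Agent)` so user-level persistence is mapped too. The wording "osquery can't see these entries currently" will go stale silently; naming the osquery version in which the gap was observed, next to the issue link, makes it easy to know when the workaround can be retired.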
@@ -3,6 +3,9 @@ -- false positives: -- * none observed -- +-- references: +-- * https://attack.mitre.org/techniques/T1070/004/ (Indicator Removal on Host: File Deletion) +-- -- tags: persistent process state -- platform: linux SELECT diff --git a/detection/evasion/missing-from-disk-macos.sql b/detection/evasion/missing-from-disk-macos.sql index 12974b3..d154fc2 100644 --- a/detection/evasion/missing-from-disk-macos.sql +++ b/detection/evasion/missing-from-disk-macos.sql @@ -3,6 +3,9 @@ -- false positives: -- * Self-updating programs that remain running -- +-- references: +-- * https://attack.mitre.org/techniques/T1070/004/ (Indicator Removal on Host: File Deletion) +-- -- platform: darwin -- tags: persistent process state SELECT diff --git a/detection/evasion/name_path_mismatch.sql b/detection/evasion/name_path_mismatch.sql index 86770e2..a55c322 100644 --- a/detection/evasion/name_path_mismatch.sql +++ b/detection/evasion/name_path_mismatch.sql @@ -3,6 +3,9 @@ -- false positives: -- * new software, particularly those using interpreted languages -- +-- references: +-- * https://attack.mitre.org/techniques/T1036/004/ (Masquerade Task or Service) +-- -- tags: persistent daemon high SELECT p.name, diff --git a/detection/evasion/old-binaries-running.sql b/detection/evasion/old-binaries-running.sql index 4374090..ff759ee 100644 --- a/detection/evasion/old-binaries-running.sql +++ b/detection/evasion/old-binaries-running.sql @@ -1,7 +1,10 @@ -- Alert on programs running that are unusually old (poor timestomping) -- +-- false positive: +-- * legimitely ancient programs. For instance, printer drivers. +-- -- references: --- * https://attack.mitre.org/techniques/T1070/006/ +-- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp) -- -- tags: transient process state SELECT diff --git a/detection/evasion/parent-missing-from-disk.sql b/detection/evasion/parent-missing-from-disk.sql index 7cb7bae..86da2ed 100644 
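Review bot: T1036.004 (Masquerade Task or Service) in name_path_mismatch.sql is specifically about scheduled-task and service names, whereas a process whose name does not match its on-disk path is closer to T1036.005 (Match Legitimate Name or Location) or simply the parent T1036 (Masquerading). The tags say `persistent daemon`, so if the query is in fact restricted to service processes the .004 mapping is defensible, but then the header should say so; otherwise `-- * https://attack.mitre.org/techniques/T1036/ (Masquerading)` is the safer reference.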
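Review bot: The block added to old-binaries-running.sql uses the singular heading `-- false positive:` and misspells "legitimately" as `legimitely`; every other file in this commit uses `-- false positives:`, and anything that parses these header fields will silently miss the singular form. Suggest `-- false positives:` followed by `-- * legitimately ancient programs, for instance printer drivers`.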
--- a/detection/evasion/parent-missing-from-disk.sql +++ b/detection/evasion/parent-missing-from-disk.sql @@ -1,6 +1,17 @@ --- Parent PID is not on disk +-- A program where the parent PID is not on disk +-- -- Reveals boopkit if a child is spawned -- TODO: Make mount namespace aware +-- +-- false positives: +-- * none observed +-- +-- references: +-- * https://attack.mitre.org/techniques/T1070/004/ (Indicator Removal on Host: File Deletion) +-- +-- false positives: +-- * none observed +-- -- tags: persistent daemon SELECT p.name AS child_name, diff --git a/detection/evasion/ssh-notty.sql b/detection/evasion/ssh-notty.sql index dcacef9..41b0ea6 100644 --- a/detection/evasion/ssh-notty.sql +++ b/detection/evasion/ssh-notty.sql @@ -3,6 +3,10 @@ -- false positives: -- * ssh-driven automation which disables the terminal, such as Znapzend -- +-- references: +-- * https://attack.mitre.org/techniques/T1021/004/ (Remote Services: SSH) +-- * https://attack.mitre.org/techniques/T1564/ (Hide Artifacts) +-- -- tags: transient process state -- platform: posix SELECT diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql index 81dd863..6dd6472 100644 --- a/detection/evasion/touched-executable-linux.sql +++ b/detection/evasion/touched-executable-linux.sql @@ -2,7 +2,7 @@ -- on Linux only generally occurs occurs if you run 'touch ' -- -- references: --- * https://attack.mitre.org/techniques/T1070/006/ +-- * https://attack.mitre.org/techniques/T1070/006/ (Timestomping) -- -- tags: transient process state -- platform: linux diff --git a/detection/evasion/touched-executable-macos.sql b/detection/evasion/touched-executable-macos.sql index e51e974..bfed733 100644 --- a/detection/evasion/touched-executable-macos.sql +++ b/detection/evasion/touched-executable-macos.sql 
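Review bot: The `-- false positives:` / `-- * none observed` block is added twice to parent-missing-from-disk.sql, once before and once after the references block; drop the second copy. The retained `TODO: Make mount namespace aware` is presumably the case where a parent's binary exists only in another mount namespace (containers) and would be reported as missing, so it belongs in the false-positives list rather than "none observed" — if that is what the TODO refers to, say so there.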
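Review bot: The T1070.006 parenthetical in touched-executable-linux.sql is `(Timestomping)`, while executables-from-the-future.sql, old-binaries-running.sql and evenly-timestomped.sql in this same commit label the same technique `(Indicator Removal on Host: Timestomp)`; pick one spelling so grouping queries by technique name works. The context line above the change also reads `occurs occurs` and `run 'touch '` with an empty quoted command — the placeholder after `touch` looks lost (pre-existing, but worth fixing while the header is being edited).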
@@ -6,6 +6,9 @@ -- false positives: -- * Programs which are packaged weirdly and don't follow the typical Apple app layout -- +-- references: +-- * https://attack.mitre.org/techniques/T1070/006/ (Timestomping) +-- -- tags: transient seldom filesystem state -- platform: darwin SELECT diff --git a/detection/exfil/high-disk-bytes-written.sql b/detection/exfil/high-disk-bytes-written.sql deleted file mode 100644 index f8a592b..0000000 --- a/detection/exfil/high-disk-bytes-written.sql +++ /dev/null 
@@ -1,111 +0,0 @@
--- Programs which are writing an unusually large amount of data
---
--- Can be used to detect ransomware
---
--- false positives:
--- * Package managers
--- * Backup software
---
--- tags: transient process
-SELECT
- p.name,
- p.path,
- p.pid,
- p.cmdline,
- p.on_disk,
- p.parent,
- p.start_time,
- hash.sha256,
- p.disk_bytes_written,
- p.cwd,
- (strftime('%s', 'now') - start_time) AS age,
- disk_bytes_written / (strftime('%s', 'now') - start_time) AS bytes_per_second
-FROM
- processes p
- LEFT JOIN hash ON p.path = hash.path
-WHERE
- bytes_per_second > 2500000
- AND age > 120
- AND pid > 2
- AND p.path NOT IN (
- '/bin/bash',
- '/opt/homebrew/bin/qemu-system-aarch64',
- '/usr/bin/aptd',
- '/usr/bin/bash',
- '/usr/bin/bwrap',
- '/usr/bin/curl',
- '/usr/bin/dockerd',
- '/usr/bin/fish',
- '/usr/bin/gnome-shell',
- '/usr/bin/make',
- '/usr/bin/melange',
- '/usr/bin/qemu-system-x86_64',
- '/usr/bin/yay',
- '/usr/bin/zsh',
- '/usr/lib64/thunderbird/thunderbird',
- '/usr/libexec/coreduetd',
- '/usr/libexec/packagekitd',
- '/usr/libexec/rosetta/oahd',
- '/usr/libexec/secd',
- '/usr/libexec/sharingd',
- '/usr/lib/flatpak-system-helper',
- '/usr/lib/systemd/systemd',
- '/usr/lib/systemd/systemd-journald',
- '/usr/sbin/screencapture'
- )
- AND NOT (
- name LIKE 'jbd%/dm-%'
- AND on_disk = -1
- )
- AND NOT (
- name = 'bindfs'
- AND cmdline LIKE 'bindfs -f -o fsname=%'
- )
- AND NOT (
- name = 'btrfs-transaction'
- AND on_disk = -1
- )
- AND NOT (
- name = 'kernel_task'
- AND p.path = ''
- AND parent IN (0, 1)
- AND on_disk = -1
- )
- AND NOT (
- name = 'launchd'
- AND p.path = '/sbin/launchd'
- AND parent = 0
- )
- AND NOT (
- name = 'logd'
- AND cmdline = '/usr/libexec/logd'
- AND parent = 1
- )
- AND NOT (
- name = 'aptd'
- AND cmdline = '/usr/bin/python3 /usr/sbin/aptd'
- )
- AND NOT name IN (
- 'chrome',
- 'com.apple.MobileSoftwareUpdate.UpdateBrainService',
- 'containerd',
- 'esbuild',
- 'firefox',
- 'go',
- 'goland',
- 'java',
- 'launcher',
- 'gopls',
- 'jetbrains-toolb',
- 'slack',
- 'slack',
- 'wineserver'
- )
- AND p.path NOT LIKE '/Applications/%.app/Contents/%'
- AND p.path NOT LIKE '/home/%/.local/share/Steam'
- AND p.path NOT LIKE '/nix/store/%/bin/%sh'
- AND p.path NOT LIKE '/nix/store/%/bin/nix'
- AND p.path NOT LIKE '/System/Applications/%'
- AND p.path NOT LIKE '/System/Library/%'
- AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
- AND p.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 6b7237c..a5d6d86 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -6,6 +6,9 @@
 -- * Virtual Machine managers
 -- * Backup software
 --
+-- references:
+-- * https://attack.mitre.org/tactics/TA0010/ (Exfiltration)
+--
 -- tags: transient process
 SELECT
 p.name,
diff --git a/detection/exfil/spotlight-database-export-macos.sql b/detection/exfil/spotlight-database-export-macos.sql
deleted file mode 100644
index 77dc2a6..0000000
--- a/detection/exfil/spotlight-database-export-macos.sql
+++ /dev/null
@@ -1,31 +0,0 @@
--- Find database exports. Will need tuning based on your table names.
---
--- false positives:
--- * none observed
---
--- platform: darwin
--- tags: persistent filesystem spotlight
-SELECT
- f.path,
- f.size,
- datetime(f.btime, 'unixepoch') AS file_created,
- magic.data
-FROM
- file f
- JOIN mdfind ON mdfind.path = f.path
- LEFT JOIN magic ON f.path = magic.path
-WHERE
- (
- (
- mdfind.query = 'kMDItemFSName == ''*enforce*'' && kMDItemTextContent == ''CREATE TABLE'''
- )
- OR (
- mdfind.query = 'kMDItemFSName == ''*iam*'' && kMDItemTextContent == ''CREATE TABLE'''
- )
- OR (
- mdfind.query = 'kMDItemFSName == ''*tenant*'' && kMDItemTextContent == ''CREATE TABLE'''
- )
- )
- AND f.path NOT LIKE '%.json'
- AND f.path NOT LIKE '%.log'
- AND f.size > 32768
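Review bot: The reference added to high_disk_bytes_read.sql is the only one in this commit that points at a tactic page (TA0010) rather than a technique; a process reading an unusually large amount of local data maps more directly to T1005 (Data from Local System) or T1074.001 (Local Data Staging), with exfiltration only inferable once the bytes leave the host. Consider `-- * https://attack.mitre.org/techniques/T1005/ (Data from Local System)` alongside or instead of the tactic link. Separately, the sibling high-disk-bytes-written.sql (which its own header described as a ransomware detector) is deleted in this same commit without a mention in the subject line; if the removal is intentional, the commit message should say why.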
diff --git a/detection/impact/evenly-timestomped.sql b/detection/impact/evenly-timestomped.sql index 23797d1..a142fe4 100644 --- a/detection/impact/evenly-timestomped.sql +++ b/detection/impact/evenly-timestomped.sql @@ -3,6 +3,9 @@ -- false positives: -- * 1 in 43200 chance per binary -- +-- references: +-- * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp) +-- -- tags: persistent seldom filesystem -- platform: linux SELECT diff --git a/detection/impact/unexpected-etc-hosts.sql b/detection/impact/unexpected-etc-hosts.sql index 793936e..c7d04c4 100644 --- a/detection/impact/unexpected-etc-hosts.sql +++ b/detection/impact/unexpected-etc-hosts.sql @@ -3,6 +3,9 @@ -- false positives: -- * developers adding entries for their own use -- +-- references: +-- * https://attack.mitre.org/techniques/T1565/001/ (Data Manipulation: Stored Data Manipulation) +-- -- tags: persistent seldom filesystem net SELECT * diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql index e6009b3..e17fa70 100644 --- a/detection/initial_access/unexpected-diskimage-source-macos.sql +++ b/detection/initial_access/unexpected-diskimage-source-macos.sql @@ -1,6 +1,8 @@ -- Surface ISO/DMG disk images that were downloaded from unexpected places -- -- references: +-- * https://attack.mitre.org/techniques/T1566/001/ (Phishing: Spearphishing Attachment) +-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File) -- * https://unit42.paloaltonetworks.com/chromeloader-malware/ -- -- false positives: diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql index 3ee8d46..cfacd84 100644 --- a/detection/initial_access/unexpected-shell-parents.sql +++ b/detection/initial_access/unexpected-shell-parents.sql 
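Review bot: evenly-timestomped.sql lives under detection/impact but the only technique it now references, T1070.006, belongs to Defense Evasion; either the directory or the mapping is misleading to someone browsing by tactic. If the query is meant to stay under impact, a one-line note explaining why (for example that evenly-rounded timestamps were seen on files touched by a destructive tool) would justify it; otherwise moving it next to the other timestomp queries in detection/evasion is the cleaner fix.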
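Review bot: unexpected-diskimage-source-macos.sql flags disk images by where they were *downloaded* from, which is the link/browser delivery path rather than a mail attachment, so T1566.002 (Phishing: Spearphishing Link) fits at least as well as the T1566.001 reference added here; `-- * https://attack.mitre.org/techniques/T1566/002/ (Phishing: Spearphishing Link)` would cover it, and T1189 (Drive-by Compromise) may apply if ad-driven downloads are the main vector seen. T1204.002 remains correct for the execution step.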
@@ -3,6 +3,10 @@ -- false positives: -- * IDE's -- +-- references: +-- * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter) +-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File) +-- -- tags: transient process state -- platform: posix SELECT diff --git a/detection/initial_access/unexpected-volume-contents.sql b/detection/initial_access/unexpected-volume-contents.sql index 46024a7..d4700b3 100644 --- a/detection/initial_access/unexpected-volume-contents.sql +++ b/detection/initial_access/unexpected-volume-contents.sql @@ -4,6 +4,8 @@ -- * Installer packages with hidden files -- -- references: +-- * https://attack.mitre.org/techniques/T1566/001/ (Phishing: Spearphishing Attachment) +-- * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File) -- * https://www.crowdstrike.com/blog/how-crowdstrike-uncovered-a-new-macos-browser-hijacking-campaign/ -- -- tags: transient volume filesystem diff --git a/detection/initial_access/unexpected-webmail-downloads.sql b/detection/initial_access/unexpected-webmail-downloads.sql index 03650f9..76bf354 100644 --- a/detection/initial_access/unexpected-webmail-downloads.sql +++ b/detection/initial_access/unexpected-webmail-downloads.sql @@ -3,6 +3,9 @@ -- false positives: -- * Files without an extension or extensions not explicitly added to the allow list -- +-- references: +-- * https://attack.mitre.org/techniques/T1566/001/ (Phishing: Spearphishing Attachment) +-- -- platform: darwin -- tags: persistent filesystem spotlight SELECT diff --git a/detection/persistence/fake-apple-launchd.sql b/detection/persistence/fake-apple-launchd.sql index 8af6c9e..94c2b81 100644 --- a/detection/persistence/fake-apple-launchd.sql +++ b/detection/persistence/fake-apple-launchd.sql 
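Review bot: unexpected-shell-parents.sql declares `platform: posix`, so the sub-technique T1059.004 (Command and Scripting Interpreter: Unix Shell) is more precise than the parent T1059 added here; `-- * https://attack.mitre.org/techniques/T1059/004/ (Command and Scripting Interpreter: Unix Shell)` would let this query be found when hunting for that specific sub-technique. The context line `-- * IDE's` should read `IDEs`.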
@@ -1,6 +1,7 @@ -- Find launchd entries which purport to be by Apple, but are not signed by Apple. -- -- references: +-- * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon) -- * https://posts.specterops.io/hunting-for-bad-apples-part-1-22ef2b44c0aa -- -- false positives: diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql index c4d892a..38c2b89 100644 --- a/detection/persistence/unexpected-active-systemd-units.sql +++ b/detection/persistence/unexpected-active-systemd-units.sql @@ -1,7 +1,7 @@ -- Unexpected systemd units, may be evidence of persistence -- -- references: --- * https://attack.mitre.org/techniques/T1543/002/ +-- * https://attack.mitre.org/techniques/T1543/002/ (Create or Modify System Process: Systemd Service) -- -- false positives: -- * System updates diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql index cdafa27..2b5234c 100644 --- a/detection/persistence/unexpected-chrome-extensions.sql +++ b/detection/persistence/unexpected-chrome-extensions.sql @@ -1,10 +1,10 @@ -- Highlight chrome extensions with wide-ranging permissions that are not part of your whitelist -- -- references: --- * https://attack.mitre.org/techniques/T1176/ +-- * https://attack.mitre.org/techniques/T1176/ (Browser Extensions) -- -- false positives: --- * anything that isn't on your whitelist +-- * Almost unlimited: any extension that isn't on your whitelist -- -- tags: persistent seldom browser SELECT diff --git a/detection/persistence/unexpected-cron-entries.sql b/detection/persistence/unexpected-cron-entries.sql index 9cc006b..87e75e9 100644 --- a/detection/persistence/unexpected-cron-entries.sql +++ b/detection/persistence/unexpected-cron-entries.sql 
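Review bot: The header of fake-apple-launchd.sql says the query finds entries that purport to be Apple but are not signed by Apple, which is exactly T1036.001 (Masquerading: Invalid Code Signature); T1543.004 covers the persistence side but not the masquerade that makes this query distinctive. Add `-- * https://attack.mitre.org/techniques/T1036/001/ (Masquerading: Invalid Code Signature)` alongside the Launch Daemon reference.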
@@ -1,7 +1,7 @@ -- Unexpected crontab entries -- -- references: --- * https://attack.mitre.org/techniques/T1053/003/ +-- * https://attack.mitre.org/techniques/T1053/003/ (Scheduled Task/Job: Cron) -- -- false positives: -- * crontab entries added by the user diff --git a/detection/persistence/unexpected-launchd-program-arguments.sql b/detection/persistence/unexpected-launchd-program-arguments.sql index bbf7884..487b62d 100644 --- a/detection/persistence/unexpected-launchd-program-arguments.sql +++ b/detection/persistence/unexpected-launchd-program-arguments.sql @@ -1,7 +1,7 @@ -- Unexpected launchd scripts that use the 'program_arguments' field ----- +-- -- references: --- * https://attack.mitre.org/techniques/T1543/004/ +-- * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon) -- -- false positives: -- * Software by new vendors which have not yet been added to the allow list diff --git a/detection/persistence/unexpected-launchd-program.sql b/detection/persistence/unexpected-launchd-program.sql index 2beaade..0b8d481 100644 --- a/detection/persistence/unexpected-launchd-program.sql +++ b/detection/persistence/unexpected-launchd-program.sql @@ -1,7 +1,7 @@ -- Unexpected launchd scripts that use the 'program' field -- -- references: --- * https://attack.mitre.org/techniques/T1543/004/ +-- * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon) -- -- false positives: -- * Software by new vendors which have not yet been added to the allow list diff --git a/detection/persistence/unexpected-small-udev-entry.sql b/detection/persistence/unexpected-small-udev-entry.sql index 28e9f49..56ae2f5 100644 --- a/detection/persistence/unexpected-small-udev-entry.sql +++ b/detection/persistence/unexpected-small-udev-entry.sql 
@@ -4,6 +4,8 @@ -- -- references: -- * https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf +-- * https://attack.mitre.org/techniques/T1547/ (Boot or Logon Autostart Execution) +-- -- false positives: -- * rules installed by 3rd party software -- diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql index cf85569..9106f49 100644 --- a/detection/persistence/unexpected-uid0-daemon-linux.sql +++ b/detection/persistence/unexpected-uid0-daemon-linux.sql @@ -3,6 +3,9 @@ -- false positives: -- * new software requiring escalated privileges -- +-- references: +-- * https://attack.mitre.org/techniques/T1543/ +-- -- tags: persistent process state -- platform: linux SELECT diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql index b9194f0..12ab9be 100644 --- a/detection/persistence/unexpected-uid0-daemon-macos.sql +++ b/detection/persistence/unexpected-uid0-daemon-macos.sql @@ -3,6 +3,9 @@ -- false positives: -- * new software requiring escalated privileges -- +-- references: +-- * https://attack.mitre.org/techniques/T1543/ +-- -- tags: persistent process state -- platform: darwin SELECT diff --git a/detection/privesc/unexpected-privilege-escalation-events.sql b/detection/privesc/unexpected-privilege-escalation-events.sql index 318ed88..c7cf69a 100644 --- a/detection/privesc/unexpected-privilege-escalation-events.sql +++ b/detection/privesc/unexpected-privilege-escalation-events.sql 
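Review bot: The T1543 reference added to unexpected-uid0-daemon-linux.sql is the only one in this commit without the technique name in parentheses, so the commit's own convention is broken here; write `-- * https://attack.mitre.org/techniques/T1543/ (Create or Modify System Process)`. The macOS twin hunk in unexpected-uid0-daemon-macos.sql has the same omission and should get the same line.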
@@ -1,5 +1,14 @@ --- Designed for execution every 30 seconds (where the parent may still be around) +-- Find processes that run with a lower effective UID than their parent (event-based) -- +-- references: +-- * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid) +-- * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux +-- +-- related: +-- * unexpected-privilege-escalation.sql +-- +-- tags: events process escalation +-- platform: posix -- interval: 30 SELECT p.pid AS child_pid, diff --git a/detection/privesc/unexpected-privilege-escalation.sql b/detection/privesc/unexpected-privilege-escalation.sql index 829a577..2d4ea21 100644 --- a/detection/privesc/unexpected-privilege-escalation.sql +++ b/detection/privesc/unexpected-privilege-escalation.sql @@ -1,11 +1,14 @@ --- Find processes that run with a lower effective UID than their parent +-- Find processes that run with a lower effective UID than their parent (state-based) -- --- Example Malware Threats detected: --- * Shikitega --- Related: +-- references: +-- * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid) +-- * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux +-- +-- related: -- * unexpected-privilege-escalation-events.sql -- -- tags: transient rapid state process escalation +-- platform: posix SELECT p.pid AS child_pid, p.path AS child_path, diff --git a/detection/privesc/unexpected-privileged-containers.sql b/detection/privesc/unexpected-privileged-containers.sql index 6d1f020..c5caa63 100644 --- a/detection/privesc/unexpected-privileged-containers.sql +++ b/detection/privesc/unexpected-privileged-containers.sql 
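Review bot: The rewrite of unexpected-privilege-escalation-events.sql removes the line explaining why it runs every 30 seconds (so the parent process is likely still alive to join against); `-- interval: 30` survives but its rationale does not, and the next person tuning intervals will not know the constraint. Keep it, for example `-- interval: 30 is chosen so the parent is usually still running when the event is examined`. Also, the parenthetical `(Setuid and Setgid)` omits the parent name that the rest of this commit includes; the MITRE title is "Abuse Elevation Control Mechanism: Setuid and Setgid".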
@@ -3,6 +3,10 @@ -- references: -- * https://attack.mitre.org/techniques/T1611/ -- +-- false-positives: +-- * Nested Kubernetes Environments +-- * Containerized builds +-- -- This query works on macOS as well, but is only an in-the-wild security problem on Linux, -- where the kernel namespaces can be shared. These kind of attacks tend to be -- diff --git a/detection/privesc/unexpected-setxid-process.sql b/detection/privesc/unexpected-setxid-process.sql index 2a36cc3..33ab427 100644 --- a/detection/privesc/unexpected-setxid-process.sql +++ b/detection/privesc/unexpected-setxid-process.sql @@ -1,6 +1,13 @@ -- Processes running that originate from setuid/setgid programs -- +-- false-positives: +-- * an unlisted setuid binary +-- +-- references: +-- * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid) +-- -- tags: persistent state process escalation +-- platform: posix SELECT p.pid, p.name, diff --git a/incident_response/process_open_sockets.sql b/incident_response/process_open_sockets.sql deleted file mode 100644 index 8b09e2d..0000000 --- a/incident_response/process_open_sockets.sql +++ /dev/null @@ -1,18 +0,0 @@ --- Retrieves all the open sockets per process in the target system. --- --- tags: postmortem --- platform: posix -SELECT DISTINCT - pid, - family, - protocol, - local_address, - local_port, - remote_address, - remote_port, - path -FROM - process_open_sockets -WHERE - path <> '' - or remote_address <> '';
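Review bot: unexpected-privileged-containers.sql introduces the hyphenated heading `-- false-positives:` while every other file in the repository uses `-- false positives:`; if these header fields are parsed, the variant will be silently ignored, and it also breaks grep. Change it to `-- false positives:` and lowercase `-- * nested Kubernetes environments` / `-- * containerized builds` to match the style of the other lists. The T1611 context line is the one MITRE reference in the commit left without its name; since the commit's purpose is to add names, `(Escape to Host)` belongs here too.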
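Review bot: In unexpected-setxid-process.sql the false positive `-- * an unlisted setuid binary` restates the query's alert condition rather than naming a benign cause; the useful case is a legitimately installed setuid helper that has not been added to the allow list, e.g. `-- * distro-packaged setuid helpers not yet in the allow list (check with: find / -perm -4000)`. The heading here is also the hyphenated `-- false-positives:` rather than the `-- false positives:` form used elsewhere.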