From 12a55753b56245dc1d44bb6ce7b69d3ccf0f4d33 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Mon, 5 Feb 2024 10:45:17 -0500 Subject: [PATCH 1/2] fpr: Elastic Defend, gcloud, Warp, etc --- detection/c2/unexpected-https-linux.sql | 3 +- detection/c2/unexpected-https-macos.sql | 1 + detection/c2/unexpected-talker-events.sql | 12 ++++++ detection/c2/unexpected-talkers-linux.sql | 39 ++++++++++--------- detection/c2/unexpected-talkers-macos.sql | 12 +++--- .../unexpected-dev-opener-macos.sql | 1 + detection/evasion/missing-from-disk-linux.sql | 2 +- .../unexpected-hidden-system-paths.sql | 6 +++ .../unexpected-tmp-executables-macos.sql | 1 + .../unexpected-user-executables-macos.sql | 6 +++ ...y-created-executables-long-lived-macos.sql | 1 + .../unexpected-execdir-events-macos.sql | 1 + .../unexpected-executable-permissions.sql | 4 ++ .../execution/unexpected-osascript-calls.sql | 1 + detection/exfil/high_disk_bytes_read.sql | 17 ++++---- .../yara-unexpected-go-crypt-exec-process.sql | 1 + .../unexpected-chrome-extensions.sql | 4 +- detection/persistence/unexpected-device.sql | 17 ++++---- .../unexpected-uid0-daemon-linux.sql | 2 + 19 files changed, 90 insertions(+), 41 deletions(-) diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql index 8213970..2b746ed 100644 --- a/detection/c2/unexpected-https-linux.sql +++ b/detection/c2/unexpected-https-linux.sql @@ -303,6 +303,7 @@ WHERE '500,wolfictl,500u,500g,wolfictl', '500,xmobar,0u,0g,xmobar', '500,yay,0u,0g,yay', + '0,packetbeat,0u,0g,packetbeat', '500,zdup,500u,500g,zdup', '500,zoom,0u,0g,zoom', '500,zoom.real,u,g,zoom.real' @@ -335,7 +336,7 @@ WHERE ) AND NOT ( exception_key = '0,curl,0u,0g,curl' - AND p.cmdline = 'curl --fail https://ipinfo.io/timezone' + AND p.cmdline LIKE 'curl --fail %' ) -- Exclude processes running inside of containers AND NOT p.cgroup_path LIKE '/system.slice/docker-%' AND NOT p.cgroup_path LIKE '/system.slice/system.slice:docker:%' 
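Review bot: `'0,packetbeat,0u,0g,packetbeat'` is inserted between the `yay` and `zdup` keys, which breaks the otherwise sorted exception list and will make future merges of this list noisier. Move it up with the other `0,`-prefixed keys; nothing else in the hunk changes.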
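Review bot: Widening the root `curl` exception from the exact command `curl --fail https://ipinfo.io/timezone` to `p.cmdline LIKE 'curl --fail %'` drops the destination from the check, so any root-run `curl --fail <url>` — including one pulling a payload from an arbitrary host — is now excluded from this unexpected-HTTPS detection on Linux. `--fail` is a common flag in dropper one-liners, so it is not a useful discriminator on its own. If the intent is to tolerate other ipinfo.io lookups, keep the host anchored: `AND p.cmdline LIKE 'curl --fail https://ipinfo.io/%'`, or enumerate the few known destinations. The enclosing WHERE clause starts and continues outside the hunk.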
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql index 1c5cff3..92039df 100644 --- a/detection/c2/unexpected-https-macos.sql +++ b/detection/c2/unexpected-https-macos.sql @@ -215,6 +215,7 @@ WHERE '500,Python,Python,,org.python.python', '500,Python,Python,,Python', '500,Python,Python,,', + '500,Python,Python,0u,80g', '500,Python,Python,Developer ID Application: Ned Deily (DJ3H93M7VJ),org.python.python' ) AND ( diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql index 8914bd7..6237ca0 100644 --- a/detection/c2/unexpected-talker-events.sql +++ b/detection/c2/unexpected-talker-events.sql @@ -115,6 +115,7 @@ WHERE '500,0,1234,spotify', '500,0,20480,io.tailscale.ipn.macsys.network-extension', '500,0,22,ssh', + '500,0,27668,com.adguard.mac.adguard.network-extension', '500,0,31488,sntp', '500,0,32768,Authy', '500,0,32768,BDLDaemon', @@ -134,9 +135,11 @@ WHERE '500,0,443,Authy', '500,0,443,BDCoreIssues', '500,0,443,BDLDaemon', + '500,0,443,BDUpdDaemon', '500,0,443,Brackets', '500,0,443,OneDriveStandaloneUpdater', '500,0,443,Python', + '500,0,443,bdredline', '500,0,443,chrome', '500,0,443,chrome_crashpad_handler', '500,0,443,com.adguard.mac.adguard.network-extension', @@ -157,6 +160,7 @@ WHERE '500,0,443,gnome-software', '500,0,443,go', '500,0,443,http', + '500,0,443,incusd', '500,0,443,io.tailscale.ipn.macsys.network-extension', '500,0,443,ir_agent', '500,0,443,kioslave5', @@ -164,8 +168,10 @@ WHERE '500,0,443,launcher', '500,0,443,metricbeat', '500,0,443,nessusd', + '500,500,32768,old', '500,0,443,networkQuality', '500,0,443,node', + '500,0,443,packetbeat', '500,0,443,pingsender', '500,0,443,rapid7_endpoint_broker', '500,0,443,slack', @@ -177,6 +183,7 @@ WHERE '500,0,443,velociraptor', '500,0,443,wget', '500,0,5228,chrome', + '500,0,443,packetbeat', '500,0,53,Brackets', '500,0,53,NetworkManager', '500,0,53,chrome', 
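Review bot: Allow-listing `'500,Python,Python,0u,80g'` admits, if the `0u,80g` tail means what it does in the `…,0u,0g` keys elsewhere in this patch (authority/identifier replaced by owner uid/gid for an unsigned binary), any unsigned, root:admin-owned binary that calls itself `Python` making HTTPS connections on macOS. A process name is trivially chosen by an attacker, so this is much weaker than the signed `Ned Deily` entry below it. If this is for a framework install, consider also matching its path (e.g. `/Library/Frameworks/Python.framework/%`) if the query exposes one, or at least add a comment naming the installer that produces this key.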
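Review bot: `'500,500,32768,old'` allow-lists a process by a name that carries no identity — anything renamed to `old` (a common leftover name for a replaced binary) is excluded on what appears to be the high-port bucket. Either drop it or record what it was so it can be tightened, e.g. `-- 'old': renamed copy of <binary> left running after an update`. The same hunk inserts this key and `'500,0,443,packetbeat'` out of sort order, and `'500,0,443,packetbeat'` is added a second time in the following hunk after the `5228,chrome` key; one copy should go.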
@@ -190,7 +197,9 @@ WHERE '500,0,53,wget', '500,0,5632,ssh', '500,0,80,BDUpdDaemon', + '500,0,27668,com.adguard.mac.adguard.network-extension', '500,0,80,chrome', + '500,0,80,com.adguard.mac.adguard.network-extension', '500,0,80,com.apple.NRD.UpdateBrainService', '500,0,80,electron', '500,0,80,firefox', @@ -277,6 +286,8 @@ WHERE '500,500,80,firefox-bin', '500,500,80,ksfetch', '500,500,80,node', + '500,500,32768,Microsoft.ServiceHub.Controller', + '500,500,32768,Microsoft.VisualStudio.Code.ServiceHost', '500,99,13568,Slack Helper', '500,99,32768,Slack Helper', '500,99,32768,Slack', @@ -285,6 +296,7 @@ WHERE '500,99,53,Slack Helper' ) AND NOT exception_key LIKE '500,500,443,terraform%' + AND NOT exception_key LIKE '500,500,32768,terraform-provider-%' AND NOT exception_key LIKE '500,500,2304,terraform%' AND NOT exception_key LIKE '500,500,53,terraform%' AND NOT exception_key LIKE '500,500,80,terraform%' diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql index 8f47788..ef8c6f5 100644 --- a/detection/c2/unexpected-talkers-linux.sql +++ b/detection/c2/unexpected-talkers-linux.sql @@ -87,10 +87,9 @@ WHERE '123,17,500,chronyd,0u,0g,chronyd', '143,6,500,thunderbird,0u,0g,thunderbird', '143,6,500,thunderbird,u,g,thunderbird', - '19305,6,500,firefox,0u,0g,firefox', '19305,6,500,firefox,0u,0g,.firefox-wrappe', + '19305,6,500,firefox,0u,0g,firefox', '1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer', - '22000,6,500,syncthing,0u,0g,syncthing', '22,6,0,ssh,0u,0g,ssh', '22,6,0,tailscaled,0u,0g,tailscaled', '22,6,500,cargo,0u,0g,cargo', @@ -99,6 +98,8 @@ WHERE '22,6,500,netcat,0u,0g,nc', '22,6,500,ssh,0u,0g,ssh', '22,6,500,terraform,500u,500g,terraform', + '80,6,500,firefox-bin,500u,500g,firefox-bin', + '22000,6,500,syncthing,0u,0g,syncthing', '3000,6,500,brave,0u,0g,brave', '3000,6,500,chrome,0u,0g,chrome', '32768,17,500,traceroute,0u,0g,traceroute', 
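Review bot: `'80,6,500,firefox-bin,500u,500g,firefox-bin'` is inserted between the `22,…,terraform` and `22000,…,syncthing` keys, breaking the sort order this commit otherwise restores, and the identical key is added again later in the file in the `@@ -175` hunk. Keep only the later, correctly placed copy. The surrounding IN list starts before this hunk.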
@@ -107,8 +108,6 @@ WHERE '3306,6,500,java,u,g,java', '3307,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy', '3443,6,500,chrome,0u,0g,chrome', - '500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService', - '500,0,80,com.apple.NRD.UpdateBrainService', '3478,6,500,chrome,0u,0g,chrome', '3478,6,500,firefox,0u,0g,firefox', '4070,6,500,spotify,0u,0g,spotify', @@ -119,18 +118,21 @@ WHERE '444,6,500,firefox,0u,0g,firefox', '4460,6,114,chronyd,0u,0g,chronyd', '465,6,500,thunderbird,0u,0g,thunderbird', - '5004,6,500,brave,0u,0g,brave', - '5006,6,500,brave,0u,0g,brave', + '500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService', + '500,0,80,com.apple.NRD.UpdateBrainService', '500,htop,0u,0g,htop', '500,syft,0u,0g,syft', + '5004,6,500,brave,0u,0g,brave', + '5006,6,500,brave,0u,0g,brave', '5228,6,500,chrome,0u,0g,chrome', '587,6,500,thunderbird,0u,0g,thunderbird', '587,6,500,thunderbird,u,g,thunderbird', '6443,6,500,kubectl,0u,0g,kubectl', '67,17,0,NetworkManager,0u,0g,NetworkManager', - '8000,6,500,brave,0u,0g,brave', - '8000,6,500,chrome,0u,0g,chrome', - '8000,6,500,firefox,0u,0g,firefox', + '80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra', + '80,6,0,/usr/python2.7,u,g,yum', + '80,6,0,/usr/xargs,0u,0g,xargs', + '80,6,0,NetworkManager,0u,0g,NetworkManager', '80,6,0,applydeltarpm,0u,0g,applydeltarpm', '80,6,0,appstreamcli,0u,0g,appstreamcli', '80,6,0,bash,0u,0g,bash', @@ -146,7 +148,6 @@ WHERE '80,6,0,kmod,0u,0g,depmod', '80,6,0,kubelet,u,g,kubelet', '80,6,0,ldconfig,0u,0g,ldconfig', - '80,6,0,NetworkManager,0u,0g,NetworkManager', '80,6,0,packagekitd,0u,0g,packagekitd', '80,6,0,pacman,0u,0g,pacman', '80,6,0,pdftex,0u,0g,pdftex', 
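Review bot: The four keys re-sorted here — `'500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService'`, `'500,0,80,com.apple.NRD.UpdateBrainService'`, `'500,htop,0u,0g,htop'` and `'500,syft,0u,0g,syft'` — do not have the seven-field `port,proto,uid,name,owner,group,child` shape every other key in this Linux list uses, so they can never equal `exception_key` and are dead entries (the first two look like macOS keys pasted into the Linux file). Moving them keeps the dead weight; drop them, or rewrite `htop`/`syft` in the real format with the port they actually use if an exemption is still wanted.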
@@ -156,18 +157,17 @@ WHERE '80,6,0,python3.11,0u,0g,dnf', '80,6,0,python3.11,0u,0g,dnf-automatic', '80,6,0,python3.11,0u,0g,yum', + '80,6,0,python3.12,0u,0g,yum', '80,6,0,python3.9,u,g,yum', '80,6,0,sort,0u,0g,sort', '80,6,0,systemd-hwdb,0u,0g,systemd-hwdb', '80,6,0,tailscaled,0u,0g,tailscaled', - '80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra', - '80,6,0,/usr/python2.7,u,g,yum', - '80,6,0,/usr/xargs,0u,0g,xargs', '80,6,0,wget,0u,0g,wget', '80,6,0,zstd,0u,0g,zstd', '80,6,100,http,0u,0g,http', '80,6,105,http,0u,0g,http', '80,6,42,http,0u,0g,http', + '80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', '80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent', '80,6,500,brave,0u,0g,brave', '80,6,500,chrome,0u,0g,chrome', @@ -175,8 +175,9 @@ WHERE '80,6,500,copilot-agent-linux,500u,500g,copilot-agent-l', '80,6,500,curl,0u,0g,curl', '80,6,500,electron,0u,0g,electron', - '80,6,500,firefox,0u,0g,firefox', '80,6,500,firefox,0u,0g,.firefox-wrappe', + '80,6,500,firefox,0u,0g,firefox', + '80,6,500,firefox-bin,500u,500g,firefox-bin', '80,6,500,firefox-bin,u,g,firefox-bin', '80,6,500,git-remote-http,0u,0g,git-remote-http', '80,6,500,gnome-software,0u,0g,gnome-software', @@ -201,9 +202,8 @@ WHERE '80,6,500,slirp4netns,500u,500g,slirp4netns', '80,6,500,spotify,0u,0g,spotify', '80,6,500,spotify,500u,500g,spotify', - '80,6,500,spotify-launcher,0u,0g,spotify-launche', - '80,6,0,python3.12,0u,0g,yum', '80,6,500,spotify,u,g,spotify', + '80,6,500,spotify-launcher,0u,0g,spotify-launche', '80,6,500,steam,500u,100g,steam', '80,6,500,steam,500u,500g,steam', '80,6,500,steamwebhelper,500u,500g,steamwebhelper', 
@@ -211,10 +211,12 @@ WHERE '80,6,500,terraform,500u,500g,terraform', '80,6,500,thunderbird,0u,0g,thunderbird', '80,6,500,thunderbird,u,g,thunderbird', - '80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', '80,6,500,wine64-preloader,0u,0g,control.exe', '80,6,500,zoom,0u,0g,zoom', '80,6,500,zoom.real,u,g,zoom.real', + '8000,6,500,brave,0u,0g,brave', + '8000,6,500,chrome,0u,0g,chrome', + '8000,6,500,firefox,0u,0g,firefox', '8080,6,500,brave,0u,0g,brave', '8080,6,500,chrome,0u,0g,chrome', '8080,6,500,firefox,0u,0g,firefox', @@ -222,9 +224,9 @@ WHERE '8080,6,500,speedtest,500u,500g,speedtest', '8443,6,500,chrome,0u,0g,chrome', '8443,6,500,firefox,0u,0g,firefox', + '88,6,500,syncthing,0u,0g,syncthing', '8801,17,500,zoom,0u,0g,zoom', '8801,17,500,zoom.real,u,g,zoom.real', - '88,6,500,syncthing,0u,0g,syncthing', '8987,6,500,whois,0u,0g,whois', '9418,6,500,git,0u,0g,git', '993,6,500,evolution,0u,0g,evolution', @@ -234,6 +236,7 @@ WHERE ) AND NOT exception_key LIKE '80,6,500,terraform_1.1.5,500u,500g,terraform' AND NOT exception_key LIKE '%,6,500,nuclei,500u,500g,nuclei' + AND NOT exception_key LIKE '%,6,500,ssh,0u,0g,ssh' AND NOT ( p.name = 'java' AND p.cmdline LIKE '/home/%/.local/share/JetBrains/Toolbox/%' diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index f928800..cd7675f 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql 
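Review bot: `AND NOT exception_key LIKE '%,6,500,ssh,0u,0g,ssh'` exempts a uid-500 `ssh` to any TCP port, whereas the list above already carries explicit entries for 22 and 5632. ssh to an arbitrary high port is a standard tunnelling/C2 pattern, and this is a C2 query, so the wildcard port is a meaningful blind spot. If specific non-standard ports are needed, add them as explicit keys; if the wildcard is intentional, say why, e.g. `-- ssh to arbitrary ports: bastions/git hosts on non-standard ports`.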
@@ -143,6 +143,7 @@ WHERE '500,6,5222,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram', '500,6,5222,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp', '500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac', + '500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac', '500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac', '500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,0u,0g', '500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension', @@ -224,10 +225,10 @@ WHERE AND NOT ( alt_exception_key = '500,6,80,main,main,500u,20g' AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main' - ) -- Known Web Browsers + ) -- Wider AND NOT ( ( - pos.remote_port IN (80, 587, 999) + pos.remote_port IN (80, 123, 587, 999) OR pos.remote_port > 1024 ) AND id_exception_key IN ( @@ -235,7 +236,7 @@ WHERE 'Apple Mac OS Application Signing,com.ookla.speedtest-macos', 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer', 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader', - 'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp.ServiceExtension', + 'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension', 'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper', 'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper', 'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP', 
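Review bot: Replacing the comment `-- Known Web Browsers` with `-- Wider` leaves the block undocumented; the condition it labels lets a list of signed identifiers talk on 80, 123, 587, 999 or any port above 1024, so say that: `-- Signed apps allowed on low-risk ports (80, 123, 587, 999) or any port above 1024`. Port 123 is also new here; TCP 123 is unusual (NTP is UDP), so if this query covers TCP sockets, as the `,6,` proto field in the keys suggests, a port-123 key for the one app that needs it would be tighter than granting it to the whole list. The `id_exception_key IN (…)` list this hunk opens continues into the next hunk.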
@@ -244,13 +245,13 @@ WHERE 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher', 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices', 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate', + 'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension', 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2', 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper', 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater', - 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper', - 'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension', 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension', 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper', + 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper', 'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java', 'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox', 'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition', @@ -266,6 +267,7 @@ WHERE 'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper', 'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam', 'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking', + 'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp.ServiceExtension', 'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon' ) ) 
diff --git a/detection/credentials/unexpected-dev-opener-macos.sql b/detection/credentials/unexpected-dev-opener-macos.sql
index 1c88b97..7eccf21 100644
--- a/detection/credentials/unexpected-dev-opener-macos.sql
+++ b/detection/credentials/unexpected-dev-opener-macos.sql
@@ -79,6 +79,7 @@ WHERE
 '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),io.osquery.agent',
 '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
 '/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred',
+ '/dev/bpf,packetbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),packetbeat',
 '/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',
 '/dev/auditsessions,authd,Software Signing,com.apple.authd',
 '/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
diff --git a/detection/evasion/missing-from-disk-linux.sql b/detection/evasion/missing-from-disk-linux.sql
index 7420f4d..2159397 100644
--- a/detection/evasion/missing-from-disk-linux.sql
+++ b/detection/evasion/missing-from-disk-linux.sql
@@ -49,4 +49,4 @@ WHERE
 -- Snap packages?
 AND p.path NOT LIKE '/tmp/.mount_%'
 AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
- AND p.path NOT IN ('/usr/bin/python3.10')
+ AND p.path NOT IN ('/usr/bin/python3.10', '/opt/Synergy/resources/synergy-tray')
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index e6e158e..d8e40cc 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -221,3 +221,9 @@ WHERE
 file.path = '/var/root/.oracle_jre_usage/'
 AND file.size = 96
 )
+ AND NOT (
+ file.path LIKE '/tmp/.ssh-%'
+ AND file.type = "socket"
+ AND file.mode = '0600'
+
+ )
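Review bot: The new `'/opt/Synergy/resources/synergy-tray'` exemption is keyed only on the path of a binary that, by the definition of this check, no longer exists on disk, so nothing verifies what actually ran from it. A one-line comment naming the reason (presumably the Synergy updater replacing the tray binary in place) would help the next reader judge whether to keep it, e.g. `-- Synergy replaces its tray binary during self-update`.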
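Review bot: `file.type = "socket"` uses double quotes, which SQLite parses as an identifier and only falls back to a string literal because no `socket` column exists; the sibling `file.mode = '0600'` on the next line uses single quotes, so write `AND file.type = 'socket'` for consistency and so the query survives builds with the double-quoted-string fallback disabled. There is also a stray blank line before the closing parenthesis. More importantly, the OpenSSH agent socket lives under `/tmp/ssh-XXXXXXXXXX/agent.<pid>` without a leading dot, so a hidden `/tmp/.ssh-*` socket is not the standard agent name; a hidden mode-0600 socket in /tmp is exactly the artifact this query exists to surface, so confirm what creates it and name the producer in a comment before exempting it.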
diff --git a/detection/evasion/unexpected-tmp-executables-macos.sql b/detection/evasion/unexpected-tmp-executables-macos.sql index ee639eb..e0c18af 100644 --- a/detection/evasion/unexpected-tmp-executables-macos.sql +++ b/detection/evasion/unexpected-tmp-executables-macos.sql @@ -59,6 +59,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f OR file.path LIKE '/tmp/%ctl' OR file.path LIKE '%/CCLBS/%' OR file.path LIKE '%/checkout/%' + OR file.path LIKE '/tmp/lima/%' OR file.path LIKE '%/ci/%' OR file.path LIKE '%/debug/%' OR file.path LIKE '%/dist/%' diff --git a/detection/evasion/unexpected-user-executables-macos.sql b/detection/evasion/unexpected-user-executables-macos.sql index 1dbd717..f5abe58 100644 --- a/detection/evasion/unexpected-user-executables-macos.sql +++ b/detection/evasion/unexpected-user-executables-macos.sql @@ -54,6 +54,9 @@ WHERE directory = '/Users/Shared/' OR directory LIKE '/Users/Shared/%' OR directory LIKE '/Users/Shared/.%' + OR directory = '/var/root/' + OR directory LIKE '/var/root/%%' + OR directory LIKE '/var/root/.%' OR directory LIKE '/Users/%/Library' OR directory LIKE '/Users/%/Library/%' OR directory LIKE '/Users/%/Library/%/.%' @@ -137,11 +140,14 @@ WHERE '~/.config/nvim.bak', '~/.docker/cli-plugins', '~/.emacs.d/backups', + '~/Library/Logs/com.logmein.GoToOpener', '~/.emacs.d.bak/bin', '~/.fig/bin', '~/.fzf', '~/.fzf/bin', '~/.gvm/bin', + '~/.vs-tekton', + '~/.dotnet/tools', '~/.kn/plugins', '~/Library/Mobile Documents/com~apple~CloudDocs', '~/.kuberlr/darwin-amd64', diff --git a/detection/execution/recently-created-executables-long-lived-macos.sql b/detection/execution/recently-created-executables-long-lived-macos.sql index 575d795..17c864b 100644 --- a/detection/execution/recently-created-executables-long-lived-macos.sql +++ b/detection/execution/recently-created-executables-long-lived-macos.sql 
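Review bot: `OR directory LIKE '/var/root/%%'` uses two adjacent wildcards, which is equivalent to a single `%` and looks like a typo given the parallel `/Users/Shared/%` line above; write `OR directory LIKE '/var/root/%'`. As with the `/Users/Shared/` block, the `/var/root/.%` pattern is then already covered by the `/var/root/%` one, so it is harmless but redundant. The enclosing OR chain starts outside the hunk.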
@@ -180,6 +180,7 @@ WHERE 'Developer ID Application: Keybase, Inc. (99229SGT5K)', 'Developer ID Application: Kolide Inc (YZ3EM74M78)', 'Developer ID Application: Kolide, Inc (X98UFR7HA3)', + 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)', 'Developer ID Application: Logitech Inc. (QED4VVPZWA)', 'Developer ID Application: Michael Jones (YD6LEYT6WZ)', 'Developer ID Application: Microsoft Corporation (UBF8T346G9)', diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql index 5623b97..88e9c8a 100644 --- a/detection/execution/unexpected-execdir-events-macos.sql +++ b/detection/execution/unexpected-execdir-events-macos.sql @@ -332,6 +332,7 @@ WHERE 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', 'Developer ID Application: Docker Inc (9BNSXJN65R)', 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)', + 'Developer ID Application: Silicon Laboratories Inc (52444FG85C)', 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y)', 'Developer ID Application: Figma, Inc. (T8RA8NE3B7)', 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)', diff --git a/detection/execution/unexpected-executable-permissions.sql b/detection/execution/unexpected-executable-permissions.sql index 466309d..f6f62ad 100644 --- a/detection/execution/unexpected-executable-permissions.sql +++ b/detection/execution/unexpected-executable-permissions.sql @@ -123,4 +123,8 @@ WHERE AND NOT ( f.path = '/Library/Bitdefender/AVP/product/bin/EndpointSecurityforMac.app/Contents/MacOS/EndpointSecurityforMac' AND f.mode = '0655' + ) + AND NOT ( + p0.name = 'ShortcutDroplet' + AND f.mode = '0751' ) \ No newline at end of file diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql index 125168d..0995725 100644 --- a/detection/execution/unexpected-osascript-calls.sql +++ b/detection/execution/unexpected-osascript-calls.sql 
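Review bot: The new `ShortcutDroplet` exception keys only on `p0.name`, which a process chooses for itself, so any process named `ShortcutDroplet` is now allowed to run a mode-0751 executable; the Bitdefender exception immediately above keys on `f.path` instead. Prefer anchoring on the file, e.g. `f.path LIKE '%/ShortcutDroplet%' AND f.mode = '0751'` (or the exact install path if known), or on a signing authority if the query exposes one. The file also still ends without a trailing newline.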
@@ -102,6 +102,7 @@ WHERE
 OR p0_cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %'
 OR p1_cmd LIKE '%aws %sso%'
 OR p1_cmd LIKE '%gcloud% auth %login%'
+ OR p1_cmd LIKE '%gcloud% init'
 OR p1_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
 OR p1_cmd LIKE '/bin/sh %/opt/homebrew/bin/git-gui%'
 OR p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)'
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 217b8a7..13fb28a 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
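Review bot: `OR p1_cmd LIKE '%gcloud% init'` has a wildcard on both sides of `gcloud`, so any parent command line that merely contains `gcloud` and ends in ` init` suppresses the osascript alert; it mirrors the existing `'%gcloud% auth %login%'` line, so it is consistent, but both are loose. If the real parent is the SDK's Python wrapper, anchoring on its script makes the exception much harder to mimic, e.g. `OR p1_cmd LIKE '%/lib/gcloud.py init'` — confirm the actual command line before changing it.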
@@ -138,32 +138,33 @@ WHERE AND NOT p0.path IN ( '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService', '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent', - '/usr/bin/apt', '/app/libexec/mediawriter/helper', - '/usr/libexec/diskimagesiod', + '/usr/bin/apt', '/usr/bin/darktable', - '/usr/libexec/snapd/snapd', - '/usr/bin/rsync', '/usr/bin/dockerd', '/usr/bin/gnome-shell', - '/usr/bin/teskdisk', '/usr/bin/gnome-software', + '/usr/bin/rsync', + '/usr/bin/teskdisk', '/usr/bin/udevadm', '/usr/bin/update-notifier', + '/usr/lib/systemd/systemd', '/usr/lib64/electron/electron', + '/usr/libexec/PerfPowerServices', '/usr/libexec/aned', + '/usr/libexec/biomesyncd', '/usr/libexec/coreduetd', + '/usr/libexec/diskimagesiod', '/usr/libexec/diskmanagementd', '/usr/libexec/flatpak-system-helper', '/usr/libexec/logd', '/usr/libexec/logd_helper', '/usr/libexec/packagekitd', - '/usr/libexec/PerfPowerServices', '/usr/libexec/signpost_reporter', + '/usr/libexec/snapd/snapd', '/usr/libexec/syspolicyd', - '/usr/libexec/tracker-miner-fs-3', '/usr/libexec/tracker-extract-3', - '/usr/lib/systemd/systemd', + '/usr/libexec/tracker-miner-fs-3', '/usr/sbin/spindump', '/usr/sbin/systemstats' ) diff --git a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql index 52850d8..e63f79e 100644 --- a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql +++ b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql @@ -94,6 +94,7 @@ WHERE 'kubectl', 'yay', 'syft', + 'Proton Mail Bridge', 'syncthing', 'go', 'grype', 
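Review bot: `'/usr/bin/teskdisk'` is carried over in the re-sort; it looks like a typo for `testdisk` and, as written, matches no binary, so the exemption is dead. If TestDisk is the intent, change it to `'/usr/bin/testdisk'`; otherwise drop the line. The rest of the hunk is a reorder plus the new `biomesyncd` entry.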
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql index 18267d3..70929ed 100644 --- a/detection/persistence/unexpected-chrome-extensions.sql +++ b/detection/persistence/unexpected-chrome-extensions.sql @@ -74,7 +74,7 @@ WHERE ) ) AND NOT exception_key IN ( - "true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja", + "true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk", 'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop', 'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd', @@ -138,6 +138,7 @@ WHERE 'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff', 'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci', 'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb', + 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen', 'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen', 'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen', 'true,,Gravit Designer,pdagghjnpkeagmlbilmjmclfhjeaapaa', @@ -242,6 +243,7 @@ WHERE 'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn', 'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco', 'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb', + 'true,Adblock for Chrome Team,Adblock for Chrome™,onomjaelhagjjojbkcafidnepbfkpnee', 'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom', 'true,Adguard Software Ltd,AdGuard AdBlocker,bgnkhhnnamicmpeenaelnjfhikgbkllg', 'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk', diff --git a/detection/persistence/unexpected-device.sql b/detection/persistence/unexpected-device.sql index 45b97e1..6b53082 100644 --- a/detection/persistence/unexpected-device.sql +++ b/detection/persistence/unexpected-device.sql 
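Review bot: This adds a third exception for the same extension id `kbfnbcaeplbcioakkpcpgfkobkghlhen` differing only in Grammarly's marketing name, and the list will keep growing each time the store listing is renamed. Since the id is what pins the extension, a single pattern below the IN list would absorb the churn without loosening the check: `AND NOT exception_key LIKE 'true,,Grammarly%,kbfnbcaeplbcioakkpcpgfkobkghlhen'`.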
@@ -50,6 +50,7 @@ WHERE OR directory LIKE '/dev/%' ) AND path_expr NOT IN ( + '/dev/HID-SENSOR-e..auto', '/dev/acpi_thermal_rel', '/dev/autofs', '/dev/block/', @@ -66,8 +67,8 @@ WHERE '/dev/console', '/dev/core', '/dev/cpu/', - '/dev/cpu_dma_latency', '/dev/cpu/microcode', + '/dev/cpu_dma_latency', '/dev/cros_ec', '/dev/cuse', '/dev/disk/', @@ -96,11 +97,8 @@ WHERE '/dev/fuse', '/dev/gpiochip', '/dev/hidraw', - '/dev/HID-SENSOR-e..auto', '/dev/hpet', '/dev/hugepages/', - '/dev/mtd/', - '/dev/mtd/by-name', '/dev/hugepages/libvirt', '/dev/hvc', '/dev/hwrng', @@ -137,6 +135,8 @@ WHERE '/dev/mmcblk', '/dev/mqueue/', '/dev/mtd', + '/dev/mtd/', + '/dev/mtd/by-name', '/dev/mtdro', '/dev/net/', '/dev/net/tun', @@ -145,10 +145,10 @@ WHERE '/dev/nvidia', '/dev/nvidia-caps/', '/dev/nvidia-caps/nvidia-cap', - '/dev/nvidiactl', '/dev/nvidia-modeset', '/dev/nvidia-uvm', '/dev/nvidia-uvm-tools', + '/dev/nvidiactl', '/dev/nvme', '/dev/nvme-fabrics', '/dev/nvmen', @@ -201,9 +201,9 @@ WHERE '/dev/tty', '/dev/ttyACM', '/dev/ttyAMA', - '/dev/ttyprintk', '/dev/ttyS', '/dev/ttyUSB', + '/dev/ttyprintk', '/dev/ubuntu-vg/', '/dev/udmabuf', '/dev/uhid', @@ -225,11 +225,13 @@ WHERE '/dev/vfio/', '/dev/vfio/vfio', '/dev/vg/', - '/dev/vga_arbiter', '/dev/vg/root', '/dev/vg/swap', + '/dev/vga_arbiter', '/dev/vgubuntu/', + '/dev/vgubuntu/incus-default', '/dev/vgubuntu/root', + '/dev/vgubuntu/swap', '/dev/vgubuntu/swap_', '/dev/vhci', '/dev/vhost-net', @@ -240,6 +242,7 @@ WHERE '/dev/vl/by-path', '/dev/vlloopback', '/dev/vportp', + '/dev/vsock', '/dev/watchdog', '/dev/wmi/', '/dev/wmi/dell-smbios', diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql index 553e75a..a03c592 100644 --- a/detection/persistence/unexpected-uid0-daemon-linux.sql +++ b/detection/persistence/unexpected-uid0-daemon-linux.sql 
@@ -293,6 +293,8 @@ WHERE
 AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
 AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
 AND NOT exception_key LIKE '%beat,/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,0750'
+ AND NOT exception_key LIKE 'osquery-extensi,/opt/Elastic/Agent/data/elastic-agent-%/components/osquery-extension.ext,0,system.slice,elastic-agent.service,0750'
+ AND NOT exception_key LIKE 'osqueryd,/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd,0,system.slice,elastic-agent.service,0750'
 AND NOT exception_key LIKE 'elastic-agent,/opt/Elastic/Agent/data/elastic-agent-%/elastic-agent,0,system.slice,elastic-agent.service,0770'
 AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')
 AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
From a0624c08706ea7e36d9e4ab5faa576afaca1a8f3 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Mon, 5 Feb 2024 10:49:52 -0500
Subject: [PATCH 2/2] Add Elastic exceptions for osqueryd/packetbeat
---
 detection/execution/sketchy-fetcher.sql | 3 ++-
 detection/execution/unexpected-packet-sniffer.sql | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/detection/execution/sketchy-fetcher.sql b/detection/execution/sketchy-fetcher.sql
index 2f3bb10..c939db6 100644
--- a/detection/execution/sketchy-fetcher.sql
+++ b/detection/execution/sketchy-fetcher.sql
@@ -161,4 +161,5 @@ WHERE
 AND p2.path = "/usr/local/qualys/cloud-agent/bin/qualys-scan-util"
 )
 -- Elastic Agent
- AND NOT p0.path LIKE '/Library/Elastic/Agent/%'
\ No newline at end of file
+ AND NOT p0.path LIKE '/Library/Elastic/Agent/%'
+ AND NOt p0.cmdline LIKE '%/osqueryd %'
\ No newline at end of file
diff --git a/detection/execution/unexpected-packet-sniffer.sql b/detection/execution/unexpected-packet-sniffer.sql
index 4f09f17..a63d0a0 100644
--- a/detection/execution/unexpected-packet-sniffer.sql
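Review bot: `AND NOt p0.cmdline LIKE '%/osqueryd %'` exempts any process whose command line contains `/osqueryd ` anywhere, and command lines are attacker-chosen — a fetcher such as `curl -o /tmp/osqueryd http://…` contains exactly that substring and would bypass this sketchy-fetcher check. Key on the binary instead, as the preceding line does: `AND NOT p0.path LIKE '%/components/osqueryd'` (or the full `/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd` path the uid0-daemon query in the first patch uses). `NOt` should also be `NOT` to match the rest of the file, and the file still ends without a trailing newline.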
+++ b/detection/execution/unexpected-packet-sniffer.sql
@@ -43,6 +43,7 @@ WHERE
 'systemd-network',
 'NetworkManager',
 'dhclient',
+ 'packetbeat',
 'dhcpcd',
 'tcpdump'
 )
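Review bot: `'packetbeat'` is exempted by process name alone, and a packet-sniffer detection is a poor place for a name-only allow: anything that names itself `packetbeat` can open a raw socket unnoticed. The list already works that way for `tcpdump`, so this is consistent, but for an EDR sensor the other queries in this patch pair the name with its install path (`/opt/Elastic/Agent/data/elastic-agent-%/components/…`) or its signing authority; consider `AND NOT (p.name = 'packetbeat' AND p.path LIKE '/opt/Elastic/Agent/%')` as a separate clause rather than the bare name, assuming the query exposes `p.path`. The IN list's column and the enclosing WHERE start before this hunk.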