diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index e730f98..7b93e5e 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -93,6 +93,7 @@ WHERE
 '3443,6,500,/opt/chrome,0u,0g,chrome',
 '3478,6,500,/opt/chrome,0u,0g,chrome',
 '4070,6,500,/opt/spotify,0u,0g,spotify',
+ '3478,6,500,/usr/firefox,0u,0g,firefox',
 '43,6,500,/usr/whois,0u,0g,whois',
 '5228,6,500,/opt/chrome,0u,0g,chrome',
 '5228,6,500,/usr/chrome,0u,0g,chrome',
diff --git a/detection/evasion/empty_environ_linux.sql b/detection/evasion/empty_environ_linux.sql
index ea90f0b..4c2b396 100644
--- a/detection/evasion/empty_environ_linux.sql
+++ b/detection/evasion/empty_environ_linux.sql
@@ -43,6 +43,7 @@ WHERE -- This time should match the interval
 '/usr/bin/bwrap',
 '/usr/lib/slack/slack',
 '/usr/sbin/nginx',
+ '/usr/lib/systemd/systemd-userdbd',
 '/opt/google/chrome/chrome',
 '/opt/spotify/spotify'
 )
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index bbefe20..b42b65d 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -81,6 +81,7 @@ WHERE
 '~/.vim',
 '~/.terraform.d',
 '~/.cache/yay',
+ '~/.emacs.d',
 '~/.local/share/chezmoi',
 '~/.local/share/Steam',
 '~/.local/share/nvim',
diff --git a/detection/evasion/unexpected-kernel-modules-linux.sql b/detection/evasion/unexpected-kernel-modules-linux.sql
index 74cb926..dd6a3cc 100644
--- a/detection/evasion/unexpected-kernel-modules-linux.sql
+++ b/detection/evasion/unexpected-kernel-modules-linux.sql
@@ -10,7 +10,9 @@ SELECT
 FROM
 kernel_modules
 WHERE
- name NOT IN (
+ -- Filter out kernel modules that are required by another kernel module to reduce false-positives
+ used_by != NULL
+ AND name NOT IN (
 '8021q',
 'ac97_bus',
 'acpi_cpufreq',
@@ -55,6 +57,7 @@ WHERE
 'ccm',
 'ccp',
 'cdc_ether',
+ 'cdrom',
 'cec',
 'cfg80211',
 'cmac',
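Review bot: `used_by != NULL` in the new WHERE clause of unexpected-kernel-modules-linux.sql can never be true — a comparison against NULL yields UNKNOWN in SQLite — so the conjunction fails on every row and this detection now returns nothing at all, which is a silent detection gap rather than a false-positive reduction. The intent in the comment (drop modules that are a dependency of another module) also reads as the opposite of the predicate, because a non-NULL `used_by` marks a module that *is* depended on. If osquery reports "no users" as NULL the check should be `used_by IS NULL`; if it passes through the `-` placeholder from /proc/modules, compare against that value instead — confirm against live table output before merging. A quick regression check is any module name deliberately absent from the allowlist, which should still appear in the result set.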
diff --git a/detection/evasion/unexpected-var-executables-macos.sql b/detection/evasion/unexpected-var-executables-macos.sql
index 9079580..1b3ceed 100644
--- a/detection/evasion/unexpected-var-executables-macos.sql
+++ b/detection/evasion/unexpected-var-executables-macos.sql
@@ -48,6 +48,7 @@ WHERE
 AND file.path NOT LIKE '/var/tmp/epdfinfo%'
 AND file.path NOT LIKE '/var/folders/%/T/jansi-%-libjansi.jnilib'
 AND file.path NOT LIKE '/var/tmp/IN_PROGRESS_sysdiagnose_%.tmp/mddiagnose.mdsdiagnostic/diagnostic.log'
+ AND file.path NOT LIKE '/var/folders/%/T/freefn-%_emacs_%.eln'
 AND (
 file.mode LIKE '%7%'
 or file.mode LIKE '%5%'
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index c15b88f..fec78b7 100644
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@@ -73,10 +73,12 @@ WHERE
 '/usr/lib/gdm-x-session',
 '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
 '/usr/lib/polkit-1/polkitd',
+ '/usr/bin/wpa_supplicant',
 '/usr/lib/slack/chrome_crashpad_handler',
 '/usr/lib/slack/slack',
 '/usr/lib/snapd/snapd',
 '/usr/lib/systemd/systemd',
+ '/usr/lib64/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
 '/usr/lib/systemd/systemd-journald',
 '/usr/lib/systemd/systemd-logind',
 '/usr/lib/systemd/systemd-oomd',
diff --git a/detection/execution/tiny-executable.sql b/detection/execution/tiny-executable.sql
index 80e594c..54f3c60 100644
--- a/detection/execution/tiny-executable.sql
+++ b/detection/execution/tiny-executable.sql
@@ -31,3 +31,4 @@ WHERE
 AND NOT file.path LIKE '/home/%/.zsh/completion'
 AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%'
 AND NOT file.path LIKE '/home/%/.local/share/Steam/steamapps/%'
+ AND NOT file.path = '/'
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 5def58b..c62128d 100644
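Review bot: The two new allowlist entries in recently-created-executables-linux.sql are inserted out of the list's order — `/usr/bin/wpa_supplicant` lands between the `/usr/lib/polkit-1` and `/usr/lib/slack` entries, and `/usr/lib64/google-cloud-sdk/...` splits the `/usr/lib/systemd/*` run; in an allowlist this long, ordering is what keeps duplicates and near-duplicates reviewable. Move `/usr/bin/wpa_supplicant` up with the other `/usr/bin` entries and place the `/usr/lib64/...` path next to its `/usr/lib/google-cloud-sdk/...` twin. The enclosing NOT IN list continues outside the hunk on both sides.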
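Review bot: `AND NOT file.path = '/'` in tiny-executable.sql is added with no explanation of why the root directory shows up as a tiny executable; the other exclusions are self-describing paths, but `/` is not, and the next reader will have to re-investigate. A one-line comment above it would settle that, e.g. `-- '/' itself surfaces in results; exclude it (cause: TODO describe what was observed)` with the placeholder replaced by the actual finding. This is the last line of the file and the WHERE clause begins outside the hunk.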
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -14,7 +14,9 @@ SELECT
 p.pid,
 p.path,
 REGEX_MATCH (p.path, '(.*)/', 1) AS dir,
+ REGEX_MATCH (p.path, '(/.*?/.*?/.*?)/', 1) AS top_dir, -- 3 levels deep
 REPLACE(file.directory, u.directory, '~') AS homedir,
+ REGEX_MATCH (REPLACE(file.directory, u.directory, '~'), '(~/.*?/.*?/)', 1) AS top_homedir, -- 2 levels deep
 p.cmdline,
 p.mode,
 p.cwd,
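Review bot: The new `top_dir` and `top_homedir` columns come from REGEX_MATCH, which I believe returns NULL when the pattern does not match — and `(/.*?/.*?/.*?)/` cannot match any `p.path` with fewer than four `/` characters (a binary directly under `/private/tmp/` or `/Users/<name>/`, for example), while `(~/.*?/.*?/)` matches nothing outside a home directory. Every `NOT IN` later in the query that references these aliases then evaluates to NULL for such rows and the row is dropped, so the executions this rule exists to surface would vanish from the results. If that NULL behaviour holds for the osquery build in use (worth confirming), guard the predicates, e.g. `COALESCE(top_dir, '') NOT IN (...)` and `COALESCE(top_homedir, '') NOT IN (...)`, or apply the COALESCE here in the SELECT list. The same two expressions are added to detection/execution/unexpected-execdir-macos.sql in this commit. The SELECT list continues outside the hunk.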
@@ -69,28 +71,79 @@ WHERE
 '/usr/libexec',
 '/usr/libexec/ApplicationFirewall',
 '/usr/libexec/AssetCache',
+ '/usr/libexec/firmwarecheckers',
 '/usr/libexec/firmwarecheckers/eficheck',
 '/usr/libexec/rosetta',
 '/usr/lib/fwupd',
 '/usr/lib/ibus',
 '/usr/lib/system',
+ '/usr/local/bin',
 '/usr/sbin'
 )
+ AND top_dir NOT IN (
+ '/Applications/Firefox.app/Contents',
+ '/Applications/Google Chrome.app/Contents',
+ '/Library/Apple/System',
+ '/Library/Application Support/Adobe',
+ '/Library/Application Support/GPGTools',
+ '/Library/Google/GoogleSoftwareUpdate',
+ '/System/Applications/Mail.app',
+ '/System/Applications/Music.app',
+ '/System/Applications/News.app',
+ '/System/Applications/TV.app',
+ '/System/Applications/Weather.app',
+ '/System/Library/CoreServices',
+ '/System/Library/Filesystems',
+ '/System/Library/Frameworks',
+ '/System/Library/PrivateFrameworks',
+ '/System/Library/SystemConfiguration',
+ '/System/Library/SystemProfiler',
+ '/System/Volumes/Preboot',
+ '/usr/local/kolide-k2'
+ )
 AND homedir NOT IN (
 '~/bin',
 '~/code/bin',
+ '~/.magefile',
 '~/go/bin',
- '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
- '~/Library/Application Support/Code/User/globalStorage/grafana.vscode-jsonnet/bin',
- '~/Library/Application Support/com.elgato.StreamDeck/Plugins/com.lostdomain.zoom.sdPlugin',
- '~/Library/Application Support/dev.warp.Warp-Stable',
- '~/Library/Printers/Brother MFC-J5330DW.app/Contents/MacOS',
 '~/.local/bin',
- '~/.local/share/nvim/mason/packages/tflint',
- '~/.local/share/nvim.old/mason/packages/tflint',
- '~/.vs-kubernetes/tools/kubectl',
 '~/projects/go/bin'
 )
+ AND top_homedir NOT IN (
+ '~/Applications/Chrome Apps.localized/',
+ '~/.config/nvm/',
+ '~/homebrew/Cellar/',
+ '~/Library/Application Support/',
+ '~/Library/Printers',
+ '~/.local/share',
+ '~/projects/go',
+ '~/code/src',
+ '~/.tflint.d/plugins',
+ '~/.vscode/extensions',
+ '~/.vs-kubernetes/tools'
+ )
+ -- Locally built executables
+ AND NOT (
+ signature.identifier = "a.out"
+ AND homedir LIKE '~/%'
+ AND pp.name LIKE '%sh'
+ )
+ AND dir NOT LIKE '../%' -- data issue
+ AND dir NOT LIKE '/Applications/%'
+ AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
+ AND dir NOT LIKE '/private/tmp/go-build%/exe'
+ AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
+ AND dir NOT LIKE '/private/tmp/nix-build-%'
+ AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
+ AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
+ AND dir NOT LIKE '/private/var/folders/%/bin'
+ AND dir NOT LIKE '/private/var/folders/%/Contents/%'
+ AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
+ AND dir NOT LIKE '/private/var/folders/%/go-build%'
+ AND dir NOT LIKE '/private/var/folders/%/GoLand'
+ AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
+ AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
+ AND homedir NOT LIKE '~/%/node_modules/.pnpm/esbuild-%/node_modules/esbuild-darwin-arm64/bin'
 AND signature.authority NOT IN (
 'Apple iPhone OS Application Signing',
 'Apple Mac OS Application Signing',
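Review bot: The `top_homedir NOT IN` list cannot match seven of its eleven entries: the capture group `(~/.*?/.*?/)` always ends in `/`, but `'~/Library/Printers'`, `'~/.local/share'`, `'~/projects/go'`, `'~/code/src'`, `'~/.tflint.d/plugins'`, `'~/.vscode/extensions'` and `'~/.vs-kubernetes/tools'` carry no trailing slash. Because this commit also removes the exact `~/Library/Printers/...`, `~/.local/share/...` and `~/.vs-kubernetes/tools/kubectl` entries here and the `~/.local/share/%` and `~/.tflint.d/plugins/%` NOT LIKE patterns in the later hunk, executions that were suppressed before will alert again; append the `/` to each entry (or strip it from the capture group) so the list and the regex agree. `signature.identifier = "a.out"` uses double quotes, which SQLite resolves as an identifier first and treats as a string only when no such column exists — use `'a.out'` like every other literal in the file. Note also that `dir NOT LIKE '/Applications/%'` replaces the former `'/Applications/%.app/%'`, so anything executed from a non-bundle directory under /Applications is now excluded as well; if that broadening is intentional a comment saying so would help. The same list, quoting and pattern appear in the corresponding hunk of detection/execution/unexpected-execdir-macos.sql.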
@@ -118,51 +171,6 @@ WHERE
 'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
 'Software Signing'
 )
- AND dir NOT LIKE '../%' -- data issue
-
- AND dir NOT LIKE '/Applications/%.app/%'
- AND dir NOT LIKE '/Applications/Utilities/Adobe Creative Cloud/%'
- AND dir NOT LIKE '/etc/profiles/per-user/%/bin'
- AND dir NOT LIKE '/home/%'
- AND dir NOT LIKE '/Library/Apple/System/%'
- AND dir NOT LIKE '/Library/Application Support/Adobe/%'
- AND dir NOT LIKE '/Library/Application Support/%/Contents/MacOS'
- AND dir NOT LIKE '/Library/Audio/Plug-Ins/%/Contents/MacOS'
- AND dir NOT LIKE '/Library/%/%.bundle/Contents/Helpers'
- AND dir NOT LIKE '/Library/CoreMediaIO/Plug-Ins/%'
- AND dir NOT LIKE '/Library/Developer/%'
- AND dir NOT LIKE '/Library/Internet Plug-Ins/%/Contents/MacOS'
- AND dir NOT LIKE '/Library/Java/JavaVirtualMachines/%'
- AND dir NOT LIKE '/Library/Printers/%.app/Contents/MacOS'
- AND dir NOT LIKE '/Library/PrivilegedHelperTools/com.%'
- AND dir NOT LIKE '/Library/%/Resources/%/Contents/MacOS'
- AND dir NOT LIKE '/Library/%/sbin' -- Nessus
- AND dir NOT LIKE '/Library/SystemExtensions/%'
- AND dir NOT LIKE '/nix/store/%'
- AND dir NOT LIKE '/opt/homebrew/Caskroom/%'
- AND dir NOT LIKE '/opt/homebrew/Cellar/%'
- AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
- AND dir NOT LIKE '/private/tmp/go-build%/exe'
- AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
- AND dir NOT LIKE '/private/tmp/nix-build-%'
- AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
- AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
- AND dir NOT LIKE '/private/var/folders/%/bin'
- AND dir NOT LIKE '/private/var/folders/%/Contents/%'
- AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
- AND dir NOT LIKE '/private/var/folders/%/go-build%'
- AND dir NOT LIKE '/private/var/folders/%/GoLand'
- AND dir NOT LIKE '/snap/%'
- AND dir NOT LIKE '/store/%/bin'
- AND dir NOT LIKE '/System/%'
- AND dir NOT LIKE '/usr/libexec/%'
- AND dir NOT LIKE '/usr/local/%'
- AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
- AND homedir NOT LIKE '~/homebrew/Cellar/%'
- AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
- AND homedir NOT LIKE '~/.local/share/%'
- AND homedir NOT LIKE '~/%/node_modules/.pnpm/esbuild-%/node_modules/esbuild-darwin-arm64/bin'
- AND homedir NOT LIKE '~/.tflint.d/plugins/%'
 -- Don't spam alerts with repeated invocations of the same command-line
 GROUP BY p.cmdline,
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index 8d0aa7b..651db0d 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -15,7 +15,9 @@ SELECT
 p.gid,
 f.ctime,
 f.directory AS dir,
+ REGEX_MATCH (p.path, '(/.*?/.*?/.*?)/', 1) AS top_dir, -- 3 levels deep
 REPLACE(f.directory, u.directory, '~') AS homedir,
+ REGEX_MATCH (REPLACE(f.directory, u.directory, '~'), '(~/.*?/.*?/)', 1) AS top_homedir, -- 2 levels deep
 p.cmdline,
 hash.sha256,
 pp.path AS parent_path,
@@ -60,27 +62,80 @@ WHERE
 '/usr/libexec',
 '/usr/libexec/ApplicationFirewall',
 '/usr/libexec/AssetCache',
+ '/usr/libexec/firmwarecheckers',
 '/usr/libexec/firmwarecheckers/eficheck',
 '/usr/libexec/rosetta',
 '/usr/lib/fwupd',
 '/usr/lib/ibus',
 '/usr/lib/system',
+ '/usr/local/bin',
 '/usr/sbin'
 )
+ AND top_dir NOT IN (
+ '/Applications/Firefox.app/Contents',
+ '/Applications/Google Chrome.app/Contents',
+ '/Library/Apple/System',
+ '/Library/Application Support/Adobe',
+ '/Library/Application Support/GPGTools',
+ '/Library/Google/GoogleSoftwareUpdate',
+ '/System/Applications/Mail.app',
+ '/System/Applications/Music.app',
+ '/System/Applications/News.app',
+ '/System/Applications/TV.app',
+ '/System/Applications/Weather.app',
+ '/System/Library/CoreServices',
+ '/System/Library/Filesystems',
+ '/System/Library/Frameworks',
+ '/System/Library/PrivateFrameworks',
+ '/System/Library/SystemConfiguration',
+ '/System/Library/SystemProfiler',
+ '/System/Volumes/Preboot',
+ '/usr/local/kolide-k2'
+ )
 AND homedir NOT IN (
 '~/bin',
 '~/code/bin',
+ '~/.magefile',
 '~/go/bin',
- '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
- '~/Library/Application Support/Code/User/globalStorage/grafana.vscode-jsonnet/bin',
- '~/Library/Application Support/com.elgato.StreamDeck/Plugins/com.lostdomain.zoom.sdPlugin',
- '~/Library/Application Support/dev.warp.Warp-Stable',
- '~/Library/Printers/Brother MFC-J5330DW.app/Contents/MacOS',
 '~/.local/bin',
- '~/.local/share/nvim/mason/packages/tflint',
- '~/.local/share/nvim.old/mason/packages/tflint',
 '~/projects/go/bin'
 )
+ AND top_homedir NOT IN (
+ '~/Applications/Chrome Apps.localized/',
+ '~/.config/nvm/',
+ '~/homebrew/Cellar/',
+ '~/Library/Application Support/',
+ '~/Library/Printers',
+ '~/.local/share',
+ '~/projects/go',
+ '~/code/src',
+ '~/.tflint.d/plugins',
+ '~/.vscode/extensions',
+ '~/.vs-kubernetes/tools'
+ )
+ -- Locally built executables
+ AND NOT (
+ signature.identifier = "a.out"
+ AND homedir LIKE '~/%'
+ AND pp.name LIKE '%sh'
+ )
+ AND dir NOT LIKE '/Applications/%'
+ AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
+ AND dir NOT LIKE '/private/tmp/go-build%/exe'
+ AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
+ AND dir NOT LIKE '/private/tmp/nix-build-%'
+ AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
+ AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
+ AND dir NOT LIKE '/private/var/folders/%/bin'
+ AND dir NOT LIKE '/private/var/folders/%/Contents/%'
+ AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
+ AND dir NOT LIKE '/private/var/folders/%/go-build%'
+ AND dir NOT LIKE '/private/var/folders/%/GoLand'
+ AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
+ AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
+ AND homedir NOT LIKE '~/%/node_modules/.pnpm/esbuild-%/node_modules/esbuild-darwin-arm64/bin'
+
+ -- Allow these anywhere (put last because it's slow to query signatures)
 AND signature.authority NOT IN (
 'Apple iPhone OS Application Signing',
 'Apple Mac OS Application Signing',
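Review bot: The new comment `-- Allow these anywhere (put last because it's slow to query signatures)` states an ordering guarantee SQLite does not give: the planner may evaluate WHERE terms in any order it chooses, so placing the `signature.authority` check last is at most a hint that the signature lookup runs after the cheaper filters — worth measuring rather than asserting, and the comment could say "intended to run last" rather than stating it as fact. Separately, `NOT (signature.identifier = "a.out" AND homedir LIKE '~/%' AND pp.name LIKE '%sh')` suppresses every unsigned ad-hoc binary anywhere under a home directory that was started from a shell, which is a wide gap for a rule whose purpose is unexpected execution directories; scoping it to the build locations it is meant to cover (the existing `go-build` patterns suggest which) or documenting the accepted risk in the comment would make the trade-off explicit. The same exclusion is added to unexpected-execdir-events-macos.sql in this commit. The WHERE clause and the joins that define `signature` and `pp` continue outside the hunk.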
@@ -106,50 +161,4 @@ WHERE
 'Developer ID Application: Valve Corporation (MXGJJ98X76)',
 'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
 'Software Signing'
- )
- AND dir NOT LIKE '/Applications/%.app/%'
- AND dir NOT LIKE '/Applications/Utilities/Adobe Creative Cloud/%'
- AND dir NOT LIKE '/etc/profiles/per-user/%/bin'
- AND dir NOT LIKE '/home/%'
- AND dir NOT LIKE '/Library/Apple/System/%'
- AND dir NOT LIKE '/Library/Application Support/Adobe/%'
- AND dir NOT LIKE '/Library/Application Support/%/Contents/MacOS'
- AND dir NOT LIKE '/Library/Audio/Plug-Ins/%/Contents/MacOS'
- AND dir NOT LIKE '/Library/%/%.bundle/Contents/Helpers'
- AND dir NOT LIKE '/Library/CoreMediaIO/Plug-Ins/%'
- AND dir NOT LIKE '/Library/Developer/%'
- AND dir NOT LIKE '/Library/Internet Plug-Ins/%/Contents/MacOS'
- AND dir NOT LIKE '/Library/Java/JavaVirtualMachines/%'
- AND dir NOT LIKE '/Library/Printers/%.app/Contents/MacOS'
- AND dir NOT LIKE '/Library/PrivilegedHelperTools/com.%'
- AND dir NOT LIKE '/Library/%/Resources/%/Contents/MacOS'
- AND dir NOT LIKE '/Library/%/sbin' -- Nessus
- AND dir NOT LIKE '/Library/SystemExtensions/%'
- AND dir NOT LIKE '/nix/store/%'
- AND dir NOT LIKE '/opt/%/bin'
- AND dir NOT LIKE '/opt/homebrew/Caskroom/%'
- AND dir NOT LIKE '/opt/homebrew/Cellar/%'
- AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
- AND dir NOT LIKE '/private/tmp/go-build%/exe'
- AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
- AND dir NOT LIKE '/private/tmp/nix-build-%'
- AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
- AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
- AND dir NOT LIKE '/private/var/folders/%/bin'
- AND dir NOT LIKE '/private/var/folders/%/Contents/%'
- AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app'
- AND dir NOT LIKE '/private/var/folders/%/go-build%'
- AND dir NOT LIKE '/private/var/folders/%/GoLand'
- AND dir NOT LIKE '/snap/%'
- AND dir NOT LIKE '/store/%/bin'
- AND dir NOT LIKE '/System/%'
- AND dir NOT LIKE '/Users/%'
- AND dir NOT LIKE '/usr/libexec/%'
- AND dir NOT LIKE '/usr/local/%'
- AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%'
- AND homedir NOT LIKE '~/homebrew/Cellar/%'
- AND homedir NOT LIKE '~/Library/Caches/ms-playwright/%'
- AND homedir NOT LIKE '~/.local/share/%'
- AND homedir NOT LIKE '~/%/node_modules/.pnpm/esbuild-%/node_modules/esbuild-darwin-arm64/bin'
- AND homedir NOT LIKE '~/.tflint.d/plugins/%'
-
+ )
\ No newline at end of file
diff --git a/detection/impact/evenly-timestomped.sql b/detection/impact/evenly-timestomped.sql
index eaf0586..8799b96 100644
--- a/detection/impact/evenly-timestomped.sql
+++ b/detection/impact/evenly-timestomped.sql
@@ -40,7 +40,8 @@ WHERE
 '/etc/master.passwd',
 '/usr/share/doc/strace/NEWS',
 '/bin/strace-log-merge',
- '/usr/bin/strace-log-merge'
+ '/usr/bin/strace-log-merge',
+ '/bin/X11/strace-log-merge'
 )
 AND file.path NOT LIKE '%/lynis%'
 AND file.path NOT LIKE '%/yelp-xsl%'
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 97c00b4..2fecb59 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -102,6 +102,7 @@ WHERE
 'dkms.service,Builds and install new kernel modules through DKMS,,200',
 'dm-event.socket,Device-mapper event daemon FIFOs,,200',
 'dnf-automatic-install.timer,dnf-automatic-install timer,,200',
+ 'dnf-automatic-install.service,dnf automatic install updates,,300',
 'dnf-makecache.service,dnf makecache,,400',
 'dnf-makecache.timer,dnf makecache --timer,,300',
 'docker.service,Docker Application Container Engine,,1100',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index c38e3b2..9853cac 100644
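Review bot: The rewritten closing `)` of unexpected-execdir-macos.sql is committed without a trailing newline (`\ No newline at end of file`), which the previous version of the file had; restoring it keeps future diffs of this file clean and avoids the marker reappearing on every later change. Beyond that the hunk only deletes the `NOT LIKE` exclusions that the earlier hunk in this file partly re-homes under `top_dir`/`top_homedir`.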
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -118,6 +118,7 @@ WHERE
 '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers'
 )
 AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'
+ AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/yum %'
 AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
 AND p.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
 AND p.path NOT LIKE '/nix/store/%/bin/%'
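Review bot: `AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/yum %'` keys a uid-0 exclusion on the process's self-reported command line alone, which a process controls for itself; the neighbouring `dnf` exclusion shares the weakness and this line extends it rather than tightening it. Anchoring on the executable too, e.g. `AND NOT (p.path LIKE '/usr/bin/python3%' AND p.cmdline LIKE '/usr/bin/python3 /usr/bin/yum %')`, costs nothing since `p.path` is already used in this WHERE clause (the `LIKE` allows for `p.path` resolving to a versioned interpreter such as `python3.N` — confirm what the processes table reports on the target hosts). The WHERE clause begins outside the hunk.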