From ca768ca4fa6f713443c659dcbb9b52d1b6c07621 Mon Sep 17 00:00:00 2001
From: Dave Smith
Date: Tue, 12 Nov 2024 07:37:29 -0500
Subject: [PATCH] fpr: mostly uid0 things

---
 detection/c2/unexpected-talkers-linux.sql | 1 +
 detection/persistence/unexpected-uid0-daemon-linux.sql | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index b05a22c..bb72303 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -159,6 +159,7 @@ WHERE protocol > 0
 '80,6,500,python3.11,0u,0g,dnf',
 '80,6,500,python3.11,0u,0g,yum',
 '80,6,500,python3.12,0u,0g,pull-lp-source',
+ '80,6,0,python3.12,0u,0g,dnf-automatic',
 '80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86',
 '80,6,500,qemu-system-x86_64,500u,500g,qemu-system-x86',
 '80,6,500,rpi-imager,0u,0g,rpi-imager',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 151942f..64a4919 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -125,6 +125,7 @@ WHERE
 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0700',
 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
+ 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-0.slice,0755',
 'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
 'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
 'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',
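Review bot: The new dnf-automatic exception pins the interpreter to `python3.12`, so the same root-owned port-80 flow will come back as an alert on the next interpreter bump; this very commit is adding python3.13 rows to unexpected-uid0-daemon-linux.sql for exactly that reason. If this file applies the same `__VERSION__` normalisation the other file uses, a `python__VERSION__` key would cover future releases; if it does not, a one-line comment above the row stating that the version is pinned on purpose would save the next reviewer the question. The row also differs from the neighbouring dnf/yum rows in the third field (`0` here, `500` there), and the comma-separated key is not self-describing, so if the list is not already preceded by a comment naming each field, adding one would let a reader check rows like this. The enclosing WHERE clause starts outside the hunk.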
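Review bot: The new `user-0.slice` row exempts dbus-daemon running inside a root login session, which is a different situation from the existing `user-1000.slice` row: logind typically creates a `user-0.slice` only when someone logs in as root directly rather than escalating from an unprivileged account, and on most fleets that is itself the kind of signal this persistence query exists to surface. The same pattern is added for xdg-permission-store in the `@@ -351,6 +359,7 @@` hunk. If direct root sessions are expected on the hosts this rule is tuned for, record that once next to these rows, e.g. `-- user-0.slice rows: direct root logins are expected on <host class>`; otherwise consider scoping the exception to those hosts rather than exempting every root session's dbus-daemon and permission store. The enclosing WHERE clause starts outside the hunk.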
@@ -143,17 +144,20 @@ WHERE
 'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
 'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
 'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755',
+ 'dpkg,/usr/bin/dpkg,0,user.slice,user-1000.slice,0755',
 'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
 'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,system.slice,ElasticEndpoint.service,0500',
 'elastic-endpoin,/var/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
 'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
 'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755',
+ 'firewalld,/usr/bin/python3.13,0,system.slice,firewalld.service,0755',
 'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
 'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
 'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
 'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
 'flock,/usr/bin/flock,0,system.slice,system-btrfs\x2ddedup.slice,0755',
 'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
+ 'frontend,/usr/bin/perl,0,user.slice,user-1000.slice,0755',
 'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755',
 'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755',
 'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
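Review bot: The `frontend,/usr/bin/perl` row is the broadest new exception in this hunk: because the key carries the interpreter path rather than the script, it exempts any uid 0 perl process named `frontend` running in the uid 1000 session slice. Presumably this is the debconf frontend spawned by dpkg under sudo (the dpkg row added three lines above fits the same scenario), so a comment tying the two together, `-- dpkg/frontend: debconf via sudo apt in the user session`, would record why a root perl in a user slice is acceptable here. Separately, the `python3.13` firewalld row sits directly above an existing `python__VERSION__` row: if the `__VERSION__` normalisation applies to interpreter basenames, the explicit 3.13 rows added here and in the `@@ -190,6 +194,7 @@` and `@@ -326,6 +333,7 @@` hunks are redundant, and if it does not, the placeholder row appears unreachable — either way one of the two forms should go. The enclosing WHERE clause starts outside the hunk.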
@@ -190,6 +194,7 @@ WHERE
 'incusd,/usr/libexec/incus/incusd,0,lxc.monitor.pure-dodo,,0755',
 'incusd,/usr/libexec/incus/incusd,0,system.slice,incus.service,0755',
 'input-remapper-,/usr/bin/python3.12,0,system.slice,input-remapper.service,0755',
+ 'input-remapper-,/usr/bin/python3.13,0,system.slice,input-remapper.service,0755',
 'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,',
 'ir_agent,/opt/rapid7/ir_agent/components/insight_agent/__VERSION__/ir_agent,0,system.slice,ir_agent.service,0700',
 'ir_agent,/opt/rapid7/ir_agent/ir_agent,0,system.slice,ir_agent.service,',
@@ -313,7 +318,9 @@ WHERE
 'systemd-logind,/nix/store/__VERSION__/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0555',
 'systemd-logind,/usr/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0755',
 'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
+ 'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
 'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755',
+ 'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
 'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755',
 'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
 'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
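Review bot: The row `'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755'` is added twice in the `@@ -313,7 +318,9 @@` hunk, once above and once below the existing systemd-nsresourcework row. In a value list the duplicate is harmless at runtime, but it reads like a merge slip and will puzzle anyone diffing the allowlist later; drop the second copy so nsresourced and nsresourcework each appear once. The enclosing WHERE clause starts outside the hunk.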
@@ -326,6 +333,7 @@ WHERE
 'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
 'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
 'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
+ 'tuned,/usr/bin/python3.13,0,system.slice,tuned.service,0755',
 'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
 'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
 'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
@@ -351,6 +359,7 @@ WHERE
 'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755',
 'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755',
 'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
+ 'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-0.slice,0755',
 'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
 'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
 'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',