Merge pull request #41 from tstromberg/fpos

Reduce in-the-wild false positives, improve performance
2025-01-10 07:39:26 +00:00 · 2022-10-28 16:11:58 -04:00 · 2022-10-28 16:11:58 -04:00 · d5c7352344
commit d5c7352344
parent 208383ccd6 897c96bd33
11 changed files with 36 additions and 8 deletions
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -84,10 +84,12 @@ WHERE
    '500,/home/chainctl,500u,500g,chainctl',
    '500,/home/gitsign,500u,500g,gitsign',
    '500,/home/go,500u,500g,go',
+    '500,/home/grype,500u,500g,grype',
    '500,/home/jcef_helper,500u,500g,jcef_helper',
    '500,/ko-app/chainctl,u,g,chainctl',
    '500,/ko-app/controlplane,u,g,controlplane',
    '500,/opt/1password,0u,0g,1password',
+    '500,/opt/Brackets,0u,0g,Brackets',
    '500,/opt/chrome,0u,0g,chrome',
    '500,/opt/firefox,0u,0g,firefox',
    '500,/opt/firefox,0u,0g,Socket Process',
@ -106,6 +108,7 @@ WHERE
    '500,/usr/firefox,0u,0g,Socket Process',
    '500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
    '500,/usr/geoclue,0u,0g,geoclue',
+    '500,/usr/git-remote-http,0u,0g,git-remote-http',
    '500,/usr/gitsign,0u,0g,gitsign',
    '500,/usr/gnome-recipes,0u,0g,gnome-recipes',
    '500,/usr/gnome-software,0u,0g,gnome-software',
@ -113,7 +116,6 @@ WHERE
    '500,/usr/go,500u,500g,go',
    '500,/usr/gvfsd-http,0u,0g,gvfsd-http',
    '500,/usr/java,0u,0g,java',
-    '500,/home/grype,500u,500g,grype',
    '500,/usr/kubectl,500u,500g,kubectl',
    '500,/usr/signal-desktop,0u,0g,signal-desktop',
    '500,/usr/slack,0u,0g,slack',
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -97,6 +97,7 @@ WHERE
    '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
    '80,6,0,/usr/pacman,0u,0g,pacman',
    '80,6,0,/usr/python3.10,0u,0g,dnf',
+    '80,6,500,/usr/python3.10,0u,0g,yum',
    '80,6,0,/usr/python3.10,0u,0g,yum',
    '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
    '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -157,6 +157,7 @@ WHERE
    '443,6,500,cloud_sql_proxy,a.out,',
    '443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    '443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
+    '443,6,500,com.docker.backend,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
    '443,6,500,cosign,,',
    '443,6,500,cosign,a.out,',
    '443,6,500,cosign,cosign,',
--- a/detection/evasion/unexpected-dev-executables-linux.sql
+++ b/detection/evasion/unexpected-dev-executables-linux.sql
@ -42,3 +42,11 @@ WHERE
    or file.mode LIKE '%5%'
    or file.mode LIKE '%1%'
  )
+  -- Seen on Ubuntu
+  AND NOT (
+    file.uid = 1000
+    AND file.gid = 1000
+    AND file.mode = 0700
+    AND file.path LIKE '/dev/shm/pulse-shm-%'
+    AND file.size > 60000000
+  )
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@ -54,6 +54,7 @@ WHERE
    '/usr/bin/pipewire',
    '/usr/bin/tailscaled',
    '/usr/bin/udevadm',
+    '/usr/bin/cargo',
    '/usr/lib/at-spi2-registryd',
    '/usr/lib/at-spi-bus-launcher',
    '/usr/libexec/docker/docker-proxy',
--- a/detection/execution/unexpected-env-values-macos.sql
+++ b/detection/execution/unexpected-env-values-macos.sql
@ -5,7 +5,7 @@
 --
 -- WARNING: This query is known to require a higher than average wall time.
 --
-- tags: transient state rapid
+-- interval: 20
 -- platform: darwin
 SELECT
  key,
@ -15,12 +15,14 @@ SELECT
  p.cmdline,
  p.parent AS parent_pid,
  pp.cmdline AS parent_cmd
-FROM
-  process_envs pe
-  LEFT JOIN processes p ON pe.pid = p.pid
+-- Querying processes first and filtering by time gives a massive 20X speed improvement
+-- over querying process_envs first and JOIN'ing against processes
+FROM processes p
+  LEFT JOIN process_envs pe ON p.pid = pe.pid
  LEFT JOIN processes pp ON p.parent = pp.pid
-WHERE
-  (
+WHERE -- This time should match the interval
+  p.start_time > (strftime('%s', 'now') - 20)
+  AND (
    key = 'HISTFILE'
    AND NOT VALUE LIKE '/Users/%/.%_history'
  )
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@ -49,6 +49,7 @@ WHERE
  AND p.time > (strftime('%s', 'now') -60)
  AND exception_key NOT IN (
    ',,osascript',
+    ',,osascript openChrome.applescript https://localhost.ch',
    'com.vng.zalo,Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),osascript -ss'
  )
  AND cmd NOT IN ('osascript -e user locale of (get system info)')
@ -58,6 +59,11 @@ WHERE
    exception_key = 'org.python.python,,osascript'
    AND parent_cmd LIKE '% /opt/homebrew/bin/jupyter-notebook'
  )
+  AND NOT (
+    exception_key = 'org.python.python,Software Signing,osascript'
+    AND parent_cmd LIKE '%/Contents/MacOS/Python -S %/google-cloud-sdk/lib/gcloud.py auth login'
+  )
  AND NOT cmd LIKE 'osascript -e set zoomStatus to "closed"%'
+  AND NOT cmd LIKE 'osascript openChrome.applescript http://127.0.0.1:%'
 GROUP BY
  p.pid
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -54,6 +54,7 @@ WHERE
    'java',
    'ko',
    'kubectl',
+    'lightdm',
    'make',
    'monorail',
    'nix',
--- a/detection/persistence/unexpected-launchd-program-arguments.sql
+++ b/detection/persistence/unexpected-launchd-program-arguments.sql
@ -62,5 +62,6 @@ WHERE
    '/opt/homebrew/opt/yubikey-agent/bin/yubikey-agent -l /opt/homebrew/var/run/yubikey-agent.sock',
    '/usr/local/MacGPG2/libexec/fixGpgHome'
  )
+  AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/Grammarly Uninstaller'
  AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh'
  AND program_arguments NOT LIKE '%/mysqld_safe --datadir=%'
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -47,6 +47,7 @@ WHERE
    '/usr/bin/abrt-dump-journal-xorg',
    '/usr/bin/anacron',
    '/usr/bin/apcupsd',
+    '/usr/bin/clamscan',
    '/usr/bin/containerd',
    '/usr/bin/containerd-shim-runc-v2',
    '/usr/bin/crond',
@ -106,6 +107,8 @@ WHERE
  )
  -- Because I don't want to whitelist all of Python3
  AND p.cmdline NOT IN (
+    'xargs logger -s',
+    '/usr/bin/xargs',
    '/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid',
    '/usr/bin/python /usr/bin/firewalld --nofork --nopid',
    '/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
--- a/detection/privesc/unexpected-privilege-escalation-events.sql
+++ b/detection/privesc/unexpected-privilege-escalation-events.sql
@ -44,7 +44,9 @@ WHERE
    '/usr/bin/sudo',
    '/usr/bin/top',
    '/usr/lib/snapd/snap-confine',
-    '/usr/lib/snapd/snap-update-ns'
+    '/usr/lib/snapd/snap-update-ns',
+    '/usr/lib/systemd/systemd',
+    '/usr/lib/Xorg.wrap'
  )
  AND p.path NOT LIKE '/nix/store/%/bin/sudo'
  AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'