From e90dc53072f529a09bc9feac9e4920a8ebf7a9d9 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:37:35 -0400
Subject: [PATCH 1/9] Add newline
---
 detection/privesc/unexpected-privileged-containers.sql | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/detection/privesc/unexpected-privileged-containers.sql b/detection/privesc/unexpected-privileged-containers.sql
index 221333d..6248a9a 100644
--- a/detection/privesc/unexpected-privileged-containers.sql
+++ b/detection/privesc/unexpected-privileged-containers.sql
@@ -27,5 +27,4 @@ WHERE
 AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%'
 AND image NOT LIKE 'docker.io/rancher/k3s:%'
 -- this one makes me sad. It's due to limitations running bubblewrap in a container
- AND image NOT IN ('cgr.dev/chainguard/melange', 'wolfi:test')
-;
\ No newline at end of file
+ AND image NOT IN ('cgr.dev/chainguard/melange', 'wolfi:test');
From eedfdfb23d12336342fb8e7228a4c65d71e4614a Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:38:29 -0400
Subject: [PATCH 2/9] Fix table joins: hash->phash
---
 detection/privesc/unexpected-privilege-escalation-events.sql | 4 ++--
 detection/privesc/unexpected-privilege-escalation.sql | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/detection/privesc/unexpected-privilege-escalation-events.sql b/detection/privesc/unexpected-privilege-escalation-events.sql
index c7cf69a..9b00ef0 100644
--- a/detection/privesc/unexpected-privilege-escalation-events.sql
+++ b/detection/privesc/unexpected-privilege-escalation-events.sql
@@ -30,8 +30,8 @@ FROM
 JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN file ON p.path = file.path
 LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN file AS pfile ON pp.path = file.path
- LEFT JOIN hash AS phash ON pp.path = hash.path
+ LEFT JOIN file AS pfile ON pp.path = pfile.path
+ LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
 p.time > (strftime('%s', 'now') -30)
 AND p.euid < pp.euid
diff --git a/detection/privesc/unexpected-privilege-escalation.sql b/detection/privesc/unexpected-privilege-escalation.sql
index 2d4ea21..8d14db1 100644
--- a/detection/privesc/unexpected-privilege-escalation.sql
+++ b/detection/privesc/unexpected-privilege-escalation.sql
@@ -30,8 +30,8 @@ FROM
 JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN file ON p.path = file.path
 LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN file AS pfile ON pp.path = file.path
- LEFT JOIN hash AS phash ON pp.path = hash.path
+ LEFT JOIN file AS pfile ON pp.path = pfile.path
+ LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
 p.euid < pp.euid
 AND p.path NOT IN (
From 3a944b2af8a0744b8722194d13d4ff0f2db9c259 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:38:47 -0400
Subject: [PATCH 3/9] Fix platform name: darwin
---
 detection/c2/unexpected-talkers-macos.sql | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 8bab443..f44a1f3 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -4,8 +4,9 @@
 -- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
 -- tags: transient state net often
--- platform: macos
-SELECT protocol,
+-- platform: darwin
+SELECT
+ protocol,
 s.local_port,
 s.remote_port,
 s.remote_address,
@@ -31,12 +32,14 @@ SELECT protocol,
 ',',
 signature.authority
 ) AS exception_key
-FROM process_open_sockets s
+FROM
+ process_open_sockets s
 LEFT JOIN processes p ON s.pid = p.pid
 LEFT JOIN processes pp ON pp.pid = p.parent
 LEFT JOIN hash ON p.path = hash.path
 LEFT JOIN signature ON p.path = signature.path
-WHERE protocol > 0
+WHERE
+ protocol > 0
 AND s.remote_port > 0
 AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
 AND s.remote_address NOT LIKE 'fe80:%'
@@ -239,7 +242,6 @@ WHERE protocol > 0
 '80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
 '80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
 '80,6,500,webhook.test,a.out,'
- )
 -- nix-shell infects children with open connections
 AND NOT (
 parent_cmd LIKE '%/tmp/nix-shell%'
@@ -332,4 +334,5 @@ WHERE protocol > 0
 remote_port IN (53, 443)
 AND p.path LIKE '/private/var/folders/%/T/GoLand/%'
 )
-GROUP BY s.pid
\ No newline at end of file
+GROUP BY
+ s.pid
From 878f6e1b71a1ad09cb03e75bee24e3f39fde4541 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:39:01 -0400
Subject: [PATCH 4/9] Fix hash JOIN table name
---
 detection/execution/exotic-command-events-linux.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index 7afc2a7..60188a1 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -35,7 +35,7 @@ FROM
 process_events p
 LEFT JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN hash AS phash ON pp.path = hash.path
+ LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
 p.time > (strftime('%s', 'now') -60)
 AND (
From dab3b3b8780ae0fc079c68d9793f17a4337dbedb Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:39:35 -0400
Subject: [PATCH 5/9] Fix platform name: darwin instead of macos
---
 detection/execution/unexpected-gatekeeper-approvals-macos.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection/execution/unexpected-gatekeeper-approvals-macos.sql b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
index b640b87..b36d6d2 100644
--- a/detection/execution/unexpected-gatekeeper-approvals-macos.sql
+++ b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
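Review bot: The removed line `- )` appears to be the closing parenthesis of the exception_key list that ends at `'80,6,500,webhook.test,a.out,'`, and nothing in this hunk re-adds it, so the new side reads `'80,6,500,webhook.test,a.out,'` followed directly by the nix-shell comment and `AND NOT (` with the list left open. Unless a matching parenthesis sits outside the hunk's three lines of context, the query would fail to parse instead of running, which for a detection rule means silent loss of coverage rather than a visible error. The safe form keeps the closer on its own line after the last literal: `'80,6,500,webhook.test,a.out,'` / `)` / `-- nix-shell infects children with open connections`. The enclosing WHERE clause starts and ends outside the hunk.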
@@ -6,7 +6,7 @@
 -- false positives:
 -- * developers downloading binaries from Github
 --
--- platform: macos
+-- platform: darwin
 -- tags: persistent filesystem state gatekeeper
 SELECT
 gap.ctime,
From 13d10c6af1bd0c314c2a584c7c287678a3d675c2 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:39:53 -0400
Subject: [PATCH 6/9] Add spacing (sqlformat)
---
 detection/privesc/docker-container-mounting-root.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection/privesc/docker-container-mounting-root.sql b/detection/privesc/docker-container-mounting-root.sql
index d0d037b..73dc499 100644
--- a/detection/privesc/docker-container-mounting-root.sql
+++ b/detection/privesc/docker-container-mounting-root.sql
@@ -22,4 +22,4 @@ FROM
 docker_container_mounts AS dcm
 LEFT JOIN docker_containers dc ON dcm.id = dc.id
 WHERE
- dcm.source="/"
+ dcm.source = "/"
From 8516aec8c3e96c815cd0f6bce97979e084c2211b Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:42:44 -0400
Subject: [PATCH 7/9] Fix broken osascript script, move duplicate check out of exotic
---
 .../execution/exotic-command-events-macos.sql | 38 +++++++++----------
 .../execution/unexpected-osascript-calls.sql | 8 +++-
 2 files changed, 25 insertions(+), 21 deletions(-)
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index e93309b..01334d5 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -51,21 +51,17 @@ WHERE
 'rshell',
 'rsh',
 'incbit',
- 'osascript',
 'kmod',
 'lushput',
 'mkfifo',
 'msfvenom',
 'nc',
 'socat'
- )
- -- Chrome Stealer
+ ) -- Chrome Stealer
 OR cmd LIKE '%set visible of front window to false%'
- OR cmd LIKE '%chrome%-load-extension%'
- -- Known attack scripts
+ OR cmd LIKE '%chrome%-load-extension%' -- Known attack scripts
 OR basename LIKE '%pwn%'
- OR basename LIKE '%attack%'
- -- Unusual behaviors
+ OR basename LIKE '%attack%' -- Unusual behaviors
 OR cmd LIKE '%chattr -ia%'
 OR cmd LIKE '%chmod 777 %'
 OR cmd LIKE '%touch%acmr%'
@@ -83,17 +79,25 @@ WHERE
 OR cmd LIKE '%nohup /bin/bash%'
 OR cmd LIKE '%echo%|%base64 --decode %|%'
 OR cmd LIKE '%launchctl list%'
- OR (cmd LIKE '%UserKnownHostsFile=/dev/null%' AND NOT parent_name='limactl')
- -- Random keywords
- OR cmd LIKE '%ransom%'
- -- Reverse shells
+ OR (
+ cmd LIKE '%UserKnownHostsFile=/dev/null%'
+ AND NOT parent_name = 'limactl'
+ ) -- Random keywords
+ OR cmd LIKE '%ransom%' -- Reverse shells
 OR cmd LIKE '%fsockopen%'
 OR cmd LIKE '%openssl%quiet%'
 OR cmd LIKE '%pty.spawn%'
- OR (cmd LIKE '%sh -i' AND NOT parent_name='sh')
+ OR (
+ cmd LIKE '%sh -i'
+ AND NOT parent_name = 'sh'
+ )
 OR cmd LIKE '%socat%'
 OR cmd LIKE '%SOCK_STREAM%'
- OR (cmd LIKE '%Socket.%' AND NOT basename='compile')
+ OR (
+ cmd LIKE '%Socket.%'
+ AND NOT basename IN ('compile', 'sed', 'mv')
+ AND NOT cmd LIKE "%sys/socket.h%"
+ )
 ) -- Things that could reasonably happen at boot.
 AND NOT (
 p.path = '/usr/bin/mkfifo'
@@ -102,8 +106,7 @@ WHERE
 AND NOT (
 cmd LIKE '%csrutil status'
 AND parent_name IN ('Dropbox')
- )
- -- The source of these commands is still a mystery to me.
+ ) -- The source of these commands is still a mystery to me.
 AND NOT (
 cmd IN (
 '/usr/bin/csrutil status',
@@ -111,9 +114,4 @@ WHERE
 )
 AND p.parent = -1
 )
- AND NOT cmd LIKE 'osascript -e set zoomStatus%'
 AND NOT cmd LIKE '/bin/rm -f /tmp/periodic.%'
- AND NOT cmd IN (
- 'osascript -e user locale of (get system info)',
- 'osascript'
- )
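Review bot: The reformat attaches each section-heading comment to the line before the group it labels: `) -- Chrome Stealer` now trails the closing paren of the suspicious-basename list, `'%chrome%-load-extension%' -- Known attack scripts` sits on a Chrome line, and `'%attack%' -- Unusual behaviors` on an attack-script line, so every comment reads as describing the wrong predicate. Keeping each heading as a standalone line above its group (`-- Chrome Stealer` on its own line before `OR cmd LIKE '%set visible of front window to false%'`), or giving each predicate its own trailing comment, preserves the author's intent through future formatter runs. The same drift appears in the second hunk (`) -- Random keywords`, `'%ransom%' -- Reverse shells`) and the third (`) -- The source of these commands is still a mystery to me.`). The enclosing WHERE clause begins and ends outside the hunk.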
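Review bot: In the second hunk the new exclusion `AND NOT cmd LIKE "%sys/socket.h%"` uses double quotes for a string literal while every other literal in the file is single-quoted; SQLite treats double quotes as an identifier and only falls back to a string when no such column exists, a fallback that can be disabled at build time (SQLITE_DQS), so the safer form is `AND NOT cmd LIKE '%sys/socket.h%'`. The widened basename list `('compile', 'sed', 'mv')` also arrives without a reason, so a short why-comment on that line, e.g. `-- compile/sed/mv: presumably build steps that touch Socket.* source text; confirm`, would make the exclusion reviewable. The enclosing WHERE clause begins and ends outside the hunk.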
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index b6be6f8..bff1943 100644
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@@ -26,7 +26,13 @@ FROM
 process_events p
 LEFT JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN hash AS phash ON pp.path = hash.path
+ LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
 p.path = '/usr/bin/osascript'
 AND p.time > (strftime('%s', 'now') -60)
+ AND NOT cmd LIKE 'osascript -e set zoomStatus%'
+ AND NOT cmd LIKE 'osascript openChrome.applescript http://127.0.0.1:%'
+ AND NOT cmd IN (
+ 'osascript -e user locale of (get system info)',
+ 'osascript'
+ )
From 7d3590f9a1ed4f2c519551cb7a2dc08c969cef88 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:44:53 -0400
Subject: [PATCH 8/9] Add another firefox & chainctl exception
---
 detection/c2/unexpected-https-client-linux.sql | 3 ++-
 detection/c2/unexpected-talkers-linux.sql | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 52413c2..44588a1 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -70,12 +70,13 @@ WHERE
 '0,/usr/nix,0u,0g,nix',
 '0,/usr/packagekitd,0u,0g,packagekitd',
 '0,/usr/pacman,0u,0g,pacman',
+ '0,/usr/python3.10,0u,0g,dnf',
 '0,/usr/tailscaled,0u,0g,tailscaled',
 '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
 '500,/app/slack,u,g,slack',
 '500,/app/thunderbird,u,g,thunderbird',
 '500,/app/zoom.real,u,g,zoom.real',
- '0,/usr/python3.10,0u,0g,dnf',
+ '500,/home/chainctl,500u,100g,chainctl',
 '500,/home/chainctl,500u,500g,chainctl',
 '500,/home/gitsign,500u,500g,gitsign',
 '500,/home/go,500u,500g,go',
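Review bot: The new exclusions are prefix matches: `AND NOT cmd LIKE 'osascript -e set zoomStatus%'` and `'osascript openChrome.applescript http://127.0.0.1:%'` drop any command line that begins with those tokens regardless of what follows, and the bare `'osascript'` entry in the `NOT IN` list drops every invocation whose script arrives on stdin, where `cmd` (presumably a cmdline alias defined in the SELECT outside the hunk) carries nothing to inspect. If the intent is to whitelist only the Zoom and Chrome-helper invocations, anchoring the full expected command line or pairing each with a `parent_name`/`pp.path` condition, as the exotic query does for `limactl`, keeps the exclusion narrow; at minimum a comment such as `-- 'osascript' alone means the script came via stdin and cannot be inspected here` records the accepted gap. The SELECT list and the `cmd` alias are outside the hunk.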
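Review bot: The exception list in the unexpected-https-client-linux.sql hunk gains `'500,/home/chainctl,500u,100g,chainctl'` and relocates `'0,/usr/python3.10,0u,0g,dnf'` without any comment, and nothing in the hunk explains the key layout, so a header line above the list such as `-- exception_key: euid,<dir>/<basename>,uid,gid,name -- confirm against the SELECT` would make new entries reviewable. Assuming the last field is the process's self-reported name, the python3.10/dnf entry excludes any root python3.10 process that reports its name as dnf, which is broader than the interpreter-launched dnf it presumably targets; if the query exposes cmdline, tying that entry to the dnf script path would narrow it. The exception list and its SELECT are outside the hunk.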
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 581afad..2a9d06a 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -100,6 +100,7 @@ WHERE
 '80,6,500,/usr/chrome,0u,0g,chrome',
 '80,6,500,/usr/curl,0u,0g,curl',
 '80,6,500,/usr/firefox,0u,0g,firefox',
+ '80,6,500,/usr/firefox,0u,0g,.firefox-wrappe',
 '8080,6,500,/opt/chrome,0u,0g,chrome',
 '8080,6,500,/usr/firefox,0u,0g,firefox',
 '8443,6,500,/opt/chrome,0u,0g,chrome',
From f305aae1ca7eb322b5abbb63a339322de06a6980 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 21 Oct 2022 17:45:43 -0400
Subject: [PATCH 9/9] noop: Run 'make reformat'
---
 detection/execution/exotic-commands.sql | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/detection/execution/exotic-commands.sql b/detection/execution/exotic-commands.sql
index 2dee7e2..f74367a 100644
--- a/detection/execution/exotic-commands.sql
+++ b/detection/execution/exotic-commands.sql
@@ -48,7 +48,10 @@ WHERE
 OR cmd LIKE '%nohup%tmp%'
 OR cmd LIKE '%set visible of front window to false%'
 OR cmd LIKE '%chrome%--load-extension%'
- OR (cmd LIKE '%UserKnownHostsFile=/dev/null%' AND NOT parent_name='limactl')
+ OR (
+ cmd LIKE '%UserKnownHostsFile=/dev/null%'
+ AND NOT parent_name = 'limactl'
+ )
 -- Crypto miners
 OR cmd LIKE '%c3pool%'
 OR cmd LIKE '%cryptonight%'
@@ -70,7 +73,10 @@ WHERE
 OR cmd LIKE '%fsockopen%'
 OR cmd LIKE '%openssl%quiet%'
 OR cmd LIKE '%pty.spawn%'
- OR (cmd LIKE '%sh -i' AND NOT parent_name='sh')
+ OR (
+ cmd LIKE '%sh -i'
+ AND NOT parent_name = 'sh'
+ )
 OR cmd LIKE '%socat%'
 OR cmd LIKE '%SOCK_STREAM%'
 OR cmd LIKE '%Socket.fork%'
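Review bot: The last field of the new entry `'80,6,500,/usr/firefox,0u,0g,.firefox-wrappe'` is a 15-character truncated name, which matches the Linux kernel's comm length limit, just like `.tailscaled-wra` in the sibling unexpected-https-client-linux.sql list, but nothing on the line says the truncation is deliberate, so a later reader may "correct" it to `.firefox-wrapper` and silently break the match. A trailing comment, `-- name is truncated by the kernel to 15 chars`, or one note above the list documents it. The exception list and the SELECT that builds the key are outside the hunk.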