Add exceptions for Microsoft teams, ldconfig, fix go build paths

2025-02-03 03:01:45 +00:00 · 2022-11-17 07:20:19 -05:00 · 2022-11-17 07:20:19 -05:00 · eeeaeecda1
commit eeeaeecda1
parent 60d66a5e41
12 changed files with 45 additions and 30 deletions
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -98,10 +98,13 @@ WHERE
    '500,/home/java,500u,500g,java',
    '500,/home/jcef_helper,500u,500g,jcef_helper',
    '500,/home/ko,500u,500g,ko',
+    '500,/home/python3,500u,500g,python3',
    '500,/home/steam,500u,100g,steam',
    '500,/home/steamwebhelper,500u,100g,steamwebhelper',
+    '500,/home/terraform,500u,500g,terraform',
    '500,/home/WPILibInstaller,500u,500g,WPILibInstaller',
    '500,/ko-app/chainctl,u,g,chainctl',
+    '500,/ko-app/controller,u,g,controller',
    '500,/ko-app/controlplane,u,g,controlplane',
    '500,/opt/1password,0u,0g,1password',
    '500,/opt/Brackets,0u,0g,Brackets',
@ -109,6 +112,7 @@ WHERE
    '500,/opt/Discord,0u,0g,Discord',
    '500,/opt/firefox,0u,0g,firefox',
    '500,/opt/firefox,0u,0g,Socket Process',
+    '500,/opt/Keybase,0u,0g,Keybase',
    '500,/opt/kubectl,0u,0g,kubectl',
    '500,/opt/slack,0u,0g,slack',
    '500,/opt/snap-store,0u,0g,snap-store',
@ -116,6 +120,8 @@ WHERE
    '500,/opt/todoist,0u,0g,todoist',
    '500,/opt/zoom,0u,0g,zoom',
    '500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb',
+    '500,/tmp/obsidian,u,g,obsidian',
+    '500,/tmp/terraform,500u,500g,terraform',
    '500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
    '500,/usr/bom,500u,500g,bom',
    '500,/usr/cargo,0u,0g,cargo',
@ -143,25 +149,22 @@ WHERE
    '500,/usr/gsd-datetime,0u,0g,gsd-datetime',
    '500,/usr/gvfsd-http,0u,0g,gvfsd-http',
    '500,/usr/java,0u,0g,java',
-    '500,/ko-app/controller,u,g,controller',
    '500,/usr/java,u,g,java',
    '500,/usr/kbfsfuse,0u,0g,kbfsfuse',
    '500,/usr/keybase,0u,0g,keybase',
+    '500,/usr/ko,u,g,ko',
    '500,/usr/kubectl,500u,500g,kubectl',
    '500,/usr/lens,0u,0g,lens',
-    '500,/usr/signal-desktop,u,g,signal-desktop',
    '500,/usr/nautilus,0u,0g,nautilus',
    '500,/usr/obs,0u,0g,obs',
    '500,/usr/reporter-ureport,0u,0g,reporter-urepor',
    '500,/usr/rpi-imager,0u,0g,rpi-imager',
-    '500,/usr/ko,u,g,ko',
    '500,/usr/signal-desktop,0u,0g,signal-desktop',
-    '500,/tmp/terraform,500u,500g,terraform',
-    '500,/home/terraform,500u,500g,terraform',
+    '500,/usr/signal-desktop,u,g,signal-desktop',
    '500,/usr/slack,0u,0g,slack',
    '500,/usr/spotify,0u,0g,spotify',
-    '500,/tmp/obsidian,u,g,obsidian',
    '500,/usr/syncthing,0u,0g,syncthing',
+    '500,/usr/teams,0u,0g,teams',
    '500,/usr/terraform,0u,0g,terraform',
    '500,/usr/trivy,0u,0g,trivy',
    '500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@ -106,6 +106,7 @@ WHERE
    'fsdaemon',
    'go',
    'goland',
+    'qemu-system-aarch64',
    'gopls',
    'grype',
    'java',
--- a/detection/evasion/empty_environ_linux.sql
+++ b/detection/evasion/empty_environ_linux.sql
@ -42,6 +42,7 @@ WHERE -- This time should match the interval
    'gnome-terminal-',
    'sshd',
    'zoom.real',
+    'teams',
    'zoom',
    'zypak-sandbox'
  )
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@ -103,11 +103,12 @@ WHERE
    OR dir LIKE '~/.%'
    OR dir LIKE '~/code/%'
    OR dir LIKE '~/%/.github%'
-    OR dir LIKE '~/%/src/%'
-    OR dir LIKE '~/%/.modcache/%'
-    OR dir LIKE '~/.gradle/%'
    OR dir LIKE '~/%/github.com/%'
+    OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
+    OR dir LIKE '~/.gradle/%'
    OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
+    OR dir LIKE '~/%/.modcache/%'
+    OR dir LIKE '~/%/src/%'
    OR dir LIKE '~/src/%'
    OR dir LIKE '~/%/.terraform%'
    OR dir LIKE '/tmp/.mount_%'
--- a/detection/evasion/name_path_mismatch.sql
+++ b/detection/evasion/name_path_mismatch.sql
@ -40,7 +40,7 @@ FROM
 WHERE
  short_filename != short_name
  AND NOT cmd LIKE '/nix/store/%/bin/bash%' -- Serial masqueraders
-  AND NOT short_filename IN ('bash', 'ruby', 'python', 'python3')
+  AND NOT short_filename IN ('bash', 'ruby', 'python', 'python3', 'perl')
  AND exception_key NOT IN (
    'name=blueman-applet,file=python3,500',
    'name=blueman-tray,file=python3,500',
--- a/detection/evasion/parent-missing-from-disk.sql
+++ b/detection/evasion/parent-missing-from-disk.sql
@ -59,6 +59,7 @@ WHERE
  AND parent_path NOT LIKE '/app/extra/%'
  AND parent_path NOT LIKE '/opt/homebrew/Cellar/%'
  AND parent_path NOT LIKE '/tmp/.mount_%/%'
+  AND parent_path NOT LIKE '%google-cloud-sdk/.install/.backup%'
  AND NOT (
    parent_name LIKE 'kworker/%+events_unbound'
    AND child_name IN ('modprobe')
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@ -33,7 +33,10 @@ WHERE
  AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
  AND f.path NOT LIKE '/snap/%'
  AND f.path NOT LIKE '/home/%'
-  AND f.path != '/usr/local/bin/chainctl'
+  AND f.path NOT IN (
+    '/usr/local/bin/chainctl',
+    '/opt/google/endpoint-verification/bin/apihelper'
+  )
  AND f.path NOT LIKE '/tmp/go-build%/exe/main'
 GROUP by
  p.pid
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@ -101,7 +101,10 @@ WHERE
    OR cmd LIKE '%fsockopen%'
    OR cmd LIKE '%openssl%quiet%'
    OR cmd LIKE '%pty.spawn%'
-    OR cmd LIKE '%sh -i'
+    OR (
+      cmd LIKE '%sh -i'
+      AND NOT parent_name IN ('sh', 'java')
+    )
    OR cmd LIKE '%socat%'
    OR cmd LIKE '%SOCK_STREAM%'
    OR (
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -95,7 +95,7 @@ WHERE
    OR cmd LIKE '%pty.spawn%'
    OR (
      cmd LIKE '%sh -i'
-      AND NOT parent_name = 'sh'
+      AND NOT parent_name IN ('sh', 'java')
    )
    OR cmd LIKE '%socat%'
    OR cmd LIKE '%SOCK_STREAM%'
--- a/detection/execution/exotic-commands.sql
+++ b/detection/execution/exotic-commands.sql
@ -75,7 +75,7 @@ WHERE
  OR cmd LIKE '%pty.spawn%'
  OR (
    cmd LIKE '%sh -i'
-    AND NOT parent_name = 'sh'
+    AND NOT parent_name IN ('sh', 'java')
  )
  OR cmd LIKE '%socat%'
  OR cmd LIKE '%SOCK_STREAM%'
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@ -45,25 +45,29 @@ WHERE
    '/opt/google/chrome/chrome',
    '/opt/google/chrome/chrome_crashpad_handler',
    '/opt/google/chrome/nacl_helper',
+    '/opt/Lens/chrome_crashpad_handler',
+    '/opt/Lens/lens',
+    '/opt/sublime_text/sublime_text',
+    '/usr/bin/alacritty',
    '/usr/bin/bash',
    '/usr/bin/cargo',
-    '/usr/bin/kbfsfuse',
    '/usr/bin/containerd',
    '/usr/bin/containerd-shim-runc-v2',
+    '/usr/bin/docker',
    '/usr/bin/dockerd',
-    '/usr/bin/keybase',
-    'usr/bin/keybase-redirector',
    '/usr/bin/docker-proxy',
-    '/opt/Lens/chrome_crashpad_handler',
    '/usr/bin/gedit',
    '/usr/bin/gnome-keyring-daemon',
+    '/usr/bin/kbfsfuse',
+    '/usr/bin/keybase',
+    'usr/bin/keybase-redirector',
+    '/usr/bin/nm-applet',
    '/usr/bin/obs',
    '/usr/bin/pavucontrol',
    '/usr/bin/pipewire',
    '/usr/bin/rpi-imager',
    '/usr/bin/tailscaled',
    '/usr/bin/udevadm',
-    '/opt/sublime_text/sublime_text',
    '/usr/bin/wpa_supplicant',
    '/usr/lib64/firefox/firefox',
    '/usr/lib64/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
@ -73,38 +77,35 @@ WHERE
    '/usr/libexec/fwupd/fwupd',
    '/usr/libexec/snapd/snapd',
    '/usr/libexec/sssd/sssd_kcm',
-    '/usr/bin/nm-applet',
-    '/usr/share/code/chrome_crashpad_handler',
    '/usr/lib/fwupd/fwupd',
    '/usr/lib/gdm',
    '/usr/lib/gdm-session-worker',
    '/usr/lib/gdm-x-session',
    '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
-    '/usr/lib/polkit-1/polkitd',
    '/usr/lib/libreoffice/program/oosplash',
+    '/usr/lib/libreoffice/program/soffice.bin',
+    '/usr/lib/polkit-1/polkitd',
    '/usr/lib/slack/chrome_crashpad_handler',
-    '/usr/share/code/code',
    '/usr/lib/slack/slack',
-    '/opt/Lens/lens',
    '/usr/lib/snapd/snapd',
    '/usr/lib/systemd/systemd',
    '/usr/lib/systemd/systemd-journald',
-    '/usr/bin/docker',
-    '/usr/local/bin/kind',
    '/usr/lib/systemd/systemd-logind',
-    '/usr/lib/libreoffice/program/soffice.bin',
-    '/usr/lib/libreoffice/program/oosplash',
    '/usr/lib/systemd/systemd-oomd',
    '/usr/lib/systemd/systemd-resolved',
    '/usr/lib/systemd/systemd-timesyncd',
    '/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
    '/usr/lib/xf86-video-intel-backlight-helper',
+    '/usr/local/bin/kind',
    '/usr/sbin/chronyd',
    '/usr/sbin/cupsd',
    '/usr/sbin/tailscaled',
-    '/usr/share/spotify-client/spotify'
+    '/usr/share/code/chrome_crashpad_handler',
+    '/usr/share/code/code',
+    '/usr/share/spotify-client/spotify',
+    '/usr/share/teams/team'
  )
-  AND NOT p.path LIKE '%-go-build%'
+  AND NOT p.path LIKE '/tmp/go-build%'
  AND NOT p.path LIKE '/home/%/bin/%'
  AND NOT p.path LIKE '/home/%/terraform-provider-%'
  AND NOT p.path LIKE '/home/%/%.test'
--- a/detection/execution/tiny-executable-events.sql
+++ b/detection/execution/tiny-executable-events.sql
@ -38,6 +38,7 @@ WHERE
  AND p.path NOT LIKE '%.sh'
  AND p.path NOT LIKE '%.py'
  AND p.path NOT LIKE '%.rb'
+  AND p.path != '/sbin/ldconfig'
  AND NOT (
    p.path LIKE '/Users/%'
    AND magic.data LIKE 'POSIX shell script%'