From f72e6424c0717a7a8d310a1d61423bc8ca6e743c Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 16 Feb 2024 17:21:00 -0500
Subject: [PATCH] Run reformat

---
 detection/c2/unexpected-talker-events.sql | 4 +-
 detection/c2/unexpected-talkers-macos.sql | 2 +-
 .../excess-google-drive-downloads-macos.sql | 10 +-
 .../collection/high-disk-bytes-written.sql | 10 +-
 .../discovery/unexpected-pcap-user-macos.sql | 12 ++-
 detection/evasion/missing-from-disk-linux.sql | 6 +-
 .../parent-missing-from-disk-linux.sql | 8 +-
 .../parent-pid-missing-from-procfs.sql | 15 ++-
 .../unexpected-alf-exceptions-macos.sql | 9 +-
 .../unexpected-hidden-system-paths.sql | 1 -
 .../evasion/unusual-executable-name-linux.sql | 2 +-
 detection/execution/sketchy-fetcher.sql | 2 +-
 detection/execution/tiny-executable.sql | 5 +-
 .../unexpected-executable-permissions.sql | 2 +-
 .../sketchy-mounted-diskimage.sql | 4 +-
 .../yara-recently-downloaded-miner.sql | 2 +-
 .../yara-recently-downloaded-ransom.sql | 2 +-
 ...ara-recently-downloaded-rust-http-exec.sql | 2 +-
 .../yara-recently-downloaded-stealer.sql | 2 +-
 .../yara-recently-downloaded-upx.sql | 2 +-
 detection/persistence/low-fd-socket.sql | 91 ++++++++--------
 .../minimal-socket-client-linux.sql | 102 ++++++++++--------
 .../unexpected-chrome-extensions.sql | 22 ++--
 .../unexpected-listening-port-macos.sql | 4 +-
 incident_response/file_events.sql | 9 +-
 incident_response/files-downloads.sql | 2 +-
 incident_response/files-recently-written.sql | 88 +++++++--------
 incident_response/socket_events.sql | 3 +-
 policy/unexpected-rsa-keys.sql | 4 +-
 29 files changed, 233 insertions(+), 194 deletions(-)

diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index 06ef34e..768c4ea 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -110,7 +110,7 @@ WHERE '/opt/spotify', '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin' ) - AND NOT exception_key IN ( + AND NOT exception_key IN ( '0,velociraptor,velociraptor,500u,80g', '500,0,110,syncthing', '500,0,123,sntp', @@ -303,7 +303,7 @@ WHERE '500,99,443,Slack Helper', '500,99,443,Slack', '500,99,53,Slack Helper' - ) + ) AND NOT exception_key LIKE '500,500,443,terraform%' AND NOT exception_key LIKE '500,500,32768,terraform-provider-%' AND NOT exception_key LIKE '500,500,2304,terraform%' diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index 1a40e69..d277e59 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql @@ -186,7 +186,7 @@ WHERE '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream', '500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper', '500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird' - ) -- Useful for unsigned binaries + ) -- Useful for unsigned binaries AND NOT alt_exception_key IN ( '0,6,80,tailscaled,tailscaled,500u,80g', '500,6,22,ssh,ssh,0u,500g', diff --git a/detection/collection/excess-google-drive-downloads-macos.sql b/detection/collection/excess-google-drive-downloads-macos.sql index 568cb55..d987dc3 100644 --- a/detection/collection/excess-google-drive-downloads-macos.sql +++ b/detection/collection/excess-google-drive-downloads-macos.sql 
@@ -20,9 +20,11 @@ WHERE -- this does it the slow way. AND ea.value LIKE "https://doc-%googleusercontent.com%" -- this seems excessive, but I was having issues with kMDItemFSCreationDate not filtering appropriately - AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -86400) + AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -86400) -- Common, low-risk for exfil AND file.filename NOT LIKE '%.csv' --- "GROUP BY" should be unnecessary, but Kolide seems to require it -GROUP BY ea.key -HAVING num_downloads > 8 \ No newline at end of file + -- "GROUP BY" should be unnecessary, but Kolide seems to require it +GROUP BY + ea.key +HAVING + num_downloads > 8 diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql index a0c243a..7867651 100644 --- a/detection/collection/high-disk-bytes-written.sql +++ b/detection/collection/high-disk-bytes-written.sql @@ -52,7 +52,6 @@ WHERE AND p0.pid > 2 AND p0.parent != 2 AND p0.path NOT IN ( - '/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup', '/bin-busybox', '/bin/bash', @@ -92,7 +91,7 @@ WHERE '/usr/libexec/sharingd', '/usr/sbin/screencapture', '/usr/share/spotify-client/spotify' - ) + ) AND NOT ( p0.name LIKE 'jbd%/dm-%' AND p0.on_disk = -1 @@ -125,7 +124,7 @@ WHERE p0.name = 'aptd' AND p0.cmdline = '/usr/bin/python3 /usr/sbin/aptd' ) - AND NOT p0.name IN ( + AND NOT p0.name IN ( 'Cisco WebEx Start', 'Install', 'baloo_file_extr', @@ -188,7 +187,7 @@ WHERE 'wineserver', 'wolfictl', 'yum' - ) + ) AND p0.path NOT LIKE '/Applications/%.app/Contents/%' AND p0.path NOT LIKE '/home/%/.local/share/Steam' AND p0.path NOT LIKE '/nix/store/%/bin/%sh' 
@@ -200,6 +199,5 @@ WHERE AND p0.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher' AND NOT p0.cmdline LIKE '%/lib/gcloud.py components update' AND NOT p0.cmdline LIKE '%/gsutil %rsync%' - AND NOT p0.cmdline LIKE '%brew.rb upgrade' + AND NOT p0.cmdline LIKE '%brew.rb upgrade' AND NOT p0.cgroup_path LIKE '/system.slice/docker-%' - \ No newline at end of file diff --git a/detection/discovery/unexpected-pcap-user-macos.sql b/detection/discovery/unexpected-pcap-user-macos.sql index e470733..1df872f 100644 --- a/detection/discovery/unexpected-pcap-user-macos.sql +++ b/detection/discovery/unexpected-pcap-user-macos.sql @@ -40,7 +40,11 @@ FROM LEFT JOIN hash p2_hash ON p2.path = p2_hash.path WHERE p0.pid IN ( - SELECT pid FROM processes WHERE + SELECT + pid + FROM + processes + WHERE euid = 0 AND path NOT LIKE '/System/%' AND path NOT LIKE '/Library/Apple/%' @@ -56,9 +60,11 @@ WHERE AND path NOT LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet' AND path NOT LIKE '/usr/local/Cellar/htop/%/bin/htop' AND path NOT LIKE '/opt/homebrew/Cellar/btop/%/bin/btop' - AND path NOT IN ('/opt/socket_vmnet/bin/socket_vmnet', '/usr/local/sbin/velociraptor') + AND path NOT IN ( + '/opt/socket_vmnet/bin/socket_vmnet', + '/usr/local/sbin/velociraptor' + ) ) - AND pmm.path LIKE '%libpcap%' -- These are all protected directories AND NOT s.authority IN ( diff --git a/detection/evasion/missing-from-disk-linux.sql b/detection/evasion/missing-from-disk-linux.sql index e1defe5..f43815a 100644 --- a/detection/evasion/missing-from-disk-linux.sql +++ b/detection/evasion/missing-from-disk-linux.sql 
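Review bot: The second hunk of unexpected-pcap-user-macos.sql (`@@ -56,9 +60,11 @@`) removes `AND pmm.path LIKE '%libpcap%'` immediately after the `)` that closes the `p0.pid IN (...)` subquery, which is a semantic change inside a commit titled "Run reformat". The `pmm` join is above the visible context, so I cannot tell whether an equivalent libpcap predicate survives elsewhere in the file; if it does not, the query no longer requires libpcap to be mapped into the process and will report every root process outside the path allowlist, losing the pcap-specific meaning the filename promises. Either restore the line, `AND pmm.path LIKE '%libpcap%'`, directly after that `)`, or move the removal into its own commit with the reasoning in the message. The enclosing WHERE clause continues past the end of the hunk.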
@@ -49,4 +49,8 @@ WHERE -- Snap packages? AND p.path NOT LIKE '/tmp/.mount_%' AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op' - AND p.path NOT IN ('/usr/bin/python3.10', '/opt/google/chrome/nacl_helper', '/opt/Synergy/resources/synergy-tray') + AND p.path NOT IN ( + '/usr/bin/python3.10', + '/opt/google/chrome/nacl_helper', + '/opt/Synergy/resources/synergy-tray' + ) diff --git a/detection/evasion/parent-missing-from-disk-linux.sql b/detection/evasion/parent-missing-from-disk-linux.sql index 187f92e..dea74cd 100644 --- a/detection/evasion/parent-missing-from-disk-linux.sql +++ b/detection/evasion/parent-missing-from-disk-linux.sql @@ -35,13 +35,15 @@ SELECT -- Child p2.path AS p2_path, p2.cmdline AS p2_cmd, p2_hash.sha256 AS p2_sha256 -FROM processes p0 +FROM + processes p0 LEFT JOIN hash p0_hash ON p0.path = p0_hash.path LEFT JOIN processes p1 ON p0.parent = p1.pid LEFT JOIN hash p1_hash ON p1.path = p1_hash.path LEFT JOIN processes p2 ON p1.parent = p2.pid LEFT JOIN hash p2_hash ON p2.path = p2_hash.path -WHERE p1.on_disk != 1 +WHERE + p1.on_disk != 1 AND p0.on_disk = 1 AND NOT p0.pid IN (1, 2) AND NOT p1.pid IN (1, 2) -- launchd, kthreadd @@ -105,4 +107,4 @@ WHERE p1.on_disk != 1 AND NOT ( p1.name LIKE 'kworker/%+events_unbound' AND p0.name IN ('modprobe') - ) \ No newline at end of file + ) diff --git a/detection/evasion/parent-pid-missing-from-procfs.sql b/detection/evasion/parent-pid-missing-from-procfs.sql index 69e6400..733fc69 100644 --- a/detection/evasion/parent-pid-missing-from-procfs.sql +++ b/detection/evasion/parent-pid-missing-from-procfs.sql 
@@ -10,18 +10,23 @@ -- * Can by racy if child and parent exit at the right time -- -- tags: persistent daemon -SELECT p.*, +SELECT + p.*, hash.sha256, GROUP_CONCAT(DISTINCT pof.path) AS open_files -FROM processes p +FROM + processes p LEFT JOIN hash ON p.path = hash.path LEFT JOIN process_open_files pof ON p.pid = pof.pid WHERE -- Prevent false positives by avoiding short-lived commands p.start_time < (strftime('%s', 'now') -1) AND p.parent NOT IN ( - SELECT pid - FROM processes + SELECT + pid + FROM + processes ) AND p.parent != 0 AND p.parent IS NOT NULL -GROUP BY p.pid \ No newline at end of file +GROUP BY + p.pid diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql index 0110746..922df53 100644 --- a/detection/evasion/unexpected-alf-exceptions-macos.sql +++ b/detection/evasion/unexpected-alf-exceptions-macos.sql @@ -5,7 +5,8 @@ -- -- tags: persistent state filesystem -- platform: darwin -SELECT ae.path, +SELECT + ae.path, ae.state, file.mtime, file.ctime, @@ -25,7 +26,8 @@ SELECT ae.path, ',', MIN(file.uid, 501) ) AS exception_key -FROM alf_exceptions ae +FROM + alf_exceptions ae LEFT JOIN file ON ae.path = file.path LEFT JOIN hash ON ae.path = hash.path LEFT JOIN signature ON ae.path = signature.path @@ -170,4 +172,5 @@ WHERE -- Filter out stock exceptions to decrease overhead OR file.directory LIKE '/private/var/folders/%/T/go-build%/exe' ) ) -GROUP BY exception_key \ No newline at end of file +GROUP BY + exception_key diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql index d8e40cc..ccac576 100644 --- a/detection/evasion/unexpected-hidden-system-paths.sql +++ b/detection/evasion/unexpected-hidden-system-paths.sql @@ -225,5 +225,4 @@ WHERE file.path LIKE '/tmp/.ssh-%' AND file.type = "socket" AND file.mode = '0600' - ) 
diff --git a/detection/evasion/unusual-executable-name-linux.sql b/detection/evasion/unusual-executable-name-linux.sql index 5e587dd..2ca4129 100644 --- a/detection/evasion/unusual-executable-name-linux.sql +++ b/detection/evasion/unusual-executable-name-linux.sql @@ -100,4 +100,4 @@ WHERE "kactivitymanagerd", "gmenudbusmenuproxy", "irqbalance" - ) \ No newline at end of file + ) diff --git a/detection/execution/sketchy-fetcher.sql b/detection/execution/sketchy-fetcher.sql index c939db6..09e3f1e 100644 --- a/detection/execution/sketchy-fetcher.sql +++ b/detection/execution/sketchy-fetcher.sql @@ -162,4 +162,4 @@ WHERE ) -- Elastic Agent AND NOT p0.path LIKE '/Library/Elastic/Agent/%' - AND NOt p0.cmdline LIKE '%/osqueryd %' \ No newline at end of file + AND NOt p0.cmdline LIKE '%/osqueryd %' diff --git a/detection/execution/tiny-executable.sql b/detection/execution/tiny-executable.sql index a857341..6f404a1 100644 --- a/detection/execution/tiny-executable.sql +++ b/detection/execution/tiny-executable.sql @@ -32,7 +32,4 @@ WHERE AND NOT file.path LIKE '/home/%/.zsh/completion' AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%' AND NOT file.path LIKE '/home/%/.local/share/Steam/steamapps/%' - AND NOT file.path IN ( - '/', - '/usr/bin/ruby' - ) + AND NOT file.path IN ('/', '/usr/bin/ruby') diff --git a/detection/execution/unexpected-executable-permissions.sql b/detection/execution/unexpected-executable-permissions.sql index f6f62ad..53e518a 100644 --- a/detection/execution/unexpected-executable-permissions.sql +++ b/detection/execution/unexpected-executable-permissions.sql @@ -127,4 +127,4 @@ WHERE AND NOT ( p0.name = 'ShortcutDroplet' AND f.mode = '0751' - ) \ No newline at end of file + ) diff --git a/detection/initial_access/sketchy-mounted-diskimage.sql b/detection/initial_access/sketchy-mounted-diskimage.sql index be6ba8f..37a3683 100644 --- a/detection/initial_access/sketchy-mounted-diskimage.sql 
+++ b/detection/initial_access/sketchy-mounted-diskimage.sql @@ -35,8 +35,8 @@ FROM LEFT JOIN signature ON file.path = signature.path WHERE file.path IN ( - SELECT - DISTINCT file.path + SELECT DISTINCT + file.path FROM block_devices JOIN mounts ON mounts.device = block_devices.name diff --git a/detection/initial_access/yara-recently-downloaded-miner.sql b/detection/initial_access/yara-recently-downloaded-miner.sql index fccd1cc..3b799f7 100644 --- a/detection/initial_access/yara-recently-downloaded-miner.sql +++ b/detection/initial_access/yara-recently-downloaded-miner.sql @@ -37,4 +37,4 @@ WHERE condition: filesize < 10MB and 1 of them }' - AND yara.count > 0 \ No newline at end of file + AND yara.count > 0 diff --git a/detection/initial_access/yara-recently-downloaded-ransom.sql b/detection/initial_access/yara-recently-downloaded-ransom.sql index 90fbbd0..985c5aa 100644 --- a/detection/initial_access/yara-recently-downloaded-ransom.sql +++ b/detection/initial_access/yara-recently-downloaded-ransom.sql @@ -45,4 +45,4 @@ WHERE filesize < 10MB and 2 of them }' AND yara.count > 0 - AND file.path NOT LIKE "%.csv" \ No newline at end of file + AND file.path NOT LIKE "%.csv" diff --git a/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql b/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql index 9dd2ec0..a345875 100644 --- a/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql +++ b/detection/initial_access/yara-recently-downloaded-rust-http-exec.sql @@ -39,4 +39,4 @@ rule http_exec { condition: all of them }' - AND yara.count > 0 \ No newline at end of file + AND yara.count > 0 diff --git a/detection/initial_access/yara-recently-downloaded-stealer.sql b/detection/initial_access/yara-recently-downloaded-stealer.sql index b4a88ec..bc7202d 100644 --- a/detection/initial_access/yara-recently-downloaded-stealer.sql +++ b/detection/initial_access/yara-recently-downloaded-stealer.sql 
@@ -45,4 +45,4 @@ WHERE }' AND yara.count > 0 AND file.path NOT LIKE "%.csv" - AND file.filename != 'RIT_Wireless.dmg' \ No newline at end of file + AND file.filename != 'RIT_Wireless.dmg' diff --git a/detection/initial_access/yara-recently-downloaded-upx.sql b/detection/initial_access/yara-recently-downloaded-upx.sql index 64329a3..ad7247e 100644 --- a/detection/initial_access/yara-recently-downloaded-upx.sql +++ b/detection/initial_access/yara-recently-downloaded-upx.sql @@ -34,4 +34,4 @@ WHERE condition: $upx_sig in (0..1024) }' - AND yara.count > 0 \ No newline at end of file + AND yara.count > 0 diff --git a/detection/persistence/low-fd-socket.sql b/detection/persistence/low-fd-socket.sql index 9822f17..64b7e86 100644 --- a/detection/persistence/low-fd-socket.sql +++ b/detection/persistence/low-fd-socket.sql 
@@ -8,45 +8,52 @@ -- -- tags: process state -- platform: posix -SELECT pos.protocol, - pos.pid, - pos.remote_address, - pos.local_address, - pos.local_port, - pos.remote_port, - pos.state, - -- Child - p0.pid AS p0_pid, - p0.path AS p0_path, - p0.name AS p0_name, - p0.start_time AS p0_start, - p0.cmdline AS p0_cmd, - p0.cwd AS p0_cwd, - p0.cgroup_path AS p0_cgroup, - p0.euid AS p0_euid, - p0_hash.sha256 AS p0_sha256, - -- Parent - p0.parent AS p1_pid, - p1.path AS p1_path, - p1.name AS p1_name, - p1.start_time AS p1_start, - p1.euid AS p1_euid, - p1.cmdline AS p1_cmd, - p1_hash.sha256 AS p1_sha256, - -- Grandparent - p1.parent AS p2_pid, - p2.name AS p2_name, - p2.start_time AS p2_start, - p2.path AS p2_path, - p2.cmdline AS p2_cmd, - p2_hash.sha256 AS p2_sha256 -FROM process_open_sockets pos - JOIN processes p0 ON pos.pid = p0.pid - LEFT JOIN hash p0_hash ON p0.path = p0_hash.path - LEFT JOIN processes p1 ON p0.parent = p1.pid - LEFT JOIN hash p1_hash ON p1.path = p1_hash.path - LEFT JOIN processes p2 ON p1.parent = p2.pid - LEFT JOIN hash p2_hash ON p2.path = p2_hash.path -WHERE pos.fd < 3 - AND pos.family != 1 - AND p0.path NOT IN ('/usr/libexec/bootpd', '/usr/local/bin/velociraptor', '/Applications/NetSpot.app/Contents/MacOS/NetSpot') \ No newline at end of file +SELECT + pos.protocol, + pos.pid, + pos.remote_address, + pos.local_address, + pos.local_port, + pos.remote_port, + pos.state, + -- Child + p0.pid AS p0_pid, + p0.path AS p0_path, + p0.name AS p0_name, + p0.start_time AS p0_start, + p0.cmdline AS p0_cmd, + p0.cwd AS p0_cwd, + p0.cgroup_path AS p0_cgroup, + p0.euid AS p0_euid, + p0_hash.sha256 AS p0_sha256, + -- Parent + p0.parent AS p1_pid, + p1.path AS p1_path, + p1.name AS p1_name, + p1.start_time AS p1_start, + p1.euid AS p1_euid, + p1.cmdline AS p1_cmd, + p1_hash.sha256 AS p1_sha256, + -- Grandparent + p1.parent AS p2_pid, + p2.name AS p2_name, + p2.start_time AS p2_start, + p2.path AS p2_path, + p2.cmdline AS p2_cmd, + p2_hash.sha256 AS p2_sha256 
+FROM + process_open_sockets pos + JOIN processes p0 ON pos.pid = p0.pid + LEFT JOIN hash p0_hash ON p0.path = p0_hash.path + LEFT JOIN processes p1 ON p0.parent = p1.pid + LEFT JOIN hash p1_hash ON p1.path = p1_hash.path + LEFT JOIN processes p2 ON p1.parent = p2.pid + LEFT JOIN hash p2_hash ON p2.path = p2_hash.path +WHERE + pos.fd < 3 + AND pos.family != 1 + AND p0.path NOT IN ( + '/usr/libexec/bootpd', + '/usr/local/bin/velociraptor', + '/Applications/NetSpot.app/Contents/MacOS/NetSpot' + ) diff --git a/detection/persistence/minimal-socket-client-linux.sql b/detection/persistence/minimal-socket-client-linux.sql index b6c54c3..bcb1a44 100644 --- a/detection/persistence/minimal-socket-client-linux.sql +++ b/detection/persistence/minimal-socket-client-linux.sql 
@@ -8,49 +8,59 @@ -- -- tags: persistent process state seldom -- platform: linux -SELECT pos.protocol, - pos.pid, - pos.remote_address, - pos.local_address, - pos.local_port, - pos.remote_port, - pos.state, - GROUP_CONCAT(DISTINCT pmm.path) AS libs, - COUNT(DISTINCT pmm.path) AS lib_count, - -- Child - p0.pid AS p0_pid, - p0.path AS p0_path, - p0.name AS p0_name, - p0.start_time AS p0_start, - p0.cmdline AS p0_cmd, - p0.cwd AS p0_cwd, - p0.cgroup_path AS p0_cgroup, - p0.euid AS p0_euid, - p0_hash.sha256 AS p0_sha256 -FROM processes p0 - JOIN process_open_sockets pos ON p0.pid = pos.pid - JOIN process_memory_map pmm ON p0.pid = pmm.pid - LEFT JOIN hash p0_hash ON p0.path = p0_hash.path -WHERE p0.path != '' -- optimization: focus on longer running processes - AND p0.start_time < (strftime('%s', 'now') - 900) - AND p0.path NOT IN ( - '/usr/bin/containerd', - '/usr/bin/fusermount3', - '/usr/sbin/acpid', - '/usr/bin/dash', - '/usr/bin/docker', - '/usr/sbin/mcelog', - '/usr/libexec/docker/docker-proxy', - '/usr/bin/docker-proxy', - '/usr/bin/cat', - '/usr/lib/electron/chrome-sandbox', - '/usr/bin/i3blocks' - ) - AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'stern', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path - AND p0.path NOT LIKE '/home/%/go/bin/%' - AND pos.family != 1 - AND pos.pid > 0 - AND pos.state != 'LISTEN' - AND pmm.path LIKE "%.so.%" -GROUP BY pos.pid -- libc.so, ld-linux -HAVING lib_count IN (1, 2) \ No newline at end of file +SELECT + pos.protocol, + pos.pid, + pos.remote_address, + pos.local_address, + pos.local_port, + pos.remote_port, + pos.state, + GROUP_CONCAT(DISTINCT pmm.path) AS libs, + COUNT(DISTINCT pmm.path) AS lib_count, + -- Child + p0.pid AS p0_pid, + p0.path AS p0_path, + p0.name AS p0_name, + p0.start_time AS p0_start, + p0.cmdline AS p0_cmd, + p0.cwd AS p0_cwd, + p0.cgroup_path AS p0_cgroup, + p0.euid AS p0_euid, + p0_hash.sha256 AS p0_sha256 +FROM + processes p0 + JOIN process_open_sockets 
pos ON p0.pid = pos.pid + JOIN process_memory_map pmm ON p0.pid = pmm.pid + LEFT JOIN hash p0_hash ON p0.path = p0_hash.path +WHERE + p0.path != '' -- optimization: focus on longer running processes + AND p0.start_time < (strftime('%s', 'now') - 900) + AND p0.path NOT IN ( + '/usr/bin/containerd', + '/usr/bin/fusermount3', + '/usr/sbin/acpid', + '/usr/bin/dash', + '/usr/bin/docker', + '/usr/sbin/mcelog', + '/usr/libexec/docker/docker-proxy', + '/usr/bin/docker-proxy', + '/usr/bin/cat', + '/usr/lib/electron/chrome-sandbox', + '/usr/bin/i3blocks' + ) + AND p0.name NOT IN ( + 'chrome_crashpad', + 'dhcpcd', + 'stern', + 'Brackets-node' + ) -- optimization: minimalistic daemons typically only run 1 pid per path + AND p0.path NOT LIKE '/home/%/go/bin/%' + AND pos.family != 1 + AND pos.pid > 0 + AND pos.state != 'LISTEN' + AND pmm.path LIKE "%.so.%" +GROUP BY + pos.pid -- libc.so, ld-linux +HAVING + lib_count IN (1, 2) diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql index 1729fc1..cff9840 100644 --- a/detection/persistence/unexpected-chrome-extensions.sql +++ b/detection/persistence/unexpected-chrome-extensions.sql @@ -74,7 +74,6 @@ WHERE ) ) AND NOT exception_key IN ( - "true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk", 'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop', 'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd', 
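Review bot: After the reflow, the trailing comments in the WHERE and GROUP BY sections no longer sit next to the predicate they explain: `-- optimization: focus on longer running processes` is attached to `p0.path != ''` but describes the `p0.start_time < (strftime('%s', 'now') - 900)` filter on the following line, and `-- libc.so, ld-linux` hangs off `pos.pid` under GROUP BY while it explains `lib_count IN (1, 2)` under HAVING. Since every clause now has its own line, put each comment on its own line directly above the predicate it refers to, e.g. `-- optimization: focus on longer running processes` above `AND p0.start_time < …` and `-- libc.so, ld-linux` above `lib_count IN (1, 2)`. The same probably applies to `-- optimization: minimalistic daemons typically only run 1 pid per path`, which now lands on the `)` closing the name list rather than on whichever predicate it was written for.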
@@ -125,16 +124,16 @@ WHERE 'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep', 'true,,Extensity,jjmflmamggggndanpgfnpelongoepncg', 'true,,Facebook Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc', - 'true,,Fake Filler,bnjjngeaknajbdcgpfkgnonkmififhfo', + 'true,,Fake Filler,bnjjngeaknajbdcgpfkgnonkmififhfo', 'true,,Fakespot Fake Amazon Reviews and eBay Sellers,nakplnnackehceedgkgkokbgbmfghain', 'true,,FoxyProxy Basic,dookpfaalaaappcdneeahomimbllocnb', 'true,,Free Maps Ruler,ejpahoknghmacibohhgleeacndkglgmo', 'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec', 'true,,GitHub Red Alert,kmiekjkmkbhbnlempjkaombjjcfhdnfe', 'true,,Github Absolute Dates,iepecohjelcmdnahbddleblfphbaheno', - 'true,,Gmail™ Email Templates by cloudHQ,llccdnmbipddnkhmldacpcjjcnljpoij', - 'true,,GoToMeeting for Google Calendar,gaonpiemcjiihedemhopdoefaohcjoch', - 'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd', + 'true,,Gmail™ Email Templates by cloudHQ,llccdnmbipddnkhmldacpcjjcnljpoij', + 'true,,GoToMeeting for Google Calendar,gaonpiemcjiihedemhopdoefaohcjoch', + 'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd', 'true,,Google Analytics Parameter Stripper,jbgedkkfkohoehhkknnmlodlobbhafge', 'true,,Google Docs Offline,ghbmnnjooekpmoecnnnilnnbdlolhkhi', 'true,,Google Drive,apdfllckaahabafndbhieahigkjlhalf', 
@@ -144,12 +143,9 @@ WHERE 'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff', 'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci', 'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb', -<<<<<<< HEAD - 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen', -======= - 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen', ->>>>>>> main - 'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen', + << << << < HEAD 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen', + == == == = 'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen', + >> >> >> > main 'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen', 'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen', 'true,,Gravit Designer,pdagghjnpkeagmlbilmjmclfhjeaapaa', 'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp', 
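Review bot: The new side from `<< << << < HEAD 'true,,Grammarly: AI Writing and Grammar Checker App,…'` through `>> >> >> > main …` is not SQL: the formatter appears to have tokenized the unresolved `<<<<<<< HEAD` / `=======` / `>>>>>>> main` merge-conflict markers the old file still carried, so the `exception_key IN (...)` list, and with it the whole unexpected-chrome-extensions query, will fail to parse. Both conflict sides are the identical entry, so the resolution is to delete the three marker lines and keep a single `'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',`. Because a parse error means this detection silently stops producing results rather than alerting, it is worth adding a parse check (or a conflict-marker grep) to the lint step so a reformat cannot reflow markers into the query again. The `AND NOT exception_key IN (` list starts and ends outside this hunk.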
@@ -226,13 +222,13 @@ WHERE 'true,,TickTick - Todo & Task List,diankknpkndanachmlckaikddgcehkod', 'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh', 'true,,Todoist for Gmail,clgenfnodoocmhnlnpknojdbjjnmecff', - 'true,,Trend Micro Ad Blocker: Powerful Ad Blocker,pmekfefnodgilnnjcfkkdjlebokonhpm', + 'true,,Trend Micro Ad Blocker: Powerful Ad Blocker,pmekfefnodgilnnjcfkkdjlebokonhpm', 'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf', 'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig', 'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng', 'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg', 'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki', - 'true,,Vidyard - Webcam & Screen Recorder for Sales,jiihcciniecimeajcniapbngjjbonjan', + 'true,,Vidyard - Webcam & Screen Recorder for Sales,jiihcciniecimeajcniapbngjjbonjan', 'true,,VidyoWebConnector,mmedphfiemffkinodeemalghecnicmnh', 'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke', 'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb', diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql index c227fc6..2b69a67 100644 --- a/detection/persistence/unexpected-listening-port-macos.sql +++ b/detection/persistence/unexpected-listening-port-macos.sql @@ -150,8 +150,8 @@ WHERE '7000,6,500,ControlCenter,Software Signing', '7265,6,500,Raycast,Developer ID Application: Raycast Technologies Inc (SY64MV22J9)', '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)', - '80,6,500,limactl,', - '8055,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)', + '80,6,500,limactl,', + '8055,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)', '111,17,1,rpcbind,Software Signing', '111,6,1,rpcbind,Software Signing', '3492,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)', 
diff --git a/incident_response/file_events.sql b/incident_response/file_events.sql index caefc55..319e677 100644 --- a/incident_response/file_events.sql +++ b/incident_response/file_events.sql @@ -3,6 +3,9 @@ -- tags: postmortem -- platform: posix -- interval: 900 -SELECT * -FROM file_events -WHERE time > (strftime('%s', 'now') -900) \ No newline at end of file +SELECT + * +FROM + file_events +WHERE + time > (strftime('%s', 'now') -900) diff --git a/incident_response/files-downloads.sql b/incident_response/files-downloads.sql index f07db23..835db01 100644 --- a/incident_response/files-downloads.sql +++ b/incident_response/files-downloads.sql @@ -20,4 +20,4 @@ WHERE mtime > (strftime('%s', 'now') -3600) OR ctime > (strftime('%s', 'now') -3600) OR btime > (strftime('%s', 'now') -3600) - ) \ No newline at end of file + ) diff --git a/incident_response/files-recently-written.sql b/incident_response/files-recently-written.sql index fef8988..ba9e955 100644 --- a/incident_response/files-recently-written.sql +++ b/incident_response/files-recently-written.sql 
@@ -3,46 +3,50 @@ -- tags: postmortem -- platform: posix -- interval: 3600 -SELECT * -FROM file -WHERE ( - path LIKE "/var/tmp/%" - OR path LIKE "/var/tmp/%/%" - OR path LIKE "/Applications/%" - OR path LIKE "/Applications/%/%" - OR path LIKE "/home/%/%" - OR path LIKE "/home/%/.%/%" - OR path LIKE "/home/%/.%/%/%" - OR path LIKE "/home/%/.config/%" - OR path LIKE "/home/%/.config/%/%" - OR path LIKE "/Library/%/%" - OR path LIKE "/Library/.%" - OR path LIKE "/Library/Application Support/%" - OR path LIKE "/Library/Application Support/.%" - OR path LIKE "/tmp/%" - OR path LIKE "/tmp/%/%" - OR path LIKE "/tmp/.%/%%" - OR path LIKE "/Users/%/%" - OR path LIKE "/Users/%/%/%" - OR path LIKE "/Users/%/.%/%" - OR path LIKE "/Users/%/.%/%/%" - OR path LIKE "/Users/Library/%" - OR path LIKE "/Users/Library/%/%" - OR path LIKE "/Users/Library/.%" - OR path LIKE "/Users/Library/Application Support/%" - OR path LIKE "/Users/Library/Application Support/%/%" - OR path LIKE "/Users/Library/Application Support/.%" - OR path LIKE "/var/%" - OR path LIKE "/var/%/%" +SELECT + * +FROM + file +WHERE + ( + path LIKE "/var/tmp/%" + OR path LIKE "/var/tmp/%/%" + OR path LIKE "/Applications/%" + OR path LIKE "/Applications/%/%" + OR path LIKE "/home/%/%" + OR path LIKE "/home/%/.%/%" + OR path LIKE "/home/%/.%/%/%" + OR path LIKE "/home/%/.config/%" + OR path LIKE "/home/%/.config/%/%" + OR path LIKE "/Library/%/%" + OR path LIKE "/Library/.%" + OR path LIKE "/Library/Application Support/%" + OR path LIKE "/Library/Application Support/.%" + OR path LIKE "/tmp/%" + OR path LIKE "/tmp/%/%" + OR path LIKE "/tmp/.%/%%" + OR path LIKE "/Users/%/%" + OR path LIKE "/Users/%/%/%" + OR path LIKE "/Users/%/.%/%" + OR path LIKE "/Users/%/.%/%/%" + OR path LIKE "/Users/Library/%" + OR path LIKE "/Users/Library/%/%" + OR path LIKE "/Users/Library/.%" + OR path LIKE "/Users/Library/Application Support/%" + OR path LIKE "/Users/Library/Application Support/%/%" + OR path LIKE "/Users/Library/Application 
Support/.%" + OR path LIKE "/var/%" + OR path LIKE "/var/%/%" + ) + AND ( + mtime > (strftime('%s', 'now') -3600) + OR ( + atime > (strftime('%s', 'now') -3600) + AND file.type = "regular" ) - AND ( - mtime > (strftime('%s', 'now') -3600) - OR ( - atime > (strftime('%s', 'now') -3600) - AND file.type = "regular" - ) - OR ctime > (strftime('%s', 'now') -3600) - OR btime > (strftime('%s', 'now') -3600) - ) - AND NOT path LIKE "%/../%" -GROUP BY inode; \ No newline at end of file + OR ctime > (strftime('%s', 'now') -3600) + OR btime > (strftime('%s', 'now') -3600) + ) + AND NOT path LIKE "%/../%" +GROUP BY + inode; diff --git a/incident_response/socket_events.sql b/incident_response/socket_events.sql index 557d224..4d65a02 100644 --- a/incident_response/socket_events.sql +++ b/incident_response/socket_events.sql @@ -7,4 +7,5 @@ SELECT * FROM socket_events -WHERE time > (strftime('%s', 'now') -600) +WHERE + time > (strftime('%s', 'now') -600) diff --git a/policy/unexpected-rsa-keys.sql b/policy/unexpected-rsa-keys.sql index 71840be..def8750 100644 --- a/policy/unexpected-rsa-keys.sql +++ b/policy/unexpected-rsa-keys.sql @@ -47,4 +47,6 @@ WHERE AND NOT INSTR(file.filename, 'melange.rsa') > 0 AND NOT INSTR(file.filename, 'local-melange-enterprise.rsa') > 0 -- Demo keys - AND NOT sha256 IN ('a68b29401730a9c5f3e06099f6703a43797ee5c6ad6c741961c6eb8ab39786de') + AND NOT sha256 IN ( + 'a68b29401730a9c5f3e06099f6703a43797ee5c6ad6c741961c6eb8ab39786de' + )