From f73263beceb330b0e9dbaab4346973d1ded603c5 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 26 Sep 2023 15:14:38 -0400
Subject: [PATCH] fpr: docker, fish, Stream Deck, rsync, lima, macOS
---
 detection/c2/unexpected-dns-traffic-events.sql | 1 +
 detection/c2/unexpected-https-linux.sql | 1 +
 detection/c2/unexpected-talker-events.sql | 15 +++++++++++++++
 detection/c2/unexpected-talkers-linux.sql | 9 ++++++++-
 detection/evasion/hidden-cwd-events-linux.sql | 2 ++
 .../evasion/unexpected-user-shared-entries.sql | 1 +
 detection/evasion/unusual-process-name-linux.sql | 1 +
 detection/execution/exotic-commands-macos.sql | 2 +-
 detection/exfil/high_disk_bytes_read.sql | 2 ++
 .../yara-unexpected-rust-http-exec-process.sql | 1 +
 .../unexpected-diskimage-source-macos.sql | 1 +
 .../persistence/minimal-socket-client-linux.sql | 3 ++-
 .../unexpected-launchd-program-macos.sql | 1 +
 .../unexpected-listening-port-macos.sql | 1 +
 .../persistence/unexpected-uid0-daemon-linux.sql | 1 +
 .../yara-suspicious-strings-process-linux.sql | 8 +++++++-
 16 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 8f53c16..0a15438 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -79,6 +79,7 @@ WHERE
 'ZaloCall,8.8.8.8,53',
 'Telegram,8.8.8.8,53',
 'Meeting Center,8.8.8.8,53',
+ 'limactl,8.8.8.8,53',
 'signal-desktop,8.8.8.8,53',
 'slack,8.8.8.8,53',
 'EpicWebHelper,8.8.4.4,53',
diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
index 72c16dd..fbaa85d 100644
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@@ -172,6 +172,7 @@ WHERE
 '500,git,0u,0g,git',
 '500,git-remote-http,0u,0g,git-remote-http',
 '500,git-remote-http,u,g,git-remote-http',
+ '500,com.docker.backend,0u,0g,com.docker.back',
 '500,gitsign,0u,0g,gitsign',
 '500,gitsign,500u,0g,gitsign',
 '500,gitsign,500u,500g,gitsign',
diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index 0c15b60..9936617 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -100,7 +100,9 @@ WHERE
 )
 AND NOT exception_key IN (
 '500,0,123,sntp',
+ '500,0,443,com.google.one.NetworkExtension',
 '500,0,22,ssh',
+ '500,0,443,com.apple.NRD.UpdateBrainService',
 '500,0,31488,sntp',
 '500,0,32768,ksfetch',
 '500,0,32768,syncthing',
@@ -132,14 +134,25 @@ WHERE
 '500,500,32768,cloud-sql-proxy',
 '500,500,32768,ksfetch',
 '500,500,4318,Code Helper (Plugin)',
+ '500,500,80,Code Helper (Plugin)',
 '500,500,443,aws',
 '500,500,443,cloud_sql_proxy',
 '500,500,443,Code Helper (Plugin)',
 '500,500,443,Code Helper',
+ '500,500,443,grype',
 '500,500,443,copilot-agent-macos-arm64',
 '500,500,443,Electron',
+ '500,500,443,chainctl',
+ '500,0,80,http',
+ '500,500,443,figma_agent',
+ '500,0,443,fwupdmgr',
+ '500,500,443,GitX',
+ '500,0,110,syncthing',
+ '500,500,80,Code Helper (Plugin)',
+ '500,500,80,ksfetch',
 '500,500,443,gitsign',
 '500,500,443,go',
+ '500,0,443,OneDriveStandaloneUpdater',
 '500,500,443,ksfetch',
 '500,500,443,node',
 '500,500,443,old',
@@ -148,6 +161,8 @@ WHERE
 '500,500,80,copilot-agent-macos-arm64',
 '500,500,80,node'
 )
+ AND NOT exception_key LIKE '500,500,443,terraform%'
+ AND NOT exception_key LIKE '500,0,%,chrome'
 AND NOT (
 basename = "Python"
 AND (
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index c6ff483..7856be7 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
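Review bot: The last field of the new key `'500,com.docker.backend,0u,0g,com.docker.back'` is cut to 15 characters while the second field carries the full name, and nothing in the hunk says why; the existing `.tailscaled-wra` key in unexpected-uid0-daemon-linux.sql elsewhere in this commit shows the same 15-character shape, which presumably is the kernel's process-comm limit rather than a typo. A maintainer who "fixes" the spelling would silently disable the exception, so a trailing comment is worth the line: `'500,com.docker.backend,0u,0g,com.docker.back', -- last field is the 15-char kernel comm, not a typo`. The IN list this key belongs to starts and ends outside the hunk.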
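Review bot: `'500,500,80,Code Helper (Plugin)'` is added twice in the `@@ -132,14 +134,25 @@` hunk, once after the `4318` entry and again after `'500,0,110,syncthing'`. The duplicate does not change what the IN predicate matches, but it makes the list harder to audit and suggests the new entries were appended rather than merged into the existing port groupings. Drop one of the two lines; keeping entries grouped by port, as the older lines are, would have made the repeat visible. The enclosing IN list starts and ends outside the hunk.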
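Review bot: In the `@@ -148,6 +161,8 @@` hunk, `AND NOT exception_key LIKE '500,0,%,chrome'` wildcards the field that holds the remote port in every other key (`'500,0,123,sntp'`, `'500,0,22,ssh'`), and `'500,500,443,terraform%'` exempts any process name with that prefix; both are much wider than the exact keys this list otherwise uses, and the key carries only the name, not a path or signer. If the intent is Chrome's ordinary web ports, exact entries inside the IN list such as `'500,0,80,chrome', '500,0,443,chrome'` keep the exception auditable, and a comment naming which terraform provider binaries the prefix is meant to cover would justify the LIKE. The WHERE clause continues outside the hunk.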
@@ -237,10 +237,17 @@ WHERE
 AND s.protocol = 6
 AND p.euid > 500
 )
+ AND NOT (
+ p.name = 'ruby'
+ AND p.cmdline LIKE '%fluentd%'
+ AND s.remote_port > 1024
+ AND s.protocol = 6
+ AND p.euid > 500
+ )
 AND NOT (
 p.name = 'java'
 AND p.cmdline LIKE '/home/%/PhpStorm%'
- AND s.remote_port > 1024
+ AND s.remote_port > 79
 AND s.protocol = 6
 AND p.euid > 500
 )
diff --git a/detection/evasion/hidden-cwd-events-linux.sql b/detection/evasion/hidden-cwd-events-linux.sql
index 1d1a902..64aa588 100644
--- a/detection/evasion/hidden-cwd-events-linux.sql
+++ b/detection/evasion/hidden-cwd-events-linux.sql
@@ -71,6 +71,8 @@ WHERE
 )
 OR exception_key LIKE '%sh,~/.Trash'
 )
+ AND NOT pe.cwd LIKE '%/build/%'
+ AND NOT pe.cwd LIKE '%/out/%'
 GROUP BY
 p.cmdline,
 p.cwd;
\ No newline at end of file
diff --git a/detection/evasion/unexpected-user-shared-entries.sql b/detection/evasion/unexpected-user-shared-entries.sql
index b901e9a..3ad59d7 100644
--- a/detection/evasion/unexpected-user-shared-entries.sql
+++ b/detection/evasion/unexpected-user-shared-entries.sql
@@ -79,6 +79,7 @@ WHERE
 '/Users/Shared/Relocated Items',
 '/Users/Shared/TechSmith'
 )
+ OR file.path LIKE '/Users/Shared/Epic Games/%'
 OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"
 OR (
 file.path LIKE "%.plist"
diff --git a/detection/evasion/unusual-process-name-linux.sql b/detection/evasion/unusual-process-name-linux.sql
index 1165dbe..edbcfc8 100644
--- a/detection/evasion/unusual-process-name-linux.sql
+++ b/detection/evasion/unusual-process-name-linux.sql
@@ -94,6 +94,7 @@ WHERE
 "xdg-permission-store",
 "xdg-desktop-portal",
 "xdg-document-portal",
+ 'udevadm',
 "xdg-desktop-portal-gnome",
 "xdg-desktop-portal-gtk",
 "nm-applet",
diff --git a/detection/execution/exotic-commands-macos.sql b/detection/execution/exotic-commands-macos.sql
index e0cbcad..387e0b9 100644
--- a/detection/execution/exotic-commands-macos.sql
+++ b/detection/execution/exotic-commands-macos.sql
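Review bot: The new ruby exception keys on `p.cmdline LIKE '%fluentd%'`, a substring match anywhere in the command line, so any ruby process with that word in any argument is exempted from the talker check regardless of which script it runs; the java exception just below at least anchors on a path prefix. Anchoring on the executable position, e.g. `AND p.cmdline LIKE '%/fluentd %'`, or adding a constraint on `p.path`, keeps the exemption specific to the fluentd binary. In the same hunk the PhpStorm exception's port floor drops from `> 1024` to `> 79`, which now admits 80 and 443; a one-line comment on why would help the next reader. The WHERE clause starts and ends outside the hunk.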
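Review bot: In the hidden-cwd-events-linux hunk, `AND NOT pe.cwd LIKE '%/build/%'` and `AND NOT pe.cwd LIKE '%/out/%'` are ANDed after the whole hidden-directory logic, so any hidden cwd whose path contains a `/build/` or `/out/` component anywhere is dropped from an evasion detection, not only the compiler output trees they are presumably meant for. Anchoring the pattern to the build roots actually observed (a leading path prefix rather than a bare `%/build/%`) and recording the triggering tool in a trailing comment would keep the blind spot bounded and reviewable. The `\ No newline at end of file` marker shows the file still ends without a trailing newline; adding one is a cheap tidy-up. The WHERE clause starts outside the hunk.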
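Review bot: `OR file.path LIKE '/Users/Shared/Epic Games/%'` in the unexpected-user-shared-entries hunk is single-quoted while the neighbouring predicates use double-quoted strings, and `'udevadm'` in the unusual-process-name-linux hunk is inserted into an otherwise double-quoted list. These rules appear to run on SQLite, where double-quoted text is an identifier first and only falls back to a string literal, so the single-quoted form is the safer one; the mismatch is a style point, but pick one convention per list rather than mixing within a few lines. Both IN lists start and end outside their hunks.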
@@ -95,7 +95,7 @@ WHERE
 )
 AND NOT (
 p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'
- AND p1.name LIKE 'limactl%'
+ AND p0_cmd LIKE "%lima/%"
 )
 AND NOT (
 p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 6b84f8f..7b813d3 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -106,6 +106,7 @@ WHERE
 'Safari',
 'sh',
 'plasmashell',
+ 'rsync',
 'slack',
 'spotify',
 'steam',
@@ -131,6 +132,7 @@ WHERE
 '/app/libexec/mediawriter/helper',
 '/usr/bin/darktable',
 '/usr/libexec/snapd/snapd',
+ '/usr/bin/rsync',
 '/usr/bin/dockerd',
 '/usr/bin/gnome-shell',
 '/usr/bin/teskdisk',
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
index 694acd6..036e72b 100644
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -51,6 +51,7 @@ WHERE
 AND yara.count > 0
 AND p0.name NOT IN (
 'old',
+ 'stable',
 'fig-darwin-universal',
 'wezterm-gui'
 )
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index a264c03..c764f7f 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -144,6 +144,7 @@ WHERE
 'flipperzero.one',
 'dl.google.com',
 'duckduckgo.com',
+ 'go.dev',
 'dygma.com',
 'emacsformacosx.com',
 'getkap.co',
diff --git a/detection/persistence/minimal-socket-client-linux.sql b/detection/persistence/minimal-socket-client-linux.sql
index 6e644c6..b6c54c3 100644
--- a/detection/persistence/minimal-socket-client-linux.sql
+++ b/detection/persistence/minimal-socket-client-linux.sql
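Review bot: The lima exception moves from a parent-process check (`AND p1.name LIKE 'limactl%'`) to a substring of the flagged command itself (`AND p0_cmd LIKE "%lima/%"`), so a command that disables known-hosts checking is now exempt whenever `lima/` appears anywhere in its arguments, which is a weaker tie to lima than requiring limactl as the parent. Keeping both conditions, `AND p1.name LIKE 'limactl%' AND p0_cmd LIKE '%lima/%'`, or anchoring the directory (`'%/.lima/%'`, if that is the path meant) would preserve the original strength; if the parent check was dropped because limactl is not always the direct parent, a comment saying so is worth the line. The new condition also uses double quotes where the rest of the expression uses single quotes. The WHERE clause starts and ends outside the hunk.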
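Review bot: In high_disk_bytes_read.sql, adding `'rsync'` to the name list (`@@ -106,6 +106,7 @@`) and `'/usr/bin/rsync'` to the path list (`@@ -131,6 +132,7 @@`) exempts a bulk-copy tool from a high-disk-read exfiltration rule, and the name entry does so on a field that is not tied to any particular binary. The path entry alone already covers the package-managed install; dropping the bare `'rsync'` name entry, or pairing the exemption with a condition on the process's parent or destination, keeps the rule meaningful for the case it exists to catch. Both exclusion lists start and end outside their hunks.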
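Review bot: `'stable'` in the yara-unexpected-rust-http-exec-process hunk is a very generic process name to exempt, and the list keys on `p0.name` only, so the exemption is not tied to whatever binary produced that name (presumably a Rust toolchain proxy, but the hunk does not say). A trailing comment naming the source, e.g. `'stable', -- <tool that runs under this name>`, or a path-based exclusion like the other rules in this commit use, would make the entry auditable. The NOT IN list's opening line is in the hunk but the WHERE clause starts outside it.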
@@ -46,7 +46,8 @@ WHERE p0.path != '' -- optimization: focus on longer running processes
 '/usr/lib/electron/chrome-sandbox',
 '/usr/bin/i3blocks'
 )
- AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
+ AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'stern', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
+ AND p0.path NOT LIKE '/home/%/go/bin/%'
 AND pos.family != 1
 AND pos.pid > 0
 AND pos.state != 'LISTEN'
diff --git a/detection/persistence/unexpected-launchd-program-macos.sql b/detection/persistence/unexpected-launchd-program-macos.sql
index e1578d0..784a367 100644
--- a/detection/persistence/unexpected-launchd-program-macos.sql
+++ b/detection/persistence/unexpected-launchd-program-macos.sql
@@ -34,6 +34,7 @@ WHERE
 'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
 'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
 'Developer ID Application: Docker Inc (9BNSXJN65R)',
+ 'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)',
 'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
 'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 93c04c8..d338b15 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -125,6 +125,7 @@ WHERE
 '53,6,65,mDNSResponder,Software Signing',
 '5454,6,0,xrdd,Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
 '546,17,0,configd,Software Signing',
+ '49152,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '547,17,500,dhcp6d,Software Signing',
 '5900,6,0,launchd,Software Signing',
 '5900,6,0,screensharingd,Software Signing',
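Review bot: `AND p0.path NOT LIKE '/home/%/go/bin/%'` exempts every binary under any user's go/bin from a persistence rule, and that directory is user-writable with no packaging or signing check, so it is a broad carve-out for a minimal-socket-client detection. If a specific Go tool triggered this, listing it by name the way `'stern'` is added on the line above keeps the exemption narrow, and a trailing comment (`-- <tool>, <reason>`) records why it exists. The rewritten NOT IN line also keeps its long trailing comment on an already long line; moving the comment above the predicate would read better. The WHERE clause starts and ends outside the hunk.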
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 0af96cd..43dece8 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -76,6 +76,7 @@ WHERE
 AND exception_key NOT IN (
 '(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
 'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
+ 'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755',
 'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
 '.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
 '/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
diff --git a/detection/persistence/yara-suspicious-strings-process-linux.sql b/detection/persistence/yara-suspicious-strings-process-linux.sql
index 6f26279..b848f8e 100644
--- a/detection/persistence/yara-suspicious-strings-process-linux.sql
+++ b/detection/persistence/yara-suspicious-strings-process-linux.sql
@@ -67,7 +67,7 @@ WHERE
 $avahi = "avahi-daemon:"
 $redhat4 = "Red Hat 4"
 condition:
- filesize < 10MB and 2 of them
+ filesize < 25MB and 3 of them
 }'
 AND yara.count > 0
 AND p0.name NOT IN (
@@ -88,12 +88,18 @@ WHERE
 '/usr/bin/bash',
 '/usr/bin/gnome-software',
 '/usr/bin/gpg-agent',
+ '/bin/fish',
+ '/usr/bin/fish',
 '/usr/bin/ibus-daemon',
 '/usr/bin/make',
+ '/usr/bin/docker-proxy',
 '/usr/bin/NetworkManager',
 '/usr/bin/nvidia-persistenced',
+ '/usr/lib/systemd/systemd-machined',
 '/usr/bin/pulseaudio',
 '/usr/bin/udevadm',
+ '/usr/sbin/crond',
+ '/usr/sbin/gdm',
 '/usr/bin/update-notifier',
 '/usr/bin/Xwayland',
 '/usr/lib/bluetooth/bluetoothd',
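Review bot: The new key `'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755'` exempts a root-owned `docker` process started from `/usr/local/bin` inside an interactive user slice, which is close to the combination this rule exists to surface: a uid-0 process that is neither a system unit nor a package-managed path. If this is a known host with a hand-installed client, say so in a trailing comment (`-- <host or tool>, hand-installed client`) so the carve-out is reviewable, and consider whether the exception really needs to be keyed to `user-1000.slice` or would be better expressed against the path with a checksum or signer if the schema allows it. The NOT IN list starts and ends outside the hunk.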
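Review bot: Raising the YARA condition from `filesize < 10MB and 2 of them` to `filesize < 25MB and 3 of them` changes the rule's sensitivity for every process, not only the ones the path exclusions in the `@@ -88,12 +88,18 @@` hunk (fish, docker-proxy, systemd-machined, crond, gdm) were added for, and neither hunk records the rationale. A YARA comment inside the rule, e.g. `// 3 of them: 2 matched too many stock daemons; 25MB admits <which binary>` with the real reason filled in, keeps the threshold reviewable the next time it drifts. The two `fish` paths in the second hunk also suggest the exclusion list is matching full paths where a basename check might be both shorter and more portable across distributions. The rule string and the surrounding WHERE clause start outside the hunk.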