False positive flush, particularly in talkers

This commit is contained in:
Thomas Stromberg 2023-02-17 11:57:23 -05:00
parent 8976bfecf2
commit f87541c945
23 changed files with 423 additions and 449 deletions


@ -26,16 +26,6 @@ SELECT
CONCAT (
MIN(p.euid, 500),
',',
REPLACE(
REPLACE(
REGEX_MATCH (p.path, '(/.*?)/', 1),
'/nix',
'/usr'
),
'/snap',
'/opt'
),
'/',
REGEX_MATCH (p.path, '.*/(.*?)$', 1),
',',
MIN(f.uid, 500),
@ -67,203 +57,182 @@ WHERE
AND s.remote_address NOT LIKE 'fc00:%'
AND p.path != ''
AND NOT exception_key IN (
'0,/opt/nessusd,0u,0g,nessusd',
'0,/opt/snapd,0u,0g,snapd',
'0,/sbin/apk,u,g,apk',
'0,/usr/applydeltarpm,0u,0g,applydeltarpm',
'0,/usr/bash,0u,0g,bash',
'0,/usr/bash,0u,0g,mkinitcpio',
'0,/usr/bash,0u,0g,sh',
'0,/usr/chainctl,0u,0g,chainctl',
'0,/usr/cmake,u,g,cmake',
'0,/usr/containerd,u,g,containerd',
'0,/usr/dirmngr,0u,0g,dirmngr',
'0,/usr/dockerd,0u,0g,dockerd',
'0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',
'0,/usr/kmod,0u,0g,depmod',
'0,/usr/launcher,0u,0g,launcher',
'0,/usr/launcher,500u,500g,launcher',
'0,/usr/nix,0u,0g,nix',
'0,/usr/nix,0u,0g,nix-daemon',
'0,/usr/packagekitd,0u,0g,packagekitd',
'0,/usr/pacman,0u,0g,pacman',
'0,/usr/python3.10,0u,0g,dnf',
'0,/usr/python3.10,0u,0g,dnf-automatic',
'0,/usr/python3.10,0u,0g,yum',
'0,/usr/python3.11,0u,0g,dnf',
'0,/usr/python3.11,0u,0g,dnf-automatic',
'0,/usr/python3.11,0u,0g,yum',
'0,/usr/rpi-imager,0u,0g,rpi-imager',
'0,/usr/snapd,0u,0g,snapd',
'0,/usr/tailscaled,0u,0g,tailscaled',
'0,/usr/tailscaled,500u,500g,tailscaled',
'0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'105,/usr/http,0u,0g,https',
'106,/usr/geoclue,0u,0g,geoclue',
'500,/app/Discord,u,g,Discord',
'500,/app/signal-desktop,u,g,signal-desktop',
'500,/app/slack,u,g,slack',
'500,/app/spotify,u,g,spotify',
'500,/app/thunderbird,u,g,thunderbird',
'500,/app/zoom.real,u,g,zoom.real',
'500,/home/bom,500u,500g,bom',
'500,/home/buildkitd,500u,500g,buildkitd',
'500,/home/cargo,500u,500g,cargo',
'500,/home/chainctl,500u,100g,chainctl',
'500,/home/chainctl,500u,500g,chainctl',
'500,/home/code,500u,500g,code',
'500,/home/cosign,500u,500g,cosign',
'500,/home/crane,500u,500g,crane',
'500,/home/gitsign,500u,500g,gitsign',
'500,/home/go,500u,500g,go',
'500,/home/grype,500u,500g,grype',
'500,/home/hugo,500u,500g,hugo',
'500,/home/java,500u,500g,java',
'500,/home/jcef_helper,500u,500g,jcef_helper',
'500,/home/ko,500u,500g,ko',
'500,/home/krel,500u,500g,krel',
'500,/home/mconvert,500u,500g,mconvert',
'500,/home/Melvor Idle,500u,500g,exe',
'500,/home/nerdctl,500u,500g,nerdctl',
'500,/home/promoter,500u,500g,promoter',
'500,/home/publish-release,500u,500g,publish-release',
'500,/home/python3,500u,500g,python3',
'500,/home/slirp4netns,500u,500g,slirp4netns',
'500,/home/spotify,500u,500g,spotify',
'500,/home/steam,500u,100g,steam',
'500,/home/steam,500u,500g,steam',
'500,/home/steamwebhelper,500u,100g,steamwebhelper',
'500,/home/steamwebhelper,500u,500g,steamwebhelper',
'500,/home/terraform,500u,500g,terraform',
'500,/home/trivy,500u,500g,trivy',
'500,/home/WPILibInstaller,500u,500g,WPILibInstaller',
'500,/home/zdup,500u,500g,zdup',
'500,/ko-app/chainctl,u,g,chainctl',
'500,/ko-app/controller,u,g,controller',
'500,/ko-app/controlplane,u,g,controlplane',
'500,/opt/1password,0u,0g,1password',
'500,/opt/Brackets,0u,0g,Brackets',
'500,/opt/brave,0u,0g,brave',
'500,/opt/chrome,0u,0g,chrome',
'500,/opt/Discord,0u,0g,Discord',
'500,/opt/firefox,0u,0g,firefox',
'500,/opt/firefox,0u,0g,Socket Process',
'500,/opt/Keybase,0u,0g,Keybase',
'500,/opt/kubectl,0u,0g,kubectl',
'500,/opt/python3,500u,500g,python3',
'500,/opt/signal-desktop,0u,0g,signal-desktop',
'500,/opt/slack,0u,0g,slack',
'500,/opt/snap-store,0u,0g,snap-store',
'500,/opt/spotify,0u,0g,spotify',
'500,/opt/spotify,500u,500g,spotify',
'500,/opt/terraform,0u,0g,terraform',
'500,/opt/todoist,0u,0g,todoist',
'500,/opt/zoom,0u,0g,zoom',
'500,/sbin/apk,500u,500g,apk',
'500,/sbin/apk,u,g,apk',
'500,/tmp/istioctl,500u,500g,istioctl',
'500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb',
'500,/tmp/obsidian,u,g,obsidian',
'500,/tmp/scoville,500u,500g,scoville',
'500,/tmp/terraform,500u,500g,terraform',
'500,/tmp/wolfictl,500u,500g,wolfictl',
'500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,/usr/apko,u,g,apko',
'500,/usr/aws,0u,0g,aws',
'500,/usr/bom,500u,500g,bom',
'500,/usr/cargo,0u,0g,cargo',
'500,/usr/chainctl,0u,0g,chainctl',
'500,/usr/chainctl,500u,493g,chainctl',
'500,/usr/chainctl,500u,500g,chainctl',
'500,/usr/chrome,0u,0g,chrome',
'500,/usr/code,0u,0g,code',
'500,/usr/cosign,500u,500g,cosign',
'500,/usr/cosign-linux-amd64,0u,0g,cosign',
'500,/usr/crane,0u,0g,crane',
'500,/usr/crane,500u,500g,crane',
'500,/usr/curl,0u,0g,curl',
'500,/usr/docker,0u,0g,docker',
'500,/usr/eksctl,0u,0g,eksctl',
'500,/usr/electron,0u,0g,electron',
'500,/usr/evolution-addressbook-factory,0u,0g,evolution-addre',
'500,/usr/evolution-calendar-factory,0u,0g,evolution-calen',
'500,/usr/firefox,0u,0g,firefox',
'500,/usr/firefox,0u,0g,.firefox-wrappe',
'500,/usr/firefox,0u,0g,Socket Process',
'500,/usr/flameshot,0u,0g,flameshot',
'500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
'500,/usr/geoclue,0u,0g,geoclue',
'500,/usr/git,0u,0g,git',
'500,/usr/git-remote-http,0u,0g,git-remote-http',
'500,/usr/gitsign,0u,0g,gitsign',
'500,/usr/gitsign,500u,0g,gitsign',
'500,/usr/gjs-console,0u,0g,org.gnome.Maps',
'500,/usr/gnome-recipes,0u,0g,gnome-recipes',
'500,/usr/gnome-shell,0u,0g,gnome-shell',
'500,/usr/gnome-software,0u,0g,gnome-software',
'500,/usr/go,0u,0g,go',
'500,/usr/go,500u,500g,go',
'500,/usr/goa-daemon,0u,0g,goa-daemon',
'500,/usr/go,u,g,go',
'500,/usr/grype,0u,0g,grype',
'500,/usr/gsd-datetime,0u,0g,gsd-datetime',
'500,/usr/gvfsd-google,0u,0g,gvfsd-google',
'500,/usr/gvfsd-http,0u,0g,gvfsd-http',
'500,/usr/htop,0u,0g,htop',
'500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',
'500,/usr/java,0u,0g,java',
'500,/usr/java,u,g,java',
'500,/usr/kbfsfuse,0u,0g,kbfsfuse',
'500,/usr/keybase,0u,0g,keybase',
'500,/usr/ko,u,g,ko',
'500,/usr/kubectl,0u,0g,kubectl',
'500,/usr/kubectl,500u,500g,kubectl',
'500,/usr/lens,0u,0g,lens',
'500,/usr/melange,u,g,melange',
'500,/usr/minikube,0u,0g,minikube',
'500,/usr/nautilus,0u,0g,nautilus',
'500,/usr/nix,0u,0g,nix',
'500,/usr/node,0u,0g,node',
'500,/usr/node,0u,0g,.node2nix-wrapp',
'500,/usr/node,u,g,node',
'500,/usr/obs,0u,0g,obs',
'500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
'500,/usr/pacman,0u,0g,pacman',
'500,/usr/php8.1,0u,0g,php',
'500,/usr/python3,0u,0g,python3',
'500,/usr/python3.10,0u,0g,python',
'500,/usr/python3.10,0u,0g,python3',
'500,/usr/python3.11,0u,0g,gnome-abrt',
'500,/usr/python3.11,0u,0g,protonvpn',
'500,/usr/python3.11,0u,0g,prowler',
'500,/usr/reporter-ureport,0u,0g,reporter-urepor',
'500,/usr/rpi-imager,0u,0g,rpi-imager',
'500,/usr/rustup,0u,0g,rustup',
'500,/usr/signal-desktop,0u,0g,signal-desktop',
'500,/usr/signal-desktop,u,g,signal-desktop',
'500,/usr/slack,0u,0g,slack',
'500,/usr/spotify,0u,0g,spotify',
'500,/usr/step,500u,500g,step',
'500,/usr/step-cli,0u,0g,step',
'500,/usr/syncthing,0u,0g,syncthing',
'500,/usr/teams,0u,0g,teams',
'500,/usr/gjs-console,0u,0g,org.gnome.Maps',
'500,/home/cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'500,/usr/terraform,0u,0g,terraform',
'500,/usr/thunderbird,0u,0g,thunderbird',
'500,/usr/trivy,0u,0g,trivy',
'500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,/usr/wget,0u,0g,wget',
'500,/usr/xmobar,0u,0g,xmobar',
'500,/usr/yay,0u,0g,yay',
'88,6,500,/usr/syncthing,0u,0g,syncthing'
'0,apk,u,g,apk',
'0,applydeltarpm,0u,0g,applydeltarpm',
'0,bash,0u,0g,bash',
'0,bash,0u,0g,mkinitcpio',
'0,bash,0u,0g,sh',
'0,chainctl,0u,0g,chainctl',
'0,cmake,u,g,cmake',
'0,containerd,u,g,containerd',
'0,dirmngr,0u,0g,dirmngr',
'0,dockerd,0u,0g,dockerd',
'0,flatpak-system-helper,0u,0g,flatpak-system-',
'0,kmod,0u,0g,depmod',
'0,launcher,0u,0g,launcher',
'0,launcher,500u,500g,launcher',
'0,nessusd,0u,0g,nessusd',
'0,nix,0u,0g,nix',
'0,nix,0u,0g,nix-daemon',
'0,packagekitd,0u,0g,packagekitd',
'0,pacman,0u,0g,pacman',
'0,python3.10,0u,0g,dnf',
'0,python3.10,0u,0g,dnf-automatic',
'0,python3.10,0u,0g,yum',
'0,python3.11,0u,0g,dnf',
'0,python3.11,0u,0g,dnf-automatic',
'0,python3.11,0u,0g,yum',
'0,rpi-imager,0u,0g,rpi-imager',
'0,snapd,0u,0g,snapd',
'0,tailscaled,0u,0g,tailscaled',
'0,tailscaled,500u,500g,tailscaled',
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'105,http,0u,0g,https',
'106,geoclue,0u,0g,geoclue',
'500,1password,0u,0g,1password',
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,apk,500u,500g,apk',
'500,apko,u,g,apko',
'500,apk,u,g,apk',
'500,aws,0u,0g,aws',
'500,bom,500u,500g,bom',
'500,Brackets,0u,0g,Brackets',
'500,brave,0u,0g,brave',
'500,buildkitd,500u,500g,buildkitd',
'500,cargo,0u,0g,cargo',
'500,cargo,500u,500g,cargo',
'500,chainctl,0u,0g,chainctl',
'500,chainctl,500u,100g,chainctl',
'500,chainctl,500u,493g,chainctl',
'500,chainctl,500u,500g,chainctl',
'500,chrome,0u,0g,chrome',
'500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'500,code,0u,0g,code',
'500,code,500u,500g,code',
'500,cosign,500u,500g,cosign',
'500,cosign-linux-amd64,0u,0g,cosign',
'500,crane,0u,0g,crane',
'500,crane,500u,500g,crane',
'500,curl,0u,0g,curl',
'500,Discord,0u,0g,Discord',
'500,Discord,u,g,Discord',
'500,docker,0u,0g,docker',
'500,eksctl,0u,0g,eksctl',
'500,electron,0u,0g,electron',
'500,evolution-addressbook-factory,0u,0g,evolution-addre',
'500,evolution-calendar-factory,0u,0g,evolution-calen',
'500,firefox,0u,0g,firefox',
'500,firefox,0u,0g,.firefox-wrappe',
'500,firefox,0u,0g,Socket Process',
'500,flameshot,0u,0g,flameshot',
'500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
'500,geoclue,0u,0g,geoclue',
'500,git,0u,0g,git',
'500,git-remote-http,0u,0g,git-remote-http',
'500,gitsign,0u,0g,gitsign',
'500,gitsign,500u,0g,gitsign',
'500,gitsign,500u,500g,gitsign',
'500,gjs-console,0u,0g,org.gnome.Maps',
'500,gnome-recipes,0u,0g,gnome-recipes',
'500,gnome-shell,0u,0g,gnome-shell',
'500,gnome-software,0u,0g,gnome-software',
'500,go,0u,0g,go',
'500,go,500u,500g,go',
'500,goa-daemon,0u,0g,goa-daemon',
'500,go,u,g,go',
'500,grype,0u,0g,grype',
'500,grype,500u,500g,grype',
'500,gsd-datetime,0u,0g,gsd-datetime',
'500,gvfsd-google,0u,0g,gvfsd-google',
'500,gvfsd-http,0u,0g,gvfsd-http',
'500,htop,0u,0g,htop',
'500,hugo,500u,500g,hugo',
'500,io.elementary.appcenter,0u,0g,io.elementary.a',
'500,istioctl,500u,500g,istioctl',
'500,java,0u,0g,java',
'500,java,500u,500g,java',
'500,java,u,g,java',
'500,jcef_helper,500u,500g,jcef_helper',
'500,jetbrains-toolbox,u,g,jetbrains-toolb',
'500,kbfsfuse,0u,0g,kbfsfuse',
'500,keybase,0u,0g,keybase',
'500,Keybase,0u,0g,Keybase',
'500,ko,500u,500g,ko',
'500,ko,u,g,ko',
'500,krel,500u,500g,krel',
'500,kubectl,0u,0g,kubectl',
'500,kubectl,500u,500g,kubectl',
'500,lens,0u,0g,lens',
'500,mconvert,500u,500g,mconvert',
'500,melange,u,g,melange',
'500,Melvor Idle,500u,500g,exe',
'500,minikube,0u,0g,minikube',
'500,nautilus,0u,0g,nautilus',
'500,nerdctl,500u,500g,nerdctl',
'500,nix,0u,0g,nix',
'500,node,0u,0g,node',
'500,node,0u,0g,.node2nix-wrapp',
'500,node,u,g,node',
'500,obs,0u,0g,obs',
'500,obs,u,g,obs',
'500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
'500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
'500,obsidian,u,g,obsidian',
'500,pacman,0u,0g,pacman',
'500,php8.1,0u,0g,php',
'500,promoter,500u,500g,promoter',
'500,publish-release,500u,500g,publish-release',
'500,python3,0u,0g,python3',
'500,python3.10,0u,0g,python',
'500,python3.10,0u,0g,python3',
'500,python3.11,0u,0g,gnome-abrt',
'500,python3.11,0u,0g,protonvpn',
'500,python3.11,0u,0g,prowler',
'500,python3,500u,500g,python3',
'500,reporter-ureport,0u,0g,reporter-urepor',
'500,rpi-imager,0u,0g,rpi-imager',
'500,rustup,0u,0g,rustup',
'500,scoville,500u,500g,scoville',
'500,signal-desktop,0u,0g,signal-desktop',
'500,signal-desktop,u,g,signal-desktop',
'500,slack,0u,0g,slack',
'500,slack,u,g,slack',
'500,slirp4netns,500u,500g,slirp4netns',
'500,snap-store,0u,0g,snap-store',
'500,spotify,0u,0g,spotify',
'500,spotify,500u,500g,spotify',
'500,spotify,u,g,spotify',
'500,steam,500u,100g,steam',
'500,steam,500u,500g,steam',
'500,steamwebhelper,500u,100g,steamwebhelper',
'500,steamwebhelper,500u,500g,steamwebhelper',
'500,step,500u,500g,step',
'500,step-cli,0u,0g,step',
'500,syncthing,0u,0g,syncthing',
'500,teams,0u,0g,teams',
'500,terraform,0u,0g,terraform',
'500,terraform,500u,500g,terraform',
'500,thunderbird,0u,0g,thunderbird',
'500,thunderbird,u,g,thunderbird',
'500,todoist,0u,0g,todoist',
'500,trivy,0u,0g,trivy',
'500,trivy,500u,500g,trivy',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,wget,0u,0g,wget',
'500,wolfictl,500u,500g,wolfictl',
'500,WPILibInstaller,500u,500g,WPILibInstaller',
'500,xmobar,0u,0g,xmobar',
'500,yay,0u,0g,yay',
'500,zdup,500u,500g,zdup',
'500,zoom,0u,0g,zoom',
'500,zoom.real,u,g,zoom.real',
'88,6,500,syncthing,0u,0g,syncthing'
)
-- Exceptions where we have to be more flexible for the process name
AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'
AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm install %'
AND NOT exception_key LIKE '500,/usr/cosign-%,500u,500g,cosign-%'
AND NOT exception_key LIKE '500,%/terraform-provider-%,500u,500g,terraform-provi'
AND NOT exception_key LIKE '0,/ko-app/%,u,g,%'
AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi'
-- stay weird, NixOS (Fastly nix mirror)
AND NOT (
pp.cmdline = '/run/current-system/sw/bin/bash'
@ -272,11 +241,11 @@ WHERE
AND s.state = 'ESTABLISHED'
)
AND NOT (
exception_key = '500,/tmp/%,500u,500g,%'
exception_key = '500,%,500u,500g,%'
AND p.path LIKE '/tmp/go-build%/exe/%'
)
AND NOT (
exception_key = '0,/usr/curl,0u,0g,curl'
exception_key = '0,curl,0u,0g,curl'
AND p.cmdline = 'curl --fail https://ipinfo.io/timezone'
)
-- Exclude processes running inside of containers
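Review bot: The third hunk still compares exception_key with `=` against a pattern that contains `%` wildcards (`exception_key = '500,%,500u,500g,%'`), so the literal string never equals a real key and the go-build exception beneath it is dead; it should read `exception_key LIKE '500,%,500u,500g,%'`. The same `=`-with-wildcard shape was already there before this commit, so that exclusion has probably never fired. In the second hunk the last entry, `'88,6,500,syncthing,0u,0g,syncthing'`, carries a port/protocol prefix, but the key built in the first hunk starts directly with `MIN(p.euid, 500)`, so a seven-field entry cannot match a five-field key and looks copied from the port-aware sibling query. If, as the first hunk suggests, the directory component was dropped from the key, each name-based entry now exempts a same-named binary wherever it lives, which deserves a comment above the list such as `-- keys are path-less: an entry exempts every binary with this name, not just the packaged one`.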


@ -31,16 +31,6 @@ SELECT
',',
MIN(p.euid, 500),
',',
REPLACE(
REPLACE(
REGEX_MATCH (p.path, '(/.*?)/', 1),
'/nix',
'/usr'
),
'/snap',
'/opt'
),
'/',
REGEX_MATCH (p.path, '.*/(.*?)$', 1),
',',
MIN(f.uid, 500),
@ -87,118 +77,115 @@ WHERE
AND s.remote_address NOT LIKE 'fc00:%'
AND p.path != ''
AND NOT exception_key IN (
'123,17,114,/usr/chronyd,0u,0g,chronyd',
'123,17,500,/usr/chronyd,0u,0g,chronyd',
'4070,6,500,/home/spotify,500u,500g,spotify',
'143,6,500,/app/thunderbird,u,g,thunderbird',
'143,6,500,/usr/thunderbird,0u,0g,thunderbird',
'19305,6,500,/opt/firefox,0u,0g,firefox',
'19305,6,500,/usr/firefox,0u,0g,firefox',
'80,6,500,/usr/aws-iam-authenticator,0u,0g,aws-iam-authent',
'19305,6,500,/usr/firefox,0u,0g,.firefox-wrappe',
'22000,6,500,/usr/syncthing,0u,0g,syncthing',
'80,6,500,/home/slirp4netns,500u,500g,slirp4netns',
'22,6,0,/usr/ssh,0u,0g,ssh',
'22,6,0,/usr/tailscaled,0u,0g,tailscaled',
'22,6,500,/home/cargo,500u,500g,cargo',
'80,6,0,/usr/appstreamcli,0u,0g,appstreamcli',
'22,6,500,/home/terraform,500u,500g,terraform',
'22,6,500,/usr/cargo,0u,0g,cargo',
'22,6,500,/usr/ssh,0u,0g,ssh',
'3000,6,500,/opt/brave,0u,0g,brave',
'3000,6,500,/opt/chrome,0u,0g,chrome',
'32768,6,0,/usr/tailscaled,0u,0g,tailscaled',
'32768,6,500,/usr/ssh,0u,0g,ssh',
'3443,6,500,/opt/chrome,0u,0g,chrome',
'3478,6,500,/opt/chrome,0u,0g,chrome',
'3478,6,500,/opt/firefox,0u,0g,firefox',
'3478,6,500,/usr/chrome,0u,0g,chrome',
'3478,6,500,/usr/firefox,0u,0g,firefox',
'4070,6,500,/app/spotify,u,g,spotify',
'4070,6,500,/opt/spotify,0u,0g,spotify',
'4070,6,500,/opt/spotify,500u,500g,spotify',
'4070,6,500,/usr/spotify,0u,0g,spotify',
'43,6,500,/usr/whois,0u,0g,whois',
'4460,6,114,/usr/chronyd,0u,0g,chronyd',
'5004,6,500,/opt/brave,0u,0g,brave',
'5006,6,500,/opt/brave,0u,0g,brave',
'500,/usr/htop,0u,0g,htop',
'5228,6,500,/opt/chrome,0u,0g,chrome',
'80,6,0,/usr/zstd,0u,0g,zstd',
'5228,6,500,/usr/chrome,0u,0g,chrome',
'6443,6,500,/usr/kubectl,0u,0g,kubectl',
'67,17,0,/usr/NetworkManager,0u,0g,NetworkManager',
'8000,6,500,/opt/chrome,0u,0g,chrome',
'8000,6,500,/usr/firefox,0u,0g,firefox',
'80,6,0,/usr/applydeltarpm,0u,0g,applydeltarpm',
'80,6,0,/usr/bash,0u,0g,bash',
'80,6,0,/usr/bash,0u,0g,mkinitcpio',
'80,6,0,/usr/bash,0u,0g,sh',
'80,6,0,/usr/bash,0u,0g,update-ca-trust',
'80,6,0,/usr/cp,0u,0g,cp',
'80,6,0,/usr/fc-cache,0u,0g,fc-cache',
'22,6,500,/usr/netcat,0u,0g,nc',
'80,6,0,/usr/find,0u,0g,find',
'80,6,0,/usr/gpg,0u,0g,gpg',
'80,6,0,/usr/kmod,0u,0g,depmod',
'80,6,0,/usr/kubelet,u,g,kubelet',
'80,6,0,/usr/ldconfig,0u,0g,ldconfig',
'80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
'80,6,0,/usr/packagekitd,0u,0g,packagekitd',
'80,6,0,/usr/pacman,0u,0g,pacman',
'9999,6,500,/opt/firefox,0u,0g,firefox',
'80,6,0,/usr/python3.10,0u,0g,dnf',
'80,6,0,/usr/python3.10,0u,0g,dnf-automatic',
'80,6,0,/usr/python3.10,0u,0g,yum',
'80,6,0,/usr/python3.11,0u,0g,dnf',
'80,6,0,/usr/python3.11,0u,0g,yum',
'80,6,0,/usr/tailscaled,0u,0g,tailscaled',
'80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'80,6,0,/usr/wget,0u,0g,wget',
'80,6,100,/usr/http,0u,0g,http',
'80,6,105,/usr/http,0u,0g,http',
'80,6,500,/app/signal-desktop,u,g,signal-desktop',
'80,6,500,/app/spotify,u,g,spotify',
'80,6,500,/app/thunderbird,u,g,thunderbird',
'80,6,500,/home/mconvert,500u,500g,mconvert',
'80,6,500,/home/steam,500u,100g,steam',
'80,6,500,/home/steam,500u,500g,steam',
'80,6,500,/home/steamwebhelper,500u,500g,steamwebhelper',
'80,6,500,/home/terraform,500u,500g,terraform',
'80,6,500,/opt/brave,0u,0g,brave',
'80,6,500,/opt/chrome,0u,0g,chrome',
'80,6,500,/opt/firefox,0u,0g,firefox',
'80,6,500,/opt/spotify,0u,0g,spotify',
'80,6,0,/usr/bash,0u,0g,bash',
'80,6,500,/home/cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'80,6,500,/opt/zoom,0u,0g,zoom',
'80,6,500,/usr/python3.10,0u,0g,aws',
'80,6,500,/usr/spotify-launcher,0u,0g,spotify-launche',
'80,6,500,/usr/chrome,0u,0g,chrome',
'80,6,500,/usr/curl,0u,0g,curl',
'80,6,500,/usr/electron,0u,0g,electron',
'80,6,500,/usr/firefox,0u,0g,firefox',
'80,6,500,/usr/firefox,0u,0g,.firefox-wrappe',
'80,6,500,/usr/gnome-software,0u,0g,gnome-software',
'80,6,500,/usr/pacman,0u,0g,pacman',
'80,6,500,/usr/python3.10,0u,0g,yum',
'80,6,500,/usr/python3.11,0u,0g,abrt-action-ins',
'80,6,500,/usr/rpi-imager,0u,0g,rpi-imager',
'80,6,500,/usr/signal-desktop,0u,0g,signal-desktop',
'80,6,500,/usr/thunderbird,0u,0g,thunderbird',
'80,6,500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'8080,6,500,/opt/chrome,0u,0g,chrome',
'8080,6,500,/usr/firefox,0u,0g,firefox',
'8080,6,500,/usr/python3.11,0u,0g,speedtest-cli',
'8080,6,500,/usr/speedtest,500u,500g,speedtest',
'8443,6,500,/opt/chrome,0u,0g,chrome',
'8443,6,500,/usr/firefox,0u,0g,firefox',
'8801,17,500,/app/zoom.real,u,g,zoom.real',
'8801,17,500,/opt/zoom,0u,0g,zoom',
'88,6,500,/usr/syncthing,0u,0g,syncthing',
'993,6,500,/app/thunderbird,u,g,thunderbird',
'993,6,500,/usr/evolution,0u,0g,evolution',
'993,6,500,/usr/thunderbird,0u,0g,thunderbird'
'123,17,114,chronyd,0u,0g,chronyd',
'123,17,500,chronyd,0u,0g,chronyd',
'143,6,500,thunderbird,0u,0g,thunderbird',
'143,6,500,thunderbird,u,g,thunderbird',
'19305,6,500,firefox,0u,0g,firefox',
'19305,6,500,firefox,0u,0g,.firefox-wrappe',
'22000,6,500,syncthing,0u,0g,syncthing',
'22,6,0,ssh,0u,0g,ssh',
'22,6,0,tailscaled,0u,0g,tailscaled',
'22,6,500,cargo,0u,0g,cargo',
'22,6,500,cargo,500u,500g,cargo',
'22,6,500,netcat,0u,0g,nc',
'22,6,500,ssh,0u,0g,ssh',
'22,6,500,terraform,500u,500g,terraform',
'3000,6,500,brave,0u,0g,brave',
'3000,6,500,chrome,0u,0g,chrome',
'32768,6,0,tailscaled,0u,0g,tailscaled',
'32768,6,500,ssh,0u,0g,ssh',
'3443,6,500,chrome,0u,0g,chrome',
'3478,6,500,chrome,0u,0g,chrome',
'3478,6,500,firefox,0u,0g,firefox',
'4070,6,500,spotify,0u,0g,spotify',
'4070,6,500,spotify,500u,500g,spotify',
'4070,6,500,spotify,u,g,spotify',
'43,6,500,whois,0u,0g,whois',
'4460,6,114,chronyd,0u,0g,chronyd',
'5004,6,500,brave,0u,0g,brave',
'5006,6,500,brave,0u,0g,brave',
'500,htop,0u,0g,htop',
'5228,6,500,chrome,0u,0g,chrome',
'6443,6,500,kubectl,0u,0g,kubectl',
'67,17,0,NetworkManager,0u,0g,NetworkManager',
'8000,6,500,brave,0u,0g,brave',
'8000,6,500,chrome,0u,0g,chrome',
'8000,6,500,firefox,0u,0g,firefox',
'80,6,0,applydeltarpm,0u,0g,applydeltarpm',
'80,6,0,appstreamcli,0u,0g,appstreamcli',
'80,6,0,bash,0u,0g,bash',
'80,6,0,bash,0u,0g,mkinitcpio',
'80,6,0,bash,0u,0g,sh',
'80,6,0,bash,0u,0g,update-ca-trust',
'80,6,0,cp,0u,0g,cp',
'80,6,0,fc-cache,0u,0g,fc-cache',
'80,6,0,find,0u,0g,find',
'80,6,0,gawk,0u,0g,awk',
'80,6,0,gpg,0u,0g,gpg',
'80,6,0,kmod,0u,0g,depmod',
'80,6,0,kubelet,u,g,kubelet',
'80,6,0,ldconfig,0u,0g,ldconfig',
'80,6,0,NetworkManager,0u,0g,NetworkManager',
'80,6,0,packagekitd,0u,0g,packagekitd',
'80,6,0,pacman,0u,0g,pacman',
'80,6,0,python3.10,0u,0g,dnf',
'80,6,0,python3.10,0u,0g,dnf-automatic',
'80,6,0,python3.10,0u,0g,yum',
'80,6,0,python3.11,0u,0g,dnf',
'80,6,0,python3.11,0u,0g,yum',
'80,6,0,tailscaled,0u,0g,tailscaled',
'80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'80,6,0,/usr/python2.7,u,g,yum',
'80,6,0,/usr/xargs,0u,0g,xargs',
'80,6,0,wget,0u,0g,wget',
'80,6,0,zstd,0u,0g,zstd',
'80,6,100,http,0u,0g,http',
'80,6,105,http,0u,0g,http',
'80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent',
'80,6,500,brave,0u,0g,brave',
'80,6,500,chrome,0u,0g,chrome',
'80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'80,6,500,curl,0u,0g,curl',
'80,6,500,electron,0u,0g,electron',
'80,6,500,firefox,0u,0g,firefox',
'80,6,500,firefox,0u,0g,.firefox-wrappe',
'80,6,500,gnome-software,0u,0g,gnome-software',
'80,6,500,mconvert,500u,500g,mconvert',
'80,6,500,obs-browser-page,u,g,obs-browser-pag',
'80,6,500,pacman,0u,0g,pacman',
'80,6,500,python3.10,0u,0g,aws',
'80,6,500,python3.10,0u,0g,yum',
'80,6,500,python3.11,0u,0g,abrt-action-ins',
'80,6,500,rpi-imager,0u,0g,rpi-imager',
'80,6,500,signal-desktop,0u,0g,signal-desktop',
'80,6,500,signal-desktop,u,g,signal-desktop',
'80,6,500,slirp4netns,500u,500g,slirp4netns',
'80,6,500,spotify,0u,0g,spotify',
'80,6,500,spotify-launcher,0u,0g,spotify-launche',
'80,6,500,spotify,u,g,spotify',
'80,6,500,steam,500u,100g,steam',
'80,6,500,steam,500u,500g,steam',
'80,6,500,steamwebhelper,500u,500g,steamwebhelper',
'80,6,500,terraform,500u,500g,terraform',
'80,6,500,thunderbird,0u,0g,thunderbird',
'80,6,500,thunderbird,u,g,thunderbird',
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'80,6,500,zoom,0u,0g,zoom',
'8080,6,500,brave,0u,0g,brave',
'8080,6,500,chrome,0u,0g,chrome',
'8080,6,500,firefox,0u,0g,firefox',
'8080,6,500,python3.11,0u,0g,speedtest-cli',
'8080,6,500,speedtest,500u,500g,speedtest',
'8443,6,500,chrome,0u,0g,chrome',
'8443,6,500,firefox,0u,0g,firefox',
'8801,17,500,zoom,0u,0g,zoom',
'8801,17,500,zoom.real,u,g,zoom.real',
'88,6,500,syncthing,0u,0g,syncthing',
'993,6,500,evolution,0u,0g,evolution',
'993,6,500,thunderbird,0u,0g,thunderbird',
'993,6,500,thunderbird,u,g,thunderbird',
'9999,6,500,firefox,0u,0g,firefox'
)
AND NOT (
p.name = 'java'
@ -230,9 +217,8 @@ WHERE
)
-- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP)
AND NOT (
exception_key = '32768,6,500,/usr/ssh,0u,0g,ssh'
exception_key = '32768,6,500,ssh,0u,0g,ssh'
AND s.remote_port = 40022
AND s.remote_address = '104.131.84.33' -- gatekeeper.uservers.net
)
AND NOT (
s.remote_port = 80
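Review bot: Two entries added to the list in the second hunk, `'80,6,0,/usr/python2.7,u,g,yum'` and `'80,6,0,/usr/xargs,0u,0g,xargs'`, still carry a `/usr/` directory component while every other new entry is path-less, so against the new key they cannot match and should be `'80,6,0,python2.7,u,g,yum'` and `'80,6,0,xargs,0u,0g,xargs'`. The entry `'500,htop,0u,0g,htop'` has five fields where this file's key (the first hunk appears to prefix `MIN(p.euid, 500)` with port and protocol) has seven, so it is dead as well and was already dead before the commit. A comment above the list recording the field layout, e.g. `-- port,proto,euid,name,uid u,gid g,parent_name`, would make such mismatches obvious at a glance. The enclosing WHERE continues outside both hunks.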


@ -69,6 +69,7 @@ WHERE
AND p.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
AND p.path NOT LIKE '/usr/libexec/%'
AND p.path NOT LIKE '/usr/sbin/%'
AND p.path NOT LIKE '/usr/local/kolide-k2/bin/%'
AND p.path NOT LIKE '/private/var/folders/%/go-build%/%'
-- Apple programs running from weird places, like the UpdateBrainService
AND NOT (
@ -179,11 +180,14 @@ WHERE
'443,6,500,bom,,',
'443,6,500,chainctl,,',
'443,6,500,chainctl,a.out,',
'443,6,0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'443,6,500,chainctl,chainctl,',
'443,6,500,trivy,,',
'443,6,500,chainctl_darwin_arm64,a.out,',
'443,6,500,chainctl_Darwin_arm64,a.out,',
'443,6,500,civo,a.out,',
'443,6,500,cloud_sql_proxy,a.out,',
'443,6,500,Paintbrush,com.soggywaffles.paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG)',
'443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,com.docker.backend,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
@ -192,7 +196,9 @@ WHERE
'443,6,500,cosign,a.out,',
'443,6,500,cosign,cosign,',
'443,6,500,crane,,',
'443,17,500,Signal Helper,org.whispersystems.signal-desktop.helper,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'443,6,500,crane,a.out,',
'443,6,500,Amazon Photos Installer,com.amazon.clouddrive.mac.installer,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,500,crane,crane,',
'443,6,500,ctclient,a.out,',
'443,6,500,curl,com.apple.curl,Software Signing',
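Review bot: The new entries `'443,6,500,chainctl_Darwin_arm64,a.out,'`, `'443,6,500,civo,a.out,'` and `'443,6,500,cloud_sql_proxy,a.out,'` in the second hunk have an empty signing-authority field, so they exempt any unsigned binary with that name rather than a particular vendor's build; that is a weaker exception than the signed entries around them and deserves a comment such as `-- unsigned dev tools: matched by name only, no authority to verify`. The `/private/var/folders/%/go-build%/%` exclusion added in the first hunk exempts every binary under a go-build scratch directory regardless of its peer, which is broader than the per-binary list and is worth a why-comment on that line. The enclosing WHERE continues outside both hunks.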


@ -28,7 +28,7 @@ FROM
processes p
LEFT JOIN hash ON p.path = hash.path
WHERE
bytes_per_second > 6500000
bytes_per_second > 7500000
AND age > 30
AND pid > 2
AND p.path NOT IN (
@ -123,6 +123,7 @@ WHERE
'fsdaemon',
'go',
'goland',
'trivy-db',
'golangci-lint-v',
'gopls',
'grype',
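Review bot: The threshold `bytes_per_second > 7500000` in the first hunk is a bare magic number with no record of why 7.5 MB/s replaced 6.5 MB/s; a comment such as `-- ~7.5 MB/s: raised from 6.5 MB/s to reduce false positives` would keep the next tuner from guessing. In the second hunk `'trivy-db'` is inserted between `'goland'` and `'golangci-lint-v'`, breaking the alphabetical order the surrounding names follow; moving it to its sorted position keeps the list greppable. The enclosing WHERE continues outside both hunks.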


@ -34,6 +34,7 @@ SELECT
) AS exception_key,
-- Child
p0.pid AS p0_pid,
p0.cgroup_path AS p0_cgroup,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,


@ -99,6 +99,7 @@ WHERE
'/var/db/.StagedAppleUpgrade',
'/var/db/.SystemPolicy-default',
'/var/.ntw_cache',
'/var/setup/.TemporaryItems',
'/var/.Parallels_swap/',
'/var/.pwd_cache',
'/var/root/.bash_history',


@ -109,6 +109,7 @@ WHERE
OR (
INSTR(p0_cmd, 'history') > 0
AND p0_cmd LIKE '%history'
AND p0_cmd NOT LIKE 'man %'
)
OR p0_cmd LIKE '%touch%acmr%'
OR p0_cmd LIKE '%touch -r%'
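Review bot: The new `AND p0_cmd NOT LIKE 'man %'` sits inside a clause where `INSTR(p0_cmd, 'history') > 0` is already implied by `p0_cmd LIKE '%history'`, so the group could be reduced to `p0_cmd LIKE '%history' AND p0_cmd NOT LIKE 'man %'` without changing which rows match. A short comment on why a leading `man ` is excluded (presumably a manual-page lookup rather than a shell-history read) would help the next reader. The enclosing WHERE continues outside the hunk.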


@ -41,97 +41,94 @@ FROM
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
-- Known attack scripts
p0.name IN (
'bitspin',
'bpftool',
'heyoka',
'nstx',
'dnscat2',
'tuns',
'iodine',
'esxcli',
'vim-cmd',
'minerd',
'cpuminer-multi',
'cpuminer',
'httpdns',
'rshell',
'rsh',
'xmrig',
'incbit',
'insmod',
'kmod',
'lushput',
'mkfifo',
'msfvenom',
'nc',
'socat'
WHERE -- Known attack scripts
(
p0.name IN (
'bitspin',
'bpftool',
'heyoka',
'nstx',
'dnscat2',
'tuns',
'iodine',
'esxcli',
'vim-cmd',
'minerd',
'cpuminer-multi',
'cpuminer',
'httpdns',
'rshell',
'rsh',
'xmrig',
'incbit',
'insmod',
'kmod',
'lushput',
'mkfifo',
'msfvenom',
'nc',
'socat'
)
OR p0.name LIKE '%pwn%'
OR p0.name LIKE '%xig%'
OR p0.name LIKE '%xmr%'
OR p0.cmdline LIKE '%--pool%'
OR p0.cmdline LIKE '%--algo%'
OR p0.cmdline LIKE '%--wss%'
OR p0.cmdline LIKE '%bitspin%'
OR p0.cmdline LIKE '%lushput%'
OR p0.cmdline LIKE '%incbit%'
OR p0.cmdline LIKE '%traitor%'
OR p0.cmdline LIKE '%msfvenom%' -- Unusual behaviors
OR p0.cmdline LIKE '%ufw disable%'
OR p0.cmdline LIKE '%iptables -P % ACCEPT%'
OR p0.cmdline LIKE '%iptables -F%'
OR p0.cmdline LIKE '%chattr -ia%'
OR p0.cmdline LIKE '%chflags uchg%'
OR p0.cmdline LIKE '%chmod 777 %'
OR p0.cmdline LIKE '%bpftool%'
OR p0.cmdline LIKE '%touch%acmr%'
OR p0.cmdline LIKE '%ld.so.preload%'
OR p0.cmdline LIKE '%urllib.urlopen%'
OR p0.cmdline LIKE '%nohup%tmp%'
OR p0.cmdline LIKE '%chrome%--load-extension%'
OR (
p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
AND NOT p1.name = 'limactl'
) -- Crypto miners
OR p0.cmdline LIKE '%c3pool%'
OR p0.cmdline LIKE '%cryptonight%'
OR p0.cmdline LIKE '%f2pool%'
OR p0.cmdline LIKE '%hashrate%'
OR p0.cmdline LIKE '%hashvault%'
OR p0.cmdline LIKE '%minerd%'
OR p0.cmdline LIKE '%monero%'
OR p0.cmdline LIKE '%nanopool%'
OR p0.cmdline LIKE '%nicehash%'
OR p0.cmdline LIKE '%stratum%' -- Random keywords
OR p0.cmdline LIKE '%ransom%'
OR p0.cmdline LIKE '%malware%'
OR p0.cmdline LIKE '%plant%' -- Reverse shells
OR p0.cmdline LIKE '%/dev/tcp/%'
OR p0.cmdline LIKE '%/dev/udp/%'
OR p0.cmdline LIKE '%fsockopen%'
OR p0.cmdline LIKE '%openssl%quiet%'
OR p0.cmdline LIKE '%pty.spawn%'
OR (
p0.cmdline LIKE '%sh -i'
AND NOT p0.path = '/usr/bin/docker'
AND NOT p1.name IN ('sh', 'java', 'containerd-shim')
AND NOT p1.cmdline LIKE '%pipenv shell'
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p0.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
)
OR p0.cmdline LIKE '%socat '
OR p0.cmdline LIKE '%SOCK_STREAM%'
OR INSTR(p0.cmdline, '%Socket.%') > 0 -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
OR (
p0.cmdline LIKE '%tail -f /dev/null%'
AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
)
)
OR p0.name LIKE '%pwn%'
OR p0.name LIKE '%xig%'
OR p0.name LIKE '%xmr%'
OR p0.cmdline LIKE '%--pool%'
OR p0.cmdline LIKE '%--algo%'
OR p0.cmdline LIKE '%--wss%'
OR p0.cmdline LIKE '%bitspin%'
OR p0.cmdline LIKE '%lushput%'
OR p0.cmdline LIKE '%incbit%'
OR p0.cmdline LIKE '%traitor%'
OR p0.cmdline LIKE '%msfvenom%'
-- Unusual behaviors
OR p0.cmdline LIKE '%ufw disable%'
OR p0.cmdline LIKE '%iptables -P % ACCEPT%'
OR p0.cmdline LIKE '%iptables -F%'
OR p0.cmdline LIKE '%chattr -ia%'
OR p0.cmdline LIKE '%chflags uchg%'
OR p0.cmdline LIKE '%chmod 777 %'
OR p0.cmdline LIKE '%bpftool%'
OR p0.cmdline LIKE '%touch%acmr%'
OR p0.cmdline LIKE '%ld.so.preload%'
OR p0.cmdline LIKE '%urllib.urlopen%'
OR p0.cmdline LIKE '%nohup%tmp%'
OR p0.cmdline LIKE '%chrome%--load-extension%'
OR (
p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
AND NOT p1.name = 'limactl'
)
-- Crypto miners
OR p0.cmdline LIKE '%c3pool%'
OR p0.cmdline LIKE '%cryptonight%'
OR p0.cmdline LIKE '%f2pool%'
OR p0.cmdline LIKE '%hashrate%'
OR p0.cmdline LIKE '%hashvault%'
OR p0.cmdline LIKE '%minerd%'
OR p0.cmdline LIKE '%monero%'
OR p0.cmdline LIKE '%nanopool%'
OR p0.cmdline LIKE '%nicehash%'
OR p0.cmdline LIKE '%stratum%'
-- Random keywords
OR p0.cmdline LIKE '%ransom%'
OR p0.cmdline LIKE '%malware%'
OR p0.cmdline LIKE '%plant%'
-- Reverse shells
OR p0.cmdline LIKE '%/dev/tcp/%'
OR p0.cmdline LIKE '%/dev/udp/%'
OR p0.cmdline LIKE '%fsockopen%'
OR p0.cmdline LIKE '%openssl%quiet%'
OR p0.cmdline LIKE '%pty.spawn%'
OR (
p0.cmdline LIKE '%sh -i'
AND NOT p0.path = '/usr/bin/docker'
AND NOT p1.name IN ('sh', 'java', 'containerd-shim')
AND NOT p1.cmdline LIKE '%pipenv shell'
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
)
OR p0.cmdline LIKE '%socat%'
OR p0.cmdline LIKE '%SOCK_STREAM%'
OR INSTR(p0.cmdline, '%Socket.%') > 0
-- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
OR (
p0.cmdline LIKE '%tail -f /dev/null%'
AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
)
AND NOT p0.cmdline like 'socat UNIX-LISTEN:%/com.discordapp%fork UNIX-CONNECT:%'
AND NOT p0.cmdline like '%socat UNIX-LISTEN:%com.discordapp%discord-ipc%'
AND NOT p0.name IN ('cc1', 'compile', 'cmake', 'cc1plus')
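Review bot: `OR INSTR(p0.cmdline, '%Socket.%') > 0` on the new side is a literal substring search, so the `%` characters are matched literally and the term only fires on a command line that actually contains the text `%Socket.%`; it should be `OR p0.cmdline LIKE '%Socket.%'`. The socat term was narrowed from `'%socat%'` to `'%socat '` with a trailing space, which only matches command lines that end in `socat ` and so effectively removes the cmdline-based socat detection (the name-based `'socat'` entry survives); if the intent was to require socat as a whole word, `'%socat %'` does that while the two Discord `UNIX-LISTEN` exclusions at the bottom keep handling the known false positive. The new nerdctl cgroup exclusion hard-codes uid 1000 (`/user.slice/user-1000.slice/user@1000.service/...`), so it will not cover other desktop users; `'/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'` covers them. The enclosing WHERE continues past the end of the hunk.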


@ -106,6 +106,8 @@ WHERE
'/usr/lib/flatpak-session-helper',
'/usr/lib/fwupd/fwupd',
'/usr/lib/gdm',
'/usr/bin/gnome-shell',
'/usr/lib/gnome-shell-calendar-server',
'/usr/lib/gdm-session-worker',
'/usr/lib/gdm-x-session',
'/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
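Review bot: `/usr/bin/gnome-shell` is inserted between `/usr/lib/gdm` and `/usr/lib/gdm-session-worker`, breaking the sorted order of the surrounding `/usr/lib/...` entries, and `/usr/lib/gnome-shell-calendar-server` likewise lands ahead of the `gdm-*` group it sorts after; placing both in sorted position keeps the list easy to scan and diff. The enclosing list and WHERE clause continue outside the hunk.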


@ -106,6 +106,7 @@ WHERE
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',


@ -46,6 +46,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
'curl,500,bash,nix-daemon',
'wget,500,zsh,bash',
'wget,500,sh,bwrap',
'curl,500,eos-connection-,eos-update-noti',
'curl,500,bash,ShellLauncher',
'curl,500,Slack,launchd',
'curl,500,bash,zsh',
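Review bot: The header comment at the top of this hunk says the remainder of the query is synced with a sibling `unexpected-fetcher-par…` query, and the new `'curl,500,eos-connection-,eos-update-noti'` exception is not shown being added there in this page; if the sibling was not updated in one of the other changed files, the two lists have drifted. A comment next to the entry, e.g. `-- eos: names are 15-char truncated process names, keep in sync with the parent-based fetcher query`, would record both the sync requirement and why the names look cut off (they appear to be 15-character truncations rather than typos). The enclosing WHERE continues outside the hunk.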


@ -90,9 +90,8 @@ WHERE
OR p0_cmd LIKE '/usr/bin/osascript /Users/%/Library/Caches/com.runningwithcrayons.Alfred/Workflow Scripts/%'
OR p0_cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %'
OR p0_cmd LIKE '/usr/bin/osascript /Applications/Amazon Photos.app/Contents/Resources/quit_and_restart_app.scpt /Applications/Amazon Photos.app com.amazon.clouddrive.mac%'
OR p1_cmd LIKE '%/bin/gcloud auth%login'
OR p1_cmd LIKE '%/google-cloud-sdk/lib/gcloud.py auth%login'
OR p1_cmd LIKE '%aws configure sso%'
OR p1_cmd LIKE '%gcloud% auth %login'
OR p1_cmd LIKE '%aws %sso%'
OR p1_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
OR p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)'
OR p1_name IN ('yubikey-agent')
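Review bot: `p1_cmd LIKE '%aws %sso%'` is far wider than the `'%aws configure sso%'` it appears to replace: it excludes any parent command line containing `aws ` followed anywhere later by `sso`, and `'%gcloud% auth %login'` likewise matches any argument vector with those three tokens in order, not just the login flows. Because these are OR'd exceptions, each widening is a blind spot for the rest of the query, so enumerating the intended invocations keeps the carve-out narrow: `OR p1_cmd LIKE '%aws sso login%'` and `OR p1_cmd LIKE '%aws configure sso%'`. The enclosing WHERE starts and ends outside the hunk.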


@ -143,5 +143,6 @@ WHERE
AND NOT exception_key LIKE '500,Runner.%,apphost-%,'
AND NOT exception_key LIKE '500,kubectl.%,a.out,'
AND NOT exception_key LIKE '500,rustlings,rustlings-%,'
AND NOT exception_key LIKE '500,rust-analyzer,rust-analyzer-%,'
GROUP BY
p0.pid


@ -79,21 +79,10 @@ WHERE
AND pe.cmdline IS NOT NULL
AND pe.status == 0
AND pe.path = '/usr/bin/xattr'
AND p0_cmd NOT IN (
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Library/LoginItems/1Password Launcher.app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/XPCServices/OP Updater Service.xpc',
'/usr/bin/xattr -r -d com.apple.quarantine /Applications/1Password.app',
'/usr/bin/xattr -d -r com.apple.quarantine /Applications/iTerm.app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/XPCServices/OP Updater Service.xpc/Contents/Helpers/1Password Updater.app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper.app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (GPU).app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (Plugin).app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (Renderer).app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/Keybase.app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Library/LoginItems/1Password Browser Helper.app',
'xattr -d -r com.apple.quarantine /Applications/Google Chrome.app'
)
AND p0_cmd NOT LIKE '%xattr -d -r com.apple.quarantine /Applications/%.app'
AND p0_cmd NOT LIKE '%xattr -r -d com.apple.quarantine /Applications/%.app'
AND p0_cmd NOT LIKE '%xattr -d com.apple.quarantine /Applications/%.app'
AND p0_cmd NOT LIKE '%xattr -d com.apple.quarantine /Applications/%.app/%.xpc'
AND NOT (
pe.euid > 500
AND p0_cmd LIKE '%xattr -l %'
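Review bot: The four new `NOT LIKE` patterns exclude every `xattr -d com.apple.quarantine` invocation whose target is any bundle under `/Applications/`, whereas the removed exact-match list only covered specific, known bundles (1Password, iTerm, Keybase, Chrome); removing the quarantine attribute from an arbitrary freshly installed app is the case this query exists to surface, so the exception now swallows the primary signal. If the goal is to stop alerting on those known updaters, constraining the target to their bundle names keeps the detection for everything else, e.g. `AND NOT (p0_cmd LIKE '%xattr -%d% com.apple.quarantine /Applications/1Password.app%')` repeated per bundle, or a join condition on the known parent. At minimum a comment recording the trade-off, such as `-- accepted: quarantine removal on any /Applications bundle is not alerted`, would make the widening deliberate rather than accidental. The enclosing WHERE continues outside the hunk.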


@ -105,6 +105,7 @@ WHERE
AND file.filename NOT IN ('.Trashes', '.background')
AND file.filename NOT LIKE '%.previous'
AND file.filename NOT LIKE '%.interrupted'
AND file.filename NOT LIKE '%.backup'
) -- 7. Volumes containing a top-level symlink to something other than /Applications, such as yWnBJLaF (1302.app)
OR (
file.symlink = 1


@ -249,6 +249,7 @@ WHERE
'sh,500,docs,zsh',
'sh,500,Google Drive,launchd',
'dash,0,snapd,systemd',
'bash,500,xdg-desktop-portal,systemd',
'sh,500,snyk-macos,snyk',
'sh,500,ssh,mosh-client',
'sh,500,updater,Foxit PDF Reader',


@ -130,6 +130,7 @@ WHERE
'/Applications/Docker.app/Contents/Resources/bin/docker-credential-desktop',
'/Applications/IntelliJ IDEA.app/Contents/MacOS/idea',
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
'/Applications/Parallels Desktop.app/Contents/MacOS/prl_update_helper',
'/bin/dash',
'/bin/sh',
'/Library/Developer/CommandLineTools/usr/bin/git',
@ -202,3 +203,4 @@ WHERE
AND NOT parent_path LIKE '/nix/store/%sh'
AND NOT parent_path LIKE '/opt/homebrew/%'
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p.cgroup_path LIKE '/system.slice/system.slice:docker:%'


@ -67,6 +67,8 @@ WHERE
'anacron.timer,Trigger anacron every hour,,100',
'apcupsd.service,APC UPS Power Control Daemon for Linux,,300',
'apparmor.service,Load AppArmor profiles,,1100',
'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),,200',
'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),,200',
'apport.service,LSB: automatic crash report generation,,500',
'apt-daily.service,Daily apt download activities,,300',
'apt-daily.timer,Daily apt download activities,,100',
@ -87,8 +89,6 @@ WHERE
'bluetooth.service,Bluetooth service,,700',
'bluetooth.target,Bluetooth Support,,400',
'bolt.service,Thunderbolt system service,,600',
'nessusd.service,The Nessus Vulnerability Scanner,,800',
'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot,200',
'chronyd.service,NTP client/server,,1500',
"chrony.service,chrony, an NTP client/server,,1600",
'colord.service,Manage, Install and Generate Color Profiles,colord,200',
@ -200,6 +200,7 @@ WHERE
'motd-news.timer,Message of the Day,,100',
'mount-pstore.service,mount-pstore.service,,1100',
'multi-user.target,Multi-User System,,500',
'nessusd.service,The Nessus Vulnerability Scanner,,800',
'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,,300',
'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,,200',
"networking.service,Raise network interfaces,,600",
@ -266,6 +267,7 @@ WHERE
'rsyslog.service,System Logging Service,,400',
'rsyslog.service,System Logging Service,,500',
'rtkit-daemon.service,RealtimeKit Scheduling Policy Service,,1000',
'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot,200',
'setvtrgb.service,Set console scheme,,300',
'shadow.service,Verify integrity of password and group files,,300',
'shadow.service,Verify integrity of password and group files,,900',
@ -276,6 +278,8 @@ WHERE
'smartcard.target,Smart Card,,400',
'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,400',
'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,,800',
'snapd.mounts-pre.target,Mounting snaps,,100',
'snapd.mounts.target,Mounted snaps,,100',
'snapd.seeded.service,Wait until snapd is fully seeded,,300',
'snapd.service,Snap Daemon,,400',
'snapd.service,Snap Daemon,,500',
@ -420,6 +424,7 @@ WHERE
'zfs-mount.service,Mount ZFS filesystems,,400',
'zfs-scrub.service,ZFS pools scrubbing,,1000',
'zfs-scrub.timer,zfs-scrub.timer,,0',
'geoclue.service,Location Lookup Service,geoclue,500',
'zfs-share.service,ZFS file system shares,,400',
'zfs-share.service,ZFS file system shares,,500',
'zfs-snapshot-daily.service,ZFS auto-snapshotting every day,,1000',
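Review bot: `'geoclue.service,Location Lookup Service,geoclue,500'` is inserted between `zfs-scrub.timer` and `zfs-share.service`, while this same commit moves `nessusd.service` and `setroubleshootd.service` into their alphabetical slots (the `@ -87,8`, `@ -200,6` and `@ -266,6` hunks); it belongs with the other `g` units so the list stays consistently sorted and duplicate entries remain easy to spot. The enclosing IN list starts and ends outside the hunk.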


@ -59,6 +59,7 @@ WHERE
'false,julienv3@gmail.com,treasure-clicker,',
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
'false,juverm@chainguard.dev,auto-close-gitsign,',
'true,,Jamstash,jccdpflnecheidefpofmlblgebobbloc',
'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml', -- Deprecated Google Extension
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',


@ -69,12 +69,12 @@ WHERE
p.name
) IN (
'10250,6,0,kubelet',
'1,255,500,mtr-packet',
'10250,6,500,kubelet',
'10254,6,101,nginx-ingress-c',
'10256,6,0,kube-proxy',
'255,255,500,mtr-packet',
'10256,6,500,kube-proxy',
'1,1,500,ping',
'1,255,500,mtr-packet',
'1716,6,500,kdeconnectd',
'17,255,0,dhcpcd',
'17,255,0,tailscaled',
@ -86,6 +86,7 @@ WHERE
'22,6,0,sshd',
'2379,6,500,etcd',
'2380,6,500,etcd',
'255,255,500,mtr-packet',
'27036,6,500,steam',
'3000,6,472,grafana-server',
'3000,6,500,grafana-server',
@ -96,7 +97,6 @@ WHERE
'32768,6,500,dleyna-renderer',
'32768,6,500,jetbrains-toolb',
'32768,6,500,spotify',
'8834,6,0,nessusd',
'3551,6,0,apcupsd',
'4143,6,500,linkerd2-proxy',
'4191,6,500,linkerd2-proxy',
@ -107,8 +107,8 @@ WHERE
'5000,6,0,registry',
'5000,6,500,ControlCenter',
'5001,6,0,registry',
'53,17,0,coredns',
'5050,6,500,rootlesskit',
'53,17,0,coredns',
'53,17,500,aardvark-dns',
'53,17,500,dnsmasq',
'5355,6,193,systemd-resolve',
@ -150,6 +150,7 @@ WHERE
'8443,6,500,controller',
'8443,6,500,controlplane',
'8443,6,500,webhook',
'8834,6,0,nessusd',
'9000,6,500,authentik-proxy',
'9000,6,500,main',
'9090,6,500,controlplane',


@ -86,7 +86,7 @@ WHERE
AND NOT p0_cmd IN (
'/bin/systemctl is-enabled -q whoopsie.path',
'/bin/systemctl -q is-enabled whoopsie.path',
'systemctl reboot',
'/bin/systemctl --quiet is-enabled whoopsie.path',
'/bin/systemctl stop --no-block nvidia-persistenced',
'/sbin/runlevel',
'systemctl is-active systemd-resolved.service',
@ -99,6 +99,7 @@ WHERE
'systemctl -p LoadState show cups.service',
'systemctl -q is-enabled whoopsie',
'systemctl --quiet is-enabled cups.service',
'systemctl reboot',
'systemctl restart cups.service',
'systemctl status kubelet',
'systemctl stop kubelet',


@ -162,6 +162,7 @@ WHERE
'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
'pcscd,/snap/yubioath-desktop/__VERSION__/usr/sbin/pcscd,0,system.slice,snap.yubioath-desktop.pcscd.service,0755',
'pcscd,/usr/sbin/pcscd,0,system.slice,pcscd.service,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
'perl,/nix/store/__VERSION__/bin/perl,0,system.slice,znapzend.service,0555',
'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755',
'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
@ -170,10 +171,12 @@ WHERE
'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755',
'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755',
'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',
'sshd,/usr/bin/sshd,0,system.slice,sshd.service,0755',
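Review bot: `'gdm-session-wor,...'` in the first hunk and `'fish,...'` in the second land out of alphabetical order, between `pcscd`/`perl` and `scdaemon`/`sedispatch` respectively, in a list that is otherwise sorted by name; moving them to their `g` and `f` positions keeps the allowlist greppable. The second hunk adds two entries, and if `'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555'` is the other one, an `sshd` under `user.slice,user-1000.slice` (whatever the `0` field denotes) is an unusual enough shape that a one-line comment on why it is expected, e.g. `-- sshd launched from a user session on NixOS hosts`, would help the next reviewer judge it. The enclosing IN list starts and ends outside the hunk.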


@ -80,6 +80,10 @@ FROM
WHERE
pe.time > (strftime('%s', 'now') -300)
AND p0_euid < p1_euid
AND pe.status = 0
AND pe.parent > 0
AND pe.cmdline != ''
AND pe.cmdline IS NOT NULL
AND p1_path NOT IN (
'/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
'/usr/libexec/PerfPowerServicesExtended',
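Review bot: `pe.status = 0` here and `pe.status == 0` in the `/usr/bin/xattr` query (the `@ -79,21` hunk) spell the same comparison two ways; SQLite accepts both, but settling on one across the queries avoids churn. The `pe.cmdline != ''` and `pe.cmdline IS NOT NULL` pair (presumably among the four added lines) silently drops exec events whose command line was not captured; if the intent is to suppress noise from processes that exited before the event was enriched, a comment such as `-- cmdline is empty when the process exited before enrichment` would record that assumption, since discarding unenriched events also narrows what the query can see. The WHERE clause continues outside the hunk.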