From f87541c945a0995e904417d2da46557a96b7b4e0 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Fri, 17 Feb 2023 11:57:23 -0500 Subject: [PATCH] False positive flush, particularly in talkers --- .../c2/unexpected-https-client-linux.sql | 383 ++++++++---------- detection/c2/unexpected-talkers-linux.sql | 234 +++++------ detection/c2/unexpected-talkers-macos.sql | 6 + .../collection/high-disk-bytes-written.sql | 3 +- detection/evasion/hidden-cwd.sql | 1 + .../unexpected-hidden-system-paths.sql | 1 + .../execution/exotic-command-events-linux.sql | 1 + detection/execution/exotic-commands-linux.sql | 181 ++++----- .../recently-created-executables-linux.sql | 2 + .../recently-created-executables-macos.sql | 1 + .../execution/unexpected-fetcher-parents.sql | 1 + .../execution/unexpected-osascript-calls.sql | 5 +- ...ected-security-framework-program-macos.sql | 1 + .../unexpected-xattr-calls-macos.sql | 19 +- .../sketchy-mounted-diskimage.sql | 1 + .../unexpected-shell-parent-events.sql | 1 + .../unexpected-shell-parents.sql | 2 + .../unexpected-active-systemd-units.sql | 9 +- .../unexpected-chrome-extensions.sql | 1 + .../unexpected-listening-port-linux.sql | 9 +- .../unexpected-systemctl-calls-linux.sql | 3 +- .../unexpected-uid0-daemon-linux.sql | 3 + ...xpected-elevated-children-events_macos.sql | 4 + 23 files changed, 423 insertions(+), 449 deletions(-) diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql index c548351..ef4eeb0 100644 --- a/detection/c2/unexpected-https-client-linux.sql +++ b/detection/c2/unexpected-https-client-linux.sql @@ -26,16 +26,6 @@ SELECT CONCAT ( MIN(p.euid, 500), ',', - REPLACE( - REPLACE( - REGEX_MATCH (p.path, '(/.*?)/', 1), - '/nix', - '/usr' - ), - '/snap', - '/opt' - ), - '/', REGEX_MATCH (p.path, '.*/(.*?)$', 1), ',', MIN(f.uid, 500), 
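Review bot: Dropping the normalized directory component from exception_key means every entry in the allowlist below now matches on the executable's basename alone, so a binary that shares a name with an allowlisted one but runs from /tmp or a home directory is no longer distinguished from the system copy; the same change is made in the unexpected-talkers-linux.sql hunk at @@ -31. If that trade-off is intended, record it next to the CONCAT so later exceptions are added with it in mind, e.g. `-- NOTE: exception_key carries only the basename of p.path; a same-named binary in a user-writable dir matches the same entry`. For generic names (curl, bash, python3) an extra `p.path` constraint like the go-build one later in this file keeps the exception narrow. The CONCAT expression starts before this hunk and its remaining components continue after it.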
@@ -67,203 +57,182 @@ WHERE AND s.remote_address NOT LIKE 'fc00:%' AND p.path != '' AND NOT exception_key IN ( - '0,/opt/nessusd,0u,0g,nessusd', - '0,/opt/snapd,0u,0g,snapd', - '0,/sbin/apk,u,g,apk', - '0,/usr/applydeltarpm,0u,0g,applydeltarpm', - '0,/usr/bash,0u,0g,bash', - '0,/usr/bash,0u,0g,mkinitcpio', - '0,/usr/bash,0u,0g,sh', - '0,/usr/chainctl,0u,0g,chainctl', - '0,/usr/cmake,u,g,cmake', - '0,/usr/containerd,u,g,containerd', - '0,/usr/dirmngr,0u,0g,dirmngr', - '0,/usr/dockerd,0u,0g,dockerd', - '0,/usr/flatpak-system-helper,0u,0g,flatpak-system-', - '0,/usr/kmod,0u,0g,depmod', - '0,/usr/launcher,0u,0g,launcher', - '0,/usr/launcher,500u,500g,launcher', - '0,/usr/nix,0u,0g,nix', - '0,/usr/nix,0u,0g,nix-daemon', - '0,/usr/packagekitd,0u,0g,packagekitd', - '0,/usr/pacman,0u,0g,pacman', - '0,/usr/python3.10,0u,0g,dnf', - '0,/usr/python3.10,0u,0g,dnf-automatic', - '0,/usr/python3.10,0u,0g,yum', - '0,/usr/python3.11,0u,0g,dnf', - '0,/usr/python3.11,0u,0g,dnf-automatic', - '0,/usr/python3.11,0u,0g,yum', - '0,/usr/rpi-imager,0u,0g,rpi-imager', - '0,/usr/snapd,0u,0g,snapd', - '0,/usr/tailscaled,0u,0g,tailscaled', - '0,/usr/tailscaled,500u,500g,tailscaled', - '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra', - '105,/usr/http,0u,0g,https', - '106,/usr/geoclue,0u,0g,geoclue', - '500,/app/Discord,u,g,Discord', - '500,/app/signal-desktop,u,g,signal-desktop', - '500,/app/slack,u,g,slack', - '500,/app/spotify,u,g,spotify', - '500,/app/thunderbird,u,g,thunderbird', - '500,/app/zoom.real,u,g,zoom.real', - '500,/home/bom,500u,500g,bom', - '500,/home/buildkitd,500u,500g,buildkitd', - '500,/home/cargo,500u,500g,cargo', - '500,/home/chainctl,500u,100g,chainctl', - '500,/home/chainctl,500u,500g,chainctl', - '500,/home/code,500u,500g,code', - '500,/home/cosign,500u,500g,cosign', - '500,/home/crane,500u,500g,crane', - '500,/home/gitsign,500u,500g,gitsign', - '500,/home/go,500u,500g,go', - '500,/home/grype,500u,500g,grype', - '500,/home/hugo,500u,500g,hugo', - 
'500,/home/java,500u,500g,java', - '500,/home/jcef_helper,500u,500g,jcef_helper', - '500,/home/ko,500u,500g,ko', - '500,/home/krel,500u,500g,krel', - '500,/home/mconvert,500u,500g,mconvert', - '500,/home/Melvor Idle,500u,500g,exe', - '500,/home/nerdctl,500u,500g,nerdctl', - '500,/home/promoter,500u,500g,promoter', - '500,/home/publish-release,500u,500g,publish-release', - '500,/home/python3,500u,500g,python3', - '500,/home/slirp4netns,500u,500g,slirp4netns', - '500,/home/spotify,500u,500g,spotify', - '500,/home/steam,500u,100g,steam', - '500,/home/steam,500u,500g,steam', - '500,/home/steamwebhelper,500u,100g,steamwebhelper', - '500,/home/steamwebhelper,500u,500g,steamwebhelper', - '500,/home/terraform,500u,500g,terraform', - '500,/home/trivy,500u,500g,trivy', - '500,/home/WPILibInstaller,500u,500g,WPILibInstaller', - '500,/home/zdup,500u,500g,zdup', - '500,/ko-app/chainctl,u,g,chainctl', - '500,/ko-app/controller,u,g,controller', - '500,/ko-app/controlplane,u,g,controlplane', - '500,/opt/1password,0u,0g,1password', - '500,/opt/Brackets,0u,0g,Brackets', - '500,/opt/brave,0u,0g,brave', - '500,/opt/chrome,0u,0g,chrome', - '500,/opt/Discord,0u,0g,Discord', - '500,/opt/firefox,0u,0g,firefox', - '500,/opt/firefox,0u,0g,Socket Process', - '500,/opt/Keybase,0u,0g,Keybase', - '500,/opt/kubectl,0u,0g,kubectl', - '500,/opt/python3,500u,500g,python3', - '500,/opt/signal-desktop,0u,0g,signal-desktop', - '500,/opt/slack,0u,0g,slack', - '500,/opt/snap-store,0u,0g,snap-store', - '500,/opt/spotify,0u,0g,spotify', - '500,/opt/spotify,500u,500g,spotify', - '500,/opt/terraform,0u,0g,terraform', - '500,/opt/todoist,0u,0g,todoist', - '500,/opt/zoom,0u,0g,zoom', - '500,/sbin/apk,500u,500g,apk', - '500,/sbin/apk,u,g,apk', - '500,/tmp/istioctl,500u,500g,istioctl', - '500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb', - '500,/tmp/obsidian,u,g,obsidian', - '500,/tmp/scoville,500u,500g,scoville', - '500,/tmp/terraform,500u,500g,terraform', - '500,/tmp/wolfictl,500u,500g,wolfictl', - 
'500,/usr/abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen', - '500,/usr/apko,u,g,apko', - '500,/usr/aws,0u,0g,aws', - '500,/usr/bom,500u,500g,bom', - '500,/usr/cargo,0u,0g,cargo', - '500,/usr/chainctl,0u,0g,chainctl', - '500,/usr/chainctl,500u,493g,chainctl', - '500,/usr/chainctl,500u,500g,chainctl', - '500,/usr/chrome,0u,0g,chrome', - '500,/usr/code,0u,0g,code', - '500,/usr/cosign,500u,500g,cosign', - '500,/usr/cosign-linux-amd64,0u,0g,cosign', - '500,/usr/crane,0u,0g,crane', - '500,/usr/crane,500u,500g,crane', - '500,/usr/curl,0u,0g,curl', - '500,/usr/docker,0u,0g,docker', - '500,/usr/eksctl,0u,0g,eksctl', - '500,/usr/electron,0u,0g,electron', - '500,/usr/evolution-addressbook-factory,0u,0g,evolution-addre', - '500,/usr/evolution-calendar-factory,0u,0g,evolution-calen', - '500,/usr/firefox,0u,0g,firefox', - '500,/usr/firefox,0u,0g,.firefox-wrappe', - '500,/usr/firefox,0u,0g,Socket Process', - '500,/usr/flameshot,0u,0g,flameshot', - '500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut', - '500,/usr/geoclue,0u,0g,geoclue', - '500,/usr/git,0u,0g,git', - '500,/usr/git-remote-http,0u,0g,git-remote-http', - '500,/usr/gitsign,0u,0g,gitsign', - '500,/usr/gitsign,500u,0g,gitsign', - '500,/usr/gjs-console,0u,0g,org.gnome.Maps', - '500,/usr/gnome-recipes,0u,0g,gnome-recipes', - '500,/usr/gnome-shell,0u,0g,gnome-shell', - '500,/usr/gnome-software,0u,0g,gnome-software', - '500,/usr/go,0u,0g,go', - '500,/usr/go,500u,500g,go', - '500,/usr/goa-daemon,0u,0g,goa-daemon', - '500,/usr/go,u,g,go', - '500,/usr/grype,0u,0g,grype', - '500,/usr/gsd-datetime,0u,0g,gsd-datetime', - '500,/usr/gvfsd-google,0u,0g,gvfsd-google', - '500,/usr/gvfsd-http,0u,0g,gvfsd-http', - '500,/usr/htop,0u,0g,htop', - '500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a', - '500,/usr/java,0u,0g,java', - '500,/usr/java,u,g,java', - '500,/usr/kbfsfuse,0u,0g,kbfsfuse', - '500,/usr/keybase,0u,0g,keybase', - '500,/usr/ko,u,g,ko', - '500,/usr/kubectl,0u,0g,kubectl', - 
'500,/usr/kubectl,500u,500g,kubectl', - '500,/usr/lens,0u,0g,lens', - '500,/usr/melange,u,g,melange', - '500,/usr/minikube,0u,0g,minikube', - '500,/usr/nautilus,0u,0g,nautilus', - '500,/usr/nix,0u,0g,nix', - '500,/usr/node,0u,0g,node', - '500,/usr/node,0u,0g,.node2nix-wrapp', - '500,/usr/node,u,g,node', - '500,/usr/obs,0u,0g,obs', - '500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux', - '500,/usr/pacman,0u,0g,pacman', - '500,/usr/php8.1,0u,0g,php', - '500,/usr/python3,0u,0g,python3', - '500,/usr/python3.10,0u,0g,python', - '500,/usr/python3.10,0u,0g,python3', - '500,/usr/python3.11,0u,0g,gnome-abrt', - '500,/usr/python3.11,0u,0g,protonvpn', - '500,/usr/python3.11,0u,0g,prowler', - '500,/usr/reporter-ureport,0u,0g,reporter-urepor', - '500,/usr/rpi-imager,0u,0g,rpi-imager', - '500,/usr/rustup,0u,0g,rustup', - '500,/usr/signal-desktop,0u,0g,signal-desktop', - '500,/usr/signal-desktop,u,g,signal-desktop', - '500,/usr/slack,0u,0g,slack', - '500,/usr/spotify,0u,0g,spotify', - '500,/usr/step,500u,500g,step', - '500,/usr/step-cli,0u,0g,step', - '500,/usr/syncthing,0u,0g,syncthing', - '500,/usr/teams,0u,0g,teams', - '500,/usr/gjs-console,0u,0g,org.gnome.Maps', - '500,/home/cloud_sql_proxy,0u,0g,cloud_sql_proxy', - '500,/usr/terraform,0u,0g,terraform', - '500,/usr/thunderbird,0u,0g,thunderbird', - '500,/usr/trivy,0u,0g,trivy', - '500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr', - '500,/usr/wget,0u,0g,wget', - '500,/usr/xmobar,0u,0g,xmobar', - '500,/usr/yay,0u,0g,yay', - '88,6,500,/usr/syncthing,0u,0g,syncthing' + '0,apk,u,g,apk', + '0,applydeltarpm,0u,0g,applydeltarpm', + '0,bash,0u,0g,bash', + '0,bash,0u,0g,mkinitcpio', + '0,bash,0u,0g,sh', + '0,chainctl,0u,0g,chainctl', + '0,cmake,u,g,cmake', + '0,containerd,u,g,containerd', + '0,dirmngr,0u,0g,dirmngr', + '0,dockerd,0u,0g,dockerd', + '0,flatpak-system-helper,0u,0g,flatpak-system-', + '0,kmod,0u,0g,depmod', + '0,launcher,0u,0g,launcher', + '0,launcher,500u,500g,launcher', + '0,nessusd,0u,0g,nessusd', + '0,nix,0u,0g,nix', + 
'0,nix,0u,0g,nix-daemon', + '0,packagekitd,0u,0g,packagekitd', + '0,pacman,0u,0g,pacman', + '0,python3.10,0u,0g,dnf', + '0,python3.10,0u,0g,dnf-automatic', + '0,python3.10,0u,0g,yum', + '0,python3.11,0u,0g,dnf', + '0,python3.11,0u,0g,dnf-automatic', + '0,python3.11,0u,0g,yum', + '0,rpi-imager,0u,0g,rpi-imager', + '0,snapd,0u,0g,snapd', + '0,tailscaled,0u,0g,tailscaled', + '0,tailscaled,500u,500g,tailscaled', + '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra', + '105,http,0u,0g,https', + '106,geoclue,0u,0g,geoclue', + '500,1password,0u,0g,1password', + '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen', + '500,apk,500u,500g,apk', + '500,apko,u,g,apko', + '500,apk,u,g,apk', + '500,aws,0u,0g,aws', + '500,bom,500u,500g,bom', + '500,Brackets,0u,0g,Brackets', + '500,brave,0u,0g,brave', + '500,buildkitd,500u,500g,buildkitd', + '500,cargo,0u,0g,cargo', + '500,cargo,500u,500g,cargo', + '500,chainctl,0u,0g,chainctl', + '500,chainctl,500u,100g,chainctl', + '500,chainctl,500u,493g,chainctl', + '500,chainctl,500u,500g,chainctl', + '500,chrome,0u,0g,chrome', + '500,cloud_sql_proxy,0u,0g,cloud_sql_proxy', + '500,code,0u,0g,code', + '500,code,500u,500g,code', + '500,cosign,500u,500g,cosign', + '500,cosign-linux-amd64,0u,0g,cosign', + '500,crane,0u,0g,crane', + '500,crane,500u,500g,crane', + '500,curl,0u,0g,curl', + '500,Discord,0u,0g,Discord', + '500,Discord,u,g,Discord', + '500,docker,0u,0g,docker', + '500,eksctl,0u,0g,eksctl', + '500,electron,0u,0g,electron', + '500,evolution-addressbook-factory,0u,0g,evolution-addre', + '500,evolution-calendar-factory,0u,0g,evolution-calen', + '500,firefox,0u,0g,firefox', + '500,firefox,0u,0g,.firefox-wrappe', + '500,firefox,0u,0g,Socket Process', + '500,flameshot,0u,0g,flameshot', + '500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut', + '500,geoclue,0u,0g,geoclue', + '500,git,0u,0g,git', + '500,git-remote-http,0u,0g,git-remote-http', + '500,gitsign,0u,0g,gitsign', + '500,gitsign,500u,0g,gitsign', + '500,gitsign,500u,500g,gitsign', 
+ '500,gjs-console,0u,0g,org.gnome.Maps', + '500,gnome-recipes,0u,0g,gnome-recipes', + '500,gnome-shell,0u,0g,gnome-shell', + '500,gnome-software,0u,0g,gnome-software', + '500,go,0u,0g,go', + '500,go,500u,500g,go', + '500,goa-daemon,0u,0g,goa-daemon', + '500,go,u,g,go', + '500,grype,0u,0g,grype', + '500,grype,500u,500g,grype', + '500,gsd-datetime,0u,0g,gsd-datetime', + '500,gvfsd-google,0u,0g,gvfsd-google', + '500,gvfsd-http,0u,0g,gvfsd-http', + '500,htop,0u,0g,htop', + '500,hugo,500u,500g,hugo', + '500,io.elementary.appcenter,0u,0g,io.elementary.a', + '500,istioctl,500u,500g,istioctl', + '500,java,0u,0g,java', + '500,java,500u,500g,java', + '500,java,u,g,java', + '500,jcef_helper,500u,500g,jcef_helper', + '500,jetbrains-toolbox,u,g,jetbrains-toolb', + '500,kbfsfuse,0u,0g,kbfsfuse', + '500,keybase,0u,0g,keybase', + '500,Keybase,0u,0g,Keybase', + '500,ko,500u,500g,ko', + '500,ko,u,g,ko', + '500,krel,500u,500g,krel', + '500,kubectl,0u,0g,kubectl', + '500,kubectl,500u,500g,kubectl', + '500,lens,0u,0g,lens', + '500,mconvert,500u,500g,mconvert', + '500,melange,u,g,melange', + '500,Melvor Idle,500u,500g,exe', + '500,minikube,0u,0g,minikube', + '500,nautilus,0u,0g,nautilus', + '500,nerdctl,500u,500g,nerdctl', + '500,nix,0u,0g,nix', + '500,node,0u,0g,node', + '500,node,0u,0g,.node2nix-wrapp', + '500,node,u,g,node', + '500,obs,0u,0g,obs', + '500,obs,u,g,obs', + '500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux', + '500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux', + '500,obsidian,u,g,obsidian', + '500,pacman,0u,0g,pacman', + '500,php8.1,0u,0g,php', + '500,promoter,500u,500g,promoter', + '500,publish-release,500u,500g,publish-release', + '500,python3,0u,0g,python3', + '500,python3.10,0u,0g,python', + '500,python3.10,0u,0g,python3', + '500,python3.11,0u,0g,gnome-abrt', + '500,python3.11,0u,0g,protonvpn', + '500,python3.11,0u,0g,prowler', + '500,python3,500u,500g,python3', + '500,reporter-ureport,0u,0g,reporter-urepor', + '500,rpi-imager,0u,0g,rpi-imager', + '500,rustup,0u,0g,rustup', + 
'500,scoville,500u,500g,scoville', + '500,signal-desktop,0u,0g,signal-desktop', + '500,signal-desktop,u,g,signal-desktop', + '500,slack,0u,0g,slack', + '500,slack,u,g,slack', + '500,slirp4netns,500u,500g,slirp4netns', + '500,snap-store,0u,0g,snap-store', + '500,spotify,0u,0g,spotify', + '500,spotify,500u,500g,spotify', + '500,spotify,u,g,spotify', + '500,steam,500u,100g,steam', + '500,steam,500u,500g,steam', + '500,steamwebhelper,500u,100g,steamwebhelper', + '500,steamwebhelper,500u,500g,steamwebhelper', + '500,step,500u,500g,step', + '500,step-cli,0u,0g,step', + '500,syncthing,0u,0g,syncthing', + '500,teams,0u,0g,teams', + '500,terraform,0u,0g,terraform', + '500,terraform,500u,500g,terraform', + '500,thunderbird,0u,0g,thunderbird', + '500,thunderbird,u,g,thunderbird', + '500,todoist,0u,0g,todoist', + '500,trivy,0u,0g,trivy', + '500,trivy,500u,500g,trivy', + '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', + '500,wget,0u,0g,wget', + '500,wolfictl,500u,500g,wolfictl', + '500,WPILibInstaller,500u,500g,WPILibInstaller', + '500,xmobar,0u,0g,xmobar', + '500,yay,0u,0g,yay', + '500,zdup,500u,500g,zdup', + '500,zoom,0u,0g,zoom', + '500,zoom.real,u,g,zoom.real', + '88,6,500,syncthing,0u,0g,syncthing' ) -- Exceptions where we have to be more flexible for the process name - AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %' - AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm install %' - AND NOT exception_key LIKE '500,/usr/cosign-%,500u,500g,cosign-%' - AND NOT exception_key LIKE '500,%/terraform-provider-%,500u,500g,terraform-provi' - AND NOT exception_key LIKE '0,/ko-app/%,u,g,%' + AND NOT exception_key LIKE '500,node,0u,0g,npm exec %' + AND NOT exception_key LIKE '500,node,0u,0g,npm install %' + AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%' + AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi' -- stay weird, NixOS (Fastly nix mirror) AND NOT ( pp.cmdline = '/run/current-system/sw/bin/bash' 
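Review bot: The last entry `'88,6,500,syncthing,0u,0g,syncthing'` has seven fields while the key built in this file has five (euid, basename, uid, gid, name), so it can never match and looks carried over from the talkers query; it can be dropped, since `'500,syncthing,0u,0g,syncthing'` is already in the list. The removed `LIKE '0,/ko-app/%,u,g,%'` pattern and the three `/ko-app/` entries have no basename-only replacement in this hunk; if the container exclusion referenced further down is meant to cover them, a one-line comment here such as `-- ko-app binaries are covered by the container exclusion below` would save the next reader the search. The IN list and the WHERE clause both continue outside the hunk.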
@@ -272,11 +241,11 @@ WHERE
 AND s.state = 'ESTABLISHED'
 )
 AND NOT (
- exception_key = '500,/tmp/%,500u,500g,%'
+ exception_key = '500,%,500u,500g,%'
 AND p.path LIKE '/tmp/go-build%/exe/%'
 )
 AND NOT (
- exception_key = '0,/usr/curl,0u,0g,curl'
+ exception_key = '0,curl,0u,0g,curl'
 AND p.cmdline = 'curl --fail https://ipinfo.io/timezone'
 )
 -- Exclude processes running inside of containers
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 3c56b8a..fab1f34 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -31,16 +31,6 @@ SELECT
 ',',
 MIN(p.euid, 500),
 ',',
- REPLACE(
- REPLACE(
- REGEX_MATCH (p.path, '(/.*?)/', 1),
- '/nix',
- '/usr'
- ),
- '/snap',
- '/opt'
- ),
- '/',
 REGEX_MATCH (p.path, '.*/(.*?)$', 1),
 ',',
 MIN(f.uid, 500),
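Review bot: `exception_key = '500,%,500u,500g,%'` compares with `=`, so the `%` characters are literal and this branch can never be true; the go-build exception is dead both before and after the change, and the `p.path LIKE '/tmp/go-build%/exe/%'` guard on the next line never gets to apply. The comparison should read `exception_key LIKE '500,%,500u,500g,%'`, and since the basename is now the only thing between the wildcards, the path guard is what actually scopes this exception, which is worth saying in a comment. The enclosing WHERE continues outside the hunk.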
@@ -87,118 +77,115 @@ WHERE AND s.remote_address NOT LIKE 'fc00:%' AND p.path != '' AND NOT exception_key IN ( - '123,17,114,/usr/chronyd,0u,0g,chronyd', - '123,17,500,/usr/chronyd,0u,0g,chronyd', - '4070,6,500,/home/spotify,500u,500g,spotify', - '143,6,500,/app/thunderbird,u,g,thunderbird', - '143,6,500,/usr/thunderbird,0u,0g,thunderbird', - '19305,6,500,/opt/firefox,0u,0g,firefox', - '19305,6,500,/usr/firefox,0u,0g,firefox', - '80,6,500,/usr/aws-iam-authenticator,0u,0g,aws-iam-authent', - '19305,6,500,/usr/firefox,0u,0g,.firefox-wrappe', - '22000,6,500,/usr/syncthing,0u,0g,syncthing', - '80,6,500,/home/slirp4netns,500u,500g,slirp4netns', - '22,6,0,/usr/ssh,0u,0g,ssh', - '22,6,0,/usr/tailscaled,0u,0g,tailscaled', - '22,6,500,/home/cargo,500u,500g,cargo', - '80,6,0,/usr/appstreamcli,0u,0g,appstreamcli', - '22,6,500,/home/terraform,500u,500g,terraform', - '22,6,500,/usr/cargo,0u,0g,cargo', - '22,6,500,/usr/ssh,0u,0g,ssh', - '3000,6,500,/opt/brave,0u,0g,brave', - '3000,6,500,/opt/chrome,0u,0g,chrome', - '32768,6,0,/usr/tailscaled,0u,0g,tailscaled', - '32768,6,500,/usr/ssh,0u,0g,ssh', - '3443,6,500,/opt/chrome,0u,0g,chrome', - '3478,6,500,/opt/chrome,0u,0g,chrome', - '3478,6,500,/opt/firefox,0u,0g,firefox', - '3478,6,500,/usr/chrome,0u,0g,chrome', - '3478,6,500,/usr/firefox,0u,0g,firefox', - '4070,6,500,/app/spotify,u,g,spotify', - '4070,6,500,/opt/spotify,0u,0g,spotify', - '4070,6,500,/opt/spotify,500u,500g,spotify', - '4070,6,500,/usr/spotify,0u,0g,spotify', - '43,6,500,/usr/whois,0u,0g,whois', - '4460,6,114,/usr/chronyd,0u,0g,chronyd', - '5004,6,500,/opt/brave,0u,0g,brave', - '5006,6,500,/opt/brave,0u,0g,brave', - '500,/usr/htop,0u,0g,htop', - '5228,6,500,/opt/chrome,0u,0g,chrome', - '80,6,0,/usr/zstd,0u,0g,zstd', - '5228,6,500,/usr/chrome,0u,0g,chrome', - '6443,6,500,/usr/kubectl,0u,0g,kubectl', - '67,17,0,/usr/NetworkManager,0u,0g,NetworkManager', - '8000,6,500,/opt/chrome,0u,0g,chrome', - '8000,6,500,/usr/firefox,0u,0g,firefox', - 
'80,6,0,/usr/applydeltarpm,0u,0g,applydeltarpm', - '80,6,0,/usr/bash,0u,0g,bash', - '80,6,0,/usr/bash,0u,0g,mkinitcpio', - '80,6,0,/usr/bash,0u,0g,sh', - '80,6,0,/usr/bash,0u,0g,update-ca-trust', - '80,6,0,/usr/cp,0u,0g,cp', - '80,6,0,/usr/fc-cache,0u,0g,fc-cache', - '22,6,500,/usr/netcat,0u,0g,nc', - '80,6,0,/usr/find,0u,0g,find', - '80,6,0,/usr/gpg,0u,0g,gpg', - '80,6,0,/usr/kmod,0u,0g,depmod', - '80,6,0,/usr/kubelet,u,g,kubelet', - '80,6,0,/usr/ldconfig,0u,0g,ldconfig', - '80,6,0,/usr/NetworkManager,0u,0g,NetworkManager', - '80,6,0,/usr/packagekitd,0u,0g,packagekitd', - '80,6,0,/usr/pacman,0u,0g,pacman', - '9999,6,500,/opt/firefox,0u,0g,firefox', - '80,6,0,/usr/python3.10,0u,0g,dnf', - '80,6,0,/usr/python3.10,0u,0g,dnf-automatic', - '80,6,0,/usr/python3.10,0u,0g,yum', - '80,6,0,/usr/python3.11,0u,0g,dnf', - '80,6,0,/usr/python3.11,0u,0g,yum', - '80,6,0,/usr/tailscaled,0u,0g,tailscaled', - '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra', - '80,6,0,/usr/wget,0u,0g,wget', - '80,6,100,/usr/http,0u,0g,http', - '80,6,105,/usr/http,0u,0g,http', - '80,6,500,/app/signal-desktop,u,g,signal-desktop', - '80,6,500,/app/spotify,u,g,spotify', - '80,6,500,/app/thunderbird,u,g,thunderbird', - '80,6,500,/home/mconvert,500u,500g,mconvert', - '80,6,500,/home/steam,500u,100g,steam', - '80,6,500,/home/steam,500u,500g,steam', - '80,6,500,/home/steamwebhelper,500u,500g,steamwebhelper', - '80,6,500,/home/terraform,500u,500g,terraform', - '80,6,500,/opt/brave,0u,0g,brave', - '80,6,500,/opt/chrome,0u,0g,chrome', - '80,6,500,/opt/firefox,0u,0g,firefox', - '80,6,500,/opt/spotify,0u,0g,spotify', - '80,6,0,/usr/bash,0u,0g,bash', - '80,6,500,/home/cloud_sql_proxy,0u,0g,cloud_sql_proxy', - '80,6,500,/opt/zoom,0u,0g,zoom', - '80,6,500,/usr/python3.10,0u,0g,aws', - '80,6,500,/usr/spotify-launcher,0u,0g,spotify-launche', - '80,6,500,/usr/chrome,0u,0g,chrome', - '80,6,500,/usr/curl,0u,0g,curl', - '80,6,500,/usr/electron,0u,0g,electron', - '80,6,500,/usr/firefox,0u,0g,firefox', - 
'80,6,500,/usr/firefox,0u,0g,.firefox-wrappe', - '80,6,500,/usr/gnome-software,0u,0g,gnome-software', - '80,6,500,/usr/pacman,0u,0g,pacman', - '80,6,500,/usr/python3.10,0u,0g,yum', - '80,6,500,/usr/python3.11,0u,0g,abrt-action-ins', - '80,6,500,/usr/rpi-imager,0u,0g,rpi-imager', - '80,6,500,/usr/signal-desktop,0u,0g,signal-desktop', - '80,6,500,/usr/thunderbird,0u,0g,thunderbird', - '80,6,500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr', - '8080,6,500,/opt/chrome,0u,0g,chrome', - '8080,6,500,/usr/firefox,0u,0g,firefox', - '8080,6,500,/usr/python3.11,0u,0g,speedtest-cli', - '8080,6,500,/usr/speedtest,500u,500g,speedtest', - '8443,6,500,/opt/chrome,0u,0g,chrome', - '8443,6,500,/usr/firefox,0u,0g,firefox', - '8801,17,500,/app/zoom.real,u,g,zoom.real', - '8801,17,500,/opt/zoom,0u,0g,zoom', - '88,6,500,/usr/syncthing,0u,0g,syncthing', - '993,6,500,/app/thunderbird,u,g,thunderbird', - '993,6,500,/usr/evolution,0u,0g,evolution', - '993,6,500,/usr/thunderbird,0u,0g,thunderbird' + '123,17,114,chronyd,0u,0g,chronyd', + '123,17,500,chronyd,0u,0g,chronyd', + '143,6,500,thunderbird,0u,0g,thunderbird', + '143,6,500,thunderbird,u,g,thunderbird', + '19305,6,500,firefox,0u,0g,firefox', + '19305,6,500,firefox,0u,0g,.firefox-wrappe', + '22000,6,500,syncthing,0u,0g,syncthing', + '22,6,0,ssh,0u,0g,ssh', + '22,6,0,tailscaled,0u,0g,tailscaled', + '22,6,500,cargo,0u,0g,cargo', + '22,6,500,cargo,500u,500g,cargo', + '22,6,500,netcat,0u,0g,nc', + '22,6,500,ssh,0u,0g,ssh', + '22,6,500,terraform,500u,500g,terraform', + '3000,6,500,brave,0u,0g,brave', + '3000,6,500,chrome,0u,0g,chrome', + '32768,6,0,tailscaled,0u,0g,tailscaled', + '32768,6,500,ssh,0u,0g,ssh', + '3443,6,500,chrome,0u,0g,chrome', + '3478,6,500,chrome,0u,0g,chrome', + '3478,6,500,firefox,0u,0g,firefox', + '4070,6,500,spotify,0u,0g,spotify', + '4070,6,500,spotify,500u,500g,spotify', + '4070,6,500,spotify,u,g,spotify', + '43,6,500,whois,0u,0g,whois', + '4460,6,114,chronyd,0u,0g,chronyd', + '5004,6,500,brave,0u,0g,brave', + 
'5006,6,500,brave,0u,0g,brave', + '500,htop,0u,0g,htop', + '5228,6,500,chrome,0u,0g,chrome', + '6443,6,500,kubectl,0u,0g,kubectl', + '67,17,0,NetworkManager,0u,0g,NetworkManager', + '8000,6,500,brave,0u,0g,brave', + '8000,6,500,chrome,0u,0g,chrome', + '8000,6,500,firefox,0u,0g,firefox', + '80,6,0,applydeltarpm,0u,0g,applydeltarpm', + '80,6,0,appstreamcli,0u,0g,appstreamcli', + '80,6,0,bash,0u,0g,bash', + '80,6,0,bash,0u,0g,mkinitcpio', + '80,6,0,bash,0u,0g,sh', + '80,6,0,bash,0u,0g,update-ca-trust', + '80,6,0,cp,0u,0g,cp', + '80,6,0,fc-cache,0u,0g,fc-cache', + '80,6,0,find,0u,0g,find', + '80,6,0,gawk,0u,0g,awk', + '80,6,0,gpg,0u,0g,gpg', + '80,6,0,kmod,0u,0g,depmod', + '80,6,0,kubelet,u,g,kubelet', + '80,6,0,ldconfig,0u,0g,ldconfig', + '80,6,0,NetworkManager,0u,0g,NetworkManager', + '80,6,0,packagekitd,0u,0g,packagekitd', + '80,6,0,pacman,0u,0g,pacman', + '80,6,0,python3.10,0u,0g,dnf', + '80,6,0,python3.10,0u,0g,dnf-automatic', + '80,6,0,python3.10,0u,0g,yum', + '80,6,0,python3.11,0u,0g,dnf', + '80,6,0,python3.11,0u,0g,yum', + '80,6,0,tailscaled,0u,0g,tailscaled', + '80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra', + '80,6,0,/usr/python2.7,u,g,yum', + '80,6,0,/usr/xargs,0u,0g,xargs', + '80,6,0,wget,0u,0g,wget', + '80,6,0,zstd,0u,0g,zstd', + '80,6,100,http,0u,0g,http', + '80,6,105,http,0u,0g,http', + '80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent', + '80,6,500,brave,0u,0g,brave', + '80,6,500,chrome,0u,0g,chrome', + '80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy', + '80,6,500,curl,0u,0g,curl', + '80,6,500,electron,0u,0g,electron', + '80,6,500,firefox,0u,0g,firefox', + '80,6,500,firefox,0u,0g,.firefox-wrappe', + '80,6,500,gnome-software,0u,0g,gnome-software', + '80,6,500,mconvert,500u,500g,mconvert', + '80,6,500,obs-browser-page,u,g,obs-browser-pag', + '80,6,500,pacman,0u,0g,pacman', + '80,6,500,python3.10,0u,0g,aws', + '80,6,500,python3.10,0u,0g,yum', + '80,6,500,python3.11,0u,0g,abrt-action-ins', + '80,6,500,rpi-imager,0u,0g,rpi-imager', + 
'80,6,500,signal-desktop,0u,0g,signal-desktop', + '80,6,500,signal-desktop,u,g,signal-desktop', + '80,6,500,slirp4netns,500u,500g,slirp4netns', + '80,6,500,spotify,0u,0g,spotify', + '80,6,500,spotify-launcher,0u,0g,spotify-launche', + '80,6,500,spotify,u,g,spotify', + '80,6,500,steam,500u,100g,steam', + '80,6,500,steam,500u,500g,steam', + '80,6,500,steamwebhelper,500u,500g,steamwebhelper', + '80,6,500,terraform,500u,500g,terraform', + '80,6,500,thunderbird,0u,0g,thunderbird', + '80,6,500,thunderbird,u,g,thunderbird', + '80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', + '80,6,500,zoom,0u,0g,zoom', + '8080,6,500,brave,0u,0g,brave', + '8080,6,500,chrome,0u,0g,chrome', + '8080,6,500,firefox,0u,0g,firefox', + '8080,6,500,python3.11,0u,0g,speedtest-cli', + '8080,6,500,speedtest,500u,500g,speedtest', + '8443,6,500,chrome,0u,0g,chrome', + '8443,6,500,firefox,0u,0g,firefox', + '8801,17,500,zoom,0u,0g,zoom', + '8801,17,500,zoom.real,u,g,zoom.real', + '88,6,500,syncthing,0u,0g,syncthing', + '993,6,500,evolution,0u,0g,evolution', + '993,6,500,thunderbird,0u,0g,thunderbird', + '993,6,500,thunderbird,u,g,thunderbird', + '9999,6,500,firefox,0u,0g,firefox' ) AND NOT ( p.name = 'java' @@ -230,9 +217,8 @@ WHERE ) -- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP) AND NOT ( - exception_key = '32768,6,500,/usr/ssh,0u,0g,ssh' + exception_key = '32768,6,500,ssh,0u,0g,ssh' AND s.remote_port = 40022 - AND s.remote_address = '104.131.84.33' -- gatekeeper.uservers.net ) AND NOT ( s.remote_port = 80 diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index fafc33f..d5794dc 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql 
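Review bot: Three new-side entries cannot match the rewritten key: `'500,htop,0u,0g,htop'` lacks the port and protocol fields, and `'80,6,0,/usr/python2.7,u,g,yum'` and `'80,6,0,/usr/xargs,0u,0g,xargs'` still carry the `/usr/` prefix that the key no longer contains after the @@ -31 hunk above. Rewrite the last two as `'80,6,0,python2.7,u,g,yum'` and `'80,6,0,xargs,0u,0g,xargs'`, and either drop the htop entry or give it a port and protocol. Once corrected, those two entries exempt root processes named python2.7/yum and xargs talking to port 80 by name alone, which is broad for a euid-0 exception; a remote_port or cmdline constraint like the AND NOT branches after this list would keep them narrow. The java exception that begins at the end of this hunk continues past it.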
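Review bot: Removing `AND s.remote_address = '104.131.84.33'` widens this exception from one named host to any uid-500 ssh session to remote port 40022, which is the opposite direction from the TODO directly above it that asks for the rule to move into a site-specific overlay. If the address was dropped because it changed, substituting the current one keeps the exception host-specific; otherwise moving the whole AND NOT branch into the overlay now would close the TODO instead of broadening a detection-wide rule. The enclosing WHERE continues on both sides of the hunk.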
@@ -69,6 +69,7 @@ WHERE
 AND p.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
 AND p.path NOT LIKE '/usr/libexec/%'
 AND p.path NOT LIKE '/usr/sbin/%'
+ AND p.path NOT LIKE '/usr/local/kolide-k2/bin/%'
 AND p.path NOT LIKE '/private/var/folders/%/go-build%/%'
 -- Apple programs running from weird places, like the UpdateBrainService
 AND NOT (
@@ -179,11 +180,14 @@ WHERE
 '443,6,500,bom,,',
 '443,6,500,chainctl,,',
 '443,6,500,chainctl,a.out,',
+ '443,6,0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3)',
 '443,6,500,chainctl,chainctl,',
+ '443,6,500,trivy,,',
 '443,6,500,chainctl_darwin_arm64,a.out,',
 '443,6,500,chainctl_Darwin_arm64,a.out,',
 '443,6,500,civo,a.out,',
 '443,6,500,cloud_sql_proxy,a.out,',
+ '443,6,500,Paintbrush,com.soggywaffles.paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG)',
 '443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '443,6,500,com.docker.backend,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
@@ -192,7 +196,9 @@ WHERE
 '443,6,500,cosign,a.out,',
 '443,6,500,cosign,cosign,',
 '443,6,500,crane,,',
+ '443,17,500,Signal Helper,org.whispersystems.signal-desktop.helper,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
 '443,6,500,crane,a.out,',
+ '443,6,500,Amazon Photos Installer,com.amazon.clouddrive.mac.installer,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
 '443,6,500,crane,crane,',
 '443,6,500,ctclient,a.out,',
 '443,6,500,curl,com.apple.curl,Software Signing',
diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
index ec0cb84..56a5b2b 100644
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
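Review bot: The new `p.path NOT LIKE '/usr/local/kolide-k2/bin/%'` exclusion exempts every binary under that directory by path alone, ahead of the signer-checked exception list that the next hunk in this file also extends with a Kolide `launcher` entry carrying its Developer ID. If both are needed, a comment stating why the path exclusion is required in addition to the signed entry would help, e.g. `-- kolide-k2 agent directory: exempted by path, not by signer`; otherwise the signed entry alone is the tighter of the two. The WHERE clause continues outside the hunk.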
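Review bot: The five entries added in this hunk and the next (`launcher`, `trivy`, `Paintbrush`, `Signal Helper`, `Amazon Photos Installer`) are dropped between the `chainctl` and `crane` groups rather than at the sorted position the rest of the list follows, which makes duplicates hard to spot in a list this long; the same applies to `'trivy-db'` in high-disk-bytes-written.sql and `'/var/setup/.TemporaryItems'` in unexpected-hidden-system-paths.sql later in this patch. Also note that `'443,6,500,trivy,,'` has empty bundle-id and signer fields, so any uid-500 process named trivy matches it; that is consistent with the `bom`, `chainctl` and `crane` entries around it, but it is the weakest form of exception this key supports. The exception list starts and ends outside the hunk.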
@@ -28,7 +28,7 @@ FROM
 processes p
 LEFT JOIN hash ON p.path = hash.path
 WHERE
- bytes_per_second > 6500000
+ bytes_per_second > 7500000
 AND age > 30
 AND pid > 2
 AND p.path NOT IN (
@@ -123,6 +123,7 @@ WHERE
 'fsdaemon',
 'go',
 'goland',
+ 'trivy-db',
 'golangci-lint-v',
 'gopls',
 'grype',
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index de047fc..7cb1450 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -34,6 +34,7 @@ SELECT
 ) AS exception_key,
 -- Child
 p0.pid AS p0_pid,
+ p0.cgroup_path AS p0_cgroup,
 p0.path AS p0_path,
 p0.name AS p0_name,
 p0.cmdline AS p0_cmd,
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index 53c9356..0a9eb33 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -99,6 +99,7 @@ WHERE
 '/var/db/.StagedAppleUpgrade',
 '/var/db/.SystemPolicy-default',
 '/var/.ntw_cache',
+ '/var/setup/.TemporaryItems',
 '/var/.Parallels_swap/',
 '/var/.pwd_cache',
 '/var/root/.bash_history',
diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql
index ee6c845..dae9fa9 100644
--- a/detection/execution/exotic-command-events-linux.sql
+++ b/detection/execution/exotic-command-events-linux.sql
@@ -109,6 +109,7 @@ WHERE
 OR (
 INSTR(p0_cmd, 'history') > 0
 AND p0_cmd LIKE '%history'
+ AND p0_cmd NOT LIKE 'man %'
 )
 OR p0_cmd LIKE '%touch%acmr%'
 OR p0_cmd LIKE '%touch -r%'
diff --git a/detection/execution/exotic-commands-linux.sql b/detection/execution/exotic-commands-linux.sql
index ad484ef..248a6df 100644
--- a/detection/execution/exotic-commands-linux.sql
+++ b/detection/execution/exotic-commands-linux.sql
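Review bot: `bytes_per_second > 7500000` is a bare magic number with no unit or rationale, and this commit changes its value without adding either, so the next tuning pass has nothing to reason from. A short comment on the line documents the choice, e.g. `-- ~7.5 MB/s sustained; raised from 6.5 MB/s to cut false positives`. The WHERE clause and the p.path NOT IN list continue past the hunk.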
@@ -41,97 +41,94 @@ FROM
 LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE
- -- Known attack scripts
- p0.name IN (
- 'bitspin',
- 'bpftool',
- 'heyoka',
- 'nstx',
- 'dnscat2',
- 'tuns',
- 'iodine',
- 'esxcli',
- 'vim-cmd',
- 'minerd',
- 'cpuminer-multi',
- 'cpuminer',
- 'httpdns',
- 'rshell',
- 'rsh',
- 'xmrig',
- 'incbit',
- 'insmod',
- 'kmod',
- 'lushput',
- 'mkfifo',
- 'msfvenom',
- 'nc',
- 'socat'
+WHERE -- Known attack scripts
+ (
+ p0.name IN (
+ 'bitspin',
+ 'bpftool',
+ 'heyoka',
+ 'nstx',
+ 'dnscat2',
+ 'tuns',
+ 'iodine',
+ 'esxcli',
+ 'vim-cmd',
+ 'minerd',
+ 'cpuminer-multi',
+ 'cpuminer',
+ 'httpdns',
+ 'rshell',
+ 'rsh',
+ 'xmrig',
+ 'incbit',
+ 'insmod',
+ 'kmod',
+ 'lushput',
+ 'mkfifo',
+ 'msfvenom',
+ 'nc',
+ 'socat'
+ )
+ OR p0.name LIKE '%pwn%'
+ OR p0.name LIKE '%xig%'
+ OR p0.name LIKE '%xmr%'
+ OR p0.cmdline LIKE '%--pool%'
+ OR p0.cmdline LIKE '%--algo%'
+ OR p0.cmdline LIKE '%--wss%'
+ OR p0.cmdline LIKE '%bitspin%'
+ OR p0.cmdline LIKE '%lushput%'
+ OR p0.cmdline LIKE '%incbit%'
+ OR p0.cmdline LIKE '%traitor%'
+ OR p0.cmdline LIKE '%msfvenom%' -- Unusual behaviors
+ OR p0.cmdline LIKE '%ufw disable%'
+ OR p0.cmdline LIKE '%iptables -P % ACCEPT%'
+ OR p0.cmdline LIKE '%iptables -F%'
+ OR p0.cmdline LIKE '%chattr -ia%'
+ OR p0.cmdline LIKE '%chflags uchg%'
+ OR p0.cmdline LIKE '%chmod 777 %'
+ OR p0.cmdline LIKE '%bpftool%'
+ OR p0.cmdline LIKE '%touch%acmr%'
+ OR p0.cmdline LIKE '%ld.so.preload%'
+ OR p0.cmdline LIKE '%urllib.urlopen%'
+ OR p0.cmdline LIKE '%nohup%tmp%'
+ OR p0.cmdline LIKE '%chrome%--load-extension%'
+ OR (
+ p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
+ AND NOT p1.name = 'limactl'
+ ) -- Crypto miners
+ OR p0.cmdline LIKE '%c3pool%'
+ OR p0.cmdline LIKE '%cryptonight%'
+ OR p0.cmdline LIKE '%f2pool%'
+ OR p0.cmdline LIKE '%hashrate%'
+ OR p0.cmdline LIKE '%hashvault%'
+ OR p0.cmdline LIKE '%minerd%'
+ OR p0.cmdline LIKE '%monero%'
+ OR p0.cmdline LIKE '%nanopool%'
+ OR p0.cmdline LIKE '%nicehash%'
+ OR p0.cmdline LIKE '%stratum%' -- Random keywords
+ OR p0.cmdline LIKE '%ransom%'
+ OR p0.cmdline LIKE '%malware%'
+ OR p0.cmdline LIKE '%plant%' -- Reverse shells
+ OR p0.cmdline LIKE '%/dev/tcp/%'
+ OR p0.cmdline LIKE '%/dev/udp/%'
+ OR p0.cmdline LIKE '%fsockopen%'
+ OR p0.cmdline LIKE '%openssl%quiet%'
+ OR p0.cmdline LIKE '%pty.spawn%'
+ OR (
+ p0.cmdline LIKE '%sh -i'
+ AND NOT p0.path = '/usr/bin/docker'
+ AND NOT p1.name IN ('sh', 'java', 'containerd-shim')
+ AND NOT p1.cmdline LIKE '%pipenv shell'
+ AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
+ AND NOT p0.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
+ )
+ OR p0.cmdline LIKE '%socat '
+ OR p0.cmdline LIKE '%SOCK_STREAM%'
+ OR INSTR(p0.cmdline, '%Socket.%') > 0 -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
+ OR (
+ p0.cmdline LIKE '%tail -f /dev/null%'
+ AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
+ )
 )
- OR p0.name LIKE '%pwn%'
- OR p0.name LIKE '%xig%'
- OR p0.name LIKE '%xmr%'
- OR p0.cmdline LIKE '%--pool%'
- OR p0.cmdline LIKE '%--algo%'
- OR p0.cmdline LIKE '%--wss%'
- OR p0.cmdline LIKE '%bitspin%'
- OR p0.cmdline LIKE '%lushput%'
- OR p0.cmdline LIKE '%incbit%'
- OR p0.cmdline LIKE '%traitor%'
- OR p0.cmdline LIKE '%msfvenom%'
- -- Unusual behaviors
- OR p0.cmdline LIKE '%ufw disable%'
- OR p0.cmdline LIKE '%iptables -P % ACCEPT%'
- OR p0.cmdline LIKE '%iptables -F%'
- OR p0.cmdline LIKE '%chattr -ia%'
- OR p0.cmdline LIKE '%chflags uchg%'
- OR p0.cmdline LIKE '%chmod 777 %'
- OR p0.cmdline LIKE '%bpftool%'
- OR p0.cmdline LIKE '%touch%acmr%'
- OR p0.cmdline LIKE '%ld.so.preload%'
- OR p0.cmdline LIKE '%urllib.urlopen%'
- OR p0.cmdline LIKE '%nohup%tmp%'
- OR p0.cmdline LIKE '%chrome%--load-extension%'
- OR (
- p0.cmdline LIKE '%UserKnownHostsFile=/dev/null%'
- AND NOT p1.name = 'limactl'
- )
- -- Crypto miners
- OR p0.cmdline LIKE '%c3pool%'
- OR p0.cmdline LIKE '%cryptonight%'
- OR p0.cmdline LIKE '%f2pool%'
- OR p0.cmdline LIKE '%hashrate%'
- OR p0.cmdline LIKE '%hashvault%'
- OR p0.cmdline LIKE '%minerd%'
- OR p0.cmdline LIKE '%monero%'
- OR p0.cmdline LIKE '%nanopool%'
- OR p0.cmdline LIKE '%nicehash%'
- OR p0.cmdline LIKE '%stratum%'
- -- Random keywords
- OR p0.cmdline LIKE '%ransom%'
- OR p0.cmdline LIKE '%malware%'
- OR p0.cmdline LIKE '%plant%'
- -- Reverse shells
- OR p0.cmdline LIKE '%/dev/tcp/%'
- OR p0.cmdline LIKE '%/dev/udp/%'
- OR p0.cmdline LIKE '%fsockopen%'
- OR p0.cmdline LIKE '%openssl%quiet%'
- OR p0.cmdline LIKE '%pty.spawn%'
- OR (
- p0.cmdline LIKE '%sh -i'
- AND NOT p0.path = '/usr/bin/docker'
- AND NOT p1.name IN ('sh', 'java', 'containerd-shim')
- AND NOT p1.cmdline LIKE '%pipenv shell'
- AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
- )
- OR p0.cmdline LIKE '%socat%'
- OR p0.cmdline LIKE '%SOCK_STREAM%'
- OR INSTR(p0.cmdline, '%Socket.%') > 0
- -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
- OR (
- p0.cmdline LIKE '%tail -f /dev/null%'
- AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
- )
- AND NOT p0.cmdline like 'socat UNIX-LISTEN:%/com.discordapp%fork UNIX-CONNECT:%'
+ AND NOT p0.cmdline like '%socat UNIX-LISTEN:%com.discordapp%discord-ipc%'
 AND NOT p0.name IN ('cc1', 'compile', 'cmake', 'cc1plus')
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index b87dbd7..e0ed751 100644
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
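Review bot: `OR p0.cmdline LIKE '%socat '` (the line that replaced `'%socat%'`) now matches only a command line that ends with `socat ` and nothing after it, so a shell invoking socat with arguments no longer trips this clause and socat is caught only through `p0.name`; if the intent was to require an argument after the program name, `OR p0.cmdline LIKE '%socat %'` does that without the regression. `OR INSTR(p0.cmdline, '%Socket.%') > 0` on the new side also looks wrong: INSTR searches for a literal substring, so the `%` characters are matched verbatim and the predicate effectively never fires — `OR p0.cmdline LIKE '%Socket.%'` is presumably what was meant. Wrapping the OR-chain in parentheses so the trailing `AND NOT` exceptions apply to every branch is the right fix; the `user-1000` uid hard-coded in the new nerdctl cgroup pattern could use `'/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'` so other login uids receive the same exemption. The WHERE clause may continue past the last line of the hunk.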
@@ -106,6 +106,8 @@ WHERE
 '/usr/lib/flatpak-session-helper',
 '/usr/lib/fwupd/fwupd',
 '/usr/lib/gdm',
+ '/usr/bin/gnome-shell',
+ '/usr/lib/gnome-shell-calendar-server',
 '/usr/lib/gdm-session-worker',
 '/usr/lib/gdm-x-session',
 '/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
diff --git a/detection/execution/recently-created-executables-macos.sql b/detection/execution/recently-created-executables-macos.sql
index 07987eb..87372da 100644
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@@ -106,6 +106,7 @@ WHERE
 'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
+ 'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 'Developer ID Application: Docker Inc (9BNSXJN65R)',
 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index 6d6d3d1..c822b33 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -46,6 +46,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 'curl,500,bash,nix-daemon',
 'wget,500,zsh,bash',
 'wget,500,sh,bwrap',
+ 'curl,500,eos-connection-,eos-update-noti',
 'curl,500,bash,ShellLauncher',
 'curl,500,Slack,launchd',
 'curl,500,bash,zsh',
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index 29685f0..cc0b319 100644
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
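Review bot: In the unexpected-fetcher-parents.sql hunk, the hunk header's context line says the remainder of this query is synced with a sibling `unexpected-fetcher-par…` file (the name is truncated by the header), but the commit's diffstat touches only unexpected-fetcher-parents.sql, so the new `'curl,500,eos-connection-,eos-update-noti'` entry presumably needs the same addition in the sibling or the two lists will drift. If the sibling was deliberately left alone, a comment on the added line saying why would help the next sync. The enclosing NOT IN list starts and ends outside the hunk.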
@@ -90,9 +90,8 @@ WHERE
 OR p0_cmd LIKE '/usr/bin/osascript /Users/%/Library/Caches/com.runningwithcrayons.Alfred/Workflow Scripts/%'
 OR p0_cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %'
 OR p0_cmd LIKE '/usr/bin/osascript /Applications/Amazon Photos.app/Contents/Resources/quit_and_restart_app.scpt /Applications/Amazon Photos.app com.amazon.clouddrive.mac%'
- OR p1_cmd LIKE '%/bin/gcloud auth%login'
- OR p1_cmd LIKE '%/google-cloud-sdk/lib/gcloud.py auth%login'
- OR p1_cmd LIKE '%aws configure sso%'
+ OR p1_cmd LIKE '%gcloud% auth %login'
+ OR p1_cmd LIKE '%aws %sso%'
 OR p1_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
 OR p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)'
 OR p1_name IN ('yubikey-agent')
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index 8054fd5..75cb248 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -143,5 +143,6 @@ WHERE
 AND NOT exception_key LIKE '500,Runner.%,apphost-%,'
 AND NOT exception_key LIKE '500,kubectl.%,a.out,'
 AND NOT exception_key LIKE '500,rustlings,rustlings-%,'
+ AND NOT exception_key LIKE '500,rust-analyzer,rust-analyzer-%,'
 GROUP BY
 p0.pid
diff --git a/detection/execution/unexpected-xattr-calls-macos.sql b/detection/execution/unexpected-xattr-calls-macos.sql
index 1e56db4..026c847 100644
--- a/detection/execution/unexpected-xattr-calls-macos.sql
+++ b/detection/execution/unexpected-xattr-calls-macos.sql
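Review bot: The two replacement patterns are considerably broader than the three they replace: `'%aws %sso%'` accepts any parent command line containing `aws ` anywhere with `sso` anywhere after it (no subcommand, no path), and `'%gcloud% auth %login'` no longer requires gcloud to be the executable. Because this OR-chain is an allow-list for osascript parents, every bit of added breadth is paid for in parents the query will no longer report; pinning the subcommands actually seen, e.g. `OR p1_cmd LIKE '%aws sso login%'` and `OR p1_cmd LIKE '%aws configure sso%'`, keeps the false-positive fix with less exposure. The OR-chain continues outside the hunk on both sides.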
@@ -79,21 +79,10 @@ WHERE
 AND pe.cmdline IS NOT NULL
 AND pe.status == 0
 AND pe.path = '/usr/bin/xattr'
- AND p0_cmd NOT IN (
- '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app',
- '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Library/LoginItems/1Password Launcher.app',
- '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/XPCServices/OP Updater Service.xpc',
- '/usr/bin/xattr -r -d com.apple.quarantine /Applications/1Password.app',
- '/usr/bin/xattr -d -r com.apple.quarantine /Applications/iTerm.app',
- '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/XPCServices/OP Updater Service.xpc/Contents/Helpers/1Password Updater.app',
- '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper.app',
- '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (GPU).app',
- '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (Plugin).app',
- '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (Renderer).app',
- '/usr/bin/xattr -d com.apple.quarantine /Applications/Keybase.app',
- '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Library/LoginItems/1Password Browser Helper.app',
- 'xattr -d -r com.apple.quarantine /Applications/Google Chrome.app'
- )
+ AND p0_cmd NOT LIKE '%xattr -d -r com.apple.quarantine /Applications/%.app'
+ AND p0_cmd NOT LIKE '%xattr -r -d com.apple.quarantine /Applications/%.app'
+ AND p0_cmd NOT LIKE '%xattr -d com.apple.quarantine /Applications/%.app'
+ AND p0_cmd NOT LIKE '%xattr -d com.apple.quarantine /Applications/%.app/%.xpc'
 AND NOT (
 pe.euid > 500
 AND p0_cmd LIKE '%xattr -l %'
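Review bot: The four new `NOT LIKE` lines exempt quarantine removal from any `/Applications/%.app` (and any `.xpc` under one), which is the very command this query exists to surface when it is run against an app a user was induced to download; the explicit list they replace covered only a handful of named bundles. `%` in LIKE also matches `/`, so paths with `..` segments under `/Applications/` satisfy the first three patterns, and nothing anchors `xattr` at the start of `p0_cmd`. If the goal is to quiet self-updating apps, constraining the exception by the parent process or by the bundles previously listed preserves more of the detection; at minimum, a comment on the first new line should state that quarantine stripping of arbitrary apps is now accepted. The surrounding WHERE clause starts and ends outside the hunk.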
diff --git a/detection/initial_access/sketchy-mounted-diskimage.sql b/detection/initial_access/sketchy-mounted-diskimage.sql
index 43369db..7b2135b 100644
--- a/detection/initial_access/sketchy-mounted-diskimage.sql
+++ b/detection/initial_access/sketchy-mounted-diskimage.sql
@@ -105,6 +105,7 @@ WHERE
 AND file.filename NOT IN ('.Trashes', '.background')
 AND file.filename NOT LIKE '%.previous'
 AND file.filename NOT LIKE '%.interrupted'
+ AND file.filename NOT LIKE '%.backup'
 ) -- 7. Volumes containing a top-level symlink to something other than /Applications, such as yWnBJLaF (1302.app)
 OR (
 file.symlink = 1
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 93f3c85..58a1460 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -249,6 +249,7 @@ WHERE
 'sh,500,docs,zsh',
 'sh,500,Google Drive,launchd',
 'dash,0,snapd,systemd',
+ 'bash,500,xdg-desktop-portal,systemd',
 'sh,500,snyk-macos,snyk',
 'sh,500,ssh,mosh-client',
 'sh,500,updater,Foxit PDF Reader',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 8ffbd45..989ce9c 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -130,6 +130,7 @@ WHERE
 '/Applications/Docker.app/Contents/Resources/bin/docker-credential-desktop',
 '/Applications/IntelliJ IDEA.app/Contents/MacOS/idea',
 '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
+ '/Applications/Parallels Desktop.app/Contents/MacOS/prl_update_helper',
 '/bin/dash',
 '/bin/sh',
 '/Library/Developer/CommandLineTools/usr/bin/git',
@@ -202,3 +203,4 @@ WHERE
 AND NOT parent_path LIKE '/nix/store/%sh'
 AND NOT parent_path LIKE '/opt/homebrew/%'
 AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
+ AND NOT p.cgroup_path LIKE '/system.slice/system.slice:docker:%'
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 8a84a6d..35369c1 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -67,6 +67,8 @@ WHERE
 'anacron.timer,Trigger anacron every hour,,100',
 'apcupsd.service,APC UPS Power Control Daemon for Linux,,300',
 'apparmor.service,Load AppArmor profiles,,1100',
+ 'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),,200',
+ 'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),,200',
 'apport.service,LSB: automatic crash report generation,,500',
 'apt-daily.service,Daily apt download activities,,300',
 'apt-daily.timer,Daily apt download activities,,100',
@@ -87,8 +89,6 @@ WHERE
 'bluetooth.service,Bluetooth service,,700',
 'bluetooth.target,Bluetooth Support,,400',
 'bolt.service,Thunderbolt system service,,600',
- 'nessusd.service,The Nessus Vulnerability Scanner,,800',
- 'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot,200',
 'chronyd.service,NTP client/server,,1500',
 "chrony.service,chrony, an NTP client/server,,1600",
 'colord.service,Manage, Install and Generate Color Profiles,colord,200',
@@ -200,6 +200,7 @@ WHERE
 'motd-news.timer,Message of the Day,,100',
 'mount-pstore.service,mount-pstore.service,,1100',
 'multi-user.target,Multi-User System,,500',
+ 'nessusd.service,The Nessus Vulnerability Scanner,,800',
 'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,,300',
 'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,,200',
 "networking.service,Raise network interfaces,,600",
@@ -266,6 +267,7 @@ WHERE
 'rsyslog.service,System Logging Service,,400',
 'rsyslog.service,System Logging Service,,500',
 'rtkit-daemon.service,RealtimeKit Scheduling Policy Service,,1000',
+ 'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot,200',
 'setvtrgb.service,Set console scheme,,300',
 'shadow.service,Verify integrity of password and group files,,300',
 'shadow.service,Verify integrity of password and group files,,900',
@@ -276,6 +278,8 @@ WHERE
 'smartcard.target,Smart Card,,400',
 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,400',
 'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,,800',
+ 'snapd.mounts-pre.target,Mounting snaps,,100',
+ 'snapd.mounts.target,Mounted snaps,,100',
 'snapd.seeded.service,Wait until snapd is fully seeded,,300',
 'snapd.service,Snap Daemon,,400',
 'snapd.service,Snap Daemon,,500',
@@ -420,6 +424,7 @@ WHERE
 'zfs-mount.service,Mount ZFS filesystems,,400',
 'zfs-scrub.service,ZFS pools scrubbing,,1000',
 'zfs-scrub.timer,zfs-scrub.timer,,0',
+ 'geoclue.service,Location Lookup Service,geoclue,500',
 'zfs-share.service,ZFS file system shares,,400',
 'zfs-share.service,ZFS file system shares,,500',
 'zfs-snapshot-daily.service,ZFS auto-snapshotting every day,,1000',
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index ddad6b7..089f97e 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -59,6 +59,7 @@ WHERE
 'false,julienv3@gmail.com,treasure-clicker,',
 "true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
 'false,juverm@chainguard.dev,auto-close-gitsign,',
+ 'true,,Jamstash,jccdpflnecheidefpofmlblgebobbloc',
 'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
 'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml', -- Deprecated Google Extension
 'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 901c1d3..103f513 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -69,12 +69,12 @@ WHERE
 p.name
 ) IN (
 '10250,6,0,kubelet',
- '1,255,500,mtr-packet',
 '10250,6,500,kubelet',
 '10254,6,101,nginx-ingress-c',
 '10256,6,0,kube-proxy',
- '255,255,500,mtr-packet',
 '10256,6,500,kube-proxy',
+ '1,1,500,ping',
+ '1,255,500,mtr-packet',
 '1716,6,500,kdeconnectd',
 '17,255,0,dhcpcd',
 '17,255,0,tailscaled',
@@ -86,6 +86,7 @@ WHERE
 '22,6,0,sshd',
 '2379,6,500,etcd',
 '2380,6,500,etcd',
+ '255,255,500,mtr-packet',
 '27036,6,500,steam',
 '3000,6,472,grafana-server',
 '3000,6,500,grafana-server',
@@ -96,7 +97,6 @@ WHERE
 '32768,6,500,dleyna-renderer',
 '32768,6,500,jetbrains-toolb',
 '32768,6,500,spotify',
- '8834,6,0,nessusd',
 '3551,6,0,apcupsd',
 '4143,6,500,linkerd2-proxy',
 '4191,6,500,linkerd2-proxy',
@@ -107,8 +107,8 @@ WHERE
 '5000,6,0,registry',
 '5000,6,500,ControlCenter',
 '5001,6,0,registry',
- '53,17,0,coredns',
 '5050,6,500,rootlesskit',
+ '53,17,0,coredns',
 '53,17,500,aardvark-dns',
 '53,17,500,dnsmasq',
 '5355,6,193,systemd-resolve',
@@ -150,6 +150,7 @@ WHERE
 '8443,6,500,controller',
 '8443,6,500,controlplane',
 '8443,6,500,webhook',
+ '8834,6,0,nessusd',
 '9000,6,500,authentik-proxy',
 '9000,6,500,main',
 '9090,6,500,controlplane',
diff --git a/detection/persistence/unexpected-systemctl-calls-linux.sql b/detection/persistence/unexpected-systemctl-calls-linux.sql
index 6f7a5a1..9ea2f8d 100644
--- a/detection/persistence/unexpected-systemctl-calls-linux.sql
+++ b/detection/persistence/unexpected-systemctl-calls-linux.sql
@@ -86,7 +86,7 @@ WHERE
 AND NOT p0_cmd IN (
 '/bin/systemctl is-enabled -q whoopsie.path',
 '/bin/systemctl -q is-enabled whoopsie.path',
- 'systemctl reboot',
+ '/bin/systemctl --quiet is-enabled whoopsie.path',
 '/bin/systemctl stop --no-block nvidia-persistenced',
 '/sbin/runlevel',
 'systemctl is-active systemd-resolved.service',
@@ -99,6 +99,7 @@ WHERE
 'systemctl -p LoadState show cups.service',
 'systemctl -q is-enabled whoopsie',
 'systemctl --quiet is-enabled cups.service',
+ 'systemctl reboot',
 'systemctl restart cups.service',
 'systemctl status kubelet',
 'systemctl stop kubelet',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index b25aeb0..9eae1fa 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -162,6 +162,7 @@ WHERE
 'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
 'pcscd,/snap/yubioath-desktop/__VERSION__/usr/sbin/pcscd,0,system.slice,snap.yubioath-desktop.pcscd.service,0755',
 'pcscd,/usr/sbin/pcscd,0,system.slice,pcscd.service,0755',
+ 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
 'perl,/nix/store/__VERSION__/bin/perl,0,system.slice,znapzend.service,0555',
 'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755',
 'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
@@ -170,10 +171,12 @@ WHERE
 'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
 'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755',
 'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755',
+ 'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
 'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
 'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
 'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
 'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
+ 'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
 'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
 'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',
 'sshd,/usr/bin/sshd,0,system.slice,sshd.service,0755',
diff --git a/detection/privesc/unexpected-elevated-children-events_macos.sql b/detection/privesc/unexpected-elevated-children-events_macos.sql
index 215d650..539ebba 100644
--- a/detection/privesc/unexpected-elevated-children-events_macos.sql
+++ b/detection/privesc/unexpected-elevated-children-events_macos.sql
@@ -80,6 +80,10 @@ FROM
 WHERE
 pe.time > (strftime('%s', 'now') -300)
 AND p0_euid < p1_euid
+ AND pe.status = 0
+ AND pe.parent > 0
+ AND pe.cmdline != ''
+ AND pe.cmdline IS NOT NULL
 AND p1_path NOT IN (
 '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
 '/usr/libexec/PerfPowerServicesExtended',
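Review bot: `'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755'` exempts a uid-0 interactive shell running inside a user session slice from a uid-0 daemon detector; unlike the neighbouring entries (rsyslogd, sedispatch, snapd) that is not a daemon but a root shell, and the key would equally cover a root shell obtained some other way in that slice. If this is for an operator who routinely runs a root fish session, a comment on the line saying so, e.g. `-- root fish shell from sudo on a developer workstation`, makes the carve-out reviewable; otherwise a narrower key is preferable. The `snapd,/usr/lib/snapd/snapd` addition is a straightforward path variant of the existing snap entry. The NOT IN list starts and ends outside the hunk.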
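Review bot: In the unexpected-elevated-children-events_macos.sql hunk, `AND pe.cmdline != ''` already evaluates to unknown (and therefore filters the row) when cmdline is NULL, so `AND pe.cmdline IS NOT NULL` is redundant; harmless, but a comment stating the pair is deliberate would stop the next reader from removing one. The larger point is that the four new predicates drop elevated-child events that lack a recorded parent or cmdline; if the event source can emit such rows for real exec events (not verifiable from the hunk), those are precisely the ones a privilege-escalation detector might want to keep, so the expected false-positive source behind this filter belongs in a comment on the first added line. The query continues past the hunk.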