From ff2ab954313039aafd0cc93ca3e6d9471664423c Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Thu, 8 Jun 2023 18:26:57 -0400 Subject: [PATCH] Remove file sizes from systemd exception key --- detection/c2/unexpected-https-macos.sql | 2 + detection/c2/unexpected-talkers-linux.sql | 1 + .../excess-google-drive-downloads-macos.sql | 6 +- detection/evasion/hidden-executable.sql | 2 +- .../evasion/hidden-home-libappsupport.sql | 1 + .../unexpected-tmp-executables-linux.sql | 5 +- ...-created-executables-long-lived-linux.sql} | 2 +- ...-created-executables-long-lived-macos.sql} | 7 +- .../unexpected-execdir-events-macos.sql | 2 + .../execution/unexpected-execdir-macos.sql | 1 + .../execution/unexpected-fetcher-parents.sql | 2 + ...ected-security-framework-program-macos.sql | 5 +- .../exfil/multiple-drive-downloads-macos.sql | 1 + .../minimal-socket-client-macos.sql | 3 +- .../unexpected-active-systemd-units.sql | 775 +++++++++--------- .../unexpected-chrome-extensions.sql | 3 +- .../persistence/unexpected-global-lock.sql | 2 +- .../unexpected-uid0-daemon-linux.sql | 3 + ...xpected-elevated-children-events_linux.sql | 6 +- ...xpected-elevated-children-events_macos.sql | 1 + policy/gcp-service-account-keys-mdfind.sql | 5 +- 21 files changed, 429 insertions(+), 406 deletions(-) rename detection/execution/{recently-created-executables-linux.sql => recently-created-executables-long-lived-linux.sql} (99%) rename detection/execution/{recently-created-executables-macos.sql => recently-created-executables-long-lived-macos.sql} (97%) create mode 100644 detection/exfil/multiple-drive-downloads-macos.sql diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql index e532244..72f018b 100644 --- a/detection/c2/unexpected-https-macos.sql +++ b/detection/c2/unexpected-https-macos.sql @@ -113,6 +113,7 @@ WHERE '500,cloud_sql_proxy,cloud_sql_proxy,,a.out', '500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer', '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64', + '0,multipassd,multipassd,Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.multipassd', '500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper', '500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper', '500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper', @@ -148,6 +149,7 @@ WHERE '500,chainctl,chainctl,0u,0g', '500,chainctl,chainctl,500u,20g', '500,chainlink,chainlink,500u,20g', + '500,aws,aws,0u,0g', '500,cosign,cosign,0u,500g', '500,wolfictl,wolfictl,500u,20g', '500,cosign,cosign,500u,20g', diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql index f3454c0..2fe64e0 100644 --- a/detection/c2/unexpected-talkers-linux.sql +++ b/detection/c2/unexpected-talkers-linux.sql @@ -140,6 +140,7 @@ WHERE '80,6,0,cp,0u,0g,cp', '80,6,0,fc-cache,0u,0g,fc-cache', '80,6,0,find,0u,0g,find', + '80,6,500,java,u,g,java', '80,6,0,gawk,0u,0g,awk', '80,6,0,gpg,0u,0g,gpg', '80,6,0,grep,0u,0g,grep', diff --git a/detection/collection/excess-google-drive-downloads-macos.sql b/detection/collection/excess-google-drive-downloads-macos.sql index 08eccc1..d1a76d0 100644 --- a/detection/collection/excess-google-drive-downloads-macos.sql +++ b/detection/collection/excess-google-drive-downloads-macos.sql @@ -15,14 +15,14 @@ FROM JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = "where_from" WHERE - query = "kMDItemFSCreationDate >= $time.now(-259200)" + query = "kMDItemFSCreationDate >= $time.now(-86400)" -- For some reason relying on kMDItemWhereFroms omitted download word docs, so -- this does it the slow way. AND ea.value LIKE "https://doc-%googleusercontent.com%" -- this seems excessive, but I was having issues with kMDItemFSCreationDate not filtering appropriately - AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -259200) + AND MAX(file.btime, file.ctime, file.mtime) > (strftime('%s', 'now') -86400) -- Common, low-risk for exfil AND file.filename NOT LIKE '%.csv' -- "GROUP BY" should be unnecessary, but Kolide seems to require it GROUP BY ea.key -HAVING num_downloads > 4 \ No newline at end of file +HAVING num_downloads > 5 \ No newline at end of file diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql index 4a38d39..ba1ef21 100644 --- a/detection/evasion/hidden-executable.sql +++ b/detection/evasion/hidden-executable.sql @@ -41,7 +41,7 @@ WHERE ( p0.name LIKE '.%' OR f.filename LIKE '.%' - OR f.directory LIKE '.%' + OR f.directory LIKE '%/.%' ) AND NOT f.path LIKE '/nix/store/%/%-wrapped' AND NOT ( diff --git a/detection/evasion/hidden-home-libappsupport.sql b/detection/evasion/hidden-home-libappsupport.sql index 4ae0c8e..de59b6b 100644 --- a/detection/evasion/hidden-home-libappsupport.sql +++ b/detection/evasion/hidden-home-libappsupport.sql @@ -51,6 +51,7 @@ WHERE '~/Library/Application Support/Jabra Direct', '~/Library/Application Support/discord', '~/Library/Application Support/Keybase', + ' ~/Library/Application Support/1Password', '~/Library/Application Support/com.intelliscapesolutions.caffeine', '~/Library/Application Support/com.psiexams.psi-bridge-secure-browser', '~/Library/Application Support/GitHub Desktop', diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql index 5aabe6f..a96d310 100644 --- a/detection/evasion/unexpected-tmp-executables-linux.sql +++ b/detection/evasion/unexpected-tmp-executables-linux.sql @@ -3,7 +3,10 @@ -- false positives: -- * developers building code out of /tmp -- --- tags: persistent +-- NOTE: +-- * This is currently disabled by default due to the high number of false positives +-- +-- tags: persistent disabled -- platform: linux SELECT DISTINCT file.path, diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-long-lived-linux.sql similarity index 99% rename from detection/execution/recently-created-executables-linux.sql rename to detection/execution/recently-created-executables-long-lived-linux.sql index 1285e14..2a9f0c3 100644 --- a/detection/execution/recently-created-executables-linux.sql +++ b/detection/execution/recently-created-executables-long-lived-linux.sql @@ -44,7 +44,7 @@ FROM WHERE p0.start_time > 0 AND f.ctime > 0 - AND p0.start_time > (strftime('%s', 'now') - 7200) + AND p0.start_time > (strftime('%s', 'now') - 86400) AND (p0.start_time - MAX(f.ctime, f.btime)) < 45 AND p0.start_time >= MAX(f.ctime, f.ctime) AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps diff --git a/detection/execution/recently-created-executables-macos.sql b/detection/execution/recently-created-executables-long-lived-macos.sql similarity index 97% rename from detection/execution/recently-created-executables-macos.sql rename to detection/execution/recently-created-executables-long-lived-macos.sql index 3a9c2e0..9b0039b 100644 --- a/detection/execution/recently-created-executables-macos.sql +++ b/detection/execution/recently-created-executables-long-lived-macos.sql @@ -3,8 +3,7 @@ -- false-positives: -- * many -- --- tags: transient process state --- interval: 900 +-- tags: process state -- platform: darwin SELECT f.ctime, @@ -67,7 +66,7 @@ WHERE processes WHERE start_time > 0 - AND start_time > (strftime('%s', 'now') - 7200) + AND start_time > (strftime('%s', 'now') - 86400) AND pid > 0 AND path != "" AND NOT path LIKE '/Applications/%' @@ -163,7 +162,9 @@ WHERE 'Developer ID Application: Kolide, Inc (X98UFR7HA3)', 'Developer ID Application: GPGTools GmbH (PKV8ZPD836)', 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)', + 'Developer ID Application: SteelSeries (6WGL6CHFH2)', 'Developer ID Application: Kandji, Inc. (P3FGV63VK7)', + 'Developer ID Application: Mojang AB (HR992ZEAE6)', 'Developer ID Application: Azul Systems, Inc. (TDTHCUPYFR)', 'Developer ID Application: Kolide Inc (YZ3EM74M78)', 'Developer ID Application: Logitech Inc. (QED4VVPZWA)', diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql index e6a2a4e..0a220fe 100644 --- a/detection/execution/unexpected-execdir-events-macos.sql +++ b/detection/execution/unexpected-execdir-events-macos.sql @@ -139,6 +139,7 @@ WHERE '/Library/Application Support/Canon_Inc_IC', '~/.docker/cli-plugins/docker-sbom', '~/.docker/cli-plugins', + '~/Library/Application Support/minecraft', '~/Library/Application Support/com.elgato.StreamDeck', '~/Library/Application Support/com.grammarly.ProjectLlama', '/Library/Application Support/EcammLive', @@ -293,6 +294,7 @@ WHERE 'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)', 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', 'Developer ID Application: Docker Inc (9BNSXJN65R)', + 'Developer ID Application: Mojang AB (HR992ZEAE6)', 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)', 'Developer ID Application: Figma, Inc. (T8RA8NE3B7)', 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)', diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql index 0141cb0..cefc29c 100644 --- a/detection/execution/unexpected-execdir-macos.sql +++ b/detection/execution/unexpected-execdir-macos.sql @@ -120,6 +120,7 @@ WHERE '~/bin/', '~/.cargo/', '~/code/', + '~/.Trash/', '~/Code/', '~/.steampipe/', '~/.config/', diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql index 232c9f1..2278343 100644 --- a/detection/execution/unexpected-fetcher-parents.sql +++ b/detection/execution/unexpected-fetcher-parents.sql @@ -84,6 +84,8 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par 'login', 'roxterm', 'tmux', + 'stable', + 'old', 'tmux:server', 'wezterm-gui', 'zsh' diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql index bebd486..4b50a68 100644 --- a/detection/execution/unexpected-security-framework-program-macos.sql +++ b/detection/execution/unexpected-security-framework-program-macos.sql @@ -1,7 +1,7 @@ -- Find programs that use the Security Framework on macOS - popular among malware authors -- -- platform: darwin --- tags: persistent state process +-- tags: persistent state process seldom SELECT s.authority, s.identifier, @@ -56,7 +56,7 @@ WHERE FROM processes WHERE - start_time < (strftime('%s', 'now') - 600) + start_time < (strftime('%s', 'now') - 1200) AND parent != 0 -- Assume STP AND NOT path LIKE '/System/%' @@ -195,6 +195,7 @@ WHERE ) AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,' AND NOT exception_key LIKE '500,___Test%.test,a.out,' + AND NOT exception_key LIKE '500,zellij,zellij%,' AND NOT exception_key LIKE '500,gopls_%,a.out,' AND NOT exception_key LIKE '500,terraform-provider-%,a.out,' AND NOT exception_key LIKE '500,Runner.%,apphost-%,' diff --git a/detection/exfil/multiple-drive-downloads-macos.sql b/detection/exfil/multiple-drive-downloads-macos.sql new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/detection/exfil/multiple-drive-downloads-macos.sql @@ -0,0 +1 @@ + diff --git a/detection/persistence/minimal-socket-client-macos.sql b/detection/persistence/minimal-socket-client-macos.sql index 6890306..ef27183 100644 --- a/detection/persistence/minimal-socket-client-macos.sql +++ b/detection/persistence/minimal-socket-client-macos.sql @@ -53,8 +53,7 @@ WHERE AND processes.path NOT LIKE '/nix/store/%/bin/nix' AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher' - -- AND processes.start_time > (strftime('%s', 'now') -604800) - -- AND processes.resident_size < 200000000 + AND processes.start_time < (strftime('%s', 'now') -600) GROUP BY processes.path ) diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql index 01becd5..8f86639 100644 --- a/detection/persistence/unexpected-active-systemd-units.sql +++ b/detection/persistence/unexpected-active-systemd-units.sql @@ -10,7 +10,7 @@ -- platform: linux SELECT -- description AS 'desc', fragment_path AS path, - MAX(user, "root") AS effective_user, + MAX(user, 'root') AS effective_user, following, hash.sha256, file.ctime, @@ -20,9 +20,7 @@ SELECT -- description AS 'desc', ',', description, ',', - user, - ',', - (file.size / 225) * 225 + user ) AS exception_key FROM systemd_units @@ -48,391 +46,392 @@ WHERE ) AND ( exception_key IN ( - 'abrtd.service,ABRT Automated Bug Reporting Tool,,450', - 'abrtd.service,ABRT Daemon,,225', - 'abrt-journal-core.service,ABRT coredumpctl message creator,,0', - 'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,,225', - 'abrt-oops.service,ABRT kernel log watcher,,225', - 'abrt-xorg.service,ABRT Xorg log watcher,,225', - 'accounts-daemon.service,Accounts Service,,1800', - 'accounts-daemon.service,Accounts Service,,2025', - 'accounts-daemon.service,Accounts Service,,675', - 'acpid.path,ACPI Events Check,,0', - 'acpid.service,ACPI Daemon,,1125', - 'acpid.service,ACPI event daemon,,225', - 'acpid.socket,ACPID Listen Socket,,0', - 'akmods.service,Builds and install new kmods from akmod packages,,225', - 'alsa-restore.service,Save/Restore Sound Card State,,225', - 'alsa-restore.service,Save/Restore Sound Card State,,450', - 'alsa-state.service,Manage Sound Card State (restore and store),,450', - 'alsa-store.service,Store Sound Card State,,1125', - 'anacron.service,Run anacron jobs,,675', - 'anacron.timer,Trigger anacron every hour,,0', - 'apcupsd.service,APC UPS Power Control Daemon for Linux,,225', - 'apparmor.service,Load AppArmor profiles,,1125', - 'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),,0', - 'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),,0', - 'apport.service,LSB: automatic crash report generation,,450', - 'apt-daily.service,Daily apt download activities,,225', - 'apt-daily.timer,Daily apt download activities,,0', - 'apt-daily-upgrade.timer,Daily apt upgrade and clean activities,,0', - 'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,,1000', - 'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,,900', - 'archlinux-keyring-wkd-sync.timer,Refresh existing PGP keys of archlinux-keyring regularly,,0', - 'atd.service,Deferred execution scheduler,,225', - 'auditd.service,Security Auditing Service,,1575', - 'audit.service,Kernel Auditing,,1125', - 'avahi-daemon.service,Avahi mDNS/DNS-SD Stack,,900', - 'avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,,675', - 'binfmt-support.service,Enable support for additional executable binary formats,,1125', - 'blk-availability.service,Availability of block devices,,225', - 'bluetooth.service,Bluetooth service,,675', - 'bolt.service,Thunderbolt system service,,450', - 'chronyd.service,NTP client/server,,1350', - "chrony.service,chrony, an NTP client/server,,1575", - 'chrony.service,chrony, an NTP client/server,,450', - 'cloud-config.service,Apply the settings specified in cloud-config,,225', - 'cloud-final.service,Execute cloud user/final scripts,,450', - 'cloud-init-hotplugd.socket,cloud-init hotplug hook socket,,225', - 'cloud-init-local.service,Initial cloud-init job (pre-networking),,450', - 'cloud-init.service,Initial cloud-init job (metadata service crawler),,450', - 'cloud-init.service,Initial cloud-init job (metadata service crawler),,675', - 'colord.service,Manage, Install and Generate Color Profiles,colord,225', - "com.system76.PowerDaemon.service,System76 Power Daemon,,225", - "com.system76.Scheduler.service,Automatically configure CPU scheduler for responsiveness on AC,,225", - 'console-setup.service,Set console font and keymap,,225', - 'containerd.service,containerd container runtime,,1125', - 'containerd.service,containerd container runtime,,1350', - 'crond.service,Command Scheduler,,225', - 'cronie.service,Periodic Command Scheduler,,0', - 'cron.service,Regular background program processing daemon,,225', - 'cups-browsed.service,Make remote CUPS printers available locally,,225', - 'cups.path,CUPS Scheduler,,0', - 'cups.service,CUPS Scheduler,,225', - 'cups.socket,CUPS Scheduler,,0', - "dbus-:1.2-org.pop_os.transition_system@0.service,dbus-:1.2-org.pop_os.transition_system@0.service,0,225", - 'dbus-broker.service,D-Bus System Message Bus,,450', - 'dbus.service,D-Bus System Message Bus,,225', - 'dbus.service,D-Bus System Message Bus,,450', - 'dbus.socket,D-Bus System Message Bus Socket,,0', - 'dhcpcd.service,DHCP Client,,1575', - 'display-manager.service,X11 Server,,1575', - 'dkms.service,Builds and install new kernel modules through DKMS,,225', - 'dm-event.socket,Device-mapper event daemon FIFOs,,0', - 'dm-event.socket,Device-mapper event daemon FIFOs,,225', - 'dnf-automatic-install.service,dnf automatic install updates,,225', - 'dnf-automatic-install.timer,dnf-automatic-install timer,,225', - 'dnf-makecache.service,dnf makecache,,225', - 'dnf-makecache.service,dnf makecache,,450', - 'dnf-makecache.timer,dnf makecache --timer,,225', - 'docker.service,Docker Application Container Engine,,1125', - 'docker.service,Docker Application Container Engine,,1350', - 'docker.service,Docker Application Container Engine,,1575', - 'docker.socket,Docker Socket for the API,,0', - 'docker.socket,Docker Socket for the API,,225', - 'dpkg-db-backup.timer,Daily dpkg database backup timer,,0', - 'dracut-shutdown.service,Restore /run/initramfs on shutdown,,225', - 'dracut-shutdown.service,Restore /run/initramfs on shutdown,,450', - 'e2scrub_all.timer,Periodic ext4 Online Metadata Check for All Filesystems,,225', - "finalrd.service,Create final runtime dir for shutdown pivot root,,225", - 'firewalld.service,firewalld - dynamic firewall daemon,,450', - 'firewall.service,Firewall,,1350', - 'flatpak-system-helper.service,flatpak system helper,,225', - 'fprintd.service,Fingerprint Authentication Daemon,,675', - 'fprintd.service,Fingerprint Authentication Daemon,,900', - 'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,225', - 'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,450', - 'fstrim.timer,Discard unused blocks once a week,,225', - 'fstrim.timer,Discard unused filesystem blocks once a week,,225', - 'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,225', - 'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,450', - 'fwupd-refresh.timer,Refresh fwupd metadata regularly,,0', - 'fwupd.service,Firmware update daemon,,450', - 'gdm.service,GNOME Display Manager,,675', - 'gdm.service,GNOME Display Manager,,900', - 'geoclue.service,Location Lookup Service,geoclue,450', - 'gitsign.service,Keyless Git signing with Sigstore!,,900', - 'gssproxy.service,GSSAPI Proxy Daemon,,450', - 'haproxy.service,HAProxy Load Balancer,,1350', - "ifupdown-pre.service,Helper to synchronize boot up for ifupdown,,225", - 'iio-sensor-proxy.service,IIO Sensor Proxy service,,225', - 'import-state.service,Import network configuration from initramfs,,225', - 'irqbalance.service,irqbalance daemon,,225', - 'irqbalance.service,irqbalance daemon,,450', - 'iscsid.socket,Open-iSCSI iscsid Socket,,0', - 'iscsiuio.socket,Open-iSCSI iscsiuio Socket,,0', - 'iwd.service,Wireless service,,450', - 'kerneloops.service,Tool to automatically collect and submit kernel crash signatures,kernoops,225', - 'keyboard-setup.service,Set the console keyboard layout,,225', - 'kmod-static-nodes.service,Create List of Static Device Nodes,,675', - 'kmod-static-nodes.service,Create list of static device nodes for the current kernel,,675', - 'kolide-launcher.service,Kolide launcher,,1800', - 'launcher.kolide-k2.service,The Kolide Launcher,,225', - 'ldconfig.service,Rebuild Dynamic Linker Cache,,675', - 'libvirtd-admin.socket,Libvirt admin socket,,225', - 'libvirtd-ro.socket,Libvirt local read-only socket,,225', - 'libvirtd.service,Virtualization daemon,,1800', - 'libvirtd.socket,Libvirt local socket,,225', - 'lightdm.service,Light Display Manager,,225', - 'lima-guestagent.service,lima-guestagent,,0', - 'livesys-late.service,SYSV: Late init script for live image.,,450', - 'livesys.service,LSB: Init script for live image.,,450', - 'lm_sensors.service,Hardware Monitoring Sensors,,225', - 'lm-sensors.service,Initialize hardware monitoring sensors,,0', - 'lm_sensors.service,Initialize hardware monitoring sensors,,225', - 'logrotate-checkconf.service,Logrotate configuration check,,1125', - 'logrotate-checkconf.service,Logrotate configuration check,,900', - 'logrotate.timer,Daily rotation of log files,,0', - 'logrotate.timer,logrotate.timer,,0', - 'low-memory-monitor.service,Low Memory Monitor,,675', - 'lvm2-lvmpolld.socket,LVM2 poll daemon socket,,0', - 'lvm2-lvmpolld.socket,LVM2 poll daemon socket,,225', - 'lvm2-monitor.service,Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling,,450', - 'machine.slice,Virtual Machine and Container Slice,,450', - 'man-db.service,Daily man-db regeneration,root,675', - 'man-db.timer,Daily man-db regeneration,,0', - 'mcelog.service,Machine Check Exception Logging Daemon,,225', - 'mlocate-updatedb.timer,Updates mlocate database every day,,0', - 'ModemManager.service,Modem Manager,root,450', - 'modprobe@efi_pstore.service,Load Kernel Module efi_pstore,,450', - 'modprobe@pstore_blk.service,Load Kernel Module pstore_blk,,450', - 'modprobe@pstore_zone.service,Load Kernel Module pstore_zone,,450', - 'modprobe@ramoops.service,Load Kernel Module ramoops,,450', - 'monitorix.service,Monitorix,,225', - 'motd-news.timer,Message of the Day,,0', - 'mount-pstore.service,mount-pstore.service,,1125', - 'multipathd.service,Device-Mapper Multipath Device Controller,,675', - 'multipathd.socket,multipathd control socket,,225', - 'nessusd.service,The Nessus Vulnerability Scanner,,675', - 'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,,225', - 'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,,225', - "networking.service,Raise network interfaces,,450", - 'network-local-commands.service,Extra networking commands.,,1125', - 'network-local-commands.service,Extra networking commands.,,1350', - 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,450', - 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,675', - 'NetworkManager.service,Network Manager,,1125', - 'NetworkManager.service,Network Manager,,1350', - 'NetworkManager-wait-online.service,Network Manager Wait Online,,1125', - 'network-setup.service,Networking Setup,,1350', - 'nginx.service,Nginx Web Server,nginx,2250', - 'nginx.service,Nginx Web Server,nginx,2400', - 'nix-daemon.service,Nix Daemon,,225', - 'nix-daemon.socket,Nix Daemon Socket,,225', - 'nix-gc.timer,nix-gc.timer,,0', - 'nscd.service,Name Service Cache Daemon,nscd,1800', - 'nscd.service,Name Service Cache Daemon (nsncd),nscd,1350', - 'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,225', - 'nvidia-persistenced.service,NVIDIA Persistence Daemon,,225', - 'nvidia-powerd.service,nvidia-powerd service,,0', - 'nvidia-suspend.service,NVIDIA system suspend actions,,225', - 'openvpn.service,OpenVPN service,,225', - 'packagekit.service,PackageKit Daemon,root,225', - 'pcscd.service,PC/SC Smart Card Daemon,,225', - 'pcscd.socket,PC/SC Smart Card Daemon Activation Socket,,0', - 'phpsessionclean.timer,Clean PHP session files every 30 mins,,0', - 'plocate-updatedb.service,Update the plocate database,,225', - 'plocate-updatedb.timer,Update the plocate database daily,,0', - 'plymouth-quit.service,Terminate Plymouth Boot Screen,,0', - 'plymouth-quit.service,Terminate Plymouth Boot Screen,,225', - 'plymouth-quit-wait.service,Hold until boot process finishes up,,0', - 'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,,225', - 'plymouth-start.service,Show Plymouth Boot Screen,,450', - 'polkit.service,Authorization Manager,,0', - 'polkit.service,Authorization Manager,,225', - 'power-profiles-daemon.service,Power Profiles daemon,,675', - 'proc-sys-fs-binfmt_misc.automount,Arbitrary Executable File Formats File System Automount Point,,675', - 'pwrstatd.service,The monitor UPS software.,,225', - 'qemu-kvm.service,QEMU KVM preparation - module, ksm, hugepages,,225', - 'qualys-cloud-agent.service,Qualys cloud agent daemon,,225', - 'raid-check.timer,Weekly RAID setup health check,,0', - 'realmd.service,Realm and Domain Configuration,,0', - 'reflector.service,Refresh Pacman mirrorlist with Reflector.,,1350', - 'reflector.timer,Refresh Pacman mirrorlist weekly with Reflector.,,0', - 'reload-systemd-vconsole-setup.service,Reset console on configuration changes,,1125', - "resolvconf-pull-resolved.path,resolvconf-pull-resolved.path,,0", - "resolvconf.service,Nameserver information manager,,225", - 'resolvconf.service,resolvconf update,,1125', - 'rngd.service,Hardware RNG Entropy Gatherer Daemon,,225', - 'rpc-statd-notify.service,Notify NFS peers of a restart,,225', - 'rsyslog.service,System Logging Service,,225', - 'rsyslog.service,System Logging Service,,450', - 'rtkit-daemon.service,RealtimeKit Scheduling Policy Service,,900', - 'serial-getty@ttyS0.service,Serial Getty on ttyS0,,1350', - 'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot,225', - 'setvtrgb.service,Set console scheme,,225', - 'shadow.service,Verify integrity of password and group files,,900', - 'shadow.timer,Daily verification of password and group files,,0', - '-.slice,Root Slice,,0', - 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,225', - 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,450', - 'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,,675', - 'snapd.seeded.service,Wait until snapd is fully seeded,,225', - 'snapd.service,Snap Daemon,,450', - 'snapd.socket,Socket activation for snappy daemon,,225', - 'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,,225', - 'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,,225', - 'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,,450', - 'sshd.service,OpenSSH Daemon,,225', - 'sshd.service,OpenSSH server daemon,,225', - 'sshd.service,OpenSSH server daemon,,450', - 'sshd.service,SSH Daemon,,1575', - 'ssh.service,OpenBSD Secure Shell server,,450', - 'sssd-kcm.service,SSSD Kerberos Cache Manager,,225', - 'sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,,0', - 'supergfxd.service,SUPERGFX,,450', - 'switcheroo-control.service,Switcheroo Control Proxy service,,450', - 'syslog.socket,Syslog Socket,,1350', - 'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,,225', - 'sysstat.service,Resets System Activity Logs,root,225', - 'sysstat.service,Resets System Activity Logs,root,450', - 'sysstat-summary.timer,Generate summary of yesterday''s process accounting,,225', - 'systemd-ask-password-console.path,Dispatch Password Requests to Console Directory Watch,,675', - 'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,,225', - 'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,,450', - 'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,,450', - 'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,,675', - 'systemd-binfmt.service,Set Up Additional Binary Formats,,1125', - 'systemd-boot-random-seed.service,Update Boot Loader Random Seed,,900', - 'systemd-boot-update.service,Automatic Boot Loader Update,,675', - 'systemd-coredump.socket,Process Core Dump Socket,,450', - "systemd-cryptsetup@cryptdata.service,Cryptography Setup for cryptdata,,900", - 'systemd-cryptsetup@cryptoswap.service,Cryptography Setup for cryptoswap,,900', - "systemd-cryptsetup@cryptswap.service,Cryptography Setup for cryptswap,,1125", - 'systemd-fsckd.socket,fsck to fsckd communication Socket,,450', - 'systemd-growfs@-.service,Grow File System on /,,225', - 'systemd-homed-activate.service,Home Area Activation,,450', - 'systemd-homed.service,Home Area Manager,,1350', - 'systemd-hostnamed.service,Hostname Service,,1125', - 'systemd-hwdb-update.service,Rebuild Hardware Database,,675', - 'systemd-initctl.socket,initctl Compatibility Named Pipe,,450', - 'systemd-journal-catalog-update.service,Rebuild Journal Catalog,,675', - 'systemd-journald-audit.socket,Journal Audit Socket,,450', - 'systemd-journald-audit.socket,Journal Audit Socket,,675', - 'systemd-journald-dev-log.socket,Journal Socket (/dev/log),,1125', - 'systemd-journald.service,Journal Service,,1800', - 'systemd-journald.service,Journal Service,,2025', - 'systemd-journald.service,Journal Service,,2200', - 'systemd-journald.service,Journal Service,,2250', - 'systemd-journald.socket,Journal Socket,,900', - 'systemd-journal-flush.service,Flush Journal to Persistent Storage,,675', - 'systemd-localed.service,Locale Service,,1125', - 'systemd-logind.service,User Login Management,,1800', - 'systemd-logind.service,User Login Management,,2025', - 'systemd-machined.service,Virtual Machine and Container Registration Service,,1125', - 'systemd-machined.service,Virtual Machine and Container Registration Service,,1350', - 'systemd-modules-load.service,Load Kernel Modules,,900', - 'systemd-networkd.service,Network Configuration,systemd-network,2250', - 'systemd-networkd.socket,Network Service Netlink Socket,,675', - 'systemd-networkd-wait-online.service,Wait for Network to be Configured,,675', - 'systemd-network-generator.service,Generate network units from Kernel command line,,450', - 'systemd-network-generator.service,Generate network units from Kernel command line,,675', - 'systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom,1575', - 'systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,,450', - 'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,,675', - 'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,,700', - 'systemd-pcrphase.service,TPM2 PCR Barrier (User),,675', - 'systemd-pcrphase-sysinit.service,TPM2 PCR Barrier (Initialization),,675', - 'systemd-random-seed.service,Load/Save OS Random Seed,,1125', - 'systemd-random-seed.service,Load/Save Random Seed,,1125', - 'systemd-remount-fs.service,Remount Root and Kernel File Systems,,675', - 'systemd-resolved.service,Network Name Resolution,systemd-resolve,1575', - 'systemd-resolved.service,Network Name Resolution,systemd-resolve,1800', - 'systemd-rfkill.socket,Load/Save RF Kill Switch Status /dev/rfkill Watch,,675', - 'systemd-suspend.service,System Suspend,,450', - 'systemd-sysctl.service,Apply Kernel Variables,,675', - 'systemd-sysusers.service,Create System Users,,1125', - 'systemd-sysusers.service,Create System Users,,675', - 'systemd-sysusers.service,Create System Users,,900', - 'systemd-timedated.service,Time & Date Service,,1125', - 'systemd-timesyncd.service,Network Time Synchronization,systemd-timesync,1575', - 'systemd-timesyncd.service,Network Time Synchronization,systemd-timesync,1800', - 'systemd-tmpfiles-clean.timer,Daily Cleanup of Temporary Directories,,450', - 'systemd-tmpfiles-setup-dev.service,Create Static Device Nodes in /dev,,675', - 'systemd-tmpfiles-setup.service,Create Volatile Files and Directories,,675', - 'systemd-tmpfiles-setup.service,Create Volatile Files and Directories,,900', - 'systemd-udevd-control.socket,udev Control Socket,,450', - 'systemd-udevd-kernel.socket,udev Kernel Socket,,450', - 'systemd-udevd.service,Rule-based Manager for Device Events and Files,,1125', - 'systemd-udevd.service,Rule-based Manager for Device Events and Files,,1350', - 'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,,675', - 'systemd-udev-trigger.service,Coldplug All udev Devices,,675', - 'systemd-update-done.service,Update is Completed,,675', - 'systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,,675', - 'systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,,900', - 'systemd-update-utmp.service,Update UTMP about System Boot/Shutdown,,675', - 'systemd-userdbd.service,User Database Manager,,1125', - 'systemd-userdbd.socket,User Database Manager Socket,,675', - 'systemd-user-sessions.service,Permit User Sessions,,450', - 'systemd-user-sessions.service,Permit User Sessions,,675', - 'systemd-vconsole-setup.service,Setup Virtual Console,,450', - 'systemd-vconsole-setup.service,Setup Virtual Console,,675', - 'system.slice,System Slice,,0', - 'tailscaled.service,Tailscale node agent,,675', - 'thermald.service,Thermal Daemon Service,,225', - 'tlp.service,TLP system startup/shutdown,,450', - "touchegg.service,Touchégg Daemon,,225", - 'ua-timer.timer,Ubuntu Advantage Timer for running repeated jobs,,0', - 'udisks2.service,Disk Manager,,0', - 'udisks2.service,Disk Manager,,225', - 'ufw.service,Uncomplicated firewall,,225', - 'unattended-upgrades.service,Unattended Upgrades Shutdown,,225', - 'unbound-anchor.timer,daily update of the root trust anchor for DNSSEC,,225', - 'updatedb.timer,Daily locate database update,,0', - 'update-notifier-download.timer,Download data for packages that failed at package install time,,225', - 'update-notifier-motd.timer,Check to see whether there is a new version of Ubuntu available,,225', - 'upower.service,Daemon for power management,,900', - 'uresourced.service,User resource assignment daemon,,225', - 'usbmuxd.service,Socket daemon for the usbmux protocol used by Apple devices,,225', - 'user.slice,User and Session Slice,,225', - 'uuidd.socket,UUID daemon activation socket,,0', - 'vboxautostart-service.service,vboxautostart-service.service,,450', - 'vboxballoonctrl-service.service,vboxballoonctrl-service.service,,450', - 'vboxdrv.service,VirtualBox Linux kernel module,,450', - 'vboxweb-service.service,vboxweb-service.service,,450', - 'virtinterfaced.socket,Libvirt interface local socket,,225', - 'virtlockd.socket,Virtual machine lock manager socket,,0', - 'virtlogd-admin.socket,Virtual machine log manager socket,,225', - 'virtlogd.service,Virtual machine log manager,,675', - 'virtlogd.socket,Virtual machine log manager socket,,0', - 'virtnetworkd.socket,Libvirt network local socket,,225', - 'orbit,/opt/orbit/bin/orbit/linux/stable/orbit,0,system.slice,orbit.service,0755', - 'virtnodedevd.socket,Libvirt nodedev local socket,,225', - 'virtnwfilterd.socket,Libvirt nwfilter local socket,,225', - 'virtproxyd.socket,Libvirt proxy local socket,,225', - 'virtqemud-admin.socket,Libvirt qemu admin socket,,225', - 'virtqemud-ro.socket,Libvirt qemu local read-only socket,,225', - 'virtqemud.service,Virtualization qemu daemon,,1575', - 'virtqemud.socket,Libvirt qemu local socket,,0', - 'virtqemud.socket,Libvirt qemu local socket,,225', - 'virtsecretd.socket,Libvirt secret local socket,,0', - 'virtsecretd.socket,Libvirt secret local socket,,225', - 'orbit.service,Orbit osquery,,225', - 'virtstoraged.socket,Libvirt storage local socket,,225', - 'whoopsie.path,Start whoopsie on modification of the /var/crash directory,,0', - 'wpa_supplicant.service,WPA supplicant,,225', - 'zfs-import-cache.service,Import ZFS pools by cache file,,450', - 'zfs-load-key-rpool.service,Load ZFS key for rpool,,675', - 'zfs-load-module.service,Install ZFS kernel module,,225', - 'zfs-mount.service,Mount ZFS filesystems,,225', - 'zfs-scrub.service,ZFS pools scrubbing,,900', - 'zfs-scrub.timer,zfs-scrub.timer,,0', - 'zfs-share.service,ZFS file system shares,,225', - 'zfs-share.service,ZFS file system shares,,450', - 'zfs-snapshot-daily.service,ZFS auto-snapshotting every day,,900', - 'zfs-snapshot-frequent.service,ZFS auto-snapshotting every 15 mins,,900', - 'zfs-snapshot-hourly.service,ZFS auto-snapshotting every hour,,900', - 'zfs-volume-wait.service,Wait for ZFS Volume (zvol) links in /dev,,225', - 'zfs-zed.service,ZFS Event Daemon (zed),,225', - 'znapzend.service,ZnapZend - ZFS Backup System,root,1575', - 'zpool-trim.service,ZFS pools trim,,1125', - 'zpool-trim.timer,zpool-trim.timer,,0' + 'abrtd.service,ABRT Automated Bug Reporting Tool,', + 'abrtd.service,ABRT Daemon,', + 'abrt-journal-core.service,ABRT coredumpctl message creator,', + 'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,', + 'abrt-oops.service,ABRT kernel log watcher,', + 'abrt-xorg.service,ABRT Xorg log watcher,', + 'accounts-daemon.service,Accounts Service,', + 'accounts-daemon.service,Accounts Service,', + 'accounts-daemon.service,Accounts Service,', + 'acpid.path,ACPI Events Check,', + 'acpid.service,ACPI Daemon,', + 'acpid.service,ACPI event daemon,', + 'acpid.socket,ACPID Listen Socket,', + 'akmods.service,Builds and install new kmods from akmod packages,', + 'alsa-restore.service,Save/Restore Sound Card State,', + 'alsa-restore.service,Save/Restore Sound Card State,', + 'alsa-state.service,Manage Sound Card State (restore and store),', + 'alsa-store.service,Store Sound Card State,', + 'anacron.service,Run anacron jobs,', + 'anacron.timer,Trigger anacron every hour,', + 'apcupsd.service,APC UPS Power Control Daemon for Linux,', + 'apparmor.service,Load AppArmor profiles,', + 'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),', + 'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),', + 'apport.service,LSB: automatic crash report generation,', + 'apt-daily.service,Daily apt download activities,', + 'apt-daily.timer,Daily apt download activities,', + 'apt-daily-upgrade.timer,Daily apt upgrade and clean activities,', + 'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,', + 'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,', + 'archlinux-keyring-wkd-sync.timer,Refresh existing PGP keys of archlinux-keyring regularly,', + 'atd.service,Deferred execution scheduler,', + 'auditd.service,Security Auditing Service,', + 'audit.service,Kernel Auditing,', + 'avahi-daemon.service,Avahi mDNS/DNS-SD Stack,', + 'avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,', + 'binfmt-support.service,Enable support for additional executable binary formats,', + 'blk-availability.service,Availability of block devices,', + 'bluetooth.service,Bluetooth service,', + 'bolt.service,Thunderbolt system service,', + 'chronyd.service,NTP client/server,', + 'chrony.service,chrony, an NTP client/server', + 'chrony.service,chrony, an NTP client/server', + 'cloud-config.service,Apply the settings specified in cloud-config,', + 'cloud-final.service,Execute cloud user/final scripts,', + 'cloud-init-hotplugd.socket,cloud-init hotplug hook socket,', + 'cloud-init-local.service,Initial cloud-init job (pre-networking),', + 'cloud-init.service,Initial cloud-init job (metadata service crawler),', + 'cloud-init.service,Initial cloud-init job (metadata service crawler),', + 'colord.service,Manage, Install and Generate Color Profiles,colord', + 'com.system76.PowerDaemon.service,System76 Power Daemon,', + 'com.system76.Scheduler.service,Automatically configure CPU scheduler for responsiveness on AC,', + 'console-setup.service,Set console font and keymap,', + 'containerd.service,containerd container runtime,', + 'containerd.service,containerd container runtime,', + 'crond.service,Command Scheduler,', + 'cronie.service,Periodic Command Scheduler,', + 'cron.service,Regular background program processing daemon,', + 'cups-browsed.service,Make remote CUPS printers available locally,', + 'cups.path,CUPS Scheduler,', + 'cups.service,CUPS Scheduler,', + 'cups.socket,CUPS Scheduler,', + 'dbus-:1.2-org.pop_os.transition_system@0.service,dbus-:1.2-org.pop_os.transition_system@0.service,0', + 'dbus-broker.service,D-Bus System Message Bus,', + 'dbus.service,D-Bus System Message Bus,', + 'dbus.service,D-Bus System Message Bus,', + 'dbus.socket,D-Bus System Message Bus Socket,', + 'dhcpcd.service,DHCP Client,', + 'display-manager.service,X11 Server,', + 'dkms.service,Builds and install new kernel modules through DKMS,', + 'dm-event.socket,Device-mapper event daemon FIFOs,', + 'dm-event.socket,Device-mapper event daemon FIFOs,', + 'dnf-automatic-install.service,dnf automatic install updates,', + 'dnf-automatic-install.timer,dnf-automatic-install timer,', + 'dnf-makecache.service,dnf makecache,', + 'dnf-makecache.service,dnf makecache,', + 'dnf-makecache.timer,dnf makecache --timer,', + 'docker.service,Docker Application Container Engine,', + 'docker.service,Docker Application Container Engine,', + 'docker.service,Docker Application Container Engine,', + 'docker.socket,Docker Socket for the API,', + 'docker.socket,Docker Socket for the API,', + 'dpkg-db-backup.timer,Daily dpkg database backup timer,', + 'dracut-shutdown.service,Restore /run/initramfs on shutdown,', + 'dracut-shutdown.service,Restore /run/initramfs on shutdown,', + 'e2scrub_all.timer,Periodic ext4 Online Metadata Check for All Filesystems,', + 'finalrd.service,Create final runtime dir for shutdown pivot root,', + 'firewalld.service,firewalld - dynamic firewall daemon,', + 'firewall.service,Firewall,', + 'flatpak-system-helper.service,flatpak system helper,', + 'fprintd.service,Fingerprint Authentication Daemon,', + 'fprintd.service,Fingerprint Authentication Daemon,', + 'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,', + 'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,', + 'fstrim.timer,Discard unused blocks once a week,', + 'fstrim.timer,Discard unused filesystem blocks once a week,', + 'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh', + 'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh', + 'fwupd-refresh.timer,Refresh fwupd metadata regularly,', + 'fwupd.service,Firmware update daemon,', + 'gdm.service,GNOME Display Manager,', + 'gdm.service,GNOME Display Manager,', + 'geoclue.service,Location Lookup Service,geoclue', + 'gitsign.service,Keyless Git signing with Sigstore!,', + 'gssproxy.service,GSSAPI Proxy Daemon,', + 'haproxy.service,HAProxy Load Balancer,', + 'ifupdown-pre.service,Helper to synchronize boot up for ifupdown,', + 'iio-sensor-proxy.service,IIO Sensor Proxy service,', + 'import-state.service,Import network configuration from initramfs,', + 'irqbalance.service,irqbalance daemon,', + 'irqbalance.service,irqbalance daemon,', + 'iscsid.socket,Open-iSCSI iscsid Socket,', + 'iscsiuio.socket,Open-iSCSI iscsiuio Socket,', + 'iwd.service,Wireless service,', + 'kerneloops.service,Tool to automatically collect and submit kernel crash signatures,kernoops', + 'keyboard-setup.service,Set the console keyboard layout,', + 'kmod-static-nodes.service,Create List of Static Device Nodes,', + 'kmod-static-nodes.service,Create list of static device nodes for the current kernel,', + 'kolide-launcher.service,Kolide launcher,', + 'launcher.kolide-k2.service,The Kolide Launcher,', + 'ldconfig.service,Rebuild Dynamic Linker Cache,', + 'libvirtd-admin.socket,Libvirt admin socket,', + 'libvirtd-ro.socket,Libvirt local read-only socket,', + 'libvirtd.service,Virtualization daemon,', + 'libvirtd.socket,Libvirt local socket,', + 'lightdm.service,Light Display Manager,', + 'lima-guestagent.service,lima-guestagent,', + 'livesys-late.service,SYSV: Late init script for live image.,', + 'livesys.service,LSB: Init script for live image.,', + 'lm_sensors.service,Hardware Monitoring Sensors,', + 'lm-sensors.service,Initialize hardware monitoring sensors,', + 'lm_sensors.service,Initialize hardware monitoring sensors,', + 'logrotate-checkconf.service,Logrotate configuration check,', + 'logrotate-checkconf.service,Logrotate configuration check,', + 'logrotate.timer,Daily rotation of log files,', + 'logrotate.timer,logrotate.timer,', + 'low-memory-monitor.service,Low Memory Monitor,', + 'lvm2-lvmpolld.socket,LVM2 poll daemon socket,', + 'lvm2-lvmpolld.socket,LVM2 poll daemon socket,', + 'lvm2-monitor.service,Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling,', + 'machine.slice,Virtual Machine and Container Slice,', + 'man-db.service,Daily man-db regeneration,root', + 'man-db.timer,Daily man-db regeneration,', + 'mcelog.service,Machine Check Exception Logging Daemon,', + 'mlocate-updatedb.timer,Updates mlocate database every day,', + 'ModemManager.service,Modem Manager,root', + 'modprobe@efi_pstore.service,Load Kernel Module efi_pstore,', + 'modprobe@pstore_blk.service,Load Kernel Module pstore_blk,', + 'modprobe@pstore_zone.service,Load Kernel Module pstore_zone,', + 'modprobe@ramoops.service,Load Kernel Module ramoops,', + 'monitorix.service,Monitorix,', + 'motd-news.timer,Message of the Day,', + 'mount-pstore.service,mount-pstore.service,', + 'multipathd.service,Device-Mapper Multipath Device Controller,', + 'multipathd.socket,multipathd control socket,', + 'nessusd.service,The Nessus Vulnerability Scanner,', + 'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,', + 'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,', + 'networking.service,Raise network interfaces,', + 'network-local-commands.service,Extra networking commands.,', + 'network-local-commands.service,Extra networking commands.,', + 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,', + 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,', + 'NetworkManager.service,Network Manager,', + 'NetworkManager.service,Network Manager,', + 'NetworkManager-wait-online.service,Network Manager Wait Online,', + 'network-setup.service,Networking Setup,', + 'nginx.service,Nginx Web Server,nginx', + 'nginx.service,Nginx Web Server,nginx', + 'nix-daemon.service,Nix Daemon,', + 'nix-daemon.socket,Nix Daemon Socket,', + 'nix-gc.timer,nix-gc.timer,', + 'nscd.service,Name Service Cache Daemon,nscd', + 'nscd.service,Name Service Cache Daemon (nsncd),nscd', + 'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,', + 'nvidia-persistenced.service,NVIDIA Persistence Daemon,', + 'nvidia-powerd.service,nvidia-powerd service,', + 'nvidia-suspend.service,NVIDIA system suspend actions,', + 'openvpn.service,OpenVPN service,', + 'packagekit.service,PackageKit Daemon,root', + 'pcscd.service,PC/SC Smart Card Daemon,', + 'pcscd.socket,PC/SC Smart Card Daemon Activation Socket,', + 'phpsessionclean.timer,Clean PHP session files every 30 mins,', + 'plocate-updatedb.service,Update the plocate database,', + 'plocate-updatedb.timer,Update the plocate database daily,', + 'plymouth-quit.service,Terminate Plymouth Boot Screen,', + 'plymouth-quit.service,Terminate Plymouth Boot Screen,', + 'plymouth-quit-wait.service,Hold until boot process finishes up,', + 'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,', + 'plymouth-start.service,Show Plymouth Boot Screen,', + 'polkit.service,Authorization Manager,', + 'polkit.service,Authorization Manager,', + 'power-profiles-daemon.service,Power Profiles daemon,', + 'proc-sys-fs-binfmt_misc.automount,Arbitrary Executable File Formats File System Automount Point,', + 'pwrstatd.service,The monitor UPS software.,', + 'qemu-kvm.service,QEMU KVM preparation - module, ksm, hugepages,', + 'qualys-cloud-agent.service,Qualys cloud agent daemon,', + 'raid-check.timer,Weekly RAID setup health check,', + 'realmd.service,Realm and Domain Configuration,', + 'reflector.service,Refresh Pacman mirrorlist with Reflector.,', + 'reflector.timer,Refresh Pacman mirrorlist weekly with Reflector.,', + 'reload-systemd-vconsole-setup.service,Reset console on configuration changes,', + 'resolvconf-pull-resolved.path,resolvconf-pull-resolved.path,', + 'resolvconf.service,Nameserver information manager,', + 'resolvconf.service,resolvconf update,', + 'rngd.service,Hardware RNG Entropy Gatherer Daemon,', + 'rpc-statd-notify.service,Notify NFS peers of a restart,', + 'rsyslog.service,System Logging Service,', + 'rsyslog.service,System Logging Service,', + 'rtkit-daemon.service,RealtimeKit Scheduling Policy Service,', + 'serial-getty@ttyS0.service,Serial Getty on ttyS0,', + 'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot', + 'setvtrgb.service,Set console scheme,', + 'shadow.service,Verify integrity of password and group files,', + 'shadow.timer,Daily verification of password and group files,', + '-.slice,Root Slice,', + 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,', + 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,', + 'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,', + 'snapd.seeded.service,Wait until snapd is fully seeded,', + 'snapd.service,Snap Daemon,', + 'snapd.socket,Socket activation for snappy daemon,', + 'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,', + 'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,', + 'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,', + 'sshd.service,OpenSSH Daemon,', + 'sshd.service,OpenSSH server daemon,', + 'sshd.service,OpenSSH server daemon,', + 'sshd.service,SSH Daemon,', + 'ssh.service,OpenBSD Secure Shell server,', + 'sssd-kcm.service,SSSD Kerberos Cache Manager,', + 'sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,', + 'supergfxd.service,SUPERGFX,', + 'switcheroo-control.service,Switcheroo Control Proxy service,', + 'syslog.socket,Syslog Socket,', + 'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,', + 'sysstat.service,Resets System Activity Logs,root', + 'sysstat.service,Resets System Activity Logs,root', + 'sysstat-summary.timer,Generate summary of yesterday''s process accounting,', + 'systemd-ask-password-console.path,Dispatch Password Requests to Console Directory Watch,', + 'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,', + 'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,', + 'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,', + 'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,', + 'systemd-binfmt.service,Set Up Additional Binary Formats,', + 'systemd-boot-random-seed.service,Update Boot Loader Random Seed,', + 'systemd-boot-update.service,Automatic Boot Loader Update,', + 'systemd-coredump.socket,Process Core Dump Socket,', + 'systemd-cryptsetup@cryptdata.service,Cryptography Setup for cryptdata,', + 'systemd-cryptsetup@cryptoswap.service,Cryptography Setup for cryptoswap,', + 'systemd-cryptsetup@cryptswap.service,Cryptography Setup for cryptswap,', + 'systemd-fsckd.socket,fsck to fsckd communication Socket,', + 'systemd-growfs@-.service,Grow File System on /,', + 'systemd-homed-activate.service,Home Area Activation,', + 'systemd-homed.service,Home Area Manager,', + 'systemd-hostnamed.service,Hostname Service,', + 'systemd-hwdb-update.service,Rebuild Hardware Database,', + 'systemd-initctl.socket,initctl Compatibility Named Pipe,', + 'systemd-journal-catalog-update.service,Rebuild Journal Catalog,', + 'systemd-journald-audit.socket,Journal Audit Socket,', + 'systemd-journald-audit.socket,Journal Audit Socket,', + 'systemd-journald-dev-log.socket,Journal Socket (/dev/log),', + 'systemd-journald.service,Journal Service,', + 'systemd-journald.service,Journal Service,', + 'systemd-journald.service,Journal Service,', + 'systemd-journald.service,Journal Service,', + 'systemd-journald.socket,Journal Socket,', + 'systemd-journal-flush.service,Flush Journal to Persistent Storage,', + 'systemd-localed.service,Locale Service,', + 'systemd-logind.service,User Login Management,', + 'systemd-logind.service,User Login Management,', + 'systemd-machined.service,Virtual Machine and Container Registration Service,', + 'systemd-machined.service,Virtual Machine and Container Registration Service,', + 'systemd-modules-load.service,Load Kernel Modules,', + 'systemd-networkd.service,Network Configuration,systemd-network', + 'systemd-networkd.socket,Network Service Netlink Socket,', + 'systemd-networkd-wait-online.service,Wait for Network to be Configured,', + 'systemd-network-generator.service,Generate network units from Kernel command line,', + 'systemd-network-generator.service,Generate network units from Kernel command line,', + 'systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom', + 'systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,', + 'systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,', + 'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,', + 'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,', + 'systemd-pcrphase.service,TPM2 PCR Barrier (User),', + 'systemd-pcrphase-sysinit.service,TPM2 PCR Barrier (Initialization),', + 'systemd-random-seed.service,Load/Save OS Random Seed,', + 'systemd-random-seed.service,Load/Save Random Seed,', + 'systemd-remount-fs.service,Remount Root and Kernel File Systems,', + 'systemd-resolved.service,Network Name Resolution,systemd-resolve', + 'systemd-resolved.service,Network Name Resolution,systemd-resolve', + 'systemd-rfkill.socket,Load/Save RF Kill Switch Status /dev/rfkill Watch,', + 'systemd-suspend.service,System Suspend,', + 'systemd-sysctl.service,Apply Kernel Variables,', + 'systemd-sysusers.service,Create System Users,', + 'systemd-sysusers.service,Create System Users,', + 'systemd-sysusers.service,Create System Users,', + 'systemd-timedated.service,Time & Date Service,', + 'systemd-timesyncd.service,Network Time Synchronization,systemd-timesync', + 'systemd-timesyncd.service,Network Time Synchronization,systemd-timesync', + 'systemd-tmpfiles-clean.timer,Daily Cleanup of Temporary Directories,', + 'systemd-tmpfiles-setup-dev.service,Create Static Device Nodes in /dev,', + 'systemd-tmpfiles-setup.service,Create Volatile Files and Directories,', + 'systemd-tmpfiles-setup.service,Create Volatile Files and Directories,', + 'systemd-udevd-control.socket,udev Control Socket,', + 'systemd-udevd-kernel.socket,udev Kernel Socket,', + 'systemd-udevd.service,Rule-based Manager for Device Events and Files,', + 'systemd-udevd.service,Rule-based Manager for Device Events and Files,', + 'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,', + 'systemd-udev-trigger.service,Coldplug All udev Devices,', + 'systemd-update-done.service,Update is Completed,', + 'systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,', + 'systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,', + 'systemd-update-utmp.service,Update UTMP about System Boot/Shutdown,', + 'systemd-userdbd.service,User Database Manager,', + 'systemd-userdbd.socket,User Database Manager Socket,', + 'systemd-user-sessions.service,Permit User Sessions,', + 'systemd-user-sessions.service,Permit User Sessions,', + 'systemd-vconsole-setup.service,Setup Virtual Console,', + 'systemd-vconsole-setup.service,Setup Virtual Console,', + 'system.slice,System Slice,', + 'tailscaled.service,Tailscale node agent,', + 'thermald.service,Thermal Daemon Service,', + 'tlp.service,TLP system startup/shutdown,', + 'touchegg.service,Touchégg Daemon,', + 'ua-timer.timer,Ubuntu Advantage Timer for running repeated jobs,', + 'udisks2.service,Disk Manager,', + 'udisks2.service,Disk Manager,', + 'ufw.service,Uncomplicated firewall,', + 'unattended-upgrades.service,Unattended Upgrades Shutdown,', + 'unbound-anchor.timer,daily update of the root trust anchor for DNSSEC,', + 'updatedb.timer,Daily locate database update,', + 'update-notifier-download.timer,Download data for packages that failed at package install time,', + 'update-notifier-motd.timer,Check to see whether there is a new version of Ubuntu available,', + 'upower.service,Daemon for power management,', + 'uresourced.service,User resource assignment daemon,', + 'usbmuxd.service,Socket daemon for the usbmux protocol used by Apple devices,', + 'user.slice,User and Session Slice,', + 'uuidd.socket,UUID daemon activation socket,', + 'vboxautostart-service.service,vboxautostart-service.service,', + 'vboxballoonctrl-service.service,vboxballoonctrl-service.service,', + 'vboxdrv.service,VirtualBox Linux kernel module,', + 'vboxweb-service.service,vboxweb-service.service,', + 'virtinterfaced.socket,Libvirt interface local socket,', + 'virtlockd.socket,Virtual machine lock manager socket,', + 'virtlogd-admin.socket,Virtual machine log manager socket,', + 'virtlogd.service,Virtual machine log manager,', + 'virtlogd.socket,Virtual machine log manager socket,', + 'virtnetworkd.socket,Libvirt network local socket,', + 'orbit,/opt/orbit/bin/orbit/linux/stable/orbit,0', + 'virtnodedevd.socket,Libvirt nodedev local socket,', + 'virtnwfilterd.socket,Libvirt nwfilter local socket,', + 'virtproxyd.socket,Libvirt proxy local socket,', + 'virtqemud-admin.socket,Libvirt qemu admin socket,', + 'virtqemud-ro.socket,Libvirt qemu local read-only socket,', + 'virtqemud.service,Virtualization qemu daemon,', + 'virtqemud.socket,Libvirt qemu local socket,', + 'virtqemud.socket,Libvirt qemu local socket,', + 'virtsecretd.socket,Libvirt secret local socket,', + 'virtsecretd.socket,Libvirt secret local socket,', + 'orbit.service,Orbit osquery,', + 'virtstoraged.socket,Libvirt storage local socket,', + 'whoopsie.path,Start whoopsie on modification of the /var/crash directory,', + 'wpa_supplicant.service,WPA supplicant,', + 'zfs-import-cache.service,Import ZFS pools by cache file,', + 'zfs-load-key-rpool.service,Load ZFS key for rpool,', + 'zfs-load-module.service,Install ZFS kernel module,', + 'zfs-mount.service,Mount ZFS filesystems,', + 'zfs-scrub.service,ZFS pools scrubbing,', + 'zfs-scrub.timer,zfs-scrub.timer,', + 'zfs-share.service,ZFS file system shares,', + 'zfs-share.service,ZFS file system shares,', + 'zfs-snapshot-daily.service,ZFS auto-snapshotting every day,', + 'zfs-snapshot-frequent.service,ZFS auto-snapshotting every 15 mins,', + 'zfs-snapshot-hourly.service,ZFS auto-snapshotting every hour,', + 'zfs-volume-wait.service,Wait for ZFS Volume (zvol) links in /dev,', + 'zfs-zed.service,ZFS Event Daemon (zed),', + 'znapzend.service,ZnapZend - ZFS Backup System,root', + 'zpool-trim.service,ZFS pools trim,', + 'zpool-trim.timer,zpool-trim.timer,' ) - OR exception_key LIKE 'machine-qemu%.scope,Virtual Machine qemu%,,225' - OR exception_key LIKE 'zfs-snapshot-%.timer,zfs-snapshot-%.timer,,0' - OR exception_key LIKE 'zfs-snapshot-%.service,zfs-snapshot-%.service,,900' - OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0,225' - OR exception_key LIKE 'run-media-%.mount,run-media-%.mount,,0' + OR exception_key LIKE 'machine-qemu%.scope,Virtual Machine qemu%,' + OR exception_key LIKE 'zfs-snapshot-%.timer,zfs-snapshot-%.timer,' + OR exception_key LIKE 'zfs-snapshot-%.service,zfs-snapshot-%.service,' + OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0' + OR exception_key LIKE 'run-media-%.mount,run-media-%.mount,' OR id LIKE '' OR id LIKE 'dev-disk-by%.swap' OR id LIKE 'dev-mapper-%.swap' diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql index 386fa1e..09c6220 100644 --- a/detection/persistence/unexpected-chrome-extensions.sql +++ b/detection/persistence/unexpected-chrome-extensions.sql @@ -47,6 +47,7 @@ WHERE ( AND enabled = 1 AND exception_key NOT IN ( -- Deprecated Google Extension + 'false,AgileBits,1Password – Password Manager,dppgmdbiimibapkepcbdbmkaabgiofem', 'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,', 'false,,base64 encode or decode selected text,', 'false,,Edge relevant text changes,jmjflgjpcpepeafmmgdpfkogkghcpiha', @@ -93,7 +94,6 @@ WHERE ( 'true,,Cloud9,nbdmccoknlfggadpfkmcpnamfnbkmkcp', 'true,,Cloud Vision,nblmokgbialjjgfhfofbgfcghhbkejac', 'true,,coLaboratory Notebook,pianggobfjcgeihlmfhfgkfalopndooo', - 'true,,Refined GitHub,hlepfoohegkhhmjieoechaddaejaokhf', 'true,,ColorPick Eyedropper,ohcpnigalekghcmgcdcenkpelffpdolg', 'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla', 'true,,Copper CRM for Gmail™,hpfmedbkgaakgagknibnonpkimkibkla', @@ -173,6 +173,7 @@ WHERE ( 'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm', 'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi', 'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb', + 'true,,Refined GitHub,hlepfoohegkhhmjieoechaddaejaokhf', 'true,,RetailMeNot Deal Finder™️,jjfblogammkiefalfpafidabbnamoknm', 'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd', 'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne', diff --git a/detection/persistence/unexpected-global-lock.sql b/detection/persistence/unexpected-global-lock.sql index cd041b6..b76004f 100644 --- a/detection/persistence/unexpected-global-lock.sql +++ b/detection/persistence/unexpected-global-lock.sql @@ -6,7 +6,7 @@ -- references: -- * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game -- --- tags: persistent filesystem state +-- tags: persistent filesystem state seldom -- platform: posix SELECT *, CONCAT( diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql index 8c4480a..0b3a494 100644 --- a/detection/persistence/unexpected-uid0-daemon-linux.sql +++ b/detection/persistence/unexpected-uid0-daemon-linux.sql @@ -116,6 +116,9 @@ WHERE 'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555', 'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755', 'dnsmasq,/usr/bin/dnsmasq,0,system.slice,libvirtd.service,0755', + 'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755', + '(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755', + 'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700', 'dnsmasq,/usr/sbin/dnsmasq,0,system.slice,libvirtd.service,0755', 'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755', 'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555', diff --git a/detection/privesc/unexpected-elevated-children-events_linux.sql b/detection/privesc/unexpected-elevated-children-events_linux.sql index 44e6f24..dc5d98d 100644 --- a/detection/privesc/unexpected-elevated-children-events_linux.sql +++ b/detection/privesc/unexpected-elevated-children-events_linux.sql @@ -1,6 +1,5 @@ -- Find processes that run with a lower effective UID than their parent (event-based) -- --- -- references: -- * https://attack.mitre.org/techniques/T1548/001/ (Setuid and Setgid) -- * https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux @@ -8,7 +7,10 @@ -- related: -- * unexpected-privilege-escalation.sql -- --- tags: events process escalation +-- False positives: +-- * On some hosts this ocassionally gets the parenting relationship confused +-- +-- tags: events process escalation disabled -- platform: linux -- interval: 600 SELECT diff --git a/detection/privesc/unexpected-elevated-children-events_macos.sql b/detection/privesc/unexpected-elevated-children-events_macos.sql index d6bda22..43642b4 100644 --- a/detection/privesc/unexpected-elevated-children-events_macos.sql +++ b/detection/privesc/unexpected-elevated-children-events_macos.sql @@ -115,6 +115,7 @@ WHERE 'bioutil,0,callservicesd,launchd', 'trustd,205,trustd,launchd', 'CAReportingService,0,LogiTune,launchd', + 'efilogin-helper,0,containermanagerd,launchd', 'com.apple.AccountPolicyHelper,0,LogiTune,launchd', 'com.apple.geod,262,com.docker.backend,Docker', 'com.apple.WebKit.WebContent,200,zsh,Emacs-arm64-11', diff --git a/policy/gcp-service-account-keys-mdfind.sql b/policy/gcp-service-account-keys-mdfind.sql index e4c181c..ff270b6 100644 --- a/policy/gcp-service-account-keys-mdfind.sql +++ b/policy/gcp-service-account-keys-mdfind.sql @@ -1,6 +1,9 @@ -- Indicative of stored GCP service account keys just sitting around unencrypted -- --- tags: persistent state filesystem +-- * False positives: +-- * Keys exported for non-production purposes +-- +-- tags: persistent state filesystem disabled -- platform: darwin SELECT file.path,