From 188bc78f4c8e4c43434fe84a468f8d4a31c79107 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Tue, 15 Aug 2023 18:29:27 -0400 Subject: [PATCH] Fix errors --- detection/c2/unexpected-https-linux.sql | 1 - detection/c2/unexpected-https-macos.sql | 1 - .../evasion/hidden-home-libappsupport.sql | 4 +- .../unexpected-alf-exceptions-macos.sql | 7 +- .../unexpected-process-extension-linux.sql | 3 +- .../unexpected-execdir-events-macos.sql | 5 +- .../execution/unexpected-osascript-calls.sql | 2 +- ...ected-security-framework-program-macos.sql | 2 +- .../unexpected-active-systemd-units.sql | 9 +-- detection/persistence/unexpected-device.sql | 3 +- .../persistence/unexpected-global-lock.sql | 77 ++++++++++--------- .../unexpected-uid0-daemon-linux.sql | 2 +- .../unexpected-uid0-daemon-macos.sql | 5 +- 13 files changed, 55 insertions(+), 66 deletions(-)
diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
index ef433d77..4f1436f5 100644
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@@ -288,7 +288,6 @@ WHERE
 '500,zdup,500u,500g,zdup',
 '500,zoom,0u,0g,zoom',
 '500,zoom.real,u,g,zoom.real'
- )
 -- Exceptions where we have to be more flexible for the process name
 AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
 AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index b1f4ecbc..9581228c 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
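Review bot: After the removed `)`, the last list entry `'500,zoom.real,u,g,zoom.real'` is followed directly by the `-- Exceptions …` comment and `AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'`, and nothing in the hunk closes the list that entry belongs to (its opening is above the hunk). Either the file no longer parses, or a `)` further down now closes it, in which case the `AND NOT … LIKE` clauses become part of the final list element — an SQLite-based engine accepts a boolean expression there, so the query would load but the LIKE-based exceptions would no longer act as exceptions. Please run the query once and confirm that a process matching one of those patterns is still excluded. The same `)` removal appears in unexpected-https-macos.sql, the second hunk of unexpected-active-systemd-units.sql and the second hunk of unexpected-device.sql.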
@@ -156,7 +156,6 @@ WHERE
 '500,syncthing,syncthing,,syncthing',
 '500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform',
 '500,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos'
- )
 AND NOT exception_key LIKE '500,tor-%-darwin-brave-%,tor-%-darwin-brave-%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),tor-%-darwin-brave-%'
 AND NOT alt_exception_key IN (
diff --git a/detection/evasion/hidden-home-libappsupport.sql b/detection/evasion/hidden-home-libappsupport.sql
index 95ecfb96..36d187b1 100644
--- a/detection/evasion/hidden-home-libappsupport.sql
+++ b/detection/evasion/hidden-home-libappsupport.sql
@@ -63,7 +63,7 @@ WHERE
 '~/Library/Application Support/Slack',
 '~/Library/Application Support/ZaloApp',
 '~/Library/Application Support/ZaloData',
- '~/Library/Application Support/ZaloPC'
+ '~/Library/Application Support/ZaloPC',
 '~/Library/Application Support/com.apple.spotlight',
 '~/Library/Application Support/com.bohemiancoding.sketch3',
 '~/Library/Application Support/com.intelliscapesolutions.caffeine',
@@ -71,7 +71,7 @@ WHERE
 '~/Library/Application Support/com.psiexams.psi-bridge-secure-browser',
 '~/Library/Application Support/com.tinyapp.TablePlus',
 '~/Library/Application Support/discord',
- '~/Library/Application Support/lghub',
+ '~/Library/Application Support/lghub'
 )
 AND NOT homepath IN (
 '~/Library/Application Support/.Shadowland5.5',
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
index 0e614375..87c998fe 100644
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
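Review bot: The comma added after `'~/Library/Application Support/ZaloPC'` is a pure syntax repair, and the same repair recurs in unexpected-alf-exceptions-macos.sql, unexpected-execdir-events-macos.sql, unexpected-security-framework-program-macos.sql, unexpected-device.sql and unexpected-uid0-daemon-macos.sql. A detection query that fails to parse is worse than one that errors loudly: it typically yields no rows at all, so the coverage it was meant to provide is silently absent until someone notices. Consider a CI step that parses every file under detection/ (sqlfluff, or a dry run against the target engine) so this class of typo is caught before merge rather than in a later "Fix errors" commit.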
@@ -53,7 +53,7 @@ WHERE
 ',,/Applications/ProtonMail%20Bridge.app/,',
 ',,/Applications/Visual%20Studio%20Code.app/,',
 ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
- ',,/usr/local/sbin/iodined,501'
+ ',,/usr/local/sbin/iodined,501',
 ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
 ',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
 ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
@@ -91,8 +91,7 @@ WHERE
 'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
 'Software Signing,com.apple.nc,/usr/bin/nc,0',
 'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
- 'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
-
+ 'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0'
 )
 AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
 AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
@@ -123,7 +122,7 @@ WHERE
 AND NOT (
 signature.identifier = 'nix'
 AND ae.path LIKE '/nix/store/%-nix-%/bin/nix'
- )
+ )
 AND NOT (
 ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
 )
diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql
index dc5c56c7..75ecf3df 100644
--- a/detection/evasion/unexpected-process-extension-linux.sql
+++ b/detection/evasion/unexpected-process-extension-linux.sql
@@ -8,7 +8,6 @@
 --
 -- tags: persistent process state
 -- platform: linux
-
 SELECT
 -- Child
 p0.pid AS p0_pid,
@@ -80,4 +79,4 @@ WHERE
 'ext'
 )
 AND NOT basename LIKE 'python3.%'
- AND NOT basename LIKE 'python2.%'
\ No newline at end of file
+ AND NOT basename LIKE 'python2.%'
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 29eeee3c..9e639615 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -203,7 +203,7 @@ WHERE
 '/Library/Printers/EPSON/InkjetPrinter2/Filter/commandtoescp.app/Contents/MacOS',
 '/Library/PrivilegedHelperTools',
 '/Library/TeX/texbin',
- '/Volumes/Grammarly/Grammarly Installer.app/Contents/MacOS'
+ '/Volumes/Grammarly/Grammarly Installer.app/Contents/MacOS',
 '/bin',
 '/node_modules/.bin',
 '/opt/X11/bin',
@@ -247,8 +247,7 @@ WHERE
 '~/code/bin',
 '~/go/bin',
 '~/melange',
- '~/projects/go/bin',
-
+ '~/projects/go/bin'
 ) -- Locally built executables
 AND NOT ( s.identifier = 'a.out'
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index 530d54d0..125168df 100644
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@@ -113,7 +113,7 @@ WHERE
 OR (
 p1_authority = 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)'
 AND p0_cmd = 'osascript'
- )
+ )
 )
 )
 -- The following apply to all uids
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index 45f3dfcb..64c79b86 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -122,7 +122,7 @@ WHERE
 '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
 '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '500,WinAppHelper,,',
- '500,WinAppHelper,WinAppHelper,'
+ '500,WinAppHelper,WinAppHelper,',
 '500,bash,bash,',
 '500,bash,com.apple.bash,Software Signing',
 '500,bufls,a.out,',
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 88c266f3..452b112d 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -15,13 +15,7 @@ SELECT -- description AS 'desc', hash.sha256, file.ctime, file.size,
- CONCAT (
- id,
- ',',
- description,
- ',',
- user
- ) AS exception_key
+ CONCAT (id, ',', description, ',', user) AS exception_key
 FROM systemd_units
 LEFT JOIN hash ON systemd_units.fragment_path = hash.path
@@ -374,7 +368,6 @@ WHERE
 'znapzend.service,ZnapZend - ZFS Backup System,root',
 'zpool-trim.service,ZFS pools trim,',
 'zpool-trim.timer,zpool-trim.timer,'
- )
 OR exception_key LIKE 'machine-qemu%.scope,Virtual Machine qemu%,'
 OR exception_key LIKE 'zfs-snapshot-%.timer,zfs-snapshot-%.timer,'
diff --git a/detection/persistence/unexpected-device.sql b/detection/persistence/unexpected-device.sql
index 4557d703..40e9a873 100644
--- a/detection/persistence/unexpected-device.sql
+++ b/detection/persistence/unexpected-device.sql
@@ -224,7 +224,7 @@ WHERE
 '/dev/vgubuntu/root',
 '/dev/vgubuntu/swap_',
 '/dev/vhci',
- '/dev/disk/by-dname'
+ '/dev/disk/by-dname',
 '/dev/vhost-net',
 '/dev/vhost-vsock',
 '/dev/video',
@@ -241,7 +241,6 @@ WHERE
 '/dev/zram',
 '/dev/zvol/',
 '/dev/zvol/rpool'
- )
 AND NOT path LIKE '/dev/mapper/%'
 AND NOT path LIKE '/dev/shm/sem.rpc%'
diff --git a/detection/persistence/unexpected-global-lock.sql b/detection/persistence/unexpected-global-lock.sql
index af74ac71..1d2c7156 100644
--- a/detection/persistence/unexpected-global-lock.sql
+++ b/detection/persistence/unexpected-global-lock.sql
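Review bot: The rewritten `CONCAT (id, ',', description, ',', user) AS exception_key` builds the allow-list key from raw fields, and two pre-existing weaknesses are worth fixing while the line is being touched; the SELECT it belongs to starts above the hunk. If CONCAT propagates NULL in this engine (dialect-dependent), a unit with a NULL description or user gets a NULL key, the `IN`/`LIKE` tests on it evaluate to NULL, and the row is dropped from the results rather than reported — the wrong failure direction for a detection; `CONCAT (id, ',', COALESCE(description, ''), ',', COALESCE(user, '')) AS exception_key` avoids that. The delimiter is also unescaped: `description` is presumably free text taken from the unit file, so a comma inside it shifts the fields of the key and can make an entry match or miss unexpectedly. A separator that cannot occur in those fields, or keying on fragment_path rather than description, would make the allow-list entries unambiguous.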
@@ -8,40 +8,43 @@
 --
 -- tags: persistent filesystem state seldom
 -- platform: posix
-SELECT *,
- CONCAT(
- MIN(file.uid, 500),
- ",",
- file.gid,
- ",",
- file.path,
- ",",
- file.type,
- ',',
- mode
- ) AS exception_key
-FROM file
-WHERE (
- path LIKE "/tmp/%.lock"
- OR path LIKE "/var/run/%.lock"
- OR path LIKE "/var/tmp/%.lock"
- OR path LIKE "/dev/shm/%.lock"
- OR path LIKE "/dev/mqueue/%.lock"
- OR path LIKE "/tmp/.%.lock"
- OR path LIKE "/var/run/.%.lock"
- OR path LIKE "/var/tmp/.%.lock"
- OR path LIKE "/dev/shm/.%.lock"
- OR path LIKE "/dev/mqueue/.%.lock"
- )
- AND exception_key NOT IN (
- '0,0,/var/run/unattended-upgrades.lock,regular,0640',
- '500,0,/tmp/mysql.sock.lock,regular,0600',
- '500,0,/tmp/mysqlx.sock.lock,regular,0600',
- '0,0,/var/run/xtables.lock,regular,0600',
- '0,0,/var/run/dnf-metadata.lock,regular,0644',
- '0,0,/var/run/ufw.lock,regular,0644',
- '0,0,/var/run/apport.lock,regular,0600',
- '74,0,/tmp/mysql.sock.lock,regular,0600',
- '74,0,/tmp/mysqlx.sock.lock,regular,0600',
- '500,1001,/tmp/nwg-dock.lock,regular,0600'
- )
\ No newline at end of file
+SELECT
+ *,
+ CONCAT (
+ MIN(file.uid, 500),
+ ",",
+ file.gid,
+ ",",
+ file.path,
+ ",",
+ file.type,
+ ',',
+ mode
+ ) AS exception_key
+FROM
+ file
+WHERE
+ (
+ path LIKE "/tmp/%.lock"
+ OR path LIKE "/var/run/%.lock"
+ OR path LIKE "/var/tmp/%.lock"
+ OR path LIKE "/dev/shm/%.lock"
+ OR path LIKE "/dev/mqueue/%.lock"
+ OR path LIKE "/tmp/.%.lock"
+ OR path LIKE "/var/run/.%.lock"
+ OR path LIKE "/var/tmp/.%.lock"
+ OR path LIKE "/dev/shm/.%.lock"
+ OR path LIKE "/dev/mqueue/.%.lock"
+ )
+ AND exception_key NOT IN (
+ '0,0,/var/run/unattended-upgrades.lock,regular,0640',
+ '500,0,/tmp/mysql.sock.lock,regular,0600',
+ '500,0,/tmp/mysqlx.sock.lock,regular,0600',
+ '0,0,/var/run/xtables.lock,regular,0600',
+ '0,0,/var/run/dnf-metadata.lock,regular,0644',
+ '0,0,/var/run/ufw.lock,regular,0644',
+ '0,0,/var/run/apport.lock,regular,0600',
+ '74,0,/tmp/mysql.sock.lock,regular,0600',
+ '74,0,/tmp/mysqlx.sock.lock,regular,0600',
+ '500,1001,/tmp/nwg-dock.lock,regular,0600'
+ )
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index cc8ceb31..a5f71dc0 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -262,7 +262,7 @@ WHERE
 'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-hourly.service,0555',
 'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555',
 'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
- 'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555',
+ 'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555'
 )
 AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
 AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index 93b30990..a6a0ce9b 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -267,7 +267,7 @@ WHERE -- Focus on longer-running programs
 '/usr/sbin/BTLEServer',
 '/usr/sbin/BlueTool',
 '/usr/sbin/KernelEventAgent',
- '/usr/sbin/WirelessRadioManagerd'
+ '/usr/sbin/WirelessRadioManagerd',
 '/usr/sbin/aslmanager',
 '/usr/sbin/audioclocksyncd',
 '/usr/sbin/auditd',
@@ -282,8 +282,7 @@ WHERE -- Focus on longer-running programs
 '/usr/sbin/sshd',
 '/usr/sbin/syslogd',
 '/usr/sbin/systemsoundserverd',
- '/usr/sbin/systemstats',
-
+ '/usr/sbin/systemstats'
 )
 AND NOT path LIKE '/nix/store/%-nix-%/bin/nix'
 AND NOT path LIKE '/opt/homebrew/Cellar/htop/%/bin/htop'
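Review bot: The reformatted `CONCAT` in unexpected-global-lock.sql still mixes `","` and `','` as field separators, and the ten `path LIKE "..."` patterns are double-quoted too; the commit re-indented these lines without normalising them. In an SQLite-based engine a double-quoted token is an identifier first and a string literal only as a fallback when no such column resolves — that fallback can be disabled at build time, and even where it is on, a reader has to re-check on every edit that `","` is not naming a column. Use single quotes throughout: `','` for the three `","` lines and, for example, `path LIKE '/tmp/%.lock'` for the patterns. The `MIN(file.uid, 500)` term would also benefit from a one-line comment, e.g. `-- MIN() collapses uids >= 500 to 500 (presumably so one entry covers any regular user)`.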