From 7d9aced380a51e875f3b41095f663016616c843b Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Wed, 25 Oct 2023 09:18:04 -0400
Subject: [PATCH] fpr: mtr, vscode, cpptools, cron, firefox
---
 detection/c2/unexpected-talker-events.sql | 60 ++++++++++---------
 detection/evasion/unexpected-dev-entries.sql | 12 ++--
 .../unexpected-hidden-system-paths.sql | 6 +-
 .../evasion/unusual-process-name-linux.sql | 28 +++++----
 .../evasion/unusual-process-name-macos.sql | 10 +++-
 detection/exfil/high_disk_bytes_read.sql | 23 +++----
 .../persistence/unexpected-cron-entries.sql | 1 +
 .../unexpected-uid0-daemon-macos.sql | 5 +-
 8 files changed, 85 insertions(+), 60 deletions(-)
diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index 995ef83d..e7c1984d 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -103,22 +103,20 @@ WHERE
 AND NOT homedir = '~/Library/Application Support/Foxit Software/Addon/Foxit PDF Reader/FoxitPDFReaderUpdateService.app/Contents/MacOS'
 AND NOT exception_key IN (
 '500,0,110,syncthing',
- '500,0,123,sntp',
- '500,0,53,spotify',
- '500,500,443,Signal',
- '500,500,443,Google Chrome Helper',
- '500,500,443,Signal Helper (Renderer)',
 '500,0,1234,spotify',
- '500,500,443,apk',
+ '500,0,123,sntp',
 '500,0,20480,io.tailscale.ipn.macsys.network-extension',
 '500,0,22,ssh',
 '500,0,31488,sntp',
 '500,0,32768,com.apple.NRD.UpdateBrainService',
 '500,0,32768,io.tailscale.ipn.macsys.network-extension',
 '500,0,32768,ksfetch',
+ '500,0,32768,networkQuality',
 '500,0,32768,syncthing',
- '500,0,443,OneDriveStandaloneUpdater',
+ '500,0,43,whois',
+ '500,0,443,Brackets',
 '500,0,443,chrome',
+ '500,0,443,chrome_crashpad_handler',
 '500,0,443,com.apple.MobileSoftwareUpdate.UpdateBrainService',
 '500,0,443,com.apple.NRD.UpdateBrainService',
 '500,0,443,com.google.one.NetworkExtension',
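Review bot: The keys added here (`'500,0,32768,networkQuality'`, `'500,0,43,whois'`, `'500,0,443,chrome_crashpad_handler'`) and in the next hunk (`'500,500,32768,node'`, `'500,500,80,Code Helper'`, `'500,500,80,Google Chrome Helper'`) appear to match on uid, gid, port and process name only; exception_key is built outside this hunk, so confirm it carries no path or signer component. If it does not, any process that reports one of these names on the listed port inherits the exception, and the new `node` entry is the broadest of them because whatever script node runs is attributed to node. A comment above the list recording that assumption, e.g. `-- exception_key is name+port based: runtime entries (node, java, Electron) cover anything they execute`, would keep the trade-off visible to whoever tunes this next. The `AND NOT exception_key IN (` predicate begins in this hunk, but the WHERE clause started earlier in the file.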
@@ -128,79 +126,85 @@ WHERE
 '500,0,443,git-remote-http',
 '500,0,443,gnome-software',
 '500,0,443,http',
- '500,0,443,Brackets',
- '500,500,80,Google Chrome Helper',
- '500,500,443,minikube',
 '500,0,443,io.tailscale.ipn.macsys.network-extension',
 '500,0,443,ksfetch',
 '500,0,443,launcher',
 '500,0,443,nessusd',
- '500,500,443,kubectl',
+ '500,0,443,networkQuality',
 '500,0,443,node',
+ '500,0,443,OneDriveStandaloneUpdater',
 '500,0,443,slack',
- '500,0,443,ssh',
- '500,500,53,Code Helper',
- '500,0,43,whois',
- '500,0,443,spotify',
 '500,0,443,snapd',
+ '500,0,443,spotify',
+ '500,0,443,ssh',
 '500,0,443,syncthing',
 '500,0,443,velociraptor',
 '500,0,443,wget',
- '500,0,443,chrome_crashpad_handler',
 '500,0,5228,chrome',
- '500,0,443,gnome-software',
- '500,0,53,NetworkManager',
 '500,0,53,chrome',
 '500,0,53,git',
- '500,500,443,GoogleUpdater',
 '500,0,53,launcher',
+ '500,0,53,NetworkManager',
 '500,0,53,slack',
+ '500,0,53,spotify',
 '500,0,53,wget',
 '500,0,5632,ssh',
 '500,0,80,chrome',
 '500,0,80,com.apple.NRD.UpdateBrainService',
 '500,0,80,firefox',
 '500,0,80,http',
- '500,500,20480,GoogleUpdater',
 '500,0,80,io.tailscale.ipn.macsys.network-extension',
 '500,0,80,ksfetch',
 '500,0,9,launcher',
 '500,500,13568,Code Helper',
+ '500,500,20480,Code Helper',
+ '500,500,20480,GoogleUpdater',
 '500,500,20480,ksfetch',
 '500,500,22,ssh',
 '500,500,2304,cloud_sql_proxy',
- '500,500,32768,Electron',
 '500,500,32768,cloud-sql-proxy',
+ '500,500,32768,Electron',
+ '500,500,32768,GoogleUpdater',
 '500,500,32768,java',
 '500,500,32768,ksfetch',
+ '500,500,32768,node',
 '500,500,4318,Code Helper (Plugin)',
+ '500,500,443,apk',
+ '500,500,443,aws',
+ '500,500,443,chainctl',
 '500,500,443,Cisco WebEx Start',
 '500,500,443,CleanMyMac X Updater',
+ '500,500,443,cloud_sql_proxy',
+ '500,500,443,Code Helper',
 '500,500,443,Code Helper (Plugin)',
 '500,500,443,Code Helper (Renderer)',
- '500,500,443,Code Helper',
+ '500,500,443,copilot-agent-macos-arm64',
 '500,500,443,DropboxMacUpdate',
 '500,500,443,Electron',
- '500,500,443,GitX',
- '500,500,443,aws',
- '500,500,443,chainctl',
- '500,500,443,cloud_sql_proxy',
- '500,500,443,copilot-agent-macos-arm64',
 '500,500,443,figma_agent',
 '500,500,443,gh',
 '500,500,443,git-remote-http',
 '500,500,443,gitsign',
+ '500,500,443,GitX',
 '500,500,443,go',
+ '500,500,443,Google Chrome Helper',
+ '500,500,443,GoogleUpdater',
 '500,500,443,grype',
 '500,500,443,ksfetch',
+ '500,500,443,kubectl',
+ '500,500,443,minikube',
 '500,500,443,node',
 '500,500,443,old',
+ '500,500,443,Signal',
+ '500,500,443,Signal Helper (Renderer)',
 '500,500,443,syft',
 '500,500,443,wolfictl',
 '500,500,53,Code Helper',
- '500,500,80,Code Helper (Plugin)',
 '500,500,80,cloud_sql_proxy',
+ '500,500,80,Code Helper',
+ '500,500,80,Code Helper (Plugin)',
 '500,500,80,copilot-agent-macos-arm64',
+ '500,500,80,Google Chrome Helper',
 '500,500,80,ksfetch',
 '500,500,80,node'
 )
diff --git a/detection/evasion/unexpected-dev-entries.sql b/detection/evasion/unexpected-dev-entries.sql
index b32ac32e..53d8a6fd 100644
--- a/detection/evasion/unexpected-dev-entries.sql
+++ b/detection/evasion/unexpected-dev-entries.sql
@@ -8,7 +8,8 @@
 --
 -- tags: persistent state filesystem
 -- platform: posix
-SELECT file.path,
+SELECT
+ file.path,
 file.type,
 file.size,
 file.mtime,
@@ -17,10 +18,12 @@ SELECT file.path,
 file.gid,
 hash.sha256,
 magic.data
-FROM file
+FROM
+ file
 LEFT JOIN hash ON file.path = hash.path
 LEFT JOIN magic ON file.path = magic.path
-WHERE (
+WHERE
+ (
 file.path LIKE '/dev/shm/%%'
 OR file.path LIKE '/dev/%/.%'
 OR file.path LIKE '/dev/.%'
@@ -34,6 +37,7 @@ WHERE (
 file.path LIKE '/dev/shm/.com.google.%'
 OR file.path LIKE '/dev/shm/.org.chromium.%'
 OR file.path LIKE '/dev/shm/wayland.mozilla.%'
+ OR file.path LIKE '/dev/shm/byobu-%'
 OR file.path LIKE '/dev/shm/shm-%-%-%'
 OR file.path LIKE '/dev/shm/pulse-shm-%'
 OR file.path LIKE '/dev/shm/u1000-Shm%'
@@ -47,4 +51,4 @@ WHERE (
 AND file.path NOT LIKE '/dev/shm/libpod_rootless_lock_%'
 AND file.path NOT LIKE '%/../%'
 AND file.path NOT LIKE '%/./%'
- AND file.path NOT IN ('/dev/.mdadm/', '/dev/shm/libpod_lock')
\ No newline at end of file
+ AND file.path NOT IN ('/dev/.mdadm/', '/dev/shm/libpod_lock')
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index edeed680..ddb1ccd0 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -152,7 +152,11 @@ WHERE
 '/var/tmp/.ses',
 '/var/tmp/.ses.bak'
 )
- AND file.directory NOT IN ('/etc/skel', '/etc/skel/.config')
+ AND file.directory NOT IN (
+ '/etc/skel',
+ '/etc/skel/.config',
+ '/var/root/.provisio'
+ )
 AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
 AND file.path NOT LIKE '/tmp/.#%'
 AND file.path NOT LIKE '/tmp/.lark_cache_%'
diff --git a/detection/evasion/unusual-process-name-linux.sql b/detection/evasion/unusual-process-name-linux.sql
index 46699a2c..0a9e4a76 100644
--- a/detection/evasion/unusual-process-name-linux.sql
+++ b/detection/evasion/unusual-process-name-linux.sql
@@ -7,7 +7,10 @@
 SELECT
 p0.name AS pname,
 COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS basename,
- COALESCE(REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1), "") AS pext,
+ COALESCE(
+ REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1),
+ ""
+ ) AS pext,
 -- Child
 p0.pid AS p0_pid,
 p0.path AS p0_path,
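Review bot: `'/var/root/.provisio'` excludes a whole hidden directory under root's home from a hidden-path detection without a comment saying which software creates it; unlike the `/etc/skel` entries, which are static distribution templates, anything written into that directory later is invisible to this query. A line such as `-- /var/root/.provisio: <tool name> state directory` would record the reason, and if the tool keeps a fixed set of files there, a `file.path NOT IN (...)` on those names would be narrower than excluding the directory outright. The `AND file.directory NOT IN (` predicate is complete within the hunk, but the enclosing WHERE clause started earlier in the file.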
@@ -90,18 +93,21 @@ WHERE
 )
 AND NOT p1_pid = 2
 AND NOT p0_pid = 2
+ AND NOT pname LIKE '.%-wrap%'
+ AND p0.path NOT LIKE "/nix/store/%/.%-wrapped"
 AND basename NOT IN (
- "xdg-permission-store",
- "xdg-desktop-portal",
- "xdg-document-portal",
+ "acpid",
+ 'firefox',
+ "gmenudbusmenuproxy",
+ "irqbalance",
+ "kactivitymanagerd",
+ "nm-applet",
+ "perl",
+ "systemd",
 'udevadm',
+ "xdg-desktop-portal",
 "xdg-desktop-portal-gnome",
 "xdg-desktop-portal-gtk",
- "perl",
- "nm-applet",
- "acpid",
- "systemd",
- "kactivitymanagerd",
- "gmenudbusmenuproxy",
- "irqbalance"
+ "xdg-document-portal",
+ "xdg-permission-store"
 )
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
index 406636f3..eb1b62c4 100644
--- a/detection/evasion/unusual-process-name-macos.sql
+++ b/detection/evasion/unusual-process-name-macos.sql
@@ -7,7 +7,10 @@
 SELECT
 p0.name AS pname,
 COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS basename,
- COALESCE(REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1), "") AS pext,
+ COALESCE(
+ REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1),
+ ""
+ ) AS pext,
 -- Child
 p0.pid AS p0_pid,
 p0.path AS p0_path,
@@ -33,7 +36,7 @@ SELECT
 p2_hash.sha256 AS p2_sha256
 FROM
 processes p0
- LEFT JOIN signature s ON p0.path = s.path
+ LEFT JOIN signature s ON p0.path = s.path
 LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
 LEFT JOIN processes p1 ON p0.parent = p1.pid
 LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
@@ -91,8 +94,9 @@ WHERE
 )
 AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
 )
- AND NOT pname IN (
+ AND NOT pname IN (
 'cpu',
+ 'com.microsoft.teams2.notificationcenter',
 'BetterTouchToolAppleScriptRunner',
 'BetterTouchToolShellScriptRunner',
 'TwitterNotificationServiceExtension',
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 7b813d33..7143a071 100644
--- a/detection/exfil/high_disk_bytes_read.sql
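Review bot: `AND NOT pname LIKE '.%-wrap%'` stands on its own, so it suppresses any dot-prefixed process name containing `-wrap`, wherever the binary lives, and a hidden-style leading dot is presumably among the traits this unusual-name rule keys on. The trailing `%` instead of `-wrapped` is most likely because the kernel truncates the process name field to 15 characters, which deserves a comment, e.g. `-- nix wrappers exec the real binary as .<name>-wrapped; name is kernel-truncated`. Tying the name check to the location it is meant for, `AND NOT (pname LIKE '.%-wrap%' AND p0.path LIKE '/nix/store/%')`, keeps the nix case quiet while leaving a stray `.x-wrap...` process elsewhere visible. Separately, the `basename NOT IN (` list now mixes `"acpid"` with `'firefox'` and the new path check uses double quotes; if this runs on osquery's SQLite engine, as the table names suggest, a double-quoted token is resolved as an identifier first and only falls back to a string literal, so single quotes throughout are the safe and consistent choice. The enclosing WHERE clause begins before this hunk.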
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -55,18 +55,22 @@ WHERE
 AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
 AND p0.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'
 AND p0.name NOT IN (
+ 'baloo_file',
+ 'baloo_file_extr',
 'bash',
 'bwrap',
 'cargo',
 'chrome',
 'clamscan',
 'code',
- 'kandji-parameter-agent',
+ 'com.apple.MobileSoftwareUpdate.UpdateBrainService',
 'com.apple.NRD.UpdateBrainService',
+ 'cpptools',
 'dnf',
 'docker',
 'electron',
 'emacs',
+ 'factorio',
 'firefox',
 'fish',
 'fleet_backend',
@@ -76,21 +80,18 @@ WHERE
 'go',
 'golangci-lint',
 'GoogleSoftwareUpdateAgent',
- 'com.apple.MobileSoftwareUpdate.UpdateBrainService',
- 'UpdateBrainService',
 'gopls',
 'grype',
 'java',
+ 'kandji-parameter-agent',
 'kube-apiserver',
 'kube-controller',
 'kube-scheduler',
 'kue',
 'launcher',
 'LogiFacecamService',
- 'factorio',
 'mediawriter',
 'melange',
- 'rpi-imager',
 'nautilus',
 'nessusd',
 'nix',
@@ -98,30 +99,30 @@ WHERE
 'nvim',
 'osqueryd',
 'osqueryi',
- 'baloo_file',
- 'baloo_file_extr',
+ 'plasmashell',
 'qemu-system-aarch64',
 'qemu-system-x86',
 'qemu-system-x86-64',
+ 'rpi-imager',
+ 'rsync',
 'Safari',
 'sh',
- 'plasmashell',
- 'rsync',
 'slack',
 'spotify',
 'steam',
 'systemd',
- 'terraform-provider-apko',
 'terraform',
 'terraform-ls',
+ 'terraform-provider-apko',
 'thunderbird',
 'tilt',
 'unattended-upgr',
+ 'UpdateBrainService',
 'vim',
 'wineserver',
 'yay',
- 'yum',
 'ykman-gui',
+ 'yum',
 'zsh',
 'ZwiftAppMetal'
 )
diff --git a/detection/persistence/unexpected-cron-entries.sql b/detection/persistence/unexpected-cron-entries.sql
index 74b294f8..5fa3bf80 100644
--- a/detection/persistence/unexpected-cron-entries.sql
+++ b/detection/persistence/unexpected-cron-entries.sql
@@ -22,3 +22,4 @@ WHERE
 AND command NOT LIKE '%/usr/lib/php/sessionclean%'
 AND command NOT LIKE 'root command -v debian-sa1%'
 AND command NOT LIKE '%rsync%'
+ AND command NOT LIKE 'gsutil %'
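Review bot: `AND command NOT LIKE 'gsutil %'` suppresses every cron entry whose command begins with gsutil, whatever its arguments, source path or destination, in a persistence rule where a scheduled bulk object-storage transfer is among the entries a reviewer most wants to see. Anchoring the exception to the job it was tuned for, e.g. `AND command NOT LIKE 'gsutil <subcommand> <expected arguments>%'` with the real values filled in, keeps that false positive out while leaving other gsutil jobs visible; at minimum a comment naming the job or host that prompted it would help the next round of tuning. The `'%rsync%'` line above has the same unanchored shape, so the two could be revisited together. The enclosing WHERE clause starts before this hunk; the file ends here.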
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index d53abf13..65dd84c6 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -285,11 +285,12 @@ WHERE -- Focus on longer-running programs
 '/usr/sbin/systemstats'
 )
 AND NOT path LIKE '/nix/store/%-nix-%/bin/nix'
- AND NOT path LIKE '/opt/homebrew/Cellar/htop/%/bin/htop'
 AND NOT path LIKE '/opt/homebrew/Cellar/btop/%/bin/btop'
+ AND NOT path LIKE '/opt/homebrew/Cellar/htop/%/bin/htop'
+ AND NOT path LIKE '/opt/homebrew/Cellar/mtr/%/sbin/%'
 AND NOT path LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
- AND NOT path LIKE '/usr/local/Cellar/htop/%/bin/htop'
 AND NOT path LIKE '/usr/local/Cellar/btop/%/bin/btop'
+ AND NOT path LIKE '/usr/local/Cellar/htop/%/bin/htop'
 AND NOT path LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher'
 AND NOT path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
 GROUP BY
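Review bot: `'/opt/homebrew/Cellar/mtr/%/sbin/%'` ends in a wildcard, whereas every neighbouring entry pins the binary name (`/bin/htop`, `/bin/btop`, `/bin/socket_vmnet`), so as written it also accepts any other executable that later appears in that sbin directory, which is a weak spot in a uid-0 daemon rule. mtr ships two executables, `mtr` and its `mtr-packet` helper, so `AND NOT path LIKE '/opt/homebrew/Cellar/mtr/%/sbin/mtr'` and `AND NOT path LIKE '/opt/homebrew/Cellar/mtr/%/sbin/mtr-packet'` would cover the intended case without the open suffix. Unlike the htop/btop pairs, no `/usr/local/Cellar/mtr/...` counterpart was added; that is fine if only the Apple-silicon Homebrew prefix is in scope, but worth confirming. The enclosing WHERE clause starts before this hunk.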