diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index b42e46f..82b3b94 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -69,7 +69,8 @@ WHERE
 '75.75.76.76', -- Comcast
 '68.105.28.13', -- Cox
 '80.248.7.1', -- 21st Century (NG)
- '34.160.111.32' -- wolfi.dev
+ '34.160.111.32', -- wolfi.dev
+ '185.125.190.31' -- Canonical
 )
 -- Exceptions that specifically talk to one server
 AND exception_key NOT IN (
@@ -90,6 +91,7 @@ WHERE
 'distnoted,8.8.8.8,53',
 'limactl,8.8.8.8,53',
 'msedge,8.8.8.8,53',
+ 'brave,8.8.8.8,53',
 'adguard_dns,1.0.0.1,53',
 'helm,185.199.108.133,53',
 'coredns,8.8.8.8,53',
@@ -115,6 +117,7 @@ WHERE
 'go',
 'wolfictl',
 'gvproxy',
+ 'grype',
 'incusd',
 'helm',
 'terraform-provi',
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index df4c51d..0af076e 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -112,6 +112,7 @@ WHERE
 '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
 '500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman',
 '500,bash,bash,,bash',
+ '500,nami,nami,,a.out',
 '500,CrossyRoad,CrossyRoad,Apple iPhone OS Application Signing,com.hipsterwhale.crossy',
 '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
 '500,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql
index a8e4c8c..7cac60e 100644
--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@@ -71,6 +71,7 @@ WHERE
 AND NOT pp.name IN (
 'systemd-userdbd',
 'crond',
+ 'dpkg',
 'systemd',
 'systemd-udevd',
 '(udev-worker)',
@@ -85,6 +86,7 @@ WHERE
 AND NOT p.cmdline LIKE '%--type=zygote%'
 AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%'
 AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
+ AND NOT pp.path LIKE '/usr/bin/%'
 AND NOT (
 p.name = 'sh'
 AND p.cgroup_path = '/system.slice/znapzend.service'
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index b20174e..19927ff 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -8,8 +8,7 @@
 --
 -- tags: transient often
 -- platform: posix
-SELECT
- REPLACE(p0.cwd, u.directory, '~') AS dir,
+SELECT REPLACE(p0.cwd, u.directory, '~') AS dir,
 REGEX_MATCH (
 REPLACE(p0.cwd, u.directory, '~'),
 '([/~].*?/.*?)/',
@@ -56,8 +55,7 @@ SELECT
 p2.path AS p2_path,
 p2.cmdline AS p2_cmd,
 p2_hash.sha256 AS p2_sha256
-FROM
- processes p0
+FROM processes p0
 LEFT JOIN file f ON p0.path = f.path
 LEFT JOIN users u ON p0.uid = u.uid
 LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
@@ -66,14 +64,10 @@ FROM
 LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
 LEFT JOIN processes p2 ON p1.parent = p2.pid
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE
- p0.pid IN (
- SELECT DISTINCT
- pid
- FROM
- processes
- WHERE
- cwd LIKE '%/.%'
+WHERE p0.pid IN (
+ SELECT DISTINCT pid
+ FROM processes
+ WHERE cwd LIKE '%/.%'
 AND NOT name IN (
 'apfsd',
 'bindfs',
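Review bot: The new `AND NOT pp.path LIKE '/usr/bin/%'` exempts every root process whose parent binary lives under /usr/bin, which on most distributions covers shells, sudo and most service launchers, so the empty-environment signal is now suppressed for the most common parent set rather than for the single package-manager case that the `'dpkg'` entry in this file's earlier hunk targets. If the goal is to quiet package upgrades, prefer naming the parent (the `pp.name` list already does that) or bounding the path to the specific binary observed, e.g. `AND NOT pp.path = '/usr/bin/dpkg'`, and record the reason above the line. The enclosing WHERE clause starts and continues outside the hunk.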
@@ -93,33 +87,34 @@ WHERE
 AND NOT (
 exception_key IN (
 'Arduino IDE Helper,/private/var/folders',
- 'Electron,~/.vscode/extensions',
 'arduino-language-server,/private/var/folders',
 'as,~/.cache/yay',
- 'bash,~/.Trash',
- 'bash,~/.local/share',
 'bash,~/go/src',
- 'c++,~/.cache/yay',
+ 'bash,~/.local/share',
+ 'bash,~/.Trash',
 'cc1,/home/build/.cache',
 'cc1plus,~/.cache/yay',
+ 'c++,~/.cache/yay',
 'cgo,~/.gimme/versions',
 'clangd,/private/var/folders',
 'conmon,/var~/.local/share',
- 'mysqld,/var~/.local/share',
 'dirhelper,/private/var/folders',
+ 'Electron,~/.vscode/extensions',
 'fileproviderd,~/Library/Mobile Documents',
- 'fish,~/.Trash',
 'fish,~/.local/share',
+ 'fish,~/.Trash',
 'git,~/.local/share',
+ 'java,~/.gradle/daemon',
 'java,/home/build/.gradle',
 'java,/home/build/.kotlin',
- 'java,~/.gradle/daemon',
 'java,~/.local/share',
 'make,~/.cache/yay',
 'makepkg,~/.cache/yay',
 'mysqld,~/.local/share',
+ 'mysqld,/var~/.local/share',
 'npm install,~/.npm/_cacache',
 'opera_autoupdate,/private/var/folders',
+ 'postinstall,/Library/InstallerSandboxes/.PKInstallSandboxManager',
 'rm,/private/var/folders',
 'rust-analyzer-p,~/.cargo/registry',
 'rustc,/home/build/.cargo',
@@ -183,12 +178,10 @@ WHERE
 OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
 OR dir LIKE '~/code/%'
 OR dir LIKE '~/dev/%/dots/%/.config%'
- OR dir LIKE '~/src/%'
- -- For sudo calls to other things
+ OR dir LIKE '~/src/%' -- For sudo calls to other things
 OR (
 dir LIKE '/home/.terraform.d/%'
 AND p0.euid = 0
 )
 )
-GROUP BY
- p0.pid
+GROUP BY p0.pid
\ No newline at end of file
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index ebcc0f9..89232cb 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -71,6 +71,10 @@ WHERE (
 '~/.pnpm',
 '~/.rbenv',
 '~/.rustup',
+ '~/Code',
+ '~/code',
+ '~/Projects',
+ '~/src',
 '~/.sdkman',
 '~/.supermaven',
 '~/.terraform',
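Review bot: Moving `-- For sudo calls to other things` onto the `OR dir LIKE '~/src/%'` line attaches it to the wrong predicate: on the old side it introduced the following `OR ( dir LIKE '/home/.terraform.d/%' AND p0.euid = 0 )` block, which is the one that actually checks the effective uid, and a reader now takes it as the justification for the ~/src exemption. Keep the comment on its own line directly above `OR (`, or place it after the `OR (` opener so it stays with the euid condition. The enclosing WHERE clause begins outside the hunk.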
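Review bot: `'~/Code'`, `'~/code'`, `'~/Projects'` and `'~/src'` are the only non-dotfile, whole-tree entries among the tool-specific caches in this list; if the enclosing expression (it starts before the hunk) treats these as directory prefixes, a hidden executable anywhere under a user's source checkouts is now silent, which is a far wider blind spot than `~/.rustup` or `~/.pnpm`. Consider instead a `dir LIKE` exception naming the hidden directory that actually fired, the way the `'%/node_modules/.pnpm/%'` line in the next hunk does, and add a comment above these entries stating what they are meant to cover.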
@@ -93,6 +97,7 @@ WHERE (
 '~/.docker/cli-plugins',
 '~/.fig/bin',
 '~/.go/bin',
+ '/home/linuxbrew/.linuxbrew',
 '~/.linkerd2/bin',
 '~/.linuxbrew/Cellar',
 '~/node_modules/.bin',
@@ -106,6 +111,7 @@ WHERE (
 )
 AND NOT dir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
 AND NOT dir LIKE '%/.terraform/providers/%'
+ AND NOT dir LIKE '%/node_modules/.pnpm/%'
 AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
 AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
 AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
diff --git a/detection/evasion/missing-from-disk-linux.sql b/detection/evasion/missing-from-disk-linux.sql
index f43815a..3182a6c 100644
--- a/detection/evasion/missing-from-disk-linux.sql
+++ b/detection/evasion/missing-from-disk-linux.sql
@@ -49,8 +49,6 @@ WHERE
 -- Snap packages?
 AND p.path NOT LIKE '/tmp/.mount_%'
 AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
- AND p.path NOT IN (
- '/usr/bin/python3.10',
- '/opt/google/chrome/nacl_helper',
- '/opt/Synergy/resources/synergy-tray'
- )
+ -- Probably just an upgrade
+ AND p.path NOT LIKE '/usr/bin/%'
+ AND p.path NOT LIKE '/opt/%'
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index 90bec6f..97e7b4e 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -92,6 +92,7 @@ WHERE
 '/tmp/.eos-update-notifier.log',
 '/tmp/.featureflags-agent/',
 '/tmp/.font-unix/',
+ '/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
 '/tmp/.git/',
 '/tmp/.go-version',
 '/tmp/.helmrepo',
diff --git a/detection/execution/recently-created-executables-long-lived-linux.sql b/detection/execution/recently-created-executables-long-lived-linux.sql
index 1d6405e..ea83b34 100644
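Review bot: Replacing three explicit paths with `p.path NOT LIKE '/usr/bin/%'` and `p.path NOT LIKE '/opt/%'` exempts nearly every system binary from this check, and a running process whose executable is no longer on disk is exactly what this query exists to surface, so the `-- Probably just an upgrade` case now hides the general case too. If upgrade noise is the problem, keep the explicit list, or bound the exemption by process age: a process that started before the upgrade is the benign case, whereas a recently started process with no backing file under /usr/bin is not. At minimum extend the comment to say the coverage trade-off is deliberate, so the next reader does not mistake it for an oversight.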
--- a/detection/execution/recently-created-executables-long-lived-linux.sql
+++ b/detection/execution/recently-created-executables-long-lived-linux.sql
@@ -44,7 +44,7 @@ FROM
 WHERE
 p0.start_time > 0
 AND f.ctime > 0
- AND p0.start_time > (strftime('%s', 'now') - 43200)
+ AND p0.start_time < (strftime('%s', 'now') - 43200)
 AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
 AND p0.start_time >= MAX(f.ctime, f.ctime)
 AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
diff --git a/detection/execution/unexpected-env-values-linux.sql b/detection/execution/unexpected-env-values-linux.sql
index caa9e1e..452b076 100644
--- a/detection/execution/unexpected-env-values-linux.sql
+++ b/detection/execution/unexpected-env-values-linux.sql
@@ -75,6 +75,7 @@ WHERE -- This time should match the interval
 OR (
 LENGTH(pe.value) > 1024
 AND pe.key != 'LS_COLORS'
+ AND pe.key != 'HTTP_AUTH'
 AND f.mode IS NOT NULL
 AND f.mode NOT LIKE '0%'
 )
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
index 1cb5aa1..e68077f 100644
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -67,9 +67,10 @@ WHERE
 'figma_agent',
 'nvim',
 'old',
- 'rpm-ostree',
 'OrbStack Helper',
+ 'rpm-ostree',
 'sg-nvim-agent',
+ 'sm-agent',
 'stable',
 'wezterm-gui',
 'zed'
diff --git a/detection/persistence/listening-from-unusual-location.sql b/detection/persistence/listening-from-unusual-location.sql
index e4101f7..97dec8e 100644
--- a/detection/persistence/listening-from-unusual-location.sql
+++ b/detection/persistence/listening-from-unusual-location.sql
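Review bot: Inverting the comparison to `p0.start_time < (strftime('%s', 'now') - 43200)` now selects processes older than twelve hours, which matches the file name, but the unchanged line two below still reads `MAX(f.ctime, f.ctime)`, presumably a typo for the `MAX(f.ctime, f.btime)` used on the line above it; as written it degenerates to `p0.start_time >= f.ctime` and btime never takes part. Neither constant is explained either; a comment such as `-- running for >12h (43200s) yet started within 3h (10800s) of the binary being written` would make the window readable at a glance. The WHERE clause continues outside the hunk.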
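Review bot: `AND pe.key != 'HTTP_AUTH'` carves a credential-bearing variable out of the long-value check with no stated reason, and unlike `LS_COLORS` a kilobyte-plus `HTTP_AUTH` value is not self-evidently benign. If the motivation is that long tokens are expected there, say so inline, e.g. `AND pe.key != 'HTTP_AUTH' -- long tokens are expected; see <ticket-placeholder>`, or narrow the exception to the process that produced the false positive rather than the key alone. The enclosing `OR (` group is visible but its parent clause starts before the hunk.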
@@ -102,6 +102,7 @@ WHERE
 AND NOT homepath LIKE "~/.%"
 AND NOT homecwd LIKE "~/.%"
 AND NOT homecwd LIKE '/Users/%/.gradle/daemon/%'
+ AND NOT homecwd LIKE '/home/%/.gradle/daemon/%'
 AND NOT f.directory IN (
 '/Applications/Keybase.app/Contents/SharedSupport/bin',
 '/opt/docker-desktop/bin'
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 765caed..82e908d 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -101,6 +101,8 @@ WHERE
 'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
 'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
 'true,,Bionic Reading,kdfkejelgkdjgfoolngegkhkiecmlflj',
+ 'true,,Gem,bnbpceglddpnehbopmdjegpfinikcaoh',
+ 'true,,Chrome Capture - screenshot & GIF,ggaabchcecdbomdcnbahdfddfikjmphe',
 'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
 'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb',
 'true,,BlockSite: Block Websites & Stay Focused,eiimnmioipafcokbfikbljfdeojpcgbh',
diff --git a/detection/persistence/unexpected-device-linux.sql b/detection/persistence/unexpected-device-linux.sql
index b458caf..adcc60a 100644
--- a/detection/persistence/unexpected-device-linux.sql
+++ b/detection/persistence/unexpected-device-linux.sql
@@ -210,6 +210,7 @@ WHERE (
 '/dev/stderr,fifo',
 '/dev/stderr,character',
 '/dev/stdin,character',
+ '/dev/stdin,fifo',
 '/dev/stdout,fifo',
 '/dev/stdout,character',
 '/dev/tee,character',
diff --git a/detection/persistence/unexpected-launchd-program-arguments.sql b/detection/persistence/unexpected-launchd-program-arguments.sql
index 29c3f66..380f8f4 100644
--- a/detection/persistence/unexpected-launchd-program-arguments.sql
+++ b/detection/persistence/unexpected-launchd-program-arguments.sql
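Review bot: The two new extension keys `'true,,Gem,...'` and `'true,,Chrome Capture - screenshot & GIF,...'` are inserted between the `Bionic Reading` and `Bitwarden` entries, breaking the alphabetical order the surrounding list keeps, which is what makes duplicates and stale entries findable in a list this long. Move them to their sorted positions (near the other `true,,C…` and `true,,G…` keys) rather than appending at the point of the last edit.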
@@ -41,11 +41,11 @@ WHERE
 'Developer ID Application: Cloudflare Inc. (68WVV388M8)',
 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
+ 'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
 'Developer ID Application: Foxit Corporation (8GN47HTP75)',
 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
 'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
 'Developer ID Application: Google LLC (EQHXZ8M8AV)',
- 'Developer ID Application: Ubiquiti Inc. (4P645293E8)',
 'Developer ID Application: Grammarly, Inc (W8F64X92K3)',
 'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
@@ -73,6 +73,7 @@ WHERE
 'Developer ID Application: Sanford, L.P. (N3S6676K3E)', -- DYMO
 'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
 'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
+ 'Developer ID Application: Ubiquiti Inc. (4P645293E8)',
 'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
 'Software Signing', -- Apple
 'yabai-cert'
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index deef7b7..57e5592 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -5,8 +5,7 @@
 --
 -- tags: persistent state net low
 -- platform: darwin
-SELECT
- lp.address,
+SELECT lp.address,
 lp.port,
 lp.protocol,
 p.uid,
@@ -28,13 +27,11 @@ SELECT
 ',',
 signature.authority
 ) AS exception_key
-FROM
- listening_ports lp
+FROM listening_ports lp
 LEFT JOIN processes p ON lp.pid = p.pid
 LEFT JOIN hash ON p.path = hash.path
 LEFT JOIN signature ON p.path = signature.path
-WHERE
- port != 0
+WHERE port != 0
 AND lp.address NOT IN ('224.0.0.251', '::1')
 AND lp.address NOT LIKE '127.0.0.%'
 AND lp.address NOT LIKE '172.1%'
@@ -220,7 +217,7 @@ WHERE
 AND lp.port > 5000
 )
 AND NOT (
- exception_key LIKE '3%,6,500,java,'
+ exception_key LIKE '3%,6,500,java,'
 AND p.cwd LIKE '/Users/%'
 )
 AND NOT (
@@ -229,18 +226,23 @@ WHERE
 and lp.protocol = 6
 )
 AND NOT (
- p.name IN (
- 'caddy',
- 'com.docker.backend',
- 'controller',
- 'crane',
- 'crc',
- 'OrbStack Helper',
- 'docker-proxy',
- 'hugo',
- 'kubectl',
- 'node',
- 'webhook'
+ (
+ p.name IN (
+ 'caddy',
+ 'com.docker.backend',
+ 'controller',
+ 'crane',
+ 'crc',
+ 'OrbStack Helper',
+ 'docker-proxy',
+ 'hugo',
+ 'kubectl',
+ 'ssh',
+ 'node',
+ 'webhook'
+ )
+ OR p.name LIKE 'kubectl.%'
+ OR p.name LIKE '__%_go'
 )
 AND lp.port > 1024
 and lp.protocol = 6
@@ -266,5 +268,4 @@ WHERE
 AND lp.protocol = 6
 )
 )
-GROUP BY
- exception_key
+GROUP BY exception_key
\ No newline at end of file
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index fe36868..7401ab1 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -88,6 +88,7 @@ WHERE
 'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
 'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
 'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
+ 'anacron,/usr/sbin/anacron,0,system.slice,anacron.service,0755',
 'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
 'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
 'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
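Review bot: `OR p.name LIKE '__%_go'` is almost certainly broader than intended: in SQLite's LIKE, `_` matches any single character, so this clause exempts every process name of five or more characters that ends in `go` (`mongo`, `django`, `cargo`, …) listening on any TCP port above 1024. If the underscores are meant literally, escape them: `OR p.name LIKE '\_\_%\_go' ESCAPE '\'`. Adding `'ssh'` to the same name list also exempts any ssh client that listens on a high port, which is what local and dynamic port forwarding look like from this table, so that entry deserves a trailing comment stating the accepted use rather than silence.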
@@ -118,6 +119,7 @@ WHERE
 'cupsd,/snap/cups/__VERSION__/sbin/cupsd,0,system.slice,snap.cups.cupsd.service,0700',
 'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700',
 'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
+ 'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
 'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
 'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
@@ -165,6 +167,7 @@ WHERE
 'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
 'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755',
 'gpg-agent,/usr/bin/gpg-agent,0,user.slice,user-1000.slice,0755',
+ 'group-admin-dae,/usr/libexec/group-admin-daemon,0,system.slice,group-admin-daemon.service,0755',
 'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755',
 'gvfsd-fuse,/usr/libexec/gvfsd-fuse,0,user.slice,user-1000.slice,0755',
 'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755',
@@ -185,6 +188,7 @@ WHERE
 'ir_agent,/opt/rapid7/ir_agent/ir_agent,0,system.slice,ir_agent.service,0700',
 'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755',
 'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755',
+ 'just,/usr/bin/just,0,user.slice,user-1000.slice,0755',
 'launcher,/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
 'launcher,/opt/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755',
 'launcher,/usr/lib/opt/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
@@ -198,6 +202,8 @@ WHERE
 'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755',
 'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755',
 'lightdm,/usr/bin/lightdm,0,user.slice,user-974.slice,0755',
+ 'lightdm,/usr/sbin/lightdm,0,system.slice,lightdm.service,0755',
+ 'lightdm,/usr/sbin/lightdm,0,user.slice,user-1000.slice,0755',
 'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755',
 'login,/usr/bin/login,0,user.slice,user-1000.slice,0755',
 'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
@@ -322,7 +328,6 @@ WHERE
 'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
 'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
 'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
- 'just,/usr/bin/just,0,user.slice,user-1000.slice,0755',
 'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
 'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
 'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',
@@ -333,6 +338,7 @@ WHERE
 'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
 'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
 'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
+ 'Xorg,/usr/lib/xorg/Xorg,0,system.slice,lightdm.service,0755',
 'Xorg,/usr/lib/xorg/Xorg,0,system.slice,sddm.service,0755',
 'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
 'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
@@ -350,6 +356,7 @@ WHERE
 AND NOT exception_key LIKE 'incusd,%/bin/incusd,0,lxc.monitor.%,,0755'
 AND NOT exception_key LIKE 'osquery-extensi,/opt/Elastic/Agent/data/elastic-agent-%/components/osquery-extension.ext,0,system.slice,elastic-agent.service,0750'
 AND NOT exception_key LIKE 'osqueryd,/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd,0,system.slice,elastic-agent.service,0750'
+ AND NOT exception_key LIKE 'tuned-ppd,/usr/bin/python3.%,system.slice,tuned-ppd.service,0755'
 AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')
 AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
 GROUP BY
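Review bot: The new pattern `'tuned-ppd,/usr/bin/python3.%,system.slice,tuned-ppd.service,0755'` has one field fewer than every key around it: the other entries and the two `osquery*` wildcard exceptions above place `,0,` between the path and the slice, so here the `%` has to absorb both the Python minor version and that third field. It still matches, but only because `%` spans the comma, and it would also match a key whose third field is not `0`. Keep it aligned with the neighbouring exceptions: `AND NOT exception_key LIKE 'tuned-ppd,/usr/bin/python3.%,0,system.slice,tuned-ppd.service,0755'`.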