Skip to content

Commit

Permalink
Merge pull request #426 from tstromberg/nov19
Browse files Browse the repository at this point in the history
fpr: mark exotic queries as extra, add flatpak/pop-os uid0 procs
  • Loading branch information
tstromberg authored Nov 19, 2024
2 parents b85f602 + 8237521 commit a2c2571
Show file tree
Hide file tree
Showing 3 changed files with 18 additions and 12 deletions.
2 changes: 1 addition & 1 deletion detection/execution/exotic-commands-linux.sql
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
-- false positives:
-- * possible, but none known
--
-- tags: transient process state
-- tags: transient process state extra
-- platform: linux
SELECT
DATETIME(f.ctime, 'unixepoch') AS p0_changed,
Expand Down
2 changes: 1 addition & 1 deletion detection/execution/exotic-commands-macos.sql
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
-- false positives:
-- * possible, but none known
--
-- tags: transient process state
-- tags: transient process state extra
-- platform: darwin
SELECT
s.authority AS p0_auth,
Expand Down
26 changes: 16 additions & 10 deletions detection/persistence/unexpected-uid0-daemon-linux.sql
Original file line number Diff line number Diff line change
Expand Up @@ -97,8 +97,8 @@ WHERE
'atopacctd,/usr/sbin/atopacctd,0,system.slice,atopacct.service,0755',
'atop,/usr/bin/atop,0,system.slice,atop.service,0755',
'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0750',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
'blueman-mechanism.service,Bluetooth management mechanism,,200',
'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
Expand All @@ -122,10 +122,10 @@ WHERE
'cupsd,/snap/cups/__VERSION__/sbin/cupsd,0,system.slice,snap.cups.cupsd.service,0700',
'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700',
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0700',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
'cupsd,/usr/sbin/cupsd,0,system.slice,system-cups.slice,0755',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-0.slice,0755',
'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755',
'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755',
'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',
Expand All @@ -148,12 +148,14 @@ WHERE
'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,system.slice,ElasticEndpoint.service,0500',
'elastic-endpoin,/var/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500',
'execsnoop-bpfcc,/usr/bin/python3.10,0,system.slice,com.system76.Scheduler.service,0755',
'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python3.13,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,user.slice,user-0.slice,0755',
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flock,/usr/bin/flock,0,system.slice,system-btrfs\x2ddedup.slice,0755',
'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
Expand All @@ -163,17 +165,17 @@ WHERE
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-463.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1001.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-120.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-463.slice,0755',
'gdm-session-wor,/usr/libexec/gdm/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,display-manager.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
'geoclue.service,Location Lookup Service,geoclue,500',
'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755',
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
Expand Down Expand Up @@ -227,6 +229,7 @@ WHERE
'make,/usr/bin/make,0,user.slice,user-1000.slice,0755',
'mbim-proxy,/usr/libexec/mbim-proxy,0,system.slice,ModemManager.service,0755',
'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
'mc,/usr/bin/mc,0,user.slice,user-0.slice,0755',
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
'multipassd,/snap/multipass/__VERSION__/bin/multipassd,0,system.slice,snap.multipass.multipassd.service,0755',
'multipathd,/usr/sbin/multipathd,0,system.slice,multipathd.service,0755',
Expand Down Expand Up @@ -265,12 +268,14 @@ WHERE
'pmdaroot,/usr/libexec/pcp/pmdas/root/pmdaroot,0,system.slice,pmcd.service,0755',
'pmdaxfs,/usr/libexec/pcp/pmdas/xfs/pmdaxfs,0,system.slice,pmcd.service,0755',
'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755',
'pop-system-upda,/usr/bin/pop-system-updater,0,system.slice,com.system76.SystemUpdater.service,0755',
'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
'python3,/usr/bin/python3.10,0,system.slice,system-dbus\x2d:1.1\x2dorg.pop_os.transition_system.slice,0755',
'python3,/usr/bin/python__VERSION__,0,system.slice,ubuntu-advantage.service,0755',
'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
'qemu-ga,/usr/bin/qemu-ga,0,system.slice,qemu-guest-agent.service,0755',
'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
'rapid7_endpoint,/opt/rapid7/ir_agent/components/endpoint_broker/__VERSION__/rapid7_endpoint_broker,0,system.slice,ir_agent.service,0744',
'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755',
Expand Down Expand Up @@ -308,8 +313,9 @@ WHERE
'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
'su,/usr/bin/su,1000,user.slice,user-0.slice,4755',
'mc,/usr/bin/mc,0,user.slice,user-0.slice,0755',
'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
'system76-schedu,/usr/bin/system76-scheduler,0,system.slice,com.system76.Scheduler.service,0755',
'system76-power,/usr/bin/system76-power,0,system.slice,com.system76.PowerDaemon.service,0755',
'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
'systemd-hostnam,/usr/lib/systemd/systemd-hostnamed,0,system.slice,systemd-hostnamed.service,0755',
Expand All @@ -321,7 +327,6 @@ WHERE
'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755',
'systemd-nsresou,/usr/lib/systemd/systemd-nsresourced,0,system.slice,systemd-nsresourced.service,0755',
'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755',
'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
Expand All @@ -333,6 +338,7 @@ WHERE
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
'touchegg,/usr/bin/touchegg,0,system.slice,touchegg.service,0755',
'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
'tuned,/usr/bin/python3.13,0,system.slice,tuned.service,0755',
'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
Expand All @@ -359,8 +365,8 @@ WHERE
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gnome,0,user.slice,user-1000.slice,0755',
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755',
'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-0.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
Expand Down

0 comments on commit a2c2571

Please sign in to comment.