

Merge pull request #416 from tstromberg/oct30
tstromberg authored Oct 30, 2024
2 parents 1207726 + b3c4277 commit f12e6d9
Showing 7 changed files with 46 additions and 34 deletions.
9 changes: 5 additions & 4 deletions detection/c2/unexpected-https-macos.sql
Expand Up @@ -3,7 +3,7 @@
-- references:
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net often
-- tags: transient state net often extra
-- platform: macos
SELECT
pos.protocol,
Expand Down Expand Up @@ -213,18 +213,17 @@ WHERE
)
AND NOT s.authority IN (
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
'Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'Developer ID Application: Autodesk (XXKJ396S2Y)',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: AgileBits Inc. (2BUA8C4S2C)',
'Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
'Developer ID Application: Autodesk (XXKJ396S2Y)',
'Developer ID Application: Bitdefender SRL (GUNFMW623Y)',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: TechSmith Corporation (7TQL462TU8)',
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: Farhan Ahmed (4RZN52RN5P)',
Expand All @@ -248,7 +247,9 @@ WHERE
'Developer ID Application: SteelSeries (6WGL6CHFH2)',
'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'Developer ID Application: Tailscale Inc. (W5364U7YZB)',
'Developer ID Application: TechSmith Corporation (7TQL462TU8)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)',
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
'Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
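Review bot: The new allowlist entry `'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)'` and the re-sorted AMZN/Autodesk/TechSmith entries are matched on `s.authority` alone within this hunk; whether the surrounding predicate also requires the signature itself to verify is outside the hunk, so confirm that a binary carrying a self-issued certificate with one of these authority strings cannot reach the exclusion without a validity check. The `-- tags:` line gains `extra`, which presumably moves the rule out of the default schedule, and the same tag change appears in detection/collection/high-disk-bytes-written.sql; a one-line comment next to the tags, or a sentence in the PR description, stating why (noise, cost) would make that intent greppable later. The authority list now reads as case-insensitively sorted, which is worth keeping as the convention for future additions.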
3 changes: 2 additions & 1 deletion detection/collection/high-disk-bytes-written.sql
Expand Up @@ -10,7 +10,7 @@
-- references:
-- * https://attack.mitre.org/tactics/TA0009/ (Collection)
--
-- tags: transient process
-- tags: transient process extra
SELECT
-- WARNING: Writes to tmpfs are not reflected against this counter
p0.disk_bytes_written AS bytes_written,
Expand Down Expand Up @@ -206,6 +206,7 @@ WHERE
)
AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
AND p0.path NOT LIKE '/home/%/.local/share/Steam'
AND p0.path NOT LIKE '/Library/Application Support/%'
AND p0.path NOT LIKE '/nix/store/%/bin/nix'
AND p0.path NOT LIKE '/nix/store/%/bin/%sh'
AND p0.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'
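Review bot: `AND p0.path NOT LIKE '/Library/Application Support/%'` exempts every executable anywhere under /Library/Application Support from this write-volume rule, and the pattern carries no further path component, so it is far broader than the sibling exclusions in the hunk (`/Applications/%.app/Contents/%`, the named `/nix/store/%` binaries). If a particular vendor agent triggered the false positive, listing its directory (`'/Library/Application Support/<vendor-dir as observed>/%'`) keeps the rest of the tree covered; otherwise at least annotate the line, e.g. `-- Broad: any binary under /Library/Application Support is exempt from this rule`. The enclosing WHERE clause begins outside the hunk.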
34 changes: 15 additions & 19 deletions detection/evasion/hidden-executable.sql
Expand Up @@ -8,7 +8,6 @@
SELECT f.directory,
f.btime,
p0.start_time,
REPLACE(f.directory, u.directory, '~') AS dir,
RTRIM(
COALESCE(
REGEX_MATCH (
Expand All @@ -28,6 +27,8 @@ SELECT f.directory,
),
REPLACE(f.directory, u.directory, '~')
) AS top3_dir,
REPLACE(f.directory, u.directory, '~') AS homedir,
REPLACE(f.path, u.directory, '~') AS homepath,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
Expand Down Expand Up @@ -63,6 +64,13 @@ WHERE (
OR f.filename LIKE '.%'
OR f.directory LIKE '%/.%'
)
AND NOT homedir LIKE '~/.%/bin'
AND NOT homedir LIKE '~/%/node_modules/.bin'
AND NOT homedir LIKE '~/.%/%x64/%'
AND NOT homedir LIKE '%/node_modulues/.%'
AND NOT homepath LIKE '~/%arm64%'
AND NOT homepath LIKE '~/%x86_64%'
AND NOT top3_dir LIKE '~/.%/extensions'
AND NOT top2_dir IN (
'~/.dropbox-dist',
'~/.goenv',
Expand All @@ -85,38 +93,24 @@ WHERE (
'~/.krew'
)
AND NOT top3_dir IN (
'~/.arkade/bin',
'~/.bin',
'~/.bin-unwrapped',
'~/.cache/gitstatus',
'~/.cache/selenium/chromedriver/~',
'~/.cargo/bin',
'~/.cache/selenium',
'~/.config/bluejeans-v2',
'~/.config/Code',
'~/.config/nvm',
'~/.deno/bin',
'~/.devpod/contexts',
'~/.docker/cli-plugins',
'~/.dotfiles/.local',
'~/.fig/bin',
'~/.go/bin',
'/home/linuxbrew/.linuxbrew',
'~/.linkerd2/bin',
'~/.linuxbrew/Cellar',
'~/node_modules/.bin',
'~/.nvm/versions',
'~/.provisio/bin',
'~/.pyenv/versions',
'~/.steampipe/db',
'~/thinkorswim/.install4j',
'~/.vscode/extensions',
'~/.vscode-insiders/extensions'
'~/thinkorswim/.install4j'
)
AND NOT dir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
AND NOT dir LIKE '%/.terraform/providers/%'
AND NOT dir LIKE '%/node_modulues/.bin/hugo'
AND NOT dir LIKE '%/node_modules/.pnpm/%'
AND NOT dir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
Expand All @@ -125,6 +119,8 @@ WHERE (
f.path LIKE '/nix/store/%'
AND p0.name LIKE '%-wrappe%'
)
AND NOT f.path LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
AND NOT f.path LIKE '/home/%/.local/share/AppImage/ZenBrowser.AppImage'
AND NOT homedir LIKE '~/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
AND NOT homedir LIKE '~/.local/share/AppImage/ZenBrowser.AppImage'
AND NOT homedir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
AND NOT homedir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
GROUP BY f.path
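Review bot: The new line `AND NOT homedir LIKE '%/node_modulues/.%'` spells `node_modules` with an extra `u`, so the predicate never matches a real path (the removed `'%/node_modulues/.bin/hugo'` line carried the same typo); the intended case is already handled by `AND NOT homedir LIKE '~/%/node_modules/.bin'` two lines above, so the line can be dropped or corrected to `'%/node_modules/.%'`. In the last hunk `AND NOT homedir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'` subsumes the `'~/.Trash/1Password %...'` form added three lines earlier, since `%` also matches `~/`, so one of the two is redundant. The new `'~/.%/bin'`, `'~/.%/%x64/%'`, `'~/%arm64%'` and `'~/%x86_64%'` exclusions are very wide for a hidden-executable rule — any dot-directory with a `bin` child, or any home path containing an architecture string, is now exempt — and tying each to the specific tool that produced the false positive would preserve coverage. The SELECT list and WHERE clause both start outside the hunks shown.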
2 changes: 1 addition & 1 deletion detection/evasion/unexpected-dev-entries.sql
Expand Up @@ -45,7 +45,7 @@ WHERE
OR file.path LIKE '/dev/shm/u1000-Valve%'
OR file.path LIKE '/dev/shm/aomshm.%'
OR file.path LIKE '/dev/shm/jack_db%'
OR file.path LIKE '/dev/shm/.com.microsoft.Edge.*'
OR file.path LIKE '/dev/shm/.com.microsoft.Edge.%'
)
)
AND NOT (
5 changes: 5 additions & 0 deletions detection/evasion/unexpected-process-extension-linux.sql
Expand Up @@ -72,6 +72,10 @@ WHERE
'28',
'29',
'30',
'31',
'32',
'33',
'34',
'backend',
'emacs',
'build',
Expand All @@ -85,6 +89,7 @@ WHERE
)
AND NOT basename LIKE 'python3.%'
AND NOT basename LIKE 'python2.%'
AND NOT basename LIKE 'kubectl-%'
AND NOT basename LIKE 'terraform-provider%'
AND NOT basename LIKE 'ld-%.so'
AND NOT basename LIKE 'unison-%'
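Review bot: `AND NOT basename LIKE 'kubectl-%'` exempts any process whose basename begins with `kubectl-` wherever it lives, so the exclusion is keyed on a name rather than on the directory kubectl plugins are installed from; if the false positives come from a plugin manager, anchoring on that path (where `basename` is derived, above the hunk) keeps the rule's coverage. The hand-maintained numeric list `'28'` … `'34'` grows with every release of whatever produces those extensions, and the column it is compared against is outside the hunk; a comment naming the source, e.g. `-- numeric extensions: <producing tool, as observed>`, would stop the next reviewer guessing. The enclosing `IN (` and WHERE clause start outside the hunk.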
@@ -1,4 +1,4 @@
-- Long-running programs who were recently added to disk, based on btime/ctime
-- Long-running programs who were started around when they were written to disk
--
-- false-positives:
-- * many
Expand All @@ -22,6 +22,7 @@ SELECT
REPLACE(f.directory, u.directory, '~')
) AS top3_dir,
REPLACE(f.path, u.directory, '~') AS homepath,
p0.start_time - f.btime AS start_birth_delta,
-- Child
p0.pid AS p0_pid,
p0.start_time AS p0_start,
Expand Down Expand Up @@ -66,20 +67,25 @@ WHERE
processes
WHERE
start_time > 0
AND start_time > (strftime('%s', 'now') - 43200)
AND start_time > (strftime('%s', 'now') - 86400)
AND pid > 0
AND path != ""
AND NOT path LIKE '/Applications/%'
AND NOT path LIKE '/Library/Apple/%'
AND NOT path LIKE '/nix/store/%'
AND NOT path LIKE '/usr/libexec/%'
AND NOT path LIKE '/usr/sbin/%'
AND NOT path LIKE '/bin/%'
AND NOT path LIKE '/usr/bin/%'
AND NOT path LIKE '/Library/Elastic/Agent/data/%/components/%'
AND NOT path LIKE '/opt/%'
AND NOT path LIKE '%/bin/cargo'
AND NOT path LIKE '/System/%'
AND NOT path LIKE '/usr/local/kolide-k2/bin/%'
AND NOT path LIKE '%/cloud_sql_proxy'
)
AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
AND f.ctime > 0
-- Processes that started around when they were last modified on disk
AND start_birth_delta BETWEEN -900 AND 900
-- Exceptions for no-privileged execution
AND NOT (
p0.euid > 499
AND (
Expand Down Expand Up @@ -141,11 +147,16 @@ WHERE
OR dir LIKE '~/dev/%'
OR dir LIKE '~/git/%'
OR f.path LIKE '%go-build%'
OR homepath LIKE '~/%/cloud_sql_proxy'
OR homepath LIKE '~/%/src/%.test'
OR homepath LIKE '~/%/pkg/%.test'
OR homepath LIKE '~/%/gopls'
OR homepath LIKE '~/go/%/bin'
OR homepath LIKE '~/Parallels/%/WinAppHelper'
OR homepath LIKE '~/%/terraform-provider-%'
OR homepath LIKE '~/src/%'
OR homepath LIKE '~/github/%'
OR homepath LIKE '~/go/src/%'
OR f.path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install'
OR f.path LIKE '/private/tmp/go-%'
OR f.path LIKE '/private/tmp/nix-build-%'
Expand Down Expand Up @@ -224,6 +235,7 @@ WHERE
AND p0.path LIKE "/Users/%/Library/Printers/%/Contents/MacOS/PrinterProxy"
AND p0.uid > 499
)
-- Local developer testing
AND NOT (
homepath LIKE '~/%'
AND p0.uid > 499
Expand All @@ -234,10 +246,6 @@ WHERE
AND p0.path NOT LIKE '%/.%'
AND p0.path NOT LIKE '%Cache%'
)
AND NOT homepath LIKE '~/%/terraform-provider-%'
AND NOT homepath LIKE '~/src/%'
AND NOT homepath LIKE '~/github/%'
AND NOT homepath LIKE '~/go/src/%'
-- Arc
AND NOT (
p0.path LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%'
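Review bot: `AND start_birth_delta BETWEEN -900 AND 900` replaces `(p0.start_time - MAX(f.ctime, f.btime)) < 10800 AND f.ctime > 0`, and the new alias `p0.start_time - f.btime AS start_birth_delta` depends on `f.btime` alone: on a host where the filesystem or kernel reports no birth time and the column comes back as 0 (the removed `f.ctime > 0` guard suggests zero timestamps were already a concern), the delta becomes the full epoch value, the BETWEEN test fails, and the rule silently stops firing there. Keeping the ctime fallback, `p0.start_time - MAX(f.ctime, f.btime) AS start_birth_delta`, or adding `AND f.btime > 0` with a comment naming the dropped case, would make that behaviour explicit. The lookback change from 43200 to 86400 seconds and the new ±900 s tolerance are not explained in the commit; a short rationale on the `-- Processes that started around when they were last modified on disk` line would help. The WHERE clause continues outside every hunk shown.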
Expand Up @@ -61,6 +61,7 @@ WHERE -- Focus on longer-running programs
AND NOT path LIKE '/Users/%/dev/%'
AND NOT path LIKE '/Users/%/src/%'
AND NOT path LIKE '/Users/%/bin/%'
AND NOT path LIKE '/nix/store/%'
AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
AND NOT path LIKE '/Users/%/Library/Application Support/Zed/supermaven/%'
AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
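Review bot: `AND NOT path LIKE '/nix/store/%'` exempts the entire Nix store from this rule; on a multi-user Nix install any account that can reach the daemon can realise a derivation into that store, so the exclusion is keyed on a directory local users can populate rather than on a root-only or signed location. If a specific package set caused the false positives, a narrower pattern such as `'/nix/store/%-<package name as observed>-%/bin/%'` keeps the rest of the store covered; otherwise document the trade-off with a comment above the line. The rest of the WHERE clause is outside the hunk.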

