mark https-linux extra, minor query tuning #392

Merged
merged 4 commits into from
Oct 11, 2024
Merged
5 changes: 3 additions & 2 deletions detection/c2/unexpected-dns-traffic-events.sql
Expand Up @@ -67,7 +67,8 @@ WHERE
'75.75.75.75', -- Comcast
'75.75.76.76', -- Comcast
'68.105.28.13', -- Cox
'80.248.7.1' -- 21st Century (NG)
'80.248.7.1', -- 21st Century (NG)
'34.160.111.32' -- wolfi.dev
)
-- Exceptions that specifically talk to one server
AND exception_key NOT IN (
Expand Down Expand Up @@ -125,7 +126,7 @@ WHERE
'systemd-resolved',
'WhatsApp'
)
AND p.name NOT IN ('Jabra Direct Helper')
AND p.name NOT IN ('Jabra Direct Helper', 'terraform-provi')
-- Chromium/Electron apps seem to send stray packets out like nobodies business
AND p.path NOT LIKE '%/%.app/Contents/MacOS/% Helper'
-- Workaround for the GROUP_CONCAT subselect adding a blank ent
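Review bot: The new `'terraform-provi'` entry in `p.name NOT IN (...)` in the second hunk is the 15-character comm truncation of any `terraform-provider-*` binary, so it exempts every provider plugin (including one an attacker names that way) rather than a single program, and nothing beside it explains the odd spelling. A path-anchored clause such as `AND NOT p.path LIKE '%/.terraform/providers/%'` would be tighter if plugins run from the usual provider cache (not visible here); failing that, add `-- p.name is the kernel comm, truncated to 15 chars` next to the entry. The `'34.160.111.32' -- wolfi.dev` exemption in the first hunk is a cloud-hosted address that can be reassigned, and the comment does not say why a package host is an expected DNS destination; record the reason so the entry can be re-validated later. Both WHERE clauses extend beyond the hunks shown.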
2 changes: 1 addition & 1 deletion detection/c2/unexpected-https-linux.sql
Expand Up @@ -6,7 +6,7 @@
-- references:
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net often
-- tags: transient state net often extra
-- platform: linux
SELECT
s.remote_address,
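Review bot: Adding `extra` to the tags line drops a T1071 C2 detection out of the default set, and nothing in the header records what noise motivated that. Put the reason under the file's `-- false positives:` list (outside this hunk) so the demotion can be revisited, e.g. `-- * <the process or destination that made this too noisy to run by default>` with the actual source filled in. The SELECT continues beyond the hunk.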
1 change: 1 addition & 0 deletions detection/evasion/hidden-executable.sql
Expand Up @@ -70,6 +70,7 @@ WHERE
AND NOT f.directory LIKE '%/node_modules/.bin/%'
AND NOT f.directory LIKE '%/.nvm/versions/%/bin'
AND NOT f.directory LIKE '%/.pnpm/%'
AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/%'
AND NOT f.directory LIKE '%/.cache/selenium/chromedriver/%'
AND NOT f.directory LIKE '%/.provisio/bin/%'
AND NOT f.directory LIKE '%/.rustup/%'
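Review bot: `AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/%'` removes an entire user-writable prefix from the hidden-executable check, so anything dropped into a dotted directory under that tree is no longer reported. If the whole prefix must be excluded because `.linuxbrew` itself is the hidden path component, say so in a comment (`-- the brew prefix is itself a dot-directory`) so the next reader does not narrow it; otherwise narrow it to the subtree that actually fired, which the hunk does not show. The pattern is also anchored on the ostree-style `/var/home` layout only, unlike the `%/...` siblings; if the conventional `/home/linuxbrew/.linuxbrew/%` layout is meant as well, add it explicitly. The enclosing WHERE clause continues beyond the hunk.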
2 changes: 1 addition & 1 deletion detection/execution/tiny-executable-events.sql
Expand Up @@ -45,9 +45,9 @@ WHERE
'/sbin/ldconfig',
'/usr/sbin/ldconfig',
'/usr/bin/c_rehash',
'/home/smoser/bin/firefox',
'/usr/sbin/update-ca-certificates'
)
AND NOT p.path LIKE '%/bin/firefox'
AND NOT (
p.path LIKE '/Users/%'
AND magic.data LIKE 'POSIX shell script%'
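Review bot: `AND NOT p.path LIKE '%/bin/firefox'` replaces the exact `/home/smoser/bin/firefox` entry with a leading-wildcard match, so a tiny executable named `firefox` under any `bin/` directory — `/tmp/x/bin/firefox`, a dropped `~/.local/bin/firefox` — now evades this detection entirely. The clause directly below already shows the tighter shape for wrapper scripts; mirror it with `AND NOT (p.path LIKE '/home/%/bin/firefox' AND magic.data LIKE 'POSIX shell script%')`, assuming the wrapper is a shell script (the hunk does not show it); otherwise at least anchor on `/home/%/bin/firefox`. The enclosing WHERE clause continues beyond the hunk.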
39 changes: 6 additions & 33 deletions detection/exfil/high_disk_bytes_read.sql
Expand Up @@ -50,10 +50,12 @@ WHERE
bytes_read_rate > 2500000
AND age > 180
AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
AND p0.path NOT LIKE '/System/Library/%'
AND p0.path NOT LIKE '/System/Applications/%'
AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
AND p0.path NOT LIKE '%/bin/%'
AND p0.path NOT LIKE '/usr/%'
AND p0.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'
AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
AND p0.path NOT LIKE '/System/Applications/%'
AND p0.path NOT LIKE '/System/Library/%'
AND p0.name NOT IN (
'BDLDaemon',
'Disk Inventory X',
Expand Down Expand Up @@ -158,36 +160,7 @@ WHERE
'/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup',
'/Library/Elastic/Endpoint/elastic-endpoint',
'/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
'/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent',
'/usr/bin/apt',
'/usr/bin/darktable',
'/usr/bin/dockerd',
'/usr/bin/gnome-shell',
'/usr/bin/gnome-software',
'/usr/bin/rsync',
'/usr/bin/teskdisk',
'/usr/bin/topgrade',
'/usr/bin/udevadm',
'/usr/bin/update-notifier',
'/usr/lib64/electron/electron',
'/usr/libexec/aned',
'/usr/libexec/biomesyncd',
'/usr/libexec/coreduetd',
'/usr/libexec/diskimagesiod',
'/usr/libexec/diskmanagementd',
'/usr/libexec/flatpak-system-helper',
'/usr/libexec/logd',
'/usr/libexec/logd_helper',
'/usr/libexec/packagekitd',
'/usr/libexec/PerfPowerServices',
'/usr/libexec/signpost_reporter',
'/usr/libexec/snapd/snapd',
'/usr/libexec/syspolicyd',
'/usr/libexec/tracker-extract-3',
'/usr/libexec/tracker-miner-fs-3',
'/usr/lib/systemd/systemd',
'/usr/sbin/spindump',
'/usr/sbin/systemstats'
'/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent'
)
AND NOT p0.path LIKE '/Library/SystemExtensions/%/io.kandji.KandjiAgent.ESF-Extension.systemextension/Contents/MacOS/io.kandji.KandjiAgent.ESF-Extension'
AND NOT p0.path LIKE '/Users/%/Library/Application Support/Google/GoogleUpdater/%/GoogleUpdater.app/Contents/MacOS/GoogleUpdater'
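Review bot: `AND p0.path NOT LIKE '%/bin/%'` in the first hunk has a leading wildcard, so any process whose path contains a `bin/` component anywhere — `/tmp/bin/`, `/home/x/.local/bin/`, `/opt/foo/bin/` — is now invisible to this high-read exfil check, a far wider hole than the thirty exact `/usr/...` entries the second hunk deletes (those are already covered by the new `NOT LIKE '/usr/%'`). Anchoring to root-owned prefixes keeps the intent: `AND p0.path NOT LIKE '/bin/%'`, `AND p0.path NOT LIKE '/sbin/%'`, and `AND p0.path NOT LIKE '/usr/local/bin/%'` or `'/opt/homebrew/bin/%'` if those were the real sources of noise, which the hunk does not show. The WHERE clause runs past both hunks.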
4 changes: 3 additions & 1 deletion detection/persistence/suspicious-systemd-unit.sql
Expand Up @@ -8,7 +8,7 @@
-- false positives:
-- * home-made systemd files
--
-- tags: persistent filesystem systemd extra
-- tags: persistent filesystem systemd
-- platform: linux
SELECT
file.path,
Expand Down Expand Up @@ -117,6 +117,7 @@ rule systemd_small_multiuser_no_comments_or_documentation : high {
$not_dbus = "Type=dbus"
$not_oneshot = "Type=oneshot"
$not_lima = "Description=lima-guestagent"
$not_check_sb = "Description=Service to check for secure boot key enrollment"
condition:
filesize < 384 and $execstart and $multiuser and none of ($not_*)
}
Expand Down Expand Up @@ -152,6 +153,7 @@ rule systemd_small_multiuser_not_in_dependency_tree : high {
$not_idle = "Type=idle"
$not_systemd = "ExecStart=systemd-"
$not_lima = "Description=lima-guestagent"
$not_check_sb = "Description=Service to check for secure boot key enrollment"
condition:
filesize < 384 and $execstart and $multiuser and none of ($not_*)
}
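Review bot: The two new `$not_check_sb = "Description=Service to check for secure boot key enrollment"` strings exempt any unit that merely contains that free-text line, and with `extra` removed from the tags in the first hunk this rule now runs by default, so a tiny malicious unit can copy the Description verbatim to satisfy `none of ($not_*)` at no cost. Prefer an exemption tied to what the unit executes, e.g. `$not_check_sb = "ExecStart=<path of the enrollment checker>"` with the unit's actual ExecStart filled in (it is not visible here), and consider sharing the `$not_*` list between the two rules so the next exemption is not added twice. Both rules begin above their hunks.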
3 changes: 2 additions & 1 deletion detection/persistence/unexpected-active-systemd-units.sql
Expand Up @@ -6,7 +6,7 @@
-- false positives:
-- * System updates
--
-- tags: persistent seldom filesystem systemd
-- tags: persistent seldom filesystem systemd extra
-- platform: linux
SELECT -- description AS 'desc',
fragment_path,
Expand Down Expand Up @@ -90,6 +90,7 @@ WHERE
'bluetooth.service,Bluetooth service,',
'bolt.service,Thunderbolt system service,',
'bootupd.socket,bootupd.socket,',
'brew-upgrade.service,Upgrade Brew packages,1000',
'brew-update.service,Auto update brew for mutable brew installs,1000',
'brew-update.timer,Timer for brew update for mutable brew,',
'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
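Review bot: The new allowlist row `'brew-upgrade.service,Upgrade Brew packages,1000'` hard-codes what looks like uid `1000` in its third field, like the `brew-update.service` row above it, so the same unit owned by any other user still alerts, while the first hunk demotes the whole query to `extra` at the same time. If the demotion is because of this kind of per-user noise, the `-- false positives:` header should say so, e.g. `-- * user package-manager units (brew-update/brew-upgrade; owning uid varies)`, so the `extra` tag does not read as an unexplained coverage drop. The `NOT IN` list continues past the hunk.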