From 5552b2d850ba0a6f090383ce727c776e4cf4d5fe Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Wed, 26 Feb 2025 11:21:04 -0500
Subject: [PATCH 1/2] fpr: podman, docker, iotop, pop-launcher, go, argo, ObjSee
---
 detection/c2/1-unexpected-https-linux.sql | 1 +
 detection/c2/1-unexpected-talkers-macos.sql | 1 +
 detection/collection/1-high-disk-bytes-written.sql | 2 ++
 .../2-unexpected-user-executables-macos.sql | 14 ++------------
 ...ected-long-running-security-framework-macos.sql | 3 ++-
 .../3-yara-unexpected-rust-http-exec-process.sql | 1 +
 .../2-unexpected-listening-port-macos.sql | 3 ++-
 .../persistence/2-unexpected-uid0-daemon-linux.sql | 1 +
 8 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/detection/c2/1-unexpected-https-linux.sql b/detection/c2/1-unexpected-https-linux.sql
index f34c9514..9b6cfe8d 100644
--- a/detection/c2/1-unexpected-https-linux.sql
+++ b/detection/c2/1-unexpected-https-linux.sql
@@ -88,6 +88,7 @@ WHERE
 '0,http,0u,0g,https',
 '0,ir_agent,0u,0g,ir_agent',
 '0,kmod,0u,0g,depmod',
+ '500,argo,500u,500g,argo',
 '0,launcher,0u,0g,launcher',
 '0,launcher,500u,500g,launcher',
 '0,ldconfig,0u,0g,ldconfig',
diff --git a/detection/c2/1-unexpected-talkers-macos.sql b/detection/c2/1-unexpected-talkers-macos.sql
index f2fa5d7a..72286c3b 100644
--- a/detection/c2/1-unexpected-talkers-macos.sql
+++ b/detection/c2/1-unexpected-talkers-macos.sql
@@ -102,6 +102,7 @@ WHERE
 AND NOT signed_exception IN (
 '0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
 '0,Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
+ '0,Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
 '500,Apple Mac OS Application Signing',
 '500,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
 '500,Developer ID Application: Autodesk (XXKJ396S2Y)',
diff --git a/detection/collection/1-high-disk-bytes-written.sql b/detection/collection/1-high-disk-bytes-written.sql
index 70ddd114..b33c0d37 100644
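Review bot: The new `'500,argo,500u,500g,argo'` key is inserted between `'0,kmod,0u,0g,depmod'` and `'0,launcher,0u,0g,launcher'`, which breaks the ordering the rest of the list follows (leading uid, then name); placing it after the last `'0,…'` entry keeps the list greppable and makes later duplicates easy to spot. Because the key is built only from ids and names, it exempts every uid-500 process named argo regardless of path or destination; that may be intended, but a one-line comment naming which argo tool is meant would record the reason. The enclosing `NOT IN (...)` list starts before and ends after this hunk.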
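Review bot: The Objective Development entry is placed after `'0,Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)'`, breaking the alphabetical order of the uid-0 group; it belongs before the Tailscale line. The subject line calls this `ObjSee` while the key names Objective Development Software GmbH, so a comment such as `-- Objective Development (presumably Little Snitch); runs as root` would stop the two from being confused and would state why a root-level talker exemption for this team ID is expected. The exemption covers every binary signed with that team ID, so it should stay tied to a product you actually expect on these hosts. The `NOT signed_exception IN (...)` list continues outside the hunk.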
--- a/detection/collection/1-high-disk-bytes-written.sql
+++ b/detection/collection/1-high-disk-bytes-written.sql
@@ -221,6 +221,8 @@ WHERE
 AND p0.path NOT LIKE '/var/kolide-k2/%/osqueryd'
 AND p0.path NOT LIKE "%/terraform-provider-%"
 AND NOT p0.cmdline LIKE '%/gsutil %rsync%'
+ AND NOT p0.cmdline LIKE '%python -m build%'
 AND NOT p0.cmdline LIKE '%/lib/gcloud.py components update'
 AND NOT p0.cmdline LIKE '%brew.rb upgrade'
 AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
+ AND p0.cwd != '/home/build'
diff --git a/detection/evasion/2-unexpected-user-executables-macos.sql b/detection/evasion/2-unexpected-user-executables-macos.sql
index 4863cc66..be673ca9 100644
--- a/detection/evasion/2-unexpected-user-executables-macos.sql
+++ b/detection/evasion/2-unexpected-user-executables-macos.sql
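Review bot: `AND p0.cwd != '/home/build'` drops any row whose `p0.cwd` is NULL, because the comparison yields UNKNOWN and the WHERE clause treats that as false; if cwd can be NULL here (a process whose working directory could not be read, or a p0 row reached through an outer join), those processes silently vanish from the detection instead of being evaluated. A NULL-safe form keeps them: `AND COALESCE(p0.cwd, '') != '/home/build'`. The `'%python -m build%'` exemption is a substring match on the whole command line, so any process that embeds that text is exempt; a comment naming the build pipeline it is meant to cover would help the next reviewer judge whether that breadth is still wanted. The WHERE clause continues beyond this hunk.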
@@ -207,25 +207,15 @@ WHERE
 '~/.config/i3',
 '~/.config/nvm/nvm.sh',
 '~/.config/polybar',
- '~/Library/Assistant/SiriAnalytics.db',
- '~/Library/Calendars/Calendar.sqlitedb-wal',
- '~/Library/Calendars/Calendar.sqlitedb',
- '~/Library/com.apple.iTunesCloud/play_activity.sqlitedb-wal',
- '~/Library/Group Containers/group.com.apple.calendar/Calendar.sqlitedb-wal',
- '~/Library/Group Containers/group.com.apple.calendar/Calendar.sqlitedb',
- '~/Library/Finance/finance_cloud.db-wal',
- '~/Library/Finance/finance_cloud.db',
 '~/Library/Group Containers/group.com.docker/unleash-repo-schema-v1-Docker Desktop.json',
- '~/Library/HTTPStorages/com.apple.AddressBookSourceSync',
- '~/Library/HTTPStorages/com.apple.AddressBookSourceSync/httpstorages.sqlite-shm',
+ '~/Library/Preferences/Macromedia/Flash Player/www.macromedia.com/bin/airappinstaller/airappinstaller_rsrc',
 '~/Library/Keychains/login.keychain-db',
 '~/Library/Logs/zoom.us/upload_history.txt',
 '~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'
 )
 AND NOT homepath LIKE '~/Library/%/%.db-wal'
 AND NOT homepath LIKE '~/Library/%/%.db'
- AND NOT homepath LIKE '~/Library/%/%.sqlite-wal'
- AND NOT homepath LIKE '~/Library/%/%.sqlite'
+ AND NOT homepath LIKE '~/Library/%/%.sqlite%'
 AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
 AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
 AND NOT f.directory LIKE '/Users/%/.pkg-cache/%'
diff --git a/detection/execution/2-unexpected-long-running-security-framework-macos.sql b/detection/execution/2-unexpected-long-running-security-framework-macos.sql
index 7c4c6c39..2dd379c9 100644
--- a/detection/execution/2-unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/2-unexpected-long-running-security-framework-macos.sql
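Review bot: `'~/Library/%/%.sqlite%'` replaces two suffix-anchored patterns with one whose trailing `%` matches `.sqlite` anywhere in the file name, so an executable named e.g. `foo.sqlite.bin` (constructed example) under ~/Library would now be excluded from this user-executable check, whereas the entries deleted above only needed `.sqlite`, `.sqlite-shm`, `.sqlitedb` and `.sqlitedb-wal`. Keeping the suffix bounded preserves the intent without the open-ended tail; the four patterns below do that and still cover every explicit path this hunk removes. The new `airappinstaller_rsrc` path looks like a legacy Adobe AIR installer artifact and deserves a one-line comment saying why it is expected on these hosts. The `NOT IN (...)` list starts before the hunk.
```sql
  AND NOT homepath LIKE '~/Library/%/%.db'
  AND NOT homepath LIKE '~/Library/%/%.sqlite'
  AND NOT homepath LIKE '~/Library/%/%.sqlite-%'
  AND NOT homepath LIKE '~/Library/%/%.sqlitedb'
  AND NOT homepath LIKE '~/Library/%/%.sqlitedb-%'
  -- … unchanged: f.directory exclusions …
```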
@@ -107,7 +107,8 @@ WHERE -- Focus on longer-running programs
 AND NOT exception_key LIKE '500,terraform-provider-%,a.out,'
 AND NOT exception_key LIKE '500,___%go_build_%,a.out,'
 AND NOT exception_key LIKE '500,___2go_build_main_go,a.out,'
- AND NOT exception_key LIKE '500,___Test%.test,a.out'
+ AND NOT exception_key LIKE '500,___Test%.test,a.out,'
+ AND NOT exception_key LIKE '500,___%__go_1_%,a.out,'
 AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
 AND NOT exception_key LIKE '500,marksman-macos,marksman-%,'
 AND NOT exception_key LIKE '500,nvim,bob-%,'
diff --git a/detection/exfil/3-yara-unexpected-rust-http-exec-process.sql b/detection/exfil/3-yara-unexpected-rust-http-exec-process.sql
index 5a6937eb..a6b18a6f 100644
--- a/detection/exfil/3-yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/3-yara-unexpected-rust-http-exec-process.sql
@@ -100,5 +100,6 @@ WHERE
 AND p0.path NOT IN (
 '/Applications/safeqclient.app/Contents/MacOS/safeqclient',
 '/Applications/Zed.app/Contents/MacOS/Zed',
+ '/usr/bin/pop-launcher',
 '/Library/safeqclientcore/bin/safeqclientcore'
 )
diff --git a/detection/persistence/2-unexpected-listening-port-macos.sql b/detection/persistence/2-unexpected-listening-port-macos.sql
index e7d8ccfa..d4d9f29f 100644
--- a/detection/persistence/2-unexpected-listening-port-macos.sql
+++ b/detection/persistence/2-unexpected-listening-port-macos.sql
@@ -97,6 +97,7 @@ WHERE
 '49152,6,500,Music,Software Signing',
 '49152,6,500,OmniFocus,Apple Mac OS Application Signing',
 '49152,6,500,barrier',
+ '22,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '443,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '49152,6,500,git-daemon,',
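Review bot: In `'500,___%__go_1_%,a.out,'` every `_` is a single-character LIKE wildcard rather than a literal underscore, so the pattern is equivalent to `500,_____%go_1_%,a.out,` and exempts any uid-500 process name of five or more characters that contains `go`, one character, `1`, one character — considerably broader than the `__go_1_` fragment it appears to target. If the underscores are meant literally, pin them with an escape clause: `AND NOT exception_key LIKE '500,\_\_\_%\_\_go\_1\_%,a.out,' ESCAPE '\'`. The neighbouring `___%go_build_%` and `___2go_build_main_go` patterns have the same property, though they predate this change. The `WHERE` clause continues on both sides of the hunk.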
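Review bot: The new `'22,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)'` key whitelists Docker Desktop listening on TCP 22, the SSH port, which is exactly the kind of exemption a later audit will question; a comment stating the reason — presumably a container publishing port 22 to the host — would document it, e.g. `-- container publishing port 22 through Docker Desktop`. The key still carries uid and signing identity, so its scope is acceptably narrow as written. The `NOT IN (...)` list extends beyond the hunk in both directions.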
@@ -111,7 +112,6 @@ WHERE
 '5000,6,500,ControlCenter,Software Signing',
 '5001,6,500,Record It,Apple Mac OS Application Signing',
 '5001,6,500,crane,',
- '5001,6,500,gvproxy,',
 '5060,6,500,CommCenter,Software Signing',
 '53,17,500,dnsmasq,',
 '53,17,500,server,',
@@ -231,6 +231,7 @@ WHERE
 'crane',
 'crc',
 'docker-proxy',
+ 'gvproxy',
 'hugo',
 'kubectl',
 'node',
diff --git a/detection/persistence/2-unexpected-uid0-daemon-linux.sql b/detection/persistence/2-unexpected-uid0-daemon-linux.sql
index 8dc7834b..4d6712d8 100644
--- a/detection/persistence/2-unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/2-unexpected-uid0-daemon-linux.sql
@@ -93,6 +93,7 @@ WHERE
 'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
 'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
 'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
+ 'iotop,/usr/sbin/iotop-c,0,user.slice,user-1000.slice,0755',
 'anacron,/usr/sbin/anacron,0,system.slice,anacron.service,0755',
 'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
 'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
From 51d1267a47bc1d797fb21d7ace406f194e4007f1 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Wed, 26 Feb 2025 12:14:46 -0500
Subject: [PATCH 2/2] run "make reformat"
---
 .../1-unexpected-netutil-calls-linux.sql | 9 +-
 .../1-unexpected-netutil-calls-macos.sql | 8 +-
 .../evasion/0-touched-executable-linux.sql | 106 +++++++++---------
 .../2-unexpected-user-executables-macos.sql | 3 +-
 .../1-exotic-command-events-linux.sql | 8 +-
 .../1-exotic-command-events-macos.sql | 6 +-
 ...y-created-executables-long-lived-macos.sql | 1 +
 .../1-unexpected-fetcher-parent-events.sql | 8 +-
 .../2-sketchy-download-name.sql | 7 +-
 .../2-minimal-socket-client-linux.sql | 4 +-
 incident_response/unified_log_macos.sql | 9 +-
 11 files changed, 69 insertions(+), 100 deletions(-)
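Review bot: Dropping `'5001,6,500,gvproxy,'` from the port-keyed list and adding `'gvproxy'` to the name-only list in the next hunk (`@@ -231,6 +231,7 @@`) widens the exemption from one port for one uid to any listening port for any process named gvproxy, since that second list is matched on the process name alone as far as these hunks show. If the motivation is that podman machine's gvproxy picks varying ports, a comment keeps the trade-off visible: `'gvproxy', -- podman machine proxy; listening port varies per VM`. Otherwise keeping the port-keyed entry and adding the other ports it actually uses is the narrower fix. Both lists start and end outside the hunks.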
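Review bot: `'iotop,/usr/sbin/iotop-c,0,user.slice,user-1000.slice,0755'` is inserted between two `anacron` keys, breaking the alphabetical order the list otherwise keeps; it belongs with the `i`-prefixed entries, which lie outside this hunk. The key also hard-codes `user-1000.slice`, so the same root-run iotop on a host whose primary user has a different uid will still alert — fine if intended, but a comment such as `-- iotop-c run via sudo from the primary user's session` would make that choice explicit rather than looking like an oversight. The `IN (...)` list continues beyond the hunk.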
diff --git a/detection/discovery/1-unexpected-netutil-calls-linux.sql b/detection/discovery/1-unexpected-netutil-calls-linux.sql
index 1c454cbf..e0520963 100644
--- a/detection/discovery/1-unexpected-netutil-calls-linux.sql
+++ b/detection/discovery/1-unexpected-netutil-calls-linux.sql
@@ -80,14 +80,7 @@ WHERE
 AND pe.time > (strftime('%s', 'now') -300)
 AND NOT (
 pe.euid > 500
- AND p1_name IN (
- 'bash',
- 'dash',
- 'fish',
- 'nu',
- 'sh',
- 'zsh'
- )
+ AND p1_name IN ('bash', 'dash', 'fish', 'nu', 'sh', 'zsh')
 AND p2_name IN (
 'alacritty',
 'gnome-terminal-',
diff --git a/detection/discovery/1-unexpected-netutil-calls-macos.sql b/detection/discovery/1-unexpected-netutil-calls-macos.sql
index 0b9c1c25..369f5553 100644
--- a/detection/discovery/1-unexpected-netutil-calls-macos.sql
+++ b/detection/discovery/1-unexpected-netutil-calls-macos.sql
@@ -88,13 +88,7 @@ WHERE
 AND pe.status == 0
 AND NOT (
 pe.euid > 500
- AND p1_name IN (
- 'bash',
- 'dash',
- 'fish',
- 'sh',
- 'zsh'
- )
+ AND p1_name IN ('bash', 'dash', 'fish', 'sh', 'zsh')
 AND p2_name IN (
 'kitty',
 'login',
diff --git a/detection/evasion/0-touched-executable-linux.sql b/detection/evasion/0-touched-executable-linux.sql
index 2a391a03..21a7484e 100644
--- a/detection/evasion/0-touched-executable-linux.sql
+++ b/detection/evasion/0-touched-executable-linux.sql
@@ -7,59 +7,59 @@
 -- tags: transient process state extra
 -- platform: linux
 SELECT
- p.pid,
- p.path,
- p.name,
- p.cmdline,
- p.cgroup_path,
- p.cwd,
- p.euid,
- p.parent,
- f.ctime,
- f.btime,
- f.mtime,
- p.start_time,
- pp.path AS parent_path,
- pp.cmdline AS parent_cmd,
- pp.cwd AS parent_cwd,
- hash.sha256 AS sha256
+ p.pid,
+ p.path,
+ p.name,
+ p.cmdline,
+ p.cgroup_path,
+ p.cwd,
+ p.euid,
+ p.parent,
+ f.ctime,
+ f.btime,
+ f.mtime,
+ p.start_time,
+ pp.path AS parent_path,
+ pp.cmdline AS parent_cmd,
+ pp.cwd AS parent_cwd,
+ hash.sha256 AS sha256
 FROM
- processes p
- LEFT JOIN file f ON p.path = f.path
- LEFT JOIN processes pp ON p.parent = pp.pid
- LEFT JOIN hash ON p.path = hash.path
+ processes p
+ LEFT JOIN file f ON p.path = f.path
+ LEFT JOIN processes pp ON p.parent = pp.pid
+ LEFT JOIN hash ON p.path = hash.path
 WHERE
- f.ctime = f.mtime
- AND (strftime ('%s', 'now') - p.start_time) > 25000
- AND p.path != '/'
- AND f.path NOT IN (
- '/opt/Elastic/Endpoint/elastic-endpoint',
- '/opt/google/endpoint-verification/bin/apihelper',
- '/opt/resolve/bin/resolve',
- '/usr/bin/ld.bfd',
- '/usr/bin/ld',
- '/usr/bin/ghostty',
- '/usr/bin/melange',
- '/var/opt/velociraptor/bin/velociraptor'
- )
- AND f.path NOT LIKE '/home/%'
- AND f.path NOT LIKE '/opt/Elastic/Agent/data/elastic-agent%'
- AND f.path NOT LIKE '/opt/rapid7/ir_agent/%'
- AND f.path NOT LIKE '/snap/%'
- AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
- AND f.path NOT LIKE '/tmp/%go-build%/exe/%'
- AND f.path NOT LIKE '/tmp/cargo-install%/%'
- AND f.path NOT LIKE '/tmp/go-build%'
- AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
- AND f.path NOT LIKE '/usr/local/bin/%'
- AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
- AND f.path NOT LIKe '/var/home/%'
- AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/%'
- AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%/bin/%'
- AND f.path NOT LIKE '/var/kolide-k2/k2device.kolide.com/updates/%'
- AND f.path NOT LIKE 
'/var/opt/Elastic/Endpoint/elastic-endpoint'
- AND f.path NOT LIKE '%/go/bin/%'
- AND f.path NOT LIKE '%/osqueryi'
- AND p.name NOT LIKE 'osqtool%'
+ f.ctime = f.mtime
+ AND (strftime('%s', 'now') - p.start_time) > 25000
+ AND p.path != '/'
+ AND f.path NOT IN (
+ '/opt/Elastic/Endpoint/elastic-endpoint',
+ '/opt/google/endpoint-verification/bin/apihelper',
+ '/opt/resolve/bin/resolve',
+ '/usr/bin/ld.bfd',
+ '/usr/bin/ld',
+ '/usr/bin/ghostty',
+ '/usr/bin/melange',
+ '/var/opt/velociraptor/bin/velociraptor'
+ )
+ AND f.path NOT LIKE '/home/%'
+ AND f.path NOT LIKE '/opt/Elastic/Agent/data/elastic-agent%'
+ AND f.path NOT LIKE '/opt/rapid7/ir_agent/%'
+ AND f.path NOT LIKE '/snap/%'
+ AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
+ AND f.path NOT LIKE '/tmp/%go-build%/exe/%'
+ AND f.path NOT LIKE '/tmp/cargo-install%/%'
+ AND f.path NOT LIKE '/tmp/go-build%'
+ AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
+ AND f.path NOT LIKE '/usr/local/bin/%'
+ AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
+ AND f.path NOT LIKe '/var/home/%'
+ AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/%'
+ AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%/bin/%'
+ AND f.path NOT LIKE '/var/kolide-k2/k2device.kolide.com/updates/%'
+ AND f.path NOT LIKE '/var/opt/Elastic/Endpoint/elastic-endpoint'
+ AND f.path NOT LIKE '%/go/bin/%'
+ AND f.path NOT LIKE '%/osqueryi'
+ AND p.name NOT LIKE 'osqtool%'
 GROUP by
- p.pid
+ p.pid
diff --git a/detection/evasion/2-unexpected-user-executables-macos.sql b/detection/evasion/2-unexpected-user-executables-macos.sql
index be673ca9..53059416 100644
--- a/detection/evasion/2-unexpected-user-executables-macos.sql
+++ b/detection/evasion/2-unexpected-user-executables-macos.sql
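Review bot: The reindented block still emits `AND f.path NOT LIKe '/var/home/%'` and `GROUP by`, so a commit titled `run "make reformat"` leaves mixed keyword case in its own output; a keyword-case pass (sqlfluff's capitalisation rule, for instance) would produce `AND f.path NOT LIKE '/var/home/%'` and `GROUP BY`. The same survives in `2-minimal-socket-client-linux.sql` further down, where `AND NOT proc_cgroup in ('/system.slice/snapd.service')` keeps a lowercase `in`. Keywords are case-insensitive to the engine, so this is cosmetic, but the inconsistency will keep resurfacing in every future reformat diff until it is fixed once. This hunk covers the whole query body from `SELECT` to `GROUP by`; only the metadata comment lines precede it.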
@@ -60,7 +60,6 @@ WHERE
 OR directory LIKE '/Users/%/Library/.%'
 OR directory LIKE '/Users/%/Library/%'
 OR directory LIKE '/Users/%/Library/%/.%'
- OR directory LIKE '/Users/%/Library/%/%'
 OR directory LIKE '/Users/%/Photos'
 OR directory LIKE '/Users/%/Photos/.%'
 OR directory LIKE '/Users/%/Photos/%'
@@ -70,7 +69,7 @@ WHERE
 OR directory LIKE '/Users/Shared/.%'
 OR directory LIKE '/Users/Shared/%'
 OR directory LIKE '/var/root/.%'
- OR directory LIKE '/var/root/%%'
+ OR directory LIKE '/var/root/%'
 )
 AND (
 type = 'regular'
diff --git a/detection/execution/1-exotic-command-events-linux.sql b/detection/execution/1-exotic-command-events-linux.sql
index 55f47353..462a7a2c 100644
--- a/detection/execution/1-exotic-command-events-linux.sql
+++ b/detection/execution/1-exotic-command-events-linux.sql
@@ -197,13 +197,7 @@ WHERE
 AND NOT p0_cmd LIKE 'modprobe --all%'
 AND NOT p0_cmd LIKE 'modprobe -ab%'
 AND NOT p0_cmd LIKE 'pkill -f cut -c3%'
- AND NOT p0_name IN (
- 'ar',
- 'cc1',
- 'cc1plus',
- 'cmake',
- 'compile'
- )
+ AND NOT p0_name IN ('ar', 'cc1', 'cc1plus', 'cmake', 'compile')
 AND NOT exception_key IN (
 'bash,0,bash,containerd-shim-runc-v2',
 'bash,500,ninja,bash',
diff --git a/detection/execution/1-exotic-command-events-macos.sql b/detection/execution/1-exotic-command-events-macos.sql
index 955b927a..fcf97c47 100644
--- a/detection/execution/1-exotic-command-events-macos.sql
+++ b/detection/execution/1-exotic-command-events-macos.sql
@@ -208,11 +208,7 @@ WHERE
 AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'
 AND NOT p0_cmd LIKE 'touch -r . /private/tmp/nix-build%'
 AND NOT p0_cmd LIKE 'touch -r /tmp/KSInstallAction.%'
- AND NOT p0_name IN (
- 'cc1',
- 'compile',
- 'yara'
- )
+ AND NOT p0_name IN ('cc1', 'compile', 'yara')
 AND NOT exception_key IN (
 'bash,500,idea,launchd',
 'bat,500,zsh,login',
diff --git a/detection/execution/1-recently-created-executables-long-lived-macos.sql b/detection/execution/1-recently-created-executables-long-lived-macos.sql
index d6eb67d6..415fc7fc 100644
--- a/detection/execution/1-recently-created-executables-long-lived-macos.sql
+++ b/detection/execution/1-recently-created-executables-long-lived-macos.sql
@@ -145,6 +145,7 @@ WHERE
 OR dir LIKE '~/dev/%'
 OR dir LIKE '~/Downloads/%.app/Contents/MacOS'
 OR dir LIKE '~/git/%'
+ OR dir LIKE '~/Applications/%.app/%'
 OR f.path LIKE '%go-build%'
 OR homepath LIKE '~/%/cloud_sql_proxy'
 OR homepath LIKE '~/%/gopls'
diff --git a/detection/execution/1-unexpected-fetcher-parent-events.sql b/detection/execution/1-unexpected-fetcher-parent-events.sql
index 81f14451..55afc55b 100644
--- a/detection/execution/1-unexpected-fetcher-parent-events.sql
+++ b/detection/execution/1-unexpected-fetcher-parent-events.sql
@@ -88,13 +88,7 @@ WHERE
 )
 AND NOT (
 pe.euid > 500
- AND p1_name IN (
- 'bash',
- 'dash',
- 'fish',
- 'sh',
- 'zsh'
- )
+ AND p1_name IN ('bash', 'dash', 'fish', 'sh', 'zsh')
 AND p2_name IN (
 'alacritty',
 'gnome-terminal-',
diff --git a/detection/initial_access/2-sketchy-download-name.sql b/detection/initial_access/2-sketchy-download-name.sql
index 0773ea27..2d423f5f 100644
--- a/detection/initial_access/2-sketchy-download-name.sql
+++ b/detection/initial_access/2-sketchy-download-name.sql
@@ -23,12 +23,7 @@ FROM
 WHERE
 file.path LIKE "/Users/%/Downloads/%"
 -- Frequently targetted extension for InfoStealer attacks
- AND extension IN (
- 'dmg',
- 'exe',
- 'pkg',
- 'rar'
- )
+ AND extension IN ('dmg', 'exe', 'pkg', 'rar')
 AND (
 file.filename LIKE "%.app%"
 OR file.filename LIKE "%Adobe Photoshop%"
diff --git a/detection/persistence/2-minimal-socket-client-linux.sql b/detection/persistence/2-minimal-socket-client-linux.sql
index 4dc5db28..a3af1f90 100644
--- a/detection/persistence/2-minimal-socket-client-linux.sql
+++ b/detection/persistence/2-minimal-socket-client-linux.sql
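Review bot: `OR dir LIKE '~/Applications/%.app/%'` is a semantic change shipped in a commit described as `run "make reformat"`, and it is broader than the sibling `'~/Downloads/%.app/Contents/MacOS'` entry: it exempts a recently created, long-lived executable anywhere inside a user-installed bundle, including helper and framework subdirectories. If only the bundle's main executable is intended, `OR dir LIKE '~/Applications/%.app/Contents/MacOS'` mirrors the existing pattern; if helpers are genuinely needed, a comment naming them would justify the wider match and keep it from being tightened later by someone who assumes it was accidental. The enclosing group of directory exemptions starts before this hunk and continues after it.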
@@ -72,9 +72,7 @@ WHERE
 pos.local_address = "127.0.0.1"
 AND pos.remote_address = "127.0.0.1"
 )
- AND NOT proc_cgroup in (
- '/system.slice/snapd.service'
- )
+ AND NOT proc_cgroup in ('/system.slice/snapd.service')
 GROUP BY pos.pid -- libc.so, ld-linux
 HAVING
diff --git a/incident_response/unified_log_macos.sql b/incident_response/unified_log_macos.sql
index c9a59ad2..186981da 100644
--- a/incident_response/unified_log_macos.sql
+++ b/incident_response/unified_log_macos.sql
@@ -4,8 +4,13 @@
 -- platform: darwin
 -- interval: 1800
 SELECT
- timestamp, pid, process, category, subsystem, message
+ timestamp,
+ pid,
+ process,
+ category,
+ subsystem,
+ message
 FROM
 unified_log
 WHERE
- timestamp > (strftime('%s', 'now') - 1800)
+ timestamp > (strftime('%s', 'now') - 1800)