Merge pull request #399 from tstromberg/fpr-oct21

chainguard-dev · Oct 21, 2024 · 2ff2fa4 · 2ff2fa4
2 parents 638266b + 2da853b
commit 2ff2fa4
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 28 deletions.
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
@@ -92,6 +92,7 @@ WHERE
     '8000,6,500,brave,0u,0g,brave',
     '8000,6,500,chrome,0u,0g,chrome',
     '8000,6,500,firefox,0u,0g,firefox',
+    '80,6,500,telegram-desktop,u,g,telegram-deskto',
     '80,6,0,grep,0u,0g,grep',
     '80,6,0,incusd,0u,0g,incusd',
     '80,6,0,kmod,0u,0g,depmod',

diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -241,13 +241,8 @@ WHERE
     '/dev/zfs,zfs',
     '/dev/zfs,zpool'
   )
-  -- Halflife
-  AND path_exception NOT LIKE '/dev/shm/u1000-Shm_%,bash'
-  -- lvmdbusd / gcloud / gsutil
-  AND path_exception NOT LIKE '/dev/shm/pym-%python3%'
-  -- celery
-  AND path_exception NOT LIKE '/dev/shm/pymp-%,python3.%'
-  AND dir_exception NOT LIKE '/dev/shm/byobu-%/%.tmux%'
+  AND path_exception NOT LIKE '/dev/shm/%'
+  AND path_exception NOT LIKE '/dev/cpu_dma_latency,python%'
   AND NOT (
     pof.path = "/dev/uinput"
     AND p0.name LIKE "solaar%"

diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql
@@ -73,7 +73,8 @@ WHERE
     'crond',
     'systemd',
     'systemd-udevd',
-    '(udev-worker)'
+    '(udev-worker)',
+    '(sd-exec-strv)'
   )
   AND NOT (
     p.name LIKE 'systemd-%'

diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
@@ -11,6 +11,7 @@ SELECT
   p.path,
   p.name,
   p.cmdline,
+  p.cgroup_path,
   p.cwd,
   p.euid,
   p.parent,
@@ -34,6 +35,8 @@ WHERE
     '/opt/google/endpoint-verification/bin/apihelper',
     '/opt/Elastic/Endpoint/elastic-endpoint',
     '/opt/resolve/bin/resolve',
+    '/usr/bin/ld',
+    '/usr/bin/ld.bfd',
     '/var/opt/velociraptor/bin/velociraptor',
     '/usr/bin/melange'
   )

diff --git a/detection/execution/unexpected-packet-sniffer.sql b/detection/execution/unexpected-packet-sniffer.sql
@@ -48,3 +48,9 @@ WHERE
     'dhcpcd',
     'tcpdump'
   )
+  AND NOT (
+    p0.cgroup_path LIKE '/system.slice/docker-%'
+    AND p0.path = '/speaker'
+    AND p0.name = 'speaker'
+    AND protocol = 2054
+  )
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
@@ -57,19 +57,12 @@ WHERE
   AND p0.path NOT LIKE '/System/Applications/%'
   AND p0.path NOT LIKE '/System/Library/%'
   AND p0.name NOT IN (
-    'BDLDaemon',
-    'Disk Inventory X',
-    'GoogleSoftwareUpdateAgent',
-    'LogiFacecamService',
-    'Safari',
-    'UpdateBrainService',
-    'ZwiftAppMetal',
-    'ZwiftAppSilicon',
     'apko',
-    'Meeting Center',
+    'Autodesk Identity Manager',
     'baloo_file',
     'baloo_file_extr',
     'bash',
+    'BDLDaemon',
     'bincapz',
     'bwrap',
     'cargo',
@@ -79,25 +72,26 @@ WHERE
     'com.apple.MobileSoftwareUpdate.UpdateBrainService',
     'com.apple.NRD.UpdateBrainService',
     'cpptools',
+    'Disk Inventory X',
     'dnf',
     'docker',
     'elastic-endpoin',
     'elastic-endpoint',
     'electron',
     'emacs',
-    'steam_osx',
     'factorio',
-    'Google Chrome',
+    'Fedora Media Writer',
     'firefox',
-    'meta',
-    'ollama',
     'fish',
     'fleet_backend',
     'fsdaemon',
     'fsnotifier',
     'gnome-software',
     'go',
+    'goland',
     'golangci-lint',
+    'Google Chrome',
+    'GoogleSoftwareUpdateAgent',
     'gopls',
     'grype',
     'hugo',
@@ -108,21 +102,22 @@ WHERE
     'kube-controller',
     'kube-scheduler',
     'kue',
-    'goland',
     'launcher',
+    'LogiFacecamService',
+    'mal',
     'mediawriter',
+    'Meeting Center',
     'melange',
+    'meta',
+    'Microsoft Update Assistant',
     'nautilus',
     'nessusd',
     'nix',
-    'Fedora Media Writer',
-    'updatedb',
     'nix-daemon',
     'nvim',
     'ollama',
-    'Autodesk Identity Manager',
-    'ollama-runer',
     'ollama_llama_server',
+    'ollama-runer',
     'osqueryd',
     'osqueryi',
     'plasmashell',
@@ -132,28 +127,33 @@ WHERE
     'rpi-imager',
     'rpm-ostree',
     'rsync',
-    'Microsoft Update Assistant',
+    'Safari',
     'sh',
     'simdiskimaged',
     'slack',
     'snapd',
     'spotify',
     'steam',
+    'steam_osx',
     'systemd',
     'terraform',
     'terraform-ls',
     'terraform-provider-apko',
     'thunderbird',
     'tilt',
     'unattended-upgr',
+    'UpdateBrainService',
+    'updatedb',
     'update_dyld_sim_shared_cache',
     'vim',
     'wineserver',
     'wolfictl',
     'yay',
     'ykman-gui',
     'yum',
-    'zsh'
+    'zsh',
+    'ZwiftAppMetal',
+    'ZwiftAppSilicon'
   )
   AND NOT p0.path IN (
     '/app/libexec/mediawriter/helper',

diff --git a/detection/privesc/setxid-cmdline-overflow-attempt.sql b/detection/privesc/setxid-cmdline-overflow-attempt.sql
@@ -62,4 +62,5 @@ WHERE
   AND file.mode NOT LIKE '0%'
   AND pe.cmdline_size > 2048
   AND p0_cmd NOT LIKE '%sudo dpkg %'
+  AND p0_cmd NOT LIKE '%bwrap --bind %'
   AND p0_cmd NOT LIKE '%sudo %--vmodule=% --audit-policy-file=%kube%'