diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 4b4c308..0b8de64 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -92,6 +92,7 @@ WHERE
 '8000,6,500,brave,0u,0g,brave',
 '8000,6,500,chrome,0u,0g,chrome',
 '8000,6,500,firefox,0u,0g,firefox',
+ '80,6,500,telegram-desktop,u,g,telegram-deskto',
 '80,6,0,grep,0u,0g,grep',
 '80,6,0,incusd,0u,0g,incusd',
 '80,6,0,kmod,0u,0g,depmod',
diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
index 8ca3915..9febd9f 100644
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -241,13 +241,8 @@ WHERE
 '/dev/zfs,zfs',
 '/dev/zfs,zpool'
 )
- -- Halflife
- AND path_exception NOT LIKE '/dev/shm/u1000-Shm_%,bash'
- -- lvmdbusd / gcloud / gsutil
- AND path_exception NOT LIKE '/dev/shm/pym-%python3%'
- -- celery
- AND path_exception NOT LIKE '/dev/shm/pymp-%,python3.%'
- AND dir_exception NOT LIKE '/dev/shm/byobu-%/%.tmux%'
+ AND path_exception NOT LIKE '/dev/shm/%'
+ AND path_exception NOT LIKE '/dev/cpu_dma_latency,python%'
 AND NOT (
 pof.path = "/dev/uinput"
 AND p0.name LIKE "solaar%"
diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql
index bcebf10..a8e4c8c 100644
--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@@ -73,7 +73,8 @@ WHERE
 'crond',
 'systemd',
 'systemd-udevd',
- '(udev-worker)'
+ '(udev-worker)',
+ '(sd-exec-strv)'
 )
 AND NOT (
 p.name LIKE 'systemd-%'
diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index eddeafc..fb3ceda 100644
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
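Review bot: The added exception key `'80,6,500,telegram-desktop,u,g,telegram-deskto'` carries `u,g` where every neighbouring key carries `0u,0g`; if those two fields are produced by concatenating a numeric column onto a `u`/`g` suffix, an empty numeric part is what a NULL would yield, and this entry may then never match (or match only a credential combination unlike the rest of the list). The key is assembled earlier in the file, outside this hunk, so that is where to confirm it. If the difference is deliberate, a comment on the line stating why this entry deviates from the `0u,0g` shape would stop the next reader asking the same question.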
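Review bot: Replacing the four process-scoped `/dev/shm` exceptions with `AND path_exception NOT LIKE '/dev/shm/%'` removes every `/dev/shm` open from this detection no matter which process performs it; the removed lines were keyed on a process name (`,bash`, `%python3%`, the tmux dir pattern), and that scoping is what kept the blind spot small. `path_exception` looks like `path,name` (compare `'/dev/zfs,zfs'` and the added `'/dev/cpu_dma_latency,python%'`), so the same noise can be suppressed while keeping the name component: `AND path_exception NOT LIKE '/dev/shm/%,bash'`, `AND path_exception NOT LIKE '/dev/shm/%,python3%'`, plus the prior `dir_exception` line for the tmux case. If the blanket form is intended, record the accepted coverage loss next to it, e.g. `-- /dev/shm excluded entirely: too noisy across shells, python and tmux`. The enclosing WHERE clause continues on both sides of this hunk.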
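Review bot: `'(sd-exec-strv)'` joins the name allowlist with no comment, and unlike `crond` or `systemd` the parenthesised form is not obviously a real program to a reader of this file. A comment on the line would document the reason, e.g. `-- systemd transient exec helper; briefly visible with an empty environ, like (udev-worker)` — presumably that is what it is, confirm before wording it. The exclusion is keyed only on `p.name`, the same trust level as the neighbouring entries, so no further change is needed here; the `AND NOT (` block that follows continues outside the hunk.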
@@ -11,6 +11,7 @@ SELECT
 p.path,
 p.name,
 p.cmdline,
+ p.cgroup_path,
 p.cwd,
 p.euid,
 p.parent,
@@ -34,6 +35,8 @@ WHERE
 '/opt/google/endpoint-verification/bin/apihelper',
 '/opt/Elastic/Endpoint/elastic-endpoint',
 '/opt/resolve/bin/resolve',
+ '/usr/bin/ld',
+ '/usr/bin/ld.bfd',
 '/var/opt/velociraptor/bin/velociraptor',
 '/usr/bin/melange'
 )
diff --git a/detection/execution/unexpected-packet-sniffer.sql b/detection/execution/unexpected-packet-sniffer.sql
index 9ed8eeb..7f9474e 100644
--- a/detection/execution/unexpected-packet-sniffer.sql
+++ b/detection/execution/unexpected-packet-sniffer.sql
@@ -48,3 +48,9 @@ WHERE
 'dhcpcd',
 'tcpdump'
 )
+ AND NOT (
+ p0.cgroup_path LIKE '/system.slice/docker-%'
+ AND p0.path = '/speaker'
+ AND p0.name = 'speaker'
+ AND protocol = 2054
+ )
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 124564b..cd30efe 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -57,19 +57,12 @@ WHERE
 AND p0.path NOT LIKE '/System/Applications/%'
 AND p0.path NOT LIKE '/System/Library/%'
 AND p0.name NOT IN (
- 'BDLDaemon',
- 'Disk Inventory X',
- 'GoogleSoftwareUpdateAgent',
- 'LogiFacecamService',
- 'Safari',
- 'UpdateBrainService',
- 'ZwiftAppMetal',
- 'ZwiftAppSilicon',
 'apko',
- 'Meeting Center',
+ 'Autodesk Identity Manager',
 'baloo_file',
 'baloo_file_extr',
 'bash',
+ 'BDLDaemon',
 'bincapz',
 'bwrap',
 'cargo',
@@ -79,25 +72,26 @@ WHERE
 'com.apple.MobileSoftwareUpdate.UpdateBrainService',
 'com.apple.NRD.UpdateBrainService',
 'cpptools',
+ 'Disk Inventory X',
 'dnf',
 'docker',
 'elastic-endpoin',
 'elastic-endpoint',
 'electron',
 'emacs',
- 'steam_osx',
 'factorio',
- 'Google Chrome',
+ 'Fedora Media Writer',
 'firefox',
- 'meta',
- 'ollama',
 'fish',
 'fleet_backend',
 'fsdaemon',
 'fsnotifier',
 'gnome-software',
 'go',
+ 'goland',
 'golangci-lint',
+ 'Google Chrome',
+ 'GoogleSoftwareUpdateAgent',
 'gopls',
 'grype',
 'hugo',
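Review bot: `'/usr/bin/ld'` and `'/usr/bin/ld.bfd'` are excluded by exact path with no comment, and since `/usr/bin/ld` is normally an alternatives symlink whose target is `ld.bfd`, the practical effect is that the system linker's mtime is no longer watched by this query at all. A one-line reason beside the entries, e.g. `-- binutils: ld is re-pointed by update-alternatives on upgrade, so its mtime churns` (if that is indeed the cause — confirm), lets a later reader judge whether the blind spot is still wanted. If the churn is only on the symlink, excluding `'/usr/bin/ld'` alone and leaving `ld.bfd` covered is the narrower option. The `NOT IN (` list begins before this hunk.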
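Review bot: `AND protocol = 2054` is a magic number with no comment; 2054 is 0x0806, the ARP EtherType, and it is the part of this exception doing the real work, since `p0.cgroup_path`, `p0.path = '/speaker'` and `p0.name = 'speaker'` are all set by whoever builds the container image. Annotate it inline: `AND protocol = 2054 -- 0x0806, ETH_P_ARP`. A comment above `AND NOT (` naming the workload (presumably a Layer-2 load-balancer speaker that announces addresses over ARP — confirm) would also explain why a raw socket from a docker cgroup is expected here.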
@@ -108,21 +102,22 @@ WHERE
 'kube-controller',
 'kube-scheduler',
 'kue',
- 'goland',
 'launcher',
+ 'LogiFacecamService',
+ 'mal',
 'mediawriter',
+ 'Meeting Center',
 'melange',
+ 'meta',
+ 'Microsoft Update Assistant',
 'nautilus',
 'nessusd',
 'nix',
- 'Fedora Media Writer',
- 'updatedb',
 'nix-daemon',
 'nvim',
 'ollama',
- 'Autodesk Identity Manager',
- 'ollama-runer',
 'ollama_llama_server',
+ 'ollama-runer',
 'osqueryd',
 'osqueryi',
 'plasmashell',
@@ -132,13 +127,14 @@ WHERE
 'rpi-imager',
 'rpm-ostree',
 'rsync',
- 'Microsoft Update Assistant',
+ 'Safari',
 'sh',
 'simdiskimaged',
 'slack',
 'snapd',
 'spotify',
 'steam',
+ 'steam_osx',
 'systemd',
 'terraform',
 'terraform-ls',
@@ -146,6 +142,8 @@ WHERE
 'thunderbird',
 'tilt',
 'unattended-upgr',
+ 'UpdateBrainService',
+ 'updatedb',
 'update_dyld_sim_shared_cache',
 'vim',
 'wineserver',
@@ -153,7 +151,9 @@ WHERE
 'yay',
 'ykman-gui',
 'yum',
- 'zsh'
+ 'zsh',
+ 'ZwiftAppMetal',
+ 'ZwiftAppSilicon'
 )
 AND NOT p0.path IN (
 '/app/libexec/mediawriter/helper',
diff --git a/detection/privesc/setxid-cmdline-overflow-attempt.sql b/detection/privesc/setxid-cmdline-overflow-attempt.sql
index c97088e..c60f2d7 100644
--- a/detection/privesc/setxid-cmdline-overflow-attempt.sql
+++ b/detection/privesc/setxid-cmdline-overflow-attempt.sql
@@ -62,4 +62,5 @@ WHERE
 AND file.mode NOT LIKE '0%'
 AND pe.cmdline_size > 2048
 AND p0_cmd NOT LIKE '%sudo dpkg %'
+ AND p0_cmd NOT LIKE '%bwrap --bind %'
 AND p0_cmd NOT LIKE '%sudo %--vmodule=% --audit-policy-file=%kube%'
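Review bot: `'mal'` is the only genuinely new exclusion in this file's six hunks (the `@@ -57`, `@@ -79`, `@@ -132`, `@@ -146` and `@@ -153` hunks only re-sort the list; every removed name reappears, and the duplicate `'ollama'` is dropped), and a three-letter process name with no comment is easy to mistake for a stray edit. Annotate it, e.g. `'mal', -- malcontent scanner CLI` if that is the tool meant. While the entry is being moved, `'ollama-runer'` (carried over unchanged from the old list) reads like a misspelling of `ollama-runner`; if so, that exception has never matched anything and should be corrected or dropped rather than re-sorted.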
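Review bot: The new `AND p0_cmd NOT LIKE '%bwrap --bind %'` is an unanchored substring test, so an over-long command line to any setxid binary is excluded from this rule as soon as that text appears anywhere in its arguments; the existing `'%sudo dpkg %'` line has the same shape, but bwrap is (or has been) setuid on several distributions and is exactly the kind of binary this rule exists to watch. If `p0_cmd` begins with argv[0], anchor it: `AND p0_cmd NOT LIKE 'bwrap --bind %'`, or `'/usr/bin/bwrap --bind %'` when a full path is recorded — confirm which form the column holds before choosing. The WHERE clause this belongs to starts before the hunk.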