From a7f0b3001d9305c783917ac4a2fd82b734506b45 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 26 Sep 2023 13:09:22 -0400
Subject: [PATCH] Reduce false positives on Ubuntu + Lima
---
.../unexpected-dev-opener-linux.sql | 1 +
.../credentials/yara-mounted-stealer.sql | 21 ++++++++++---------
detection/evasion/name_path_mismatch.sql | 1 +
.../evasion/touched-executable-linux.sql | 2 +-
.../evasion/unexpected-etc-executables.sql | 1 +
.../evasion/unexpected-var-run-linux.sql | 6 ++++++
.../yara-unexpected-go-crypt-exec-process.sql | 2 ++
.../unexpected-active-systemd-units.sql | 4 ++++
detection/persistence/unexpected-device.sql | 2 ++
.../unexpected-listening-port-linux.sql | 3 +++
.../unexpected-uid0-daemon-linux.sql | 2 ++
.../yara-suspicious-strings-process-linux.sql | 1 +
12 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
index 1bd91b42..5d5b82e1 100644
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -172,6 +172,7 @@ WHERE
'/dev/fb,Xorg',
'/dev/hidraw,chrome',
'/dev/hwrng,rngd',
+ '/dev/hvc,agetty',
'/dev/input/event,thermald',
'/dev/input/event,touchegg',
'/dev/input/event,Xorg',
diff --git a/detection/credentials/yara-mounted-stealer.sql b/detection/credentials/yara-mounted-stealer.sql
index a642a743..9d1cf5a0 100644
--- a/detection/credentials/yara-mounted-stealer.sql
+++ b/detection/credentials/yara-mounted-stealer.sql
@@ -65,17 +65,18 @@ WHERE
AND yara.sigrule = '
rule stealer {
strings:
- $ds = "data_stealers" ascii
- $lk = "/Library/Keychains" ascii
- $cs = "cookies.sqlite" ascii
- $mc = "moz_cookies" ascii
- $og = "OperaGX" ascii
- $bs = "BraveSoftware" ascii
- $os = "osascript" ascii
- $fgp = "find-generic-password" ascii
+ $data_stealers = "data_stealers" ascii
+ $library_keychains = "/Library/Keychains" ascii
+ $cookies_sqlite = "cookies.sqlite" ascii
+ $moz_cookies = "moz_cookies" ascii
+ $operagx = "OperaGX" ascii
+ $brave_software = "BraveSoftware" ascii
+ $osascript = "osascript" ascii
+ $find_generic_password = "find-generic-password" ascii
condition:
2 of them
}'
- AND yara.count > 0
-GROUP BY file.path
\ No newline at end of file
+ AND yara.count > 0
+GROUP BY
+ file.path
diff --git a/detection/evasion/name_path_mismatch.sql b/detection/evasion/name_path_mismatch.sql
index a3d484e7..5e4e0fc5 100644
--- a/detection/evasion/name_path_mismatch.sql
+++ b/detection/evasion/name_path_mismatch.sql
@@ -89,6 +89,7 @@ WHERE
'0,udevadm,systemd-udevd',
'0,udevadm,(udev-worker)',
'500,netcat,nc',
+ '500,nc.openbsd,nc',
'500,busybox,sh',
'500,coreutils,tail',
'500,gjs-console,gnome-character',
diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index 640c4949..e04be4c1 100644
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@@ -41,6 +41,6 @@ WHERE
AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
AND f.path NOT LIKE '/tmp/go-build%'
- AND p.name != 'osqtool'
+ AND p.name NOT LIKE 'osqtool%'
GROUP by p.pid
diff --git a/detection/evasion/unexpected-etc-executables.sql b/detection/evasion/unexpected-etc-executables.sql
index 0673edd0..3294da5e 100644
--- a/detection/evasion/unexpected-etc-executables.sql
+++ b/detection/evasion/unexpected-etc-executables.sql
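Review bot: The widened exemption `AND p.name NOT LIKE 'osqtool%'` now clears every process whose self-reported name merely starts with osqtool, and a process picks its own name, whereas the neighbouring exceptions in this hunk are all keyed on `f.path`. If the binaries this is meant to cover live under a predictable path, tying the name to it keeps the carve-out narrow, e.g. `AND NOT (p.name LIKE 'osqtool%' AND f.path LIKE '%/osqtool%')`. At minimum a trailing comment stating which osqtool-prefixed names the pattern is intended to match would explain why an exact match was no longer enough. The enclosing WHERE clause begins outside this hunk.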
@@ -33,6 +33,7 @@ WHERE
'/etc/alternatives',
'/etc/apcupsd',
'/etc/apm/resume.d',
+ '/etc/vmware-tools/scripts/vmware',
'/etc/apm/scripts.d',
'/etc/apm/suspend.d',
'/etc/avahi',
diff --git a/detection/evasion/unexpected-var-run-linux.sql b/detection/evasion/unexpected-var-run-linux.sql
index deff6519..f4a7f78f 100644
--- a/detection/evasion/unexpected-var-run-linux.sql
+++ b/detection/evasion/unexpected-var-run-linux.sql
@@ -33,6 +33,12 @@ WHERE
'apcupsd.pid',
'apport.lock',
'atd.pid',
+ 'adduser',
+ 'lima-boot-done',
+ 'lima-ssh-ready',
+ 'machine-id',
+ 'motd.dynamic',
+ 'multipathd.pid',
'auditd.pid',
'cron.reboot',
'crond.pid',
diff --git a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
index cd60a16d..b9eae693 100644
--- a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
+++ b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
@@ -74,6 +74,8 @@ WHERE
'kubectl',
'go',
'docker',
+ 'lima-guestagent',
+ 'containerd-star',
'gopls',
'launcher',
'tflint',
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 3cc38ce1..811e2b3d 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -55,6 +55,10 @@ WHERE
'accounts-daemon.service,Accounts Service,',
'acpid.path,ACPI Events Check,',
'acpid.service,ACPI Daemon,',
+ 'serial-getty@hvc0.service,Serial Getty on hvc0,',
+ 'ssh.socket,OpenBSD Secure Shell server socket,',
+ 'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
+ 'systemd-machine-id-commit.service,Commit a transient machine-id on disk,',
'acpid.service,ACPI event daemon,',
'acpid.socket,ACPID Listen Socket,',
'akmods.service,Builds and install new kmods from akmod packages,',
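Review bot: `'/etc/vmware-tools/scripts/vmware'` is inserted between `/etc/apm/resume.d` and `/etc/apm/scripts.d`, breaking the alphabetical order the rest of this list keeps; it belongs with the `/etc/v…` entries. It also exempts a whole directory of hook scripts that vmtoolsd runs as root on power-state events, so anything dropped into that directory becomes invisible to this query. If the list accepts file paths, narrowing it to the shipped script(s) would be safer; otherwise a trailing comment such as `-- open-vm-tools power-op hooks (directory-wide exemption)` should record the trade-off. The enclosing IN list starts outside this hunk.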
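Review bot: All six new names are dropped in after `'atd.pid'`, so `'adduser'` sorts before the entry above it and `'lima-*'`, `'machine-id'`, `'motd.dynamic'` and `'multipathd.pid'` sit far from their alphabetical neighbours, which makes duplicates and gaps in this long allowlist hard to spot. Each should go to its sorted position. A short comment on the two Lima markers, for example `-- lima-boot-done / lima-ssh-ready: written during Lima guest boot (per commit subject)`, would also tell a reader why they are expected under /var/run; that origin is inferred from the names and the commit subject, not visible here.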
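Review bot: `'containerd-star'` is exactly 15 characters, which reads as the Linux comm-length truncation of a longer binary name rather than a deliberate value (the same convention shows up in this patch as the `nginx-ingress-c` context line in unexpected-listening-port-linux.sql), so a reader may take it for a typo. A trailing comment giving the full executable name it stands for would prevent that. Because the match is on the truncated name, every Go binary whose name shares that 15-character prefix is exempted as well, which the comment should state explicitly.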
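Review bot: The new `'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755'` entry does not follow this list's `id,description,` key shape (compare `'acpid.service,ACPI Daemon,'`); it is the six-field exception_key format of unexpected-uid0-daemon-linux.sql, where this commit adds the identical string, so here it can never match and is dead text that will mislead the next person adding an entry. It should be dropped from this file or replaced by the unit-keyed form, `'launcher.kolide-k2.service,<unit Description>,'`. Separately, `'ssh.socket,OpenBSD Secure Shell server socket,'` makes a socket-activated SSH listener unremarkable on every host this query covers; if that is only expected on the Ubuntu/Lima guests, a comment saying so would help triage. The four additions are also out of alphabetical order.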
diff --git a/detection/persistence/unexpected-device.sql b/detection/persistence/unexpected-device.sql
index 928e65a4..83b08b98 100644
--- a/detection/persistence/unexpected-device.sql
+++ b/detection/persistence/unexpected-device.sql
@@ -118,6 +118,8 @@ WHERE
'/dev/loop',
'/dev/loop-control',
'/dev/lp',
+ '/dev/hvc',
+ '/dev/vportp',
'/dev/mapper/',
'/dev/mapper/control',
'/dev/mcelog',
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 4cde326a..7c042852 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -70,6 +70,9 @@ WHERE
) IN (
'10250,6,0,kubelet',
'10250,6,500,kubelet',
+ '22,6,0,systemd',
+ '58,255,500,systemd-network',
+ '68,17,500,systemd-network',
'10254,6,101,nginx-ingress-c',
'10256,6,0,kube-proxy',
'10256,6,500,kube-proxy',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index dc56f7ad..0af96cd4 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -75,6 +75,8 @@ WHERE
AND p0.start_time < (strftime('%s', 'now') - 1200)
AND exception_key NOT IN (
'(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
+ 'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
+ 'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
diff --git a/detection/persistence/yara-suspicious-strings-process-linux.sql b/detection/persistence/yara-suspicious-strings-process-linux.sql
index 175fa7b4..6f262793 100644
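Review bot: `'22,6,0,systemd'` accepts a root-owned TCP/22 listener purely on the process name `systemd`, which is what socket-activated sshd (ssh.socket) looks like on recent Ubuntu, but the name is self-reported and the key carries no pid, so anything else calling itself systemd and bound to port 22 as root is exempted too; a comment recording the intent, `-- socket-activated sshd (ssh.socket): pid 1 holds the listener`, would at least make that trade-off visible. The two `systemd-network` keys deserve a note as well: `58,255` appears to be a raw socket (protocol 255) for ICMPv6 (58), i.e. IPv6 router/neighbour discovery, and `68,17` is the DHCPv4 client port, neither of which is obvious from the tuple. The three new keys are also inserted between the `10250` and `10254` entries rather than in sorted position.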
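Review bot: `'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755'` pins the exception to uid 501's session slice, so the same long-lived root sshd process for any other user's login (user-1000.slice on a stock Ubuntu install, for instance) will still alert; if the intent is to accept sshd's privileged per-session process in general rather than only the Lima user, an exact-match NOT IN cannot express that and a separate predicate on the slice pattern would be needed. Either way a trailing comment such as `-- root sshd for an interactive login session (uid 501, presumably the Lima guest user)` would record why a root sshd outside system.slice is expected. The enclosing WHERE starts outside this hunk.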
--- a/detection/persistence/yara-suspicious-strings-process-linux.sql
+++ b/detection/persistence/yara-suspicious-strings-process-linux.sql
@@ -89,6 +89,7 @@ WHERE
'/usr/bin/gnome-software',
'/usr/bin/gpg-agent',
'/usr/bin/ibus-daemon',
+ '/usr/bin/make',
'/usr/bin/NetworkManager',
'/usr/bin/nvidia-persistenced',
'/usr/bin/pulseaudio',
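Review bot: `'/usr/bin/make'` exempts every make process from the suspicious-strings scan by path alone, and make is a general-purpose command runner (any recipe can spawn a shell or fetch and execute code), so this is a broad carve-out for a tool that is routinely used for arbitrary execution. If the false positive came from a particular build, scoping the exception by cmdline or parent process would preserve the rule's coverage; at minimum a trailing comment naming which strings tripped the rule for make would justify the entry. Whether this list is matched against the process path or something else is decided outside this hunk.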