From bf66053d5c682a7991e20a26437c4815cb2e9779 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Mon, 2 Oct 2023 16:11:44 -0400
Subject: [PATCH] fpr: containerd, hyper, Docker, Chromium, spotify, busycal

---
 detection/c2/unexpected-talker-events.sql | 5 ++++-
 detection/evasion/old-binaries-running.sql | 1 +
 .../evasion/unexpected-alf-exceptions-macos.sql | 3 ++-
 detection/execution/exotic-command-events-macos.sql | 1 +
 .../execution/unexpected-execdir-events-macos.sql | 5 ++++-
 .../unexpected-security-framework-program-macos.sql | 13 ++++++++-----
 .../initial_access/sketchy-mounted-diskimage.sql | 3 ++-
 .../initial_access/unexpected-shell-parents.sql | 1 +
 .../yara-suspicious-strings-process-linux.sql | 8 ++++----
 9 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index c8d7db23..3b4a307f 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -11,7 +11,7 @@ SELECT
 s.family,
 s.path,
 s.fd,
- REPLACE("::ffff:", "", s.remote_address),
+ REPLACE(s.remote_address, "::ffff:", "") AS remote_address,
 s.remote_port,
 s.local_port,
 COALESCE(REGEX_MATCH (s.path, '.*/(.*)', 1), s.path) AS basename,
@@ -103,6 +103,8 @@ WHERE
 AND NOT exception_key IN (
 '500,0,110,syncthing',
 '500,0,123,sntp',
+ '500,0,53,spotify',
+ '500,0,1234,spotify',
 '500,0,20480,io.tailscale.ipn.macsys.network-extension',
 '500,0,22,ssh',
 '500,0,31488,sntp',
@@ -131,6 +133,7 @@ WHERE
 '500,0,443,ssh',
 '500,500,53,Code Helper',
 '500,0,43,whois',
+ '500,0,443,spotify',
 '500,0,443,syncthing',
 '500,0,443,velociraptor',
 '500,0,443,wget',
diff --git a/detection/evasion/old-binaries-running.sql b/detection/evasion/old-binaries-running.sql
index 5c6c4375..0f94a5d9 100644
--- a/detection/evasion/old-binaries-running.sql
+++ b/detection/evasion/old-binaries-running.sql
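Review bot: The corrected `REPLACE` still passes `"::ffff:"` and `""` in double quotes, which SQLite (the engine behind the osqueryd tables queried here) parses as identifiers and only demotes to string literals through a legacy fallback that builds can turn off, so the expression stays fragile even now that the argument order is right. Every other literal in this file uses single quotes, so match that: `REPLACE(s.remote_address, '::ffff:', '') AS remote_address,`. The enclosing SELECT starts and ends outside the hunk.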
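Review bot: `'500,0,53,spotify'` and `'500,0,1234,spotify'` (and `'500,0,443,spotify'` in the next hunk) exempt connections on process name alone; judging by the shape of the neighbouring keys, exception_key carries no executable path or signer, so any uid-500 process that calls itself spotify is excluded as well, and port 53 is one of the ports a C2 rule normally wants to keep watching. The commit message says only "fpr", so a short comment above the entries recording why Spotify is expected on 53 and 1234, e.g. `-- spotify: observed on 53/1234 (TODO: confirm; consider a path-keyed exception)`, would let the next reviewer re-verify the exception instead of inheriting it. The enclosing WHERE clause starts and ends outside the hunk.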
@@ -56,6 +56,7 @@ WHERE
 '/usr/bin/sshfs',
 '/usr/bin/xclip',
 '/usr/bin/xss-lock',
+ '/usr/bin/i3lock',
 '/usr/local/bin/dive'
 )
 AND p.name NOT IN (
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
index 4014b80e..d054a847 100644
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
@@ -64,6 +64,7 @@ WHERE
 '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
 'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
 'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
+ 'Apple Mac OS Application Signing,com.busymac.busycal3,/Applications/BusyCal.app/,0',
 'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
 'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
 'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
@@ -73,6 +74,7 @@ WHERE
 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
+ 'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
@@ -81,7 +83,6 @@ WHERE
 'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
 'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
- 'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
 'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
 'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql
index bc288c3d..87132693 100644
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@@ -209,6 +209,7 @@ WHERE
 'yara,500,bash,fish',
 'ssh,500,limactl.ventura,launchd',
 'git,500,zsh,login',
+ 'bat,500,zsh,login',
 'git,500,zsh,goland',
 'sh,0,Ecamm Live,launchd',
 'cat,500,zsh,login'
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 09145ec7..4bdad8ff 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -258,7 +258,10 @@ WHERE
 ) -- Locally built executables
 AND NOT (
 s.identifier = 'a.out'
- AND dir LIKE '~/%'
+ AND (
+ dir LIKE '~/%'
+ OR dir LIKE '/Users/%'
+ )
 AND p1_name IN ('fish', 'sh', 'bash', 'zsh', 'terraform', 'code')
 )
 AND NOT (
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index 58d532e6..1b3b24e4 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -96,6 +96,9 @@ WHERE
 '500,Duckly Helper,Electron Helper,',
 '500,Duckly,Electron,',
 '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
+ '500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
+ '500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
+ '500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
 '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
 '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
 '500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
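Review bot: `OR dir LIKE '/Users/%'` widens the locally-built-executable exemption from the caller's own home (`~/%`) to every path under /Users, so an unsigned `a.out` launched from a shell out of /Users/Shared or another account's Downloads folder is now skipped too, assuming `dir` is the executable's directory as its name suggests. If the intent is only to match un-normalised home paths, keep the new branch but carve out the obviously shared and download locations, e.g. `OR (dir LIKE '/Users/%' AND dir NOT LIKE '/Users/Shared/%' AND dir NOT LIKE '%/Downloads/%')`. The enclosing WHERE clause starts and ends outside the hunk.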
@@ -126,8 +129,6 @@ WHERE
 '500,bash,bash,',
 '500,bash,com.apple.bash,Software Signing',
 '500,bufls,a.out,',
- '500,timestamp-server,a.out,',
- '500,docker,a.out,',
 '500,chainctl,a.out,',
 '500,cloud-sql-proxy,a.out,',
 '500,cloud-sql-proxy.darwin.arm64,a.out,',
@@ -137,11 +138,9 @@ WHERE
 '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
 '500,crane,a.out,',
 '500,debug.test,a.out,',
- '500,gke-gcloud-auth-plugin,a.out,',
 '500,dive,a.out,',
- '500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
- '500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
 '500,dlv,a.out,',
+ '500,docker,a.out,',
 '500,epdfinfo,epdfinfo,',
 '500,esbuild,,',
 '500,esbuild,a.out,',
@@ -149,6 +148,7 @@ WHERE
 '500,git,git,',
 '500,gitsign,a.out,',
 '500,gitsign-credential-cache,a.out,',
+ '500,gke-gcloud-auth-plugin,a.out,',
 '500,go,a.out,',
 '500,gopls,a.out,',
 '500,gopls,gopls,',
@@ -164,6 +164,7 @@ WHERE
 '500,mattermost,a.out,',
 '500,melange,a.out,',
 '500,melange-run,a.out,',
+ '500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
 '500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
 '500,monorail,a.out,',
 '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
@@ -172,6 +173,7 @@ WHERE
 '500,registry-redirect,a.out,',
 '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
 '500,scdaemon,scdaemon,',
+ '500,Chromium,Chromium,',
 '500,sdaudioswitch,,',
 '500,sdaudioswitch,sdaudioswitch,',
 '500,sdzoomplugin,,',
@@ -184,6 +186,7 @@ WHERE
 '500,tflint,a.out,',
 '500,tflint-ruleset-aws,a.out,',
 '500,tflint-ruleset-google,a.out,',
+ '500,timestamp-server,a.out,',
 '500,vim,,',
 '500,vim,vim,'
 )
diff --git a/detection/initial_access/sketchy-mounted-diskimage.sql b/detection/initial_access/sketchy-mounted-diskimage.sql
index 160238e3..57033040 100644
--- a/detection/initial_access/sketchy-mounted-diskimage.sql
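Review bot: `'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing'` is deleted in the `@@ -137,11` hunk but, unlike the other four deletions in this file, is never re-added in sorted position, so Divvy will start firing this rule; if that is deliberate, a line in the commit message (which only lists additions) should say so, otherwise the entry needs to come back. Separately, `'500,Chromium,Chromium,'` in the `@@ -172,6` hunk sits between scdaemon and sdaudioswitch although the list otherwise keeps capitalised names ahead of lowercase ones (Duckly, Emacs-arm64-11, Final Cut Pro in the first hunk), and its empty fourth field, which reads as the signer on every other key, means it matches any unsigned binary that names itself Chromium. A comment above it such as `-- Chromium: no signer in key, so name-only match (TODO: confirm and narrow if possible)` would record that trade-off for the next reviewer.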
+++ b/detection/initial_access/sketchy-mounted-diskimage.sql
@@ -97,7 +97,6 @@ WHERE
 OR (
 (
 vol_name LIKE "Install%"
- -- The rest are synced with sketchy-download-names
 OR vol_name LIKE "%.app%"
 OR vol_name LIKE "%AnyDesk%"
@@ -174,6 +173,8 @@ WHERE
 -- emacs
 AND magic.data NOT LIKE 'symbolic link to bin-x86%'
 AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
+ -- Docker
+ AND magic.data NOT LIKE 'cannot open%'
 )
 )
 GROUP BY
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 8701dc28..d5190155 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -157,6 +157,7 @@ WHERE
 AND p1_path NOT IN (
 '/Applications/Docker.app/Contents/MacOS/Docker',
 '/Applications/Docker.app/Contents/MacOS/install',
+ '/Applications/Hyper.app/Contents/MacOS/Hyper',
 '/Applications/Visual Studio Code.app/Contents/MacOS/Electron',
 '/Applications/Docker.app/Contents/Resources/bin/com.docker.cli',
 '/Applications/Docker.app/Contents/Resources/bin/docker-credential-desktop',
diff --git a/detection/persistence/yara-suspicious-strings-process-linux.sql b/detection/persistence/yara-suspicious-strings-process-linux.sql
index dcb50c51..1721e17f 100644
--- a/detection/persistence/yara-suspicious-strings-process-linux.sql
+++ b/detection/persistence/yara-suspicious-strings-process-linux.sql
@@ -43,8 +43,7 @@ FROM
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
 p0.start_time > (strftime('%s', 'now') - 7200)
- AND
- yara.sigrule = '
+ AND yara.sigrule = '
 rule redflags {
 strings:
 $bash_history = ".bash_history"
@@ -90,6 +89,7 @@ WHERE
 '/usr/bin/sudo',
 '/usr/bin/bash',
 '/usr/bin/containerd-shim-runc-v2',
+ '/bin/containerd-shim-runc-v2',
 '/usr/bin/docker-proxy',
 '/usr/bin/fish',
 '/usr/bin/gnome-software',
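Review bot: Dropping `-- The rest are synced with sketchy-download-names` removes the only pointer telling a maintainer that the vol_name patterns below are mirrored from another rule, so the two lists will now drift without anyone noticing; unless the sync no longer holds, keep the comment, or reword it to name where the list is actually maintained. The enclosing OR group starts and ends outside the hunk.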
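Review bot: `AND magic.data NOT LIKE 'cannot open%'` is much broader than its `-- Docker` label: "cannot open" is what libmagic reports whenever the probed path cannot be read (missing, unreadable, permission denied), so any mounted image whose magic lookup fails for any reason is now exempt from this rule, not only Docker's. Pair the condition with something that identifies the Docker mount, for example `AND NOT (magic.data LIKE 'cannot open%' AND vol_name LIKE '<docker-volume-pattern>')` with the pattern filled in from the mount actually observed (placeholder, not a real value). The enclosing WHERE clause starts and ends outside the hunk.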
@@ -102,7 +102,7 @@ WHERE
 '/usr/bin/udevadm',
 '/usr/bin/update-notifier',
 '/usr/bin/Xwayland',
- '/usr/lib/bluetooth/bluetoothd',
+ '/usr/lib/bluetooth/bluetoothd',
 '/usr/lib/bluetooth/obexd',
 '/usr/libexec/accounts-daemon',
 '/usr/libexec/bluetooth/bluetoothd',
@@ -123,4 +123,4 @@ WHERE
 '/usr/sbin/NetworkManager',
 '/usr/sbin/rsyslogd',
 '/usr/sbin/smartd'
- )
\ No newline at end of file
+ )