-- Unexpected launchd scripts that use the 'program_arguments' field
--
-- references:
-- * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
--
-- false positives:
-- * Software by new vendors which have not yet been added to the allow list
--
-- tags: persistent filesystem state
-- platform: darwin
SELECT
l.label,
l.name,
l.path,
TRIM(REGEX_SPLIT (l.program_arguments, ' -', 0)) AS program_path,
l.program_arguments,
l.keep_alive,
signature.authority AS program_authority,
hash.sha256
FROM
launchd l
LEFT JOIN signature ON program_path = signature.path
LEFT JOIN hash ON program_path = hash.path
WHERE
(
run_at_load = 1
OR keep_alive = 1
)
AND (
program IS NULL
OR program = ''
)
AND l.path NOT LIKE '/System/%'
AND l.path NOT LIKE '/Library/Apple/System/%'
AND program_authority NOT IN (
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: AtomicJar, Inc. (33C47PTHN6)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Canva Pty Ltd (5HD2ARTBFS)',
'Developer ID Application: Cloudflare Inc. (68WVV388M8)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
'Developer ID Application: Foxit Corporation (8GN47HTP75)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Grammarly, Inc (W8F64X92K3)',
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
'Developer ID Application: Krisp Technologies, Inc. (U5R26XM5Z2)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
'Developer ID Application: Maxon Computer GmbH (4ZY22YGXQG)',
'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Mullvad VPN AB (CKG9MXH72F)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)',
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X)',
'Developer ID Application: Paragon Software GmbH (LSJ6YVK468)',
'Developer ID Application: PFU LIMITED (XW4U7W2E9L)', -- Fujitsu
'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
'Developer ID Application: Proton AG (2SB5Z68H26)',
'Developer ID Application: Proton Technologies AG (6UN54H93QT)',
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'Developer ID Application: Red Hat, Inc. (HYSCB8KRL2)',
'Developer ID Application: Sanford, L.P. (N3S6676K3E)', -- DYMO
'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'Developer ID Application: Ubiquiti Inc. (4P645293E8)',
'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
'Software Signing', -- Apple
'yabai-cert'
)
AND program_arguments NOT IN (
'/Applications/AeroSpace.app/Contents/MacOS/AeroSpace --started-at-login',
'/Applications/RODE Virtual Channels.app/Contents/MacOS/RODE Virtual Channels',
'/Applications/Stream Deck.app/Contents/MacOS/Stream Deck --runinbk',
'/Applications/Tunnelblick.app/Contents/Resources/launchAtLogin.sh',
'/Library/Application Support/Sony Application Launcher/SonyAutoLauncher.app/Contents/MacOS/SonyAutoLauncher',
'/Library/Application Support/WirelessAutoImport/WirelessImporterDaemon',
'/Library/PrivilegedHelperTools/MHLinkServer.app/Contents/MacOS/MHLinkServer',
'/opt/homebrew/bin/gitsign-credential-cache',
'/opt/homebrew/opt/emacs/bin/emacs --fg-daemon',
'/opt/homebrew/opt/libvirt/sbin/libvirtd -f /opt/homebrew/etc/libvirt/libvirtd.conf',
'/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf',
'/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080',
'/opt/homebrew/opt/mariadb/bin/mysqld_safe',
'/opt/homebrew/opt/nginx/bin/nginx -g daemon off;',
'/opt/homebrew/opt/pueue/bin/pueued --verbose',
'/opt/homebrew/opt/skhd/bin/skhd',
'/opt/homebrew/opt/tailscale/bin/tailscaled',
'/opt/homebrew/opt/yubikey-agent/bin/yubikey-agent -l /opt/homebrew/var/run/yubikey-agent.sock',
'/usr/local/MacGPG2/libexec/fixGpgHome'
)
AND program_arguments NOT LIKE '/opt/homebrew/opt/%/bin/%'
AND program_arguments NOT LIKE '/opt/homebrew/opt/mongodb-community%/bin/mongod --config /opt/homebrew/etc/mongod.conf'
AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/Grammarly Uninstaller'
AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh'
AND program_arguments NOT LIKE '%/mysqld_safe --datadir=%'
AND program_arguments NOT LIKE '/opt/homebrew/opt/socket_vmnet/bin/socket_vmnet --vmnet-gateway=% /opt/homebrew/var/run/socket_vmnet'