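-- Unexpected programs communicating over HTTPS (state-based)
--
-- references:
-- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
--
-- tags: transient state net often
-- platform: macos
--
-- osquery (SQLite dialect) query. One row per distinct command line that owns a
-- TCP/UDP socket to a non-private remote address on port 443 and is not covered
-- by one of the allow-lists below. Two keys drive the allow-lists:
--   exception_key      euid,basename,name,signing authority,signing identifier
--   alt_exception_key  euid,basename,name,<file uid>u,<file gid>g
-- euid/uid/gid are capped at 500 so every non-system account looks alike.
-- CONCAT and REGEX_MATCH are osquery SQL functions; MIN(a, b) is SQLite's
-- two-argument scalar min, not the aggregate.
SELECT
  pos.protocol,
  pos.local_port,
  pos.remote_port,
  pos.remote_address,
  pos.local_address,
  -- signature-based key: the basename is taken from the path via REGEX_MATCH
  CONCAT (
    MIN(p0.euid, 500),
    ',',
    REGEX_MATCH (p0.path, '.*/(.*?)$', 1),
    ',',
    p0.name,
    ',',
    s.authority,
    ',',
    s.identifier
  ) AS exception_key,
  -- ownership-based key for unsigned / locally built tools (go build, cargo, ...)
  CONCAT (
    MIN(p0.euid, 500),
    ',',
    REGEX_MATCH (p0.path, '.*/(.*?)$', 1),
    ',',
    p0.name,
    ',',
    MIN(f.uid, 500),
    'u,',
    MIN(f.gid, 500),
    'g'
  ) AS alt_exception_key,
  -- Child
  p0.pid AS p0_pid,
  p0.path AS p0_path,
  s.authority AS p0_sauth,
  s.identifier AS p0_sid,
  p0.name AS p0_name,
  p0.cmdline AS p0_cmd,
  p0.cwd AS p0_cwd,
  p0.euid AS p0_euid,
  p0_hash.sha256 AS p0_sha256,
  -- Parent
  p0.parent AS p1_pid,
  p1.path AS p1_path,
  p1.name AS p1_name,
  p1.euid AS p1_euid,
  p1.cmdline AS p1_cmd,
  p1_hash.sha256 AS p1_sha256,
  -- Grandparent
  p1.parent AS p2_pid,
  p2.name AS p2_name,
  p2.path AS p2_path,
  p2.cmdline AS p2_cmd,
  p2_hash.sha256 AS p2_sha256
FROM
  process_open_sockets pos
  -- LEFT JOINs so a socket whose process vanished mid-query still surfaces
  LEFT JOIN processes p0 ON pos.pid = p0.pid
  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
  LEFT JOIN processes p1 ON p0.parent = p1.pid
  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
  LEFT JOIN processes p2 ON p1.parent = p2.pid
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
  LEFT JOIN file f ON p0.path = f.path
  LEFT JOIN signature s ON p0.path = s.path
WHERE
  -- 6 = TCP, 17 = UDP
  pos.protocol IN (6, 17)
  AND pos.remote_port = 443
  -- loopback, link-local, RFC 1918 and ULA destinations are out of scope
  AND pos.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
  AND pos.remote_address NOT LIKE 'fe80:%'
  AND pos.remote_address NOT LIKE '127.%'
  AND pos.remote_address NOT LIKE '192.168.%'
  -- 172.16.0.0/12 spelled out per /16: the earlier '172.1%' / '172.2%'
  -- prefixes also silently excluded public space (172.1.x, 172.10-15.x,
  -- 172.100-199.x, 172.2.x, 172.200-255.x)
  AND pos.remote_address NOT LIKE '172.16.%'
  AND pos.remote_address NOT LIKE '172.17.%'
  AND pos.remote_address NOT LIKE '172.18.%'
  AND pos.remote_address NOT LIKE '172.19.%'
  AND pos.remote_address NOT LIKE '172.20.%'
  AND pos.remote_address NOT LIKE '172.21.%'
  AND pos.remote_address NOT LIKE '172.22.%'
  AND pos.remote_address NOT LIKE '172.23.%'
  AND pos.remote_address NOT LIKE '172.24.%'
  AND pos.remote_address NOT LIKE '172.25.%'
  AND pos.remote_address NOT LIKE '172.26.%'
  AND pos.remote_address NOT LIKE '172.27.%'
  AND pos.remote_address NOT LIKE '172.28.%'
  AND pos.remote_address NOT LIKE '172.29.%'
  AND pos.remote_address NOT LIKE '172.30.%'
  AND pos.remote_address NOT LIKE '172.31.%'
  -- NOTE(review): the IPv4-mapped form is still wider than the /12; tighten if
  -- v4-mapped addresses show up in results
  AND pos.remote_address NOT LIKE '::ffff:172.%'
  AND pos.remote_address NOT LIKE '10.%'
  AND pos.remote_address NOT LIKE '::ffff:10.%'
  AND pos.remote_address NOT LIKE 'fdfd:%'
  AND pos.remote_address NOT LIKE 'fc00:%'
  -- listeners are not outbound connections
  AND pos.state != 'LISTEN'
  -- Ignore most common application paths
  AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
  AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
  AND p0.path NOT LIKE '/Library/Application Support/%/Contents/%'
  AND p0.path NOT LIKE '/System/Applications/%'
  AND p0.path NOT LIKE '/System/Library/%'
  AND p0.path NOT LIKE '/Users/%/Library/%.app/Contents/MacOS/%'
  AND p0.path NOT LIKE '/Users/%/code/%'
  AND p0.path NOT LIKE '/Users/%/src/%'
  AND p0.path NOT LIKE '/Users/%/bin/%'
  AND p0.path NOT LIKE '/System/%'
  AND p0.path NOT LIKE '/Users/%/Library/Caches/JetBrains/%/tmp/GoLand/___%'
  AND p0.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
  AND p0.path NOT LIKE '/usr/libexec/%'
  AND p0.path NOT LIKE '/usr/sbin/%'
  AND p0.path NOT LIKE '/usr/local/kolide-k2/%'
  AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%'
  -- Apple programs running from weird places, like the UpdateBrainService.
  -- COALESCE keeps a NULL authority/identifier from turning NOT (...) into
  -- NULL and silently dropping the row.
  AND NOT (
    COALESCE(s.identifier, '') LIKE 'com.apple.%'
    AND COALESCE(s.authority, '') = 'Software Signing'
  )
  AND NOT exception_key IN (
    '0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
    '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
    -- NOTE(review): three fields only; can never equal a five-field exception_key
    '500,Fleet,~/Library/Caches/JetBrains/Fleet',
    '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
    '500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
    '500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
    '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
    '500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop',
    '500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
    '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
    '500,bash,bash,,bash',
    '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
    '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
    '500,melange,melange,,a.out',
    '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
    '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
    '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
    '500,syncthing,syncthing,,syncthing'
  )
  -- sorted by binary name to make additions and duplicates easy to spot
  AND NOT alt_exception_key IN (
    '0,velociraptor,velociraptor,0u,0g',
    '0,velociraptor,velociraptor,0u,80g',
    '500,.man-wrapped,.man-wrapped,0u,500g',
    '500,apko,apko,0u,0g',
    '500,apko,apko,500u,20g',
    '500,aws,aws,0u,0g',
    '500,cargo,cargo,500u,80g',
    '500,chainctl,chainctl,0u,0g',
    '500,chainctl,chainctl,500u,20g',
    '500,chainlink,chainlink,500u,20g',
    '500,cilium,cilium,500u,123g',
    '500,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
    '500,cosign,cosign,0u,500g',
    '500,cosign,cosign,500u,20g',
    '500,cosign,cosign,500u,80g',
    '500,cpu,cpu,500u,20g',
    '500,crane,crane,0u,500g',
    '500,crane,crane,500u,80g',
    '500,gh-dash,gh-dash,500u,20g',
    '500,git,git,0u,500g',
    '500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',
    '500,git-remote-http,git-remote-http,500u,20g',
    '500,git-remote-http,git-remote-http,500u,80g',
    '500,gitsign,gitsign,500u,20g',
    '500,go,go,500u,80g',
    -- NOTE(review): exception_key format in the alt list; this entry never matches
    '500,istioctl,istioctl,,a.out',
    '500,istioctl,istioctl,500u,20g',
    '500,nodegizmo,nodegizmo,500u,20g',
    '500,pprof,pprof,500u,80g',
    '500,pulumi-resource-gcp,pulumi-resource-gcp,500u,20g',
    '500,sdaudioswitch,sdaudioswitch,500u,20g',
    '500,sdzoomplugin,sdzoomplugin,500u,20g',
    '500,snyk-macos-arm64,snyk-macos-arm64,500u,20g',
    '500,taplo-full-darwin-aarch64,taplo-full-darwin-aarch64,500u,20g',
    '500,vexi,vexi,500u,20g',
    '500,vim,vim,0u,500g',
    '500,wolfibump,wolfibump,500u,20g',
    '500,wolfictl,wolfictl,0u,0g',
    '500,wolfictl,wolfictl,500u,20g'
  )
  -- trusted signing authorities; COALESCE avoids the NOT IN / NULL trap
  AND NOT COALESCE(s.authority, '') IN (
    'Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
    'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: AgileBits Inc. (2BUA8C4S2C)',
    'Developer ID Application: Bitdefender SRL (GUNFMW623Y)',
    'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
    'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
    'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
    'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
    'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
    'Developer ID Application: Farhan Ahmed (4RZN52RN5P)',
    'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
    'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
    'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
    'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
    'Developer ID Application: Michael Schreiber (G966ML7VBG)',
    'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    'Developer ID Application: PSI Services LLC (73AT498HPV)',
    'Developer ID Application: Panic, Inc. (VE8FC488U5)',
    'Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
    'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
    'Developer ID Application: Reflect App, LLC (789ULN5MZB)',
    'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
    'Developer ID Application: Spotify (2FNC3A47ZF)',
    'Developer ID Application: SteelSeries (6WGL6CHFH2)',
    'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
    'Developer ID Application: Tailscale Inc. (W5364U7YZB)',
    'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
    'Developer ID Application: Valve Corporation (MXGJJ98X76)',
    'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
    'Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
  )
  -- locally built plugin families, matched by prefix
  AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
  AND NOT alt_exception_key LIKE '500,plugin_host-%,plugin_host-%,500u,20g'
  AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
  -- a specific local Python project
  AND NOT (
    exception_key = '500,Python,Python,,org.python.python'
    AND p0_cmd LIKE '% main.py'
    AND p0_cwd LIKE '%/neko'
  )
  -- Python-based cloud tooling (gcloud, gsutil, aws, pip) and dev checkouts
  AND NOT (
    exception_key IN (
      '500,Python,Python,,org.python.python',
      '500,Python,Python,,Python',
      '500,Python,Python,,',
      '500,Python,Python,Developer ID Application: Ned Deily (DJ3H93M7VJ),org.python.python'
    )
    AND (
      p0_cmd LIKE '%/gcloud.py%'
      OR p0_cmd LIKE '%/google-cloud-sdk/bin/%'
      OR p0_cmd LIKE '%/google-cloud-sdk/platform/%'
      OR p0_cmd LIKE '%pip install%'
      OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
      OR p0_cmd LIKE '%/bin/aws%'
      OR p0_cmd LIKE '%/gsutil/gsutil %'
      OR p0_cwd LIKE '/Users/%/github/%'
      OR p0_cwd LIKE '/Users/%/src/%'
    )
  )
  -- theScore and other iPhone apps. The path pattern contains wildcards, so it
  -- must be LIKE; with '=' this exception could never match.
  AND NOT (
    s.authority = 'Apple iPhone OS Application Signing'
    AND p0.cwd = '/'
    AND p0.path LIKE '/private/var/folders/%/Wrapper/%.app/%'
  )
  -- nix socket inheritance
  AND NOT (
    p0.path LIKE '/nix/store/%/bin/%'
    AND p1.path LIKE '/nix/store/%/bin/%'
  )
-- collapse several sockets from the same command line into one row
-- (SQLite bare-column semantics: the non-grouped columns come from one
-- arbitrary row of each group)
GROUP BY
  p0.cmdline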