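-- Unexpected launchd scripts that use the 'program' field
--
-- Lists launchd jobs that start on their own (run_at_load or keep_alive),
-- live outside /System, and whose 'program' executable is signed by an
-- authority that is not on the vendor allow list below.
--
-- references:
-- * https://attack.mitre.org/techniques/T1543/004/ (Create or Modify System Process: Launch Daemon)
--
-- false positives:
-- * Software by new vendors which have not yet been added to the allow list
--
-- tags: persistent filesystem state
-- platform: darwin
SELECT
  l.label,
  l.name,
  l.path,
  l.program,
  l.program_arguments,
  l.keep_alive,
  signature.authority AS program_authority,
  signature.identifier AS program_identifier,
  -- sha256 of the launchd plist itself (joined on l.path), not of the program binary
  hash.sha256
FROM
  launchd l
  -- code-signing details of the executable named in the 'program' field
  LEFT JOIN signature ON l.program = signature.path
  -- hash of the plist file that defines the job
  LEFT JOIN hash ON l.path = hash.path
WHERE
  -- only jobs that launchd starts by itself
  (
    run_at_load = 1
    OR keep_alive = 1
  )
  AND l.path NOT LIKE '/System/%'
  AND program IS NOT NULL
  -- signature is LEFT JOINed, so authority is NULL when no signature row comes
  -- back for the program path. NULL NOT IN (...) evaluates to NULL, which would
  -- silently drop exactly the rows an analyst most wants to see (unsigned or
  -- unresolvable programs); coalesce to '' so they are kept.
  -- The allow list matches the full authority string, team identifier included.
  AND COALESCE(signature.authority, '') NOT IN (
    'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Bitdefender SRL (GUNFMW623Y)',
    'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
    'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)',
    'Developer ID Application: Universal Audio (4KAC9AX6CG)',
    'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
    'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
    'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
    'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
    'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)',
    'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
    'Developer ID Application: Louis Pontoise (QXD7GW8FHY)',
    'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
    'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
    'Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X)',
    'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
    'Developer ID Application: Rogue Amoeba Software, Inc. (7266XEXAPM)',
    'Developer ID Application: Signify Netherlands B.V. (PREPN2W95S)',
    'Developer ID Application: TPZ Solucoes Digitais Ltda (X37R283V2T)',
    'Developer ID Application: Valve Corporation (MXGJJ98X76)',
    'Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)',
    'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
    'Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
    'Software Signing'
  )
  -- known unsigned programs that are expected on managed hosts
  AND program NOT IN (
    '/usr/local/MacGPG2/libexec/shutdown-gpg-agent',
    '/usr/local/bin/warsaw/core'
  )
  -- Docker Desktop's socket helper: an Apple-signed /bin/ln that recreates
  -- /var/run/docker.sock; matched on path, signer, identifier and arguments
  AND NOT (
    l.path = '/Library/LaunchDaemons/com.docker.socket.plist'
    AND program_authority = 'Software Signing'
    AND program_identifier IN ('com.apple.ln', 'com.apple.link')
    AND program_arguments LIKE '/bin/ln -s -f /Users/%/run/docker.sock /var/run/docker.sock'
  )
-- one row per plist; the non-aggregated columns come from whichever row the
-- engine picks for that path
GROUP BY
  l.path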