diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index e240926..e61c655 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -95,6 +95,7 @@ WHERE
 AND p0.path NOT LIKE '/Users/%/src/%'
 AND p0.path NOT LIKE '/Users/%/bin/%'
 AND p0.path NOT LIKE '/System/%'
+ AND p0.path NOT LIKE '/Users/%/Library/Caches/JetBrains/%/tmp/GoLand/___%'
 AND p0.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
 AND p0.path NOT LIKE '/usr/libexec/%'
 AND p0.path NOT LIKE '/usr/sbin/%'
diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index eed9e8d..a9dc07e 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -89,6 +89,7 @@ WHERE
 '/System/Volumes',
 '/usr/libexec',
 '/usr/local',
+ '/usr/bin',
 '/usr/sbin',
 '~/.provisio',
 '~/Applications',
@@ -100,11 +101,16 @@ WHERE
 '~/src',
 '~/work'
 )
- AND NOT homedir = '~/Library/Application Support/Foxit Software/Addon/Foxit PDF Reader/FoxitPDFReaderUpdateService.app/Contents/MacOS'
+ AND NOT homedir IN (
+ '~/Library/Application Support/Foxit Software/Addon/Foxit PDF Reader/FoxitPDFReaderUpdateService.app/Contents/MacOS',
+ '/opt/spotify'
+ )
 AND NOT exception_key IN (
 '500,0,110,syncthing',
 '500,0,1234,spotify',
 '500,0,123,sntp',
+ '500,500,32768,Code Helper',
+ '500,0,443,Authy',
 '500,0,20480,io.tailscale.ipn.macsys.network-extension',
 '500,0,22,ssh',
 '500,0,31488,sntp',
@@ -119,6 +125,7 @@ WHERE
 '500,0,443,chrome_crashpad_handler',
 '500,0,443,com.apple.MobileSoftwareUpdate.UpdateBrainService',
 '500,0,443,com.apple.NRD.UpdateBrainService',
+ '500,500,32768,Chromium Helper',
 '500,0,443,com.google.one.NetworkExtension',
 '500,0,443,curl',
 '500,0,443,electron',
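Review bot: In the added `AND p0.path NOT LIKE '/Users/%/Library/Caches/JetBrains/%/tmp/GoLand/___%'` the three underscores are LIKE single-character wildcards, not literal underscores, so the pattern exempts every path under `tmp/GoLand/` that has at least three more characters, which is far wider than the `___`-prefixed build artifacts it appears to target. If literal underscores are intended, escape them: `AND p0.path NOT LIKE '/Users/%/Library/Caches/JetBrains/%/tmp/GoLand/\_\_\_%' ESCAPE '\'`. Because this is a user-writable cache directory, a one-line comment stating what GoLand puts there would also make the exception auditable.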
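Review bot: The new `'/usr/bin'` entry in the `homedir` list exempts every program under that directory from this talker query, which is a much broader exception than the neighbouring vendor-specific ones; if a single `/usr/bin` binary motivated it, naming it in a `--` comment on the line (or excepting that program by name below) keeps the blind spot visible to the next reader. The rest of the enclosing list lies outside the hunk.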
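Review bot: `'500,500,32768,Code Helper'` is added to the `exception_key` list in this hunk and again in the `@@ -136,6 +145,7 @@` hunk of the same file, so one of the two is a duplicate and should be dropped. The surviving entry belongs with the other `500,500,…` keys rather than between the `500,0,…` ones, which the list otherwise keeps in order; the same applies to `'500,0,443,Authy'`, which lands between `500,0,123` and `500,0,20480`. Unordered inserts are how duplicates like this one creep in.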
@@ -126,6 +133,8 @@ WHERE
 '500,0,443,fwupdmgr',
 '500,0,443,git-remote-http',
 '500,0,443,gnome-software',
+ '500,0,53,electron',
+ '500,0,443,kioslave5',
 '500,0,443,http',
 '500,0,443,io.tailscale.ipn.macsys.network-extension',
 '500,0,443,ksfetch',
@@ -136,6 +145,7 @@ WHERE
 '500,0,443,OneDriveStandaloneUpdater',
 '500,0,443,slack',
 '500,0,443,snapd',
+ '500,500,32768,Code Helper',
 '500,0,443,spotify',
 '500,0,443,ssh',
 '500,0,443,syncthing',
@@ -147,6 +157,7 @@ WHERE
 '500,0,53,launcher',
 '500,0,53,NetworkManager',
 '500,0,53,slack',
+ '500,0,443,com.fortinet.forticlient.macos.vpn.nwextension',
 '500,0,53,spotify',
 '500,0,53,wget',
 '500,0,5632,ssh',
@@ -161,6 +172,7 @@ WHERE
 '500,500,13568,Code Helper',
 '500,500,20480,Code Helper',
 '500,500,20480,GoogleUpdater',
+ '500,0,4070,spotify',
 '500,500,20480,ksfetch',
 '500,500,22,ssh',
 '500,500,2304,cloud_sql_proxy',
@@ -188,6 +200,7 @@ WHERE
 '500,500,443,git-remote-http',
 '500,500,443,gitsign',
 '500,500,443,GitX',
+ '500,500,32768,melange',
 '500,500,443,go',
 '500,500,443,Google Chrome Helper',
 '500,500,443,GoogleUpdater',
@@ -196,6 +209,7 @@ WHERE
 '500,500,443,kubectl',
 '500,500,443,minikube',
 '500,500,443,node',
+ '500,500,2304,terraform-provider-google_v4.37.0_x5',
 '500,500,443,old',
 '500,500,443,Signal',
 '500,500,443,Signal Helper (Renderer)',
@@ -213,6 +227,10 @@ WHERE
 AND NOT exception_key LIKE '500,500,443,terraform%'
 AND NOT exception_key LIKE '500,0,%,syncthing'
 AND NOT exception_key LIKE '500,0,%,chrome'
+ AND NOT p0_path LIKE '/Users/%/code/%'
+ AND NOT p0_path LIKE '/Users/%/go/%'
+ AND NOT p0_path LIKE '/Users/%/src/%'
+ AND NOT p0_path LIKE '/Users/%/dev/%'
 AND NOT (
 basename = "Python"
 AND (
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 1253420..c87a728 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
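Review bot: `'500,0,53,electron'` and `'500,0,443,kioslave5'` are inserted into the middle of the `500,0,443,…` run, and the same out-of-order placement happens with `'500,0,443,com.fortinet.forticlient.macos.vpn.nwextension'` in `@@ -147`, `'500,0,4070,spotify'` in `@@ -161`, `'500,500,32768,melange'` in `@@ -188` and `'500,500,2304,terraform-provider-google_v4.37.0_x5'` in `@@ -196`; the list is otherwise kept in key order, which is what makes duplicates visible. Moving each entry to its sorted position is a mechanical fix. The version-pinned `terraform-provider-google_v4.37.0_x5` key will stop matching at the next provider upgrade; the file already uses `AND NOT exception_key LIKE '500,500,443,terraform%'`, so a `AND NOT exception_key LIKE '500,500,2304,terraform-provider-google_v%'` pattern would be more durable if that port is stable.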
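Review bot: The four new `AND NOT p0_path LIKE '/Users/%/code/%'`-style conditions exempt any process executing from a user's `code`, `go`, `src` or `dev` tree regardless of the port or peer the other conditions check, which for a C2 talker query is a large blind spot in exactly the user-writable locations where tooling is staged. If these are meant for locally built developer binaries, scope them to the case they cover — for example `AND NOT (p0_path LIKE '/Users/%/src/%' AND exception_key LIKE '500,500,%')`, assuming the key's first two fields are the uid/gid pair the surrounding entries suggest — and add a `--` comment stating the rationale. The enclosing `WHERE` clause continues past the hunk.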
@@ -221,8 +221,12 @@ WHERE
 'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
 'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
+ 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
+ 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
+ 'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
+ 'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
 'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
 'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
diff --git a/detection/evasion/hidden-home-library-dir.sql b/detection/evasion/hidden-home-library-dir.sql
index 1836902..6e418f1 100644
--- a/detection/evasion/hidden-home-library-dir.sql
+++ b/detection/evasion/hidden-home-library-dir.sql
@@ -43,8 +43,7 @@ WHERE
 '~/Library/Finance/.finance_dropbox_SUPPORT/_EXTERNAL_DATA',
 '~/Library/com.apple.groupkitd/.syncedGroupStore_SUPPORT/_EXTERNAL_DATA/',
 '~/Library/Preferences/.wrangler',
- '~/Library/Mobile Documents/.Trash/2.0',
- '~/Library/Mobile Documents/.Trash',
+ '~/Library/Mobile Documents/.Trash%',
 '~/Library/Group Containers/.SiriTodayViewExtension/Library',
 '~/Library/Group Containers/.SiriTodayViewExtension',
 '~/Library/Saved Searches/.DockTags',
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
index d054a84..5db2432 100644
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
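Review bot: The merged `'~/Library/Mobile Documents/.Trash%'` entry sits in what reads as an `IN (...)` list of exact paths (every neighbour is a literal path; the enclosing predicate is outside the hunk). Inside `IN`, `%` is an ordinary character, so the entry would match neither `.Trash` nor `.Trash/2.0` and both previously excepted paths would start alerting again. If the list is indeed a `NOT IN`, keep the two literal entries, or express the wildcard as a separate `NOT LIKE '~/Library/Mobile Documents/.Trash%'` condition on the same column.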
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
@@ -75,6 +75,7 @@ WHERE
 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
 'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
+ 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker,/Applications/Docker.app/,501',
 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
diff --git a/detection/evasion/unusual-executable-name-macos.sql b/detection/evasion/unusual-executable-name-macos.sql
index d094e73..2c75d7e 100644
--- a/detection/evasion/unusual-executable-name-macos.sql
+++ b/detection/evasion/unusual-executable-name-macos.sql
@@ -6,7 +6,10 @@
 -- tags: persistent process
 SELECT
 COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS pname,
- COALESCE(REGEX_MATCH (p0.path, '.*/.*\.([a-z]{2,4})$', 1), "") AS pext,
+ COALESCE(
+ REGEX_MATCH (p0.path, '.*/.*\.([a-z]{2,4})$', 1),
+ ""
+ ) AS pext,
 -- Child
 p0.pid AS p0_pid,
 p0.path AS p0_path,
@@ -29,7 +32,7 @@ SELECT
 p2.name AS p2_name,
 p2.path AS p2_path,
 p2.cmdline AS p2_cmd,
- p2_hash.sha256 AS p2_sha256
+ p2_hash.sha256 AS p2_sha256
 FROM processes p0
 LEFT JOIN signature s ON p0.path = s.path
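Review bot: The reflowed `COALESCE(...)` keeps `""` as the empty-string fallback; in SQLite a double-quoted token is resolved as an identifier first and only falls back to a string literal under the legacy double-quoted-string behaviour (`SQLITE_DQS`), which builds can disable, so the portable literal is `''`. Since the line is being rewritten anyway, `''` is the safer choice; the same applies to `"%)"` and the `("", "gui", "cli", "us", "node", "com")` list in the `@@ -82,13 +85,14 @@` hunk of this file. The `SELECT` list continues outside the hunk.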
@@ -82,13 +85,14 @@ WHERE
 OR REGEX_MATCH (pname, "^(\W)", 1) != ""
 OR (
 REGEX_MATCH (pname, "(\W)$", 1) != ""
- AND pname NOT LIKE "%)"
+ AND pname NOT LIKE "%)"
 )
 AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
 )
 AND NOT pname IN (
 'cpu',
 'BetterTouchToolAppleScriptRunner',
+ 'ThingsWidgetExtensionMacAppStore',
 'BetterTouchToolShellScriptRunner',
 'at.obdev.littlesnitch.networkextension',
 'EcammLiveVideoOutAssistantXPCHelper'
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
index eb1b62c..5462050 100644
--- a/detection/evasion/unusual-process-name-macos.sql
+++ b/detection/evasion/unusual-process-name-macos.sql
@@ -97,6 +97,7 @@ WHERE
 AND NOT pname IN (
 'cpu',
 'com.microsoft.teams2.notificationcenter',
+ 'at.obdev.littlesnitch.endpointsecurity',
 'BetterTouchToolAppleScriptRunner',
 'BetterTouchToolShellScriptRunner',
 'TwitterNotificationServiceExtension',
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 4bdad8f..244d72b 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -143,13 +143,12 @@ WHERE
 '/Library/Application Support/GPGTools',
 '/Library/Application Support/com.canonical.multipass',
 '/Library/Application Support/org.pqrs',
- '~/Library/Application Support/Steam',
 '/Library/Developer/CommandLineTools',
- '/Library/Screen Savers/XScreenSaverUpdater.app',
 '/Library/Google/GoogleSoftwareUpdate',
 '/Library/Java/JavaVirtualMachines',
 '/Library/Plug-Ins/FxPlug',
 '/Library/Printers/Canon',
+ '/Library/Screen Savers/XScreenSaverUpdater.app',
 '/Volumes/Google Chrome/Google Chrome.app',
 '/Volumes/Slack/Slack.app',
 '/opt/homebrew/Caskroom',
@@ -168,6 +167,8 @@ WHERE
 '~/Library/Application Support/Foxit Software',
 '~/Library/Application Support/JetBrains',
 '~/Library/Application Support/LogMeInInc',
+ '~/Library/Application Support/OpenLens',
+ '~/Library/Application Support/Steam',
 '~/Library/Application Support/com.elgato.StreamDeck',
 '~/Library/Application Support/com.grammarly.ProjectLlama',
 '~/Library/Application Support/minecraft',
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index a31c1fe..ee7ee75 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -130,6 +130,7 @@ WHERE
 '500,go,a.out,',
 '500,gopls,a.out,',
 '500,gopls,gopls,',
+ '500,monday.com,com.monday.desktop,Apple Mac OS Application Signing',
 '500,gpg-agent,gpg-agent,',
 '500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
 '500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
@@ -216,6 +217,7 @@ WHERE
 AND NOT exception_key LIKE '500,copilot-agent-macos-%,copilot-agent-macos-%,'
 AND NOT exception_key LIKE '500,samply,samply-%,'
 AND NOT exception_key LIKE '500,gopls_%,a.out,'
+ AND NOT exception_key LIKE '500,terraform-provider-%,,'
 AND NOT exception_key LIKE '500,terraform-provider-%,a.out,'
 AND NOT exception_key LIKE '500,Runner.%,apphost-%,'
 AND NOT exception_key LIKE '500,kubectl.%,a.out,'
diff --git a/detection/execution/unexpected-sysutils-macos.sql b/detection/execution/unexpected-sysutils-macos.sql
index 8bf14e4..22e83ab 100644
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
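Review bot: The added `AND NOT exception_key LIKE '500,terraform-provider-%,,'` exempts any binary whose name starts with `terraform-provider-` when the two trailing fields are empty; if the key follows the `uid,name,identifier,authority` shape that the neighbouring `'500,gopls,a.out,'` entries suggest, that means unsigned binaries with no bundle identifier, matched on name alone, which is the easiest attribute for a dropped binary to borrow. Tying the exception to the directory the providers are installed from, or adding a `--` comment on why the unsigned case is accepted, would keep it reviewable. In the `@@ -130` hunk of this file `'500,monday.com,…'` is inserted between the `gopls` and `gpg-agent` entries rather than in sorted position.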
@@ -101,6 +101,7 @@ WHERE
 'sysctl -n hw.optional.arm64',
 'sw_vers -productName',
 'sysctl -n sysctl.proc_translated',
+ '/usr/sbin/system_profiler SPUSBDataType',
 '/usr/sbin/sysctl kern.hv_support',
 '/usr/sbin/sysctl -n hw.cputype',
 '/usr/sbin/sysctl sysctl.proc_translated'
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 7143a07..3b9b26a 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -55,6 +55,11 @@ WHERE
 AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
 AND p0.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'
 AND p0.name NOT IN (
+ 'GoogleSoftwareUpdateAgent',
+ 'LogiFacecamService',
+ 'Safari',
+ 'UpdateBrainService',
+ 'ZwiftAppMetal',
 'baloo_file',
 'baloo_file_extr',
 'bash',
@@ -79,7 +84,6 @@ WHERE
 'gnome-software',
 'go',
 'golangci-lint',
- 'GoogleSoftwareUpdateAgent',
 'gopls',
 'grype',
 'java',
@@ -89,7 +93,6 @@ WHERE
 'kube-scheduler',
 'kue',
 'launcher',
- 'LogiFacecamService',
 'mediawriter',
 'melange',
 'nautilus',
@@ -105,7 +108,6 @@ WHERE
 'qemu-system-x86-64',
 'rpi-imager',
 'rsync',
- 'Safari',
 'sh',
 'slack',
 'spotify',
@@ -117,14 +119,13 @@ WHERE
 'thunderbird',
 'tilt',
 'unattended-upgr',
- 'UpdateBrainService',
 'vim',
 'wineserver',
+ 'wolfictl',
 'yay',
 'ykman-gui',
 'yum',
- 'zsh',
- 'ZwiftAppMetal'
+ 'zsh'
 )
 AND NOT p0.path IN (
 '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
diff --git a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
index a224e01..b9d008a 100644
--- a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
+++ b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql
@@ -72,11 +72,13 @@ WHERE
 'crane',
 'op',
 'kubectl',
+ 'yay',
 'go',
 'docker',
 'lima-guestagent',
 'containerd-star',
 'gopls',
+ 'ollama',
 'launcher',
 'tflint',
 'cloud-sql-proxy',
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
index 3959435..b9b2a1d 100644
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -1,5 +1,4 @@
 -- Rust Program that uses both HTTP and Exec
-
 -- tags: persistent
 -- interval: 7200
 -- platform: posix
@@ -52,6 +51,7 @@ WHERE
 AND p0.name NOT IN (
 'old',
 'stable',
+ 'nvim',
 'Cody',
 'fig-darwin-universal',
 'wezterm-gui'
diff --git a/detection/impact/unexpected-etc-hosts.sql b/detection/impact/unexpected-etc-hosts.sql
index 1fae06d..79b56c3 100644
--- a/detection/impact/unexpected-etc-hosts.sql
+++ b/detection/impact/unexpected-etc-hosts.sql
@@ -41,5 +41,6 @@ WHERE
 AND hostnames NOT LIKE '%.test'
 AND hostnames NOT LIKE '%.internal'
 AND hostnames NOT LIKE '%.local'
+ AND hostnames NOT LIKE "%.cloud"
 AND hostnames NOT LIKE 'ip6-%'
 AND hostnames NOT LIKE "%.example.com"
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index c764f7f..e009aed 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -97,27 +97,29 @@ WHERE
 'openra.net',
 'oracle.com',
 'osuosl.org',
+ 'perforce.com',
 'pqrs.org',
 'prusa3d.com',
 'remarkable.com',
 'rewind.ai',
 's3.amazonaws.com',
- 'synaptics.com',
 'securew2.com',
 'signal.org',
 'skype.com',
 'slack-edge.com',
+ 'slack.com',
 'stclairsoft.com',
 'steampowered.com',
+ 'synaptics.com',
 'tableplus.com',
 'teams.cdn.office.net',
 'techsmith.com',
- 'slack.com',
 'ubuntu.com',
 'umd.edu',
 'usa.canon.com',
 'uubyte.com',
 'vc.logitech.com',
+ 'vimcal.com',
 'virtualbox.org',
 'vmware.com',
 'warp.dev',
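Review bot: `AND hostnames NOT LIKE "%.cloud"` exempts every hostname under the public `.cloud` top-level domain, whereas the neighbouring exceptions (`%.test`, `%.internal`, `%.local`, `ip6-%`) are reserved or link-local names; a hosts-file entry that redirects a real `.cloud` service would now pass this check unnoticed. If one specific host is the source of noise, list it exactly, e.g. `AND hostnames != '<host>.cloud'` with the real name substituted, and use single quotes as the `'%.local'` line does rather than the double-quoted `"%.example.com"` form, which SQLite only accepts as a string literal through its legacy fallback. The enclosing `WHERE` clause starts before the hunk.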
@@ -130,35 +132,36 @@ WHERE
 )
 -- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here
 AND host NOT IN (
- 'arc.net',
- 'presenting.app',
 'adoptium.net',
- 'mimestream.com',
+ 'arc.net',
 'balsamiq.com',
 'bearly.ai',
 'brave.com',
+ 'calibre-ebook.com',
 'cron.com',
- 'opalcamera.com',
 'discord.com',
 'dl.discordapp.net',
- 'flipperzero.one',
 'dl.google.com',
 'duckduckgo.com',
- 'go.dev',
 'dygma.com',
 'emacsformacosx.com',
+ 'flipperzero.one',
 'getkap.co',
 'github.com',
+ 'go.dev',
 'krisp.ai',
 'mail.google.com',
 'manual.canon',
+ 'mimestream.com',
+ 'mnvoip.mm.fcix.net',
 'mutedeck.com',
 'obdev.at',
 'obsidian.md',
 'obsproject.com',
+ 'opalcamera.com',
 'posit.co',
+ 'presenting.app',
 'proton.me',
- 'mnvoip.mm.fcix.net',
 'rancherdesktop.io',
 'rectangleapp.com',
 'stclairsoft.s3.amazonaws.com',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index f02b2d5..cd1d8b3 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -63,6 +63,7 @@ WHERE
 'PK-Backend',
 'Rancher Desktop',
 'Runner.Listener',
+ 'terraform-provi',
 'Runner.Worker',
 'abrt-action-per',
 'abrt-handle-eve',
@@ -91,6 +92,7 @@ WHERE
 'fish',
 'gephi',
 'git',
+ 'GoogleUpdater',
 'git-remote-http',
 'git-remote-https',
 'gnome-session-b',
@@ -246,7 +248,7 @@ WHERE
 AND NOT p1.name LIKE '%term%'
 AND NOT p1.name LIKE '%Term%'
 AND NOT p1.name LIKE 'Emacs%'
- AND NOT p1.name LIKE 'terraform-provider-%'
+ AND NOT p1.name LIKE 'terraform-prov%'
 AND NOT p1.path LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent'
 -- Oh, NixOS.
 AND NOT p1.name LIKE '%/bin/bash'
diff --git a/detection/persistence/unexpected-launchd-program-macos.sql b/detection/persistence/unexpected-launchd-program-macos.sql
index 784a367..5924e1f 100644
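Review bot: The new `'terraform-provi'` entry in the `p1.name` list is redundant with the relaxed `AND NOT p1.name LIKE 'terraform-prov%'` in the `@@ -246` hunk of this file, which already matches that 15-character truncated form (the same truncation the `abrt-action-per` and `gnome-session-b` entries show); keep one of the two. Shortening the prefix from `terraform-provider-%` to `terraform-prov%` also widens the exemption to any shell parent whose name begins with `terraform-prov`; restoring `AND NOT p1.name LIKE 'terraform-provider-%'` and keeping the exact `'terraform-provi'` entry covers both the full and the truncated name without the extra slack. In `@@ -91`, `'GoogleUpdater'` is inserted between `git` and `git-remote-http`, breaking the list's order.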
--- a/detection/persistence/unexpected-launchd-program-macos.sql
+++ b/detection/persistence/unexpected-launchd-program-macos.sql
@@ -33,6 +33,7 @@ WHERE
 'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
 'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
 'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
+ 'Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)',
 'Developer ID Application: Docker Inc (9BNSXJN65R)',
 'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)',
 'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 173c272..5290cb5 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -53,6 +53,7 @@ WHERE
 -- port is capped at 49152 to represent transient ports
 AND NOT exception_key IN (
 '10011,6,0,launchd,Software Signing',
+ '10011,6,0,webfilterproxyd,Software Signing',
 '1024,6,0,systemmigrationd,Software Signing',
 '1313,6,500,hugo,',
 '1338,6,500,registry,',
@@ -65,7 +66,6 @@ WHERE
 '1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '2112,6,500,fake,',
 '2112,6,500,rekor-server,',
- '3181,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
 '2112,6,500,timestamp-server,',
 '22,6,0,launchd,Software Signing',
 '22000,6,500,syncthing,',
@@ -80,6 +80,8 @@ WHERE
 '3080,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
 '3090,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
 '3180,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
+ '3181,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
+ '3182,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
 '3306,6,500,mariadbd,',
 '3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
 '33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
@@ -117,6 +119,8 @@ WHERE
 '49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
 '49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
 '49152,6,500,node,',
+ '49152,6,500,qemu-system-aarch64,',
+ '33333,6,500,Ultimate,',
 '49152,6,500,rapportd,Software Signing',
 '49152,6,500,telepresence,',
 '49152,6,500,vpnkit-bridge,Developer ID Application: Docker Inc (9BNSXJN65R)',
@@ -144,7 +148,6 @@ WHERE
 '80,6,500,limactl,',
 '8081,6,500,crane,',
 '81,6,500,nginx,',
- '49152,6,500,qemu-system-aarch64,',
 '8123,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
 '8770,6,500,sharingd,Software Signing',
 '8771,6,500,sharingd,Software Signing',
diff --git a/detection/persistence/unexpected-small-udev-entry-linux.sql b/detection/persistence/unexpected-small-udev-entry-linux.sql
index 670b242..c908f42 100644
--- a/detection/persistence/unexpected-small-udev-entry-linux.sql
+++ b/detection/persistence/unexpected-small-udev-entry-linux.sql
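Review bot: `'33333,6,500,Ultimate,'` is added with an empty trailing field — which, going by the signed neighbours such as `'49152,6,500,rapportd,Software Signing'`, appears to be the signing authority — so it exempts any uid-500 process named `Ultimate` listening on 33333 with no signature constraint, and it is placed in the middle of the `49152,…` run rather than with the other `3xxxx` keys. Since the key carries nothing that identifies the product, a trailing `-- <product name>` comment on the entry would make the exception auditable, and the sorted position is what keeps moves like the `3181` entry (`@@ -65` and this hunk) and `qemu-system-aarch64` (`@@ -144`) visibly non-duplicating. The enclosing `IN (...)` list continues outside the hunk.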
@@ -35,6 +35,7 @@ WHERE
 '/usr/lib/udev/rules.d/45-i2c-tools.rules',
 '/usr/lib/udev/rules.d/50-apport.rules',
 '/usr/lib/udev/rules.d/60-ddcutil.rules',
+ '/usr/lib/udev/rules.d/60-ddcutil-i2c.rules',
 '/usr/lib/udev/rules.d/60-drm.rules',
 '/usr/lib/udev/rules.d/60-net.rules',
 '/usr/lib/udev/rules.d/60-rfkill.rules',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 724a01f..4caf442 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -97,6 +97,7 @@ WHERE
 'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
 'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755',
 'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
+ 'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
 'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
 'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
 'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index 65dd84c..c9369e1 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -204,6 +204,7 @@ WHERE -- Focus on longer-running programs
 '/usr/libexec/colorsync.displayservices',
 '/usr/libexec/colorsyncd',
 '/usr/libexec/configd',
+ '/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater',
 '/usr/libexec/containermanagerd',
 '/usr/libexec/corebrightnessd',
 '/usr/libexec/coreduetd',
diff --git a/detection/persistence/yara-suspicious-strings-process-linux.sql b/detection/persistence/yara-suspicious-strings-process-linux.sql
index f858e11..37751a7 100644
--- a/detection/persistence/yara-suspicious-strings-process-linux.sql
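Review bot: `'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755'` exempts a root-owned `bash` running inside a user session slice, which is precisely the shape of an escalated interactive shell that a uid0-daemon query exists to surface, and the name/path pair it keys on is the stock shell every host has. If a specific legitimate mechanism leaves a root shell under `user-1000.slice`, narrow the exception to that mechanism (its own name/path key, or a parent-path condition elsewhere in the `WHERE`) and record it with a `-- <reason>` comment on the line; as written the entry silently removes the signal for every such shell. It is also inserted between two `agetty` entries instead of in sorted order. The key layout (name, path, uid, slice, unit, mode) is inferred from the neighbouring entries. In the `uid0-daemon-macos` hunk below, the `Java Updater` path is likewise dropped into the middle of the `/usr/libexec/` run.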
+++ b/detection/persistence/yara-suspicious-strings-process-linux.sql
@@ -66,7 +66,7 @@ WHERE
 $avahi = "avahi-daemon:"
 $redhat4 = "Red Hat 4"
 condition:
- filesize < 25MB and 3 of them
+ filesize < 25MB and 4 of them
 }'
 AND yara.count > 0
 AND p0.name NOT IN (
@@ -83,6 +83,7 @@ WHERE
 AND p0.path NOT LIKE '%/chrome_crashpad_handler'
 AND p0.path NOT LIKE '/nix/store/%/bin/%'
 AND p0.path NOT LIKE '/nix/store/%/libexec/%'
+ AND p0.path NOT LIKE '/usr/local/aws-cli/%/aws'
 AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
 AND p0.path NOT IN (
 '/bin/bash',
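Review bot: Raising the YARA condition from `3 of them` to `4 of them` lowers the rule's sensitivity for every process scanned, while the `@@ -83` hunk in the same file shows the narrower tool already in use — an exact path exception such as the new `AND p0.path NOT LIKE '/usr/local/aws-cli/%/aws'`. If one binary was hitting three strings, a path or `p0.name` exception for it keeps the original threshold; if the threshold change is deliberate, a `-- NOTE:` line above `condition:` naming the strings that co-occur benignly would record the reasoning for the next tuning pass. The YARA rule string and the enclosing `WHERE` both begin before the hunk.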