Massive false-positive reduction, particularly for uBlue

This commit is contained in:
Thomas Stromberg 2024-06-27 09:23:52 -04:00
parent 18e05c5a4c
commit 00fa80a0d9
40 changed files with 568 additions and 474 deletions


@ -57,12 +57,12 @@ WHERE
AND s.remote_address NOT LIKE 'fc00:%'
AND p.path != ''
AND NOT exception_key IN (
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'0,apk,u,g,apk',
'0,applydeltarpm,0u,0g,applydeltarpm',
'0,bash,0u,0g,bash',
'0,bash,0u,0g,mkinitcpio',
'0,bash,0u,0g,sh',
'0,canonical-livepatchd,0u,0g,canonical-livep',
'0,chainctl,0u,0g,chainctl',
'0,cmake,u,g,cmake',
'0,containerd,u,g,containerd',
@ -78,90 +78,72 @@ WHERE
'0,http,0u,0g,https',
'0,ir_agent,0u,0g,ir_agent',
'0,kmod,0u,0g,depmod',
'500,gdb,0u,0g,gdb',
'0,launcher,0u,0g,launcher',
'0,launcher,500u,500g,launcher',
'0,ldconfig,0u,0g,ldconfig',
'0,make,0u,0g,make',
'0,metricbeat,0u,0g,metricbeat',
'0,nessusd,0u,0g,nessusd',
'500,license-detector,500u,500g,license-detecto',
'0,nix,0u,0g,nix',
'500,node,500u,500g,npm run start',
'0,nix,0u,0g,nix-daemon',
'0,orbit,0u,0g,orbit',
'0,osqueryd,0u,0g,osqueryd',
'0,packagekitd,0u,0g,packagekitd',
'0,packetbeat,0u,0g,packetbeat',
'0,pacman,0u,0g,pacman',
'0,python3.10,0u,0g,dnf',
'0,python3.10,0u,0g,dnf-automatic',
'0,python3.10,0u,0g,yum',
'0,python3.11,0u,0g,dnf',
'500,deno,500u,500g,deno',
'0,python3.11,0u,0g,dnf-automatic',
'0,python3.11,0u,0g,yum',
'0,python3.12,0u,0g,dnf',
'0,python3.12,0u,0g,dnf-automatic',
'0,python3.12,0u,0g,yum',
'0,rapid7_endpoint_broker,0u,0g,rapid7_endpoint',
'0,rpi-imager,0u,0g,rpi-imager',
'0,snapd,0u,0g,snapd',
'128,fwupdmgr,0u,0g,fwupdmgr',
'0,systemctl,0u,0g,systemctl',
'500,flatpak,0u,0g,flatpak',
'0,tailscaled,0u,0g,tailscaled',
'0,tailscaled,500u,500g,tailscaled',
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'0,velociraptor,0u,0g,velociraptor_cl',
'0,yay,0u,0g,yay',
'500,losslesscut,500u,500g,losslesscut',
'105,http,0u,0g,https',
'106,geoclue,0u,0g,geoclue',
'115,geoclue,0u,0g,geoclue',
'120,fwupdmgr,0u,0g,fwupdmgr',
'128,fwupdmgr,0u,0g,fwupdmgr',
'129,fwupdmgr,0u,0g,fwupdmgr',
'42,http,0u,0g,https',
'500,1password,0u,0g,1password',
'500,Brackets,0u,0g,Brackets',
'500,Discord,0u,0g,Discord',
'500,Discord,u,g,Discord',
'500,Keybase,0u,0g,Keybase',
'500,Logseq,u,g,Logseq',
'500,Melvor Idle,500u,500g,exe',
'500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
'500,WPILibInstaller,500u,500g,WPILibInstaller',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,___go_build_main_go,500u,500g,___go_build_mai',
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,act,0u,0g,act',
'500,apk,500u,500g,apk',
'500,apk,u,g,apk',
'500,obsidian,0u,0g,obsidian',
'500,apko,500u,500g,apko',
'500,apko,u,g,apko',
'500,gcsfuse,500u,500g,gcsfuse',
'500,apk,u,g,apk',
'500,aws,0u,0g,aws',
'500,skopeo,0u,0g,skopeo',
'500,syncthing,u,g,syncthing',
'0,python3.12,0u,0g,dnf',
'500,aws,500u,500g,aws',
'500,bash,0u,0g,bash',
'500,beeper,u,g,beeper',
'115,geoclue,0u,0g,geoclue',
'120,fwupdmgr,0u,0g,fwupdmgr',
'500,Docker Desktop,0u,0g,Docker Desktop',
'500,bom,500u,500g,bom',
'500,bom-linux-amd64,500u,500g,bom-linux-amd64',
'500,Brackets,0u,0g,Brackets',
'500,brave,0u,0g,brave',
'0,canonical-livepatchd,0u,0g,canonical-livep',
'500,buildkitd,500u,500g,buildkitd',
'500,buildkite-agent,500u,500g,buildkite-agent',
'500,cargo,0u,0g,cargo',
'500,cargo,500u,500g,cargo',
'500,cargo,u,g,cargo',
'500,chainctl,0u,0g,chainctl',
'500,chainctl,500u,100g,chainctl',
'500,chainctl,500u,493g,chainctl',
'500,chainctl,500u,500g,chainctl',
'500,chainctl,500u,500g,docker-credenti',
'500,chrome,0u,0g,chrome',
'500,chrome,u,g,chrome',
'500,chrome_crashpad_handler,0u,0g,chrome_crashpad',
'500,chrome,u,g,chrome',
'500,cilium,500u,123g,cilium',
'500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'500,code,0u,0g,code',
@ -177,23 +159,30 @@ WHERE
'500,crane,0u,0g,crane',
'500,crane,500u,500g,crane',
'500,curl,0u,0g,curl',
'500,deno,500u,500g,deno',
'500,Discord,0u,0g,Discord',
'500,Discord,u,g,Discord',
'500,docker,0u,0g,docker',
'500,docker-buildx,0u,0g,docker-buildx',
'500,Docker Desktop,0u,0g,Docker Desktop',
'500,eksctl,0u,0g,eksctl',
'500,eksctl,500u,500g,eksctl',
'500,electron,0u,0g,electron',
'500,evolution-addressbook-factory,0u,0g,evolution-addre',
'500,evolution-calendar-factory,0u,0g,evolution-calen',
'500,evolution-source-registry,0u,0g,evolution-sourc',
'500,firefox,0u,0g,firefox',
'500,firefox,0u,0g,.firefox-wrappe',
'500,firefox,0u,0g,Socket Process',
'500,firefox,0u,0g,firefox',
'500,firefox-bin,500u,500g,firefox-bin',
'500,firefox-bin,u,g,firefox-bin',
'500,flameshot,0u,0g,flameshot',
'500,flatpak,0u,0g,flatpak',
'500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
'500,flux,500u,500g,flux',
'500,fulcio,500u,500g,fulcio',
'500,gcsfuse,500u,500g,gcsfuse',
'500,gdb,0u,0g,gdb',
'500,geoclue,0u,0g,geoclue',
'500,gh,0u,0g,gh',
'500,git,0u,0g,git',
@ -209,9 +198,10 @@ WHERE
'500,gnome-software,0u,0g,gnome-software',
'500,go,0u,0g,go',
'500,go,500u,500g,go',
'500,go,u,g,go',
'500,goa-daemon,0u,0g,goa-daemon',
'500,___go_build_main_go,500u,500g,___go_build_mai',
'500,gobuster,500u,500g,gobuster',
'500,go,u,g,go',
'500,grafana,u,g,grafana',
'500,grype,0u,0g,grype',
'500,grype,500u,500g,grype',
@ -231,6 +221,7 @@ WHERE
'500,k6,500u,500g,k6',
'500,kbfsfuse,0u,0g,kbfsfuse',
'500,keybase,0u,0g,keybase',
'500,Keybase,0u,0g,Keybase',
'500,kioslave5,0u,0g,kioslave5',
'500,ko,500u,500g,ko',
'500,ko,u,g,ko',
@ -240,26 +231,32 @@ WHERE
'500,kubectl,500u,500g,kubectl',
'500,lens,0u,0g,lens',
'500,less,0u,0g,less',
'500,license-detector,500u,500g,license-detecto',
'500,limactl,0u,0g,limactl',
'500,Logseq,u,g,Logseq',
'500,losslesscut,500u,500g,losslesscut',
'500,mconvert,500u,500g,mconvert',
'500,mediawriter,u,g,mediawriter',
'500,melange,500u,500g,melange',
'500,melange,u,g,melange',
'500,Melvor Idle,500u,500g,exe',
'500,minikube,0u,0g,minikube',
'500,nautilus,0u,0g,nautilus',
'500,nerdctl,500u,500g,nerdctl',
'500,nix,0u,0g,nix',
'500,node,0u,0g,.node2nix-wrapp',
'500,node,0u,0g,node',
'500,node,0u,0g,.node2nix-wrapp',
'500,node,0u,0g,npm install',
'500,node,500u,500g,npm run start',
'500,node,u,g,node',
'500,nuclei,500u,500g,nuclei',
'500,obs,0u,0g,obs',
'500,obs,u,g,obs',
'500,obs-browser-page,0u,0g,obs-browser-pag',
'500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
'500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
'500,obsidian,0u,0g,obsidian',
'500,obsidian,u,g,obsidian',
'500,obs,u,g,obs',
'500,op,0u,500g,op',
'500,packer-plugin-proxmox_v1.1.2_x5.0_linux_amd64,500u,500g,packer-plugin-p',
'500,pacman,0u,0g,pacman',
@ -268,9 +265,7 @@ WHERE
'500,pingsender,0u,0g,pingsender',
'500,promoter,500u,500g,promoter',
'500,publish-release,500u,500g,publish-release',
'500,python.test,500u,500g,python.test',
'500,python3,0u,0g,python3',
'500,python3,500u,500g,python3',
'500,python3.10,0u,0g,aws',
'500,python3.10,0u,0g,python',
'500,python3.10,0u,0g,python3',
@ -279,6 +274,8 @@ WHERE
'500,python3.11,0u,0g,gnome-abrt',
'500,python3.11,0u,0g,protonvpn',
'500,python3.11,0u,0g,prowler',
'500,python3,500u,500g,python3',
'500,python.test,500u,500g,python.test',
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'500,reporter-ureport,0u,0g,reporter-urepor',
'500,rpi-imager,0u,0g,rpi-imager',
@ -286,6 +283,7 @@ WHERE
'500,scoville,500u,500g,scoville',
'500,signal-desktop,0u,0g,signal-desktop',
'500,signal-desktop,u,g,signal-desktop',
'500,skopeo,0u,0g,skopeo',
'500,slack,0u,0g,slack',
'500,slack,u,g,slack',
'500,slirp4netns,0u,0g,slirp4netns',
@ -303,6 +301,7 @@ WHERE
'500,step-cli,0u,0g,step',
'500,stern,500u,500g,stern',
'500,syncthing,0u,0g,syncthing',
'500,syncthing,u,g,syncthing',
'500,synergy,0u,0g,synergy',
'500,teams,0u,0g,teams',
'500,terraform,0u,0g,terraform',
@ -311,17 +310,19 @@ WHERE
'500,thunderbird,0u,0g,thunderbird',
'500,thunderbird,u,g,thunderbird',
'500,tilt,500u,500g,tilt',
'500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
'500,todoist,0u,0g,todoist',
'500,trivy,0u,0g,trivy',
'500,trivy,500u,500g,trivy',
'500,ubuntu-report,0u,0g,ubuntu-report',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,wget,0u,0g,wget',
'500,wine64-preloader,500u,500g,DaveTheDiver.ex',
'500,wine64-preloader,500u,500g,Root.exe',
'500,wolfictl,500u,500g,wolfictl',
'500,WPILibInstaller,500u,500g,WPILibInstaller',
'500,xmobar,0u,0g,xmobar',
'500,yay,0u,0g,yay',
'0,packetbeat,0u,0g,packetbeat',
'500,zdup,500u,500g,zdup',
'500,zoom,0u,0g,zoom',
'500,zoom.real,u,g,zoom.real'
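Review bot: Every key in this list identifies a process by uid, basename and euid/egid alone (`'500,curl,0u,0g,curl'`, `'500,wget,0u,0g,wget'`, `'500,bash,0u,0g,bash'`), so the exclusion applies to any process presenting that name regardless of where its binary lives, and each generic tool name added here widens that gap a little more. The WHERE already requires `p.path != ''`, so the path is available and could be folded into exception_key for the generic names; that is a larger change, but a comment above the list would at least make the trade-off visible, e.g. `-- NOTE: keys match on basename only; prefer path-qualified keys for generic tools (bash, curl, wget, python)`. The SELECT that builds exception_key and the start of the WHERE are outside the hunks shown, so I cannot tell whether path is already part of another key in this query.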


@ -111,7 +111,9 @@ WHERE
'500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
'500,bash,bash,,bash',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
'500,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
'500,Fleet,~/Library/Caches/JetBrains/Fleet',
'500,.Telegram-wrapped,.Telegram-wrapped,,Telegram',
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
'500,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
'500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
@ -122,18 +124,18 @@ WHERE
'500,krisp Helper,krisp Helper,Developer ID Application: Krisp Technologies, Inc. (U5R26XM5Z2),ai.krisp.krispMac.helper',
'500,krisp,krisp,Developer ID Application: Krisp Technologies, Inc. (U5R26XM5Z2),ai.krisp.krispMac',
'500,melange,melange,,a.out',
'500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
'500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
'500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
'500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
'500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop',
'500,process-agent,process-agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),process-agent',
'500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
'500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
'500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
'500,Skitch,Skitch,Developer ID Application: Skitch Inc (J8RPQ294UB),com.skitch.skitch',
'500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
'500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
'500,syncthing,syncthing,,syncthing',
'500,process-agent,process-agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),process-agent',
'500,trunk,trunk,Developer ID Application: Trunk Technologies, Inc. (LDR5F9BL92),trunk-cli',
'500,WebexHelper,WebexHelper,Developer ID Application: Cisco (DE8Y96K9QP),Cisco-Systems.SparkHelper',
'500,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed'
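Review bot: `'500,Fleet,~/Library/Caches/JetBrains/Fleet'` has three comma-separated fields where every neighbouring key has five (uid, name, name, authority, identifier), so it can never equal the computed exception_key and will not suppress anything; the `~` also looks like an unexpanded shell path rather than a value that would appear in process data. The first hunk of this section adds lines without removing any, so this entry is on the new side. If Fleet runs unsigned out of its cache directory, the key presumably needs the empty-authority form used by `'500,bash,bash,,bash'` (a constructed guess would be `'500,Fleet,Fleet,,Fleet'`; confirm against an actual row before committing it). The SELECT that builds exception_key is outside the hunk.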


@ -67,9 +67,12 @@ WHERE
p0.euid = 0
AND pmm.path LIKE '%libcurl%'
AND NOT exception_key IN (
'0,0,/var/run/ublue-update.lock,regular,0755',
'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,rpm-ostreed.service,0755',
'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,ublue-update.service,0755',
'dnf-automatic,/usr/bin/python3.12,0,system.slice,dnf-automatic-install.service,0755',
'dnf-automatic,/usr/bin/python__VERSION__,0,system.slice,dnf-automatic-install.service,0755',
'dnf,/usr/bin/python__VERSION__,0,system.slice,dnf-makecache.service,0755',
'0,0,/var/run/ublue-update.lock,regular,0755',
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
@ -78,9 +81,9 @@ WHERE
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
'ostree,/usr/bin/ostree,0,system.slice,ostree-finalize-staged-hold.service,0755',
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
'dnf-automatic,/usr/bin/python3.12,0,system.slice,dnf-automatic-install.service,0755',
'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
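Review bot: `'0,0,/var/run/ublue-update.lock,regular,0755'` does not follow the `name,path,euid,slice,unit,mode` layout of every other key in the list (two numbers, a path and the word `regular`), so it presumably never equals exception_key and the ublue-update finding it is meant to silence will keep appearing; the line occurs twice in the first hunk, so whichever copy is the addition, the new side still carries it. It looks like a key copied from a different query's exception list; the entry for ublue-update would need the six-field form with the actual process name, binary path and unit, taken from a real row. How exception_key is built, and the rest of the WHERE, lie outside the hunk.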


@ -84,72 +84,12 @@ WHERE
AND exception_key = '32768,6,%,sshd,0u,0g,sshd'
)
AND NOT exception_key IN (
'123,17,114,chronyd,0u,0g,chronyd',
'123,17,500,chronyd,0u,0g,chronyd',
'143,6,500,thunderbird,0u,0g,thunderbird',
'143,6,500,thunderbird,u,g,thunderbird',
'19305,6,500,firefox,0u,0g,.firefox-wrappe',
'19305,6,500,firefox,0u,0g,firefox',
'1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer',
'22,6,0,ssh,0u,0g,ssh',
'22,6,0,tailscaled,0u,0g,tailscaled',
'22,6,500,cargo,0u,0g,cargo',
'22,6,500,cargo,500u,500g,cargo',
'22,6,500,image-automation-controller,u,g,image-automatio',
'22,6,500,netcat,0u,0g,nc',
'22,6,500,ssh,0u,0g,ssh',
'22,6,500,terraform,500u,500g,terraform',
'22000,6,500,syncthing,0u,0g,syncthing',
'3000,6,500,brave,0u,0g,brave',
'3000,6,500,chrome,0u,0g,chrome',
'32768,17,500,traceroute,0u,0g,traceroute',
'32768,6,0,tailscaled,0u,0g,tailscaled',
'32768,6,500,ssh,0u,0g,ssh',
'3306,6,500,java,u,g,java',
'3307,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'3443,6,500,chrome,0u,0g,chrome',
'3478,6,500,chrome,0u,0g,chrome',
'3478,6,500,firefox,0u,0g,firefox',
'4070,6,500,spotify,0u,0g,spotify',
'4070,6,500,spotify,500u,500g,spotify',
'4070,6,500,spotify,u,g,spotify',
'43,6,500,whois,0u,0g,whois',
'43,6,500,whois.md,0u,0g,whois',
'444,6,500,firefox,0u,0g,firefox',
'4460,6,114,chronyd,0u,0g,chronyd',
'465,6,500,thunderbird,0u,0g,thunderbird',
'500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService',
'500,0,80,com.apple.NRD.UpdateBrainService',
'500,htop,0u,0g,htop',
'80,6,500,wget,0u,0g,wget',
'500,syft,0u,0g,syft',
'5004,6,500,brave,0u,0g,brave',
'5006,6,500,brave,0u,0g,brave',
'5228,6,500,chrome,0u,0g,chrome',
'587,6,500,thunderbird,0u,0g,thunderbird',
'587,6,500,thunderbird,u,g,thunderbird',
'6443,6,500,kubectl,0u,0g,kubectl',
'80,6,0,python3.12,0u,0g,dnf',
'67,17,0,NetworkManager,0u,0g,NetworkManager',
'80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'80,6,0,/usr/python2.7,u,g,yum',
'80,6,0,/usr/xargs,0u,0g,xargs',
'80,6,0,NetworkManager,0u,0g,NetworkManager',
'80,6,0,applydeltarpm,0u,0g,applydeltarpm',
'80,6,0,appstreamcli,0u,0g,appstreamcli',
'80,6,0,bash,0u,0g,bash',
'80,6,0,bash,0u,0g,mkinitcpio',
'80,6,0,bash,0u,0g,sh',
'80,6,0,bash,0u,0g,update-ca-trust',
'80,6,0,cp,0u,0g,cp',
'80,6,0,python3.12,0u,0g,dnf-automatic',
'80,6,0,fc-cache,0u,0g,fc-cache',
'80,6,0,find,0u,0g,find',
'80,6,500,wget,0u,0g,wget',
'80,6,0,gawk,0u,0g,awk',
'80,6,0,gpg,0u,0g,gpg',
'80,6,500,chrome,u,g,chrome',
'8000,6,500,brave,0u,0g,brave',
'8000,6,500,chrome,0u,0g,chrome',
'8000,6,500,firefox,0u,0g,firefox',
'80,6,0,grep,0u,0g,grep',
'80,6,0,incusd,0u,0g,incusd',
'80,6,0,kmod,0u,0g,depmod',
'80,6,0,kubelet,u,g,kubelet',
'80,6,0,ldconfig,0u,0g,ldconfig',
@ -172,7 +112,6 @@ WHERE
'80,6,100,http,0u,0g,http',
'80,6,105,http,0u,0g,http',
'80,6,42,http,0u,0g,http',
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent',
'80,6,500,brave,0u,0g,brave',
'80,6,500,chrome,0u,0g,chrome',
@ -181,10 +120,11 @@ WHERE
'80,6,500,copilot-agent-linux,500u,500g,copilot-agent-l',
'80,6,500,curl,0u,0g,curl',
'80,6,500,electron,0u,0g,electron',
'80,6,500,firefox,0u,0g,.firefox-wrappe',
'80,6,500,firefox,0u,0g,firefox',
'80,6,500,firefox,0u,0g,.firefox-wrappe',
'80,6,500,firefox-bin,500u,500g,firefox-bin',
'80,6,500,firefox-bin,u,g,firefox-bin',
'80,6,500,flatpak,0u,0g,flatpak',
'80,6,500,git-remote-http,0u,0g,git-remote-http',
'80,6,500,gnome-software,0u,0g,gnome-software',
'80,6,500,java,0u,0g,java',
@ -209,22 +149,19 @@ WHERE
'80,6,500,slirp4netns,500u,500g,slirp4netns',
'80,6,500,spotify,0u,0g,spotify',
'80,6,500,spotify,500u,500g,spotify',
'80,6,500,spotify,u,g,spotify',
'80,6,500,spotify-launcher,0u,0g,spotify-launche',
'80,6,500,spotify,u,g,spotify',
'80,6,500,steam,500u,100g,steam',
'80,6,0,incusd,0u,0g,incusd',
'80,6,500,steam,500u,500g,steam',
'80,6,500,steamwebhelper,500u,500g,steamwebhelper',
'80,6,500,terraform,0u,0g,terraform',
'80,6,500,terraform,500u,500g,terraform',
'80,6,500,thunderbird,0u,0g,thunderbird',
'80,6,500,thunderbird,u,g,thunderbird',
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'80,6,500,wine64-preloader,0u,0g,control.exe',
'80,6,500,zoom,0u,0g,zoom',
'80,6,500,zoom.real,u,g,zoom.real',
'8000,6,500,brave,0u,0g,brave',
'8000,6,500,chrome,0u,0g,chrome',
'8000,6,500,firefox,0u,0g,firefox',
'8080,6,500,brave,0u,0g,brave',
'8080,6,500,chrome,0u,0g,chrome',
'8080,6,500,firefox,0u,0g,firefox',
@ -232,9 +169,9 @@ WHERE
'8080,6,500,speedtest,500u,500g,speedtest',
'8443,6,500,chrome,0u,0g,chrome',
'8443,6,500,firefox,0u,0g,firefox',
'88,6,500,syncthing,0u,0g,syncthing',
'8801,17,500,zoom,0u,0g,zoom',
'8801,17,500,zoom.real,u,g,zoom.real',
'88,6,500,syncthing,0u,0g,syncthing',
'8987,6,500,whois,0u,0g,whois',
'9418,6,500,git,0u,0g,git',
'993,6,500,evolution,0u,0g,evolution',
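Review bot: `'80,6,0,python3.12,0u,0g,dnf'` and `'80,6,0,python3.12,0u,0g,dnf-automatic'` pin the interpreter's minor version, so the exception lapses on the next Fedora/uBlue python bump and the same dnf traffic returns as a finding; the libcurl query in this commit writes the same interpreter as `python__VERSION__`, so if that substitution is applied to this file as well, these keys could use it too. Which lines in the first hunk are the additions is not marked on this page, so treat the above as inferred. `'80,6,0,incusd,0u,0g,incusd'` also appears in two hunks of this section; if both copies survive on the new side, one is redundant. The query's SELECT and the construction of exception_key are outside the hunks shown.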


@ -117,48 +117,60 @@ WHERE pos.protocol > 0
AND NOT exception_key IN (
'0,6,80,fcconfig,fcconfig,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fcconfig',
'0,6,80,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
'500,17,123,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
'500,17,123,Garmin Express,Garmin Express,Developer ID Application: Garmin International (72ES32VZUA),com.garmin.renu.client',
'500,17,32768,Luna Display,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K),com.astro-hq.LunaDisplayMac',
'500,17,68,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
'500,17,9000,Meeting Center,Meeting Center,Developer ID Application: Cisco (DE8Y96K9QP),com.webex.meetingmanager',
'500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
'500,6,22,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
'500,6,22,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
'500,6,22,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
'500,6,2869,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'500,6,32000,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
'500,6,32400,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
'500,6,32768,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
'500,6,3306,dbeaver,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
'500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Apple Mac OS Application Signing,com.microsoft.rdc.macos',
'500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.rdc.macos',
'500,6,4070,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'500,6,4317,flyctl,flyctl,,a.out',
'500,6,80,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
'500,6,80,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
'500,6,80,AdobeAcrobat,AdobeAcrobat,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Acrobat.Pro',
'500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge',
'500,6,5091,ZoomPhone,ZoomPhone,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.ZoomPhone',
'500,6,5222,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
'500,6,5222,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp',
'500,6,5222,WhatsApp,WhatsApp,Apple Mac OS Application Signing,net.whatsapp.WhatsApp',
'500,6,5222,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp',
'500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
'500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,0u,0g',
'500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
'500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
'500,6,8080,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
'500,6,8080,Speedtest,Speedtest,Apple Mac OS Application Signing,com.ookla.speedtest-macos',
'500,6,80,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
'500,6,80,Arc Helper,Arc Helper,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
'500,6,80,Brackets,Brackets,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K),io.brackets.appshell',
'500,6,80,CEPHtmlEngine Helper,CEPHtmlEngine Helper,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.cep.CEPHtmlEngine Helper',
'500,6,80,Code - Insiders Helper (Plugin),Code - Insiders Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,6,80,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,6,80,Code - Insiders Helper (Plugin),Code - Insiders Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,6,80,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'500,6,80,Creative Cloud UI Helper,Creative Cloud UI Helper,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.HEXHelper',
'500,6,80,firefox,firefox,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
'500,6,80,Google Drive Helper,Google Drive Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.drivefs.helper',
'500,6,80,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
'500,6,80,Jabra Direct,Jabra Direct,Developer ID Application: GN Audio AS (55LV32M29R),com.jabra.directonline',
'500,6,80,jcef Helper,jcef Helper,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),org.jcef.jcef.helper',
'500,6,80,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,6,80,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
'500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
'500,6,80,Loom Helper,Loom Helper,Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop.helper',
'500,6,80,Mem Helper,Mem Helper,Developer ID Application: Kevin Moody (9ZLK8RSRVN),org.memlabs.Mem.helper',
'500,6,80,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
'500,6,80,rpi-imager,rpi-imager,Developer ID Application: Floris Bos (WYH7G79LM6),org.raspberrypi.imagingutility',
'500,6,80,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
'500,6,80,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
'500,6,80,Slack Helper,Slack Helper,Apple Mac OS Application Signing,com.tinyspeck.slackmacgap.helper',
'500,6,80,Snagit 2020,Snagit 2020,Apple Mac OS Application Signing,com.TechSmith.Snagit2020',
'500,6,80,Snagit 2023,Snagit 2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.TechSmith.Snagit2023',
@ -167,26 +179,17 @@ WHERE pos.protocol > 0
'500,6,80,SnagitHelper2023,SnagitHelper2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2023',
'500,6,80,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
'500,6,80,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'500,6,80,TIDAL Helper,TIDAL Helper,Developer ID Application: TIDAL Music AS (GK2243L7KB),com.tidal.desktop.helper',
'500,6,80,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
'500,6,80,thunderbird,thunderbird,Defveloper ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'500,6,80,TIDAL Helper,TIDAL Helper,Developer ID Application: TIDAL Music AS (GK2243L7KB),com.tidal.desktop.helper',
'500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
'500,6,80,Wavebox Helper,Wavebox Helper,Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
'500,6,80,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),WhatsApp',
'500,6,80,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'500,6,80,firefox,firefox,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
'500,6,80,jcef Helper,jcef Helper,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),org.jcef.jcef.helper',
'500,6,80,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
'500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
'500,6,80,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
'500,6,80,rpi-imager,rpi-imager,Developer ID Application: Floris Bos (WYH7G79LM6),org.raspberrypi.imagingutility',
'500,6,80,thunderbird,thunderbird,Defveloper ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
'500,6,8080,Speedtest,Speedtest,Apple Mac OS Application Signing,com.ookla.speedtest-macos',
'500,6,8080,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
'500,6,9123,Elgato Control Center,Elgato Control Center,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.corsair.ControlCenter',
'500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
'500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac'
) -- Useful for unsigned binaries
AND NOT alt_exception_key IN (
'0,6,80,tailscaled,tailscaled,500u,80g',
@ -237,51 +240,53 @@ WHERE pos.protocol > 0
'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
'Developer ID Application: Cisco (DE8Y96K9QP),Cisco-Systems.SparkHelper',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.lightroomCC',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.nightly.helper',
'Developer ID Application: Cisco (DE8Y96K9QP),Cisco-Systems.SparkHelper',
'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.lightroomCC',
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.Browser',
'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
'Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop',
'Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),gvproxy',
'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2024',
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2024',
'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.Browser',
'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam.helper',
'Developer ID Application: Vivaldi Technologies AS (4XF3XNRN6Y),com.vivaldi.Vivaldi.helper',
'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking',
'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp',
'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp.ServiceExtension',
'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'
)
)
GROUP BY p0.cmdline
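Review bot: The thunderbird port-80 exception `'500,6,80,thunderbird,thunderbird,Defveloper ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'` misspells the authority ("Defveloper"), so it can never equal a real exception_key and the row it is meant to suppress still surfaces; the string appears twice in the second hunk, so the typo survives the reorder on the new side. Change it to `'500,6,80,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',`. In the first hunk, the adguard entry ending in `0u,0g` also seems to follow a different field layout than its neighbours (authority, identifier) and probably never matches either; worth confirming against how exception_key is built, which is outside the hunk. Since the list is now sorted case-insensitively, a one-line comment above it saying so would keep later additions from landing out of order.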


@ -61,6 +61,7 @@ WHERE
'/usr/bin/apt',
'/usr/bin/aptd',
'/usr/bin/bash',
'/usr/bin/gnome-disks',
'/usr/bin/bwrap',
'/usr/bin/curl',
'/usr/bin/darktable',
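Review bot: `'/usr/bin/gnome-disks'` is dropped between `/usr/bin/bash` and `/usr/bin/bwrap`, breaking the alphabetical order that this commit restores in most of the other exception lists; move it after `/usr/bin/darktable`. Since the enclosing WHERE clause starts outside the hunk, I cannot tell what behaviour of gnome-disks triggers this rule, so a one-line why-comment next to the entry (e.g. `-- gnome-disks: <observed trigger>`) would help the next person who audits the list.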


@ -60,22 +60,23 @@ WHERE
AND s.authority != 'Software Signing' -- Popular programs that sniff keyboard events, but do not appear to be malware.
AND NOT exception_key IN (
'Alfred,com.runningwithcrayons.Alfred,Developer ID Application: Running with Crayons Ltd (XZZXE9SED4)',
'BetterDisplay,pro.betterdisplay.BetterDisplay,Developer ID Application: Istvan Toth (299YSU96J7)',
'BetterTouchTool,com.hegenberg.BetterTouchTool,Developer ID Application: folivora.AI GmbH (DAFVSXZ82P)',
'Contexts,com.contextsformac.Contexts,Developer ID Application: Usman Khalid (RZ7E748ZSC)',
'Grammarly Desktop,com.grammarly.ProjectLlama,Developer ID Application: Grammarly, Inc (W8F64X92K3)',
'HueSync,com.lighting.huesync,Developer ID Application: Signify Netherlands B.V. (PREPN2W95S)',
'Hyperkey,com.knollsoft.Hyperkey,Developer ID Application: Ryan Hanson (XSYZ3E4B7D)',
'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)',
'Rocket,net.matthewpalmer.Rocket,Developer ID Application: Matthew Palmer (Z4JV2M65MH)',
'TextExpander,com.smileonmymac.textexpander,Developer ID Application: SmileOnMyMac, LLC (7PKJ6G4DXL)',
'iTerm2,com.googlecode.iterm2,Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'lghub_agent,com.logi.ghub.agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'logioptionsplus_agent,com.logi.cp-dev-mgr,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)',
'osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'skhd,skhd,',
'Grammarly Desktop,com.grammarly.ProjectLlama,Developer ID Application: Grammarly, Inc (W8F64X92K3)',
'polyrecorder,polyrecorder,Developer ID Application: Adam Pietrasiak (SXF593CX2N)',
'BetterDisplay,pro.betterdisplay.BetterDisplay,Developer ID Application: Istvan Toth (299YSU96J7)',
'Rocket,net.matthewpalmer.Rocket,Developer ID Application: Matthew Palmer (Z4JV2M65MH)',
'skhd,skhd,',
'Superkey,com.knollsoft.Superkey,Developer ID Application: Ryan Hanson (XSYZ3E4B7D)',
'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)'
'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
'TextExpander,com.smileonmymac.textexpander,Developer ID Application: SmileOnMyMac, LLC (7PKJ6G4DXL)'
)
GROUP BY
p0.path
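Review bot: The re-sorted list still carries `'skhd,skhd,'` with an empty authority, so any ad-hoc-signed or unsigned binary whose name and identifier are `skhd` is exempted from the keyboard-sniffing rule regardless of where it lives. The other entries are anchored on a Developer ID, which is what makes them safe to whitelist by name. Since `p0.path` is in scope (it is the GROUP BY key), pull skhd out of the IN list and pin it to its install location: `AND NOT (exception_key = 'skhd,skhd,' AND p0.path LIKE '/opt/homebrew/%')` — adjust the prefix if skhd is installed elsewhere on the fleet.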


@ -243,6 +243,11 @@ WHERE
-- celery
AND path_exception NOT LIKE '/dev/shm/pymp-%,python3.%'
AND dir_exception NOT LIKE '/dev/shm/byobu-%/status.tmux,'
AND NOT (
pof.path = "/dev/uinput"
AND p0.name LIKE "solaar%"
AND p0.path LIKE '/usr/bin/python%'
)
AND NOT (
pof.path LIKE '/dev/bus/usb/%'
AND p0.name IN (
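Review bot: The new `/dev/uinput` exception is keyed on `p0.name LIKE "solaar%"`, and a process name is attacker-chosen (it follows argv[0]/comm), so any Python script renamed to `solaar-anything` is allowed to synthesize keyboard and mouse events. Solaar is launched as a script, so the stable signal is the script path in the command line rather than the name; something like `AND p0.cmdline LIKE '%/bin/solaar%'` in place of the name test (verify the exact path on the uBlue hosts that produced the false positive). The same condition should also use single-quoted literals like the surrounding `LIKE` clauses — `"/dev/uinput"` is an identifier in standard SQL and only works here because SQLite downgrades it to a string.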


@ -101,12 +101,14 @@ WHERE
'firefox,WebExtensions,~/.cache/mozilla',
'firefox,WebExtensions,~/.mozilla/firefox',
'firefox,WebExtensions,~/snap/firefox',
'updater,updater,~/.mozilla/firefox',
'firefox,file:// Content,~/.cache/mozilla',
'firefox,file:// Content,~/.mozilla/firefox',
'firefox,file:// Content,~/snap/firefox',
'firefox,firefox,~/.cache/mozilla',
'firefox,firefox,~/.mozilla/firefox',
'firefox,firefox,~/snap/firefox',
'updater,updater,~/.cache/mozilla',
'firefox-bin,Isolated Web Co,~/.mozilla/firefox',
'firefox-bin,Privileged Cont,~/.mozilla/firefox',
'firefox-bin,WebExtensions,~/.mozilla/firefox',
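Review bot: `'updater,updater,~/.mozilla/firefox'` and `'updater,updater,~/.cache/mozilla'` exempt any process simply called `updater` from touching the Firefox profile, which holds `logins.json`, `key4.db` and the cookie store — a generic name with no path constraint is a weak key for that directory. The Firefox updater lives next to the browser (e.g. `/usr/lib/firefox/updater` or the snap's `usr/lib/firefox/updater`), so gate the entry on the executable path outside the IN list instead of on the name alone; the exact column for the path is outside this hunk. Both entries are also out of the alphabetical order the rest of the list follows.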


@ -12,20 +12,24 @@ SELECT
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256


@ -133,6 +133,7 @@ WHERE
'~/.local/bin',
'/var/home/linuxbrew/.linuxbrew/Cellar',
'~/.vim',
'~/dev/extra-packages/.chainguard',
'~/.provisio',
'~/.terraform.d',
'~/.cache/yay',
@ -155,10 +156,12 @@ WHERE
OR dir LIKE '/tmp/%/.github/workflows'
OR dir LIKE '~/%/.terragrunt-cache/%'
OR dir LIKE '%/.build'
OR dir LIKE '%/.cargo/%'
OR dir LIKE '%/.git'
OR dir LIKE '%/.git/%'
OR dir LIKE '%/.gradle'
OR dir LIKE '%/.github/%'
OR dir LIKE '%/.cache/melange%'
OR dir LIKE '%/.github'
OR dir LIKE '%/.venv'
OR dir LIKE '/home/build/.cache%'
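Review bot: `OR dir LIKE '%/.cargo/%'` matches a `/.cargo/` component anywhere in the path, so `/tmp/x/.cargo/payload` or `/dev/shm/.cargo/bin` would be exempted along with the real Rust home; the neighbouring entries for user homes are anchored with `~/` and the build host with `/home/build/`. Anchor it the same way — `OR dir LIKE '~/.cargo/%'` plus an explicit `/home/build/.cargo/%` if that is the container case — rather than a leading wildcard. `'~/dev/extra-packages/.chainguard'` looks like a single-workstation path; if it is, a short comment saying so would stop it being copied as a general rule.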


@ -44,35 +44,38 @@ WHERE
OR f.filename LIKE '.%'
OR f.directory LIKE '%/.%'
)
AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
AND NOT f.directory LIKE '%/.bin'
AND NOT f.directory LIKE '%/.bin-unwrapped'
AND NOT f.directory LIKE '%/.cargo/bin'
AND NOT f.directory LIKE '%/.gradle/jdks/%'
AND NOT f.directory LIKE '%/.deno/bin'
AND NOT f.directory LIKE '%/.fig/bin'
AND NOt f.directory LIKE '%/.config/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
AND NOT f.directory LIKE '%/.config/Code/User/globalStorage/sourcegraph.cody-ai/cody-engine'
AND NOT f.directory LIKE '%/.config/nvm/%/bin'
AND NOT f.directory LIKE '%/.provisio/bin/%'
AND NOT f.directory LIKE '%/.cursor/%'
AND NOT f.directory LIKE '%/.deno/bin'
AND NOT f.directory LIKE '%/.linuxbrew/Cellar/%/bin'
AND NOT f.directory LIKE '%/.docker/cli-plugins'
AND NOT f.directory LIKE '%/.fig/bin'
AND NOT f.directory LIKE '%/.go/bin'
AND NOT f.directory LIKE '%/.goenv/%/bin'
AND NOT f.directory LIKE '%/.gradle/jdks/%'
AND NOT f.directory LIKE '/home/%/.pyenv/versions/%/bin'
AND NOT f.directory LIKE '%/.local/%'
AND NOT f.directory LIKE '%/node_modules/.bin/%'
AND NOT f.directory LIKE '%/.nvm/versions/%/bin'
AND NOT f.directory LIKE '%/.goenv/%/bin'
AND NOT f.directory LIKE '%/.pnpm/%'
AND NOT f.directory LIKE '%/.yardstick/%'
AND NOT f.directory LIKE '%/.go/bin'
AND NOT f.directory LIKE '/home/%/.pyenv/versions/%/bin'
AND NOT f.directory LIKE '%/.provisio/bin/%'
AND NOT f.directory LIKE '%/.rustup/%'
AND NOT f.directory LIKE '%/.config/Code/User/globalStorage/sourcegraph.cody-ai/cody-engine'
AND NOT f.directory LIKE '%/.terraform%'
AND NOT f.directory LIKE '%/.rbenv/%'
AND NOT f.directory LIKE '%/.steampipe/db/%'
AND NOT f.directory LIKE '%/.docker/cli-plugins'
AND NOT f.directory LIKE '%/.cursor/%'
AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
AND NOT f.directory LIKE '%/.terraform%'
AND NOT f.directory LIKE '%/.tflint.d/%'
AND NOT f.directory LIKE '%/.vs-kubernetes/%'
AND NOT f.directory LIKE '%/.vscode/extensions/%'
AND NOT f.directory LIKE '/Users/%/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
AND NOT f.directory LIKE '%/.vscode/extensions/%'
AND NOT f.directory LIKE '%/.vscode-insiders/extensions/%'
AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
AND NOT f.directory LIKE '%/.vs-kubernetes/%'
AND NOT f.directory LIKE '%/.yardstick/%'
AND NOT f.path LIKE '/home/%/.config/bluejeans-v2/BluejeansHelper'
AND NOT f.path LIKE '/nix/store/%/%-wrapped'
AND NOT (
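Review bot: `AND NOT f.directory LIKE '%/.local/%'` exempts every executable under any `.local` tree from the hidden-directory check, and `~/.local/share/...` is one of the most common user-level persistence locations on Linux; the legitimate case is mostly `~/.local/bin` and a handful of known tool dirs. Consider narrowing it to `'%/.local/bin'` and listing the specific `~/.local/share/<tool>` directories that produced noise, the way `.config/Code/...` and `.gradle/jdks` are enumerated above. Unrelated: `AND NOt f.directory LIKE ...` on the dotnet line has a mixed-case `NOt`.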


@ -57,3 +57,6 @@ WHERE
AND NOT homedir LIKE '~/Library/.icedove/%'
AND NOT homedir LIKE '~/Library/Mobile Documents/.Trash%'
AND NOT homedir LIKE '~/Library/%/.%_SUPPORT/_EXTERNAL_DATA'
-- ugh
AND NOT file.path LIKE '/Library/Application Scripts/.%-%-%-%-%/.%'
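Review bot: `-- ugh` does not tell the next reader what this exemption is for, and the pattern is broader than it looks: `%` in `LIKE` crosses `/`, so `.%-%-%-%-%/.%` matches any hidden path under `Application Scripts` that contains four dashes anywhere below it, not just a GUID-named directory with one hidden child. If these are the GUID-named script folders that sandboxed apps create (worth confirming), say so in the comment and use a character class to pin the shape: `AND NOT file.path GLOB '/Library/Application Scripts/.[0-9A-Fa-f]*-*-*-*-*/.*'`, with a comment such as `-- hidden, GUID-named per-app script dirs created by sandboxed apps`.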


@ -90,21 +90,22 @@ WHERE
AND NOT exception_key IN (
'0,udevadm,systemd-udevd',
'0,udevadm,(udev-worker)',
'500,netcat,nc',
'500,nc.openbsd,nc',
'500,vim.tiny,vi',
'500,x86_64-linux-gnu-as,as',
'500,systemd-executor,(sd-pam)',
'500,busybox,sh',
'500,coreutils,tail',
'500,gjs-console,daemon.js',
'500,gjs-console,gnome-character',
'500,nc.openbsd,nc',
'500,netcat,nc',
'500,plugin-container,MainThread',
'500,pyrogenesis,main',
'500,vim.nox,vi',
'500,rootlesskit,exe',
'500,rootlessport,exe',
'500,systemd-executor,(sd-pam)',
'500,udevadm,systemd-udevd',
'500,vim.basic,vi'
'500,vim.basic,vi',
'500,vim.nox,vi',
'500,vim.tiny,vi',
'500,x86_64-linux-gnu-as,as'
)
AND NOT exception_key LIKE '%,systemd,(sd-pam)'
AND NOT (
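Review bot: The user-level entries `'500,netcat,nc'` and `'500,nc.openbsd,nc'` are keyed on uid and binary name only, so a copy of `nc.openbsd` dropped in `/tmp` by a uid-500 process passes this rule just as the distro package does. The same goes for `'500,busybox,sh'` and the two `,exe` entries — a process named `exe` is what a self re-exec via `/proc/self/exe` looks like, which is also how fileless loaders appear. If the key format cannot grow a path column, handle these few entries outside the IN list with an explicit path test, e.g. `AND NOT (exception_key IN ('500,netcat,nc','500,nc.openbsd,nc') AND p.path LIKE '/usr/bin/%')`, adjusting the path column to whatever this query selects.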


@ -50,6 +50,7 @@ WHERE
'/Applications/Vimari.app/Contents/PlugIns/Vimari Extension.appex/Contents/MacOS/Vimari Extension',
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver',
'/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl',
'/Library/Application Support/EPSON/Scanner/ScannerMonitor/Epson Scanner Monitor.app/Contents/MacOS/Epson Scanner Monitor',
'/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS/USBserver',
'/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS/WorkflowAppControl',
'/snap/brackets/138/opt/brackets/Brackets',
@ -64,6 +65,7 @@ WHERE
)
AND p.name NOT IN (
'buildkitd',
'Flycut',
'kail',
'Vimari Extension',
'Android File Transfer Agent',
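Review bot: `'Flycut'` goes into the `p.name NOT IN` list, which exempts any process that calls itself Flycut, while the list just above anchors the same kind of exception on the full executable path. Prefer the path form, presumably `'/Applications/Flycut.app/Contents/MacOS/Flycut'` (verify on the host that produced the hit), and keep the name list for cases where the path is genuinely variable. The Epson Scanner Monitor path is also inserted between two Brother entries; move it before them to keep the list sorted.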


@ -33,6 +33,7 @@ WHERE
AND f.path NOT IN (
'/opt/google/endpoint-verification/bin/apihelper',
'/opt/Elastic/Endpoint/elastic-endpoint',
'/opt/resolve/bin/resolve',
'/usr/bin/melange'
)
AND f.path NOT LIKE '/home/%'
@ -40,12 +41,14 @@ WHERE
AND f.path NOT LIKE '/tmp/%go-build%/exe/%'
AND f.path NOT LIKE '/usr/local/bin/%'
AND f.path NOT LIKE '/opt/rapid7/ir_agent/%'
AND f.path NOT LIKE '/opt/Elastic/Agent/data/elastic-agent%/elastic-agent'
AND f.path NOT LIKE '/opt/Elastic/Agent/data/elastic-agent%'
AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
AND f.path NOT LIKE '/var/kolide-k2/k2device.kolide.com/updates/%'
AND f.path NOT LIKE '/tmp/go-build%'
AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%/bin/%'
AND p.name NOT LIKE 'osqtool%'
AND f.path NOT LIKE '%/go/bin/%'
AND f.path NOT LIKE '%/osqueryi'
GROUP by
p.pid
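Review bot: The two new leading-wildcard exclusions `f.path NOT LIKE '%/go/bin/%'` and `f.path NOT LIKE '%/osqueryi'` let a binary named `osqueryi` or placed in any `.../go/bin/` directory — `/tmp/go/bin/x` included — skip the unexpected-path check entirely; `/home/%` is already excluded above, so the remaining legitimate locations should be enumerable. Anchor them to the real prefixes (for example `/root/go/bin/%`, `/var/home/%/go/bin/%`, and the actual osqueryi install path). Widening `/opt/Elastic/Agent/data/elastic-agent%/elastic-agent` to `/opt/Elastic/Agent/data/elastic-agent%` also covers every file under that data directory rather than the agent binary; if the goal was the `components/` helpers, list that subdirectory instead.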


@ -46,33 +46,29 @@ WHERE -- Filter out stock exceptions to decrease overhead
) -- Ignore files that ahve already been removed
AND file.filename NOT NULL
AND exception_key NOT IN (
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
',a.out,/private/tmp/learning-labs-static/server,501',
',a.out,/Users/amouat/proj/learning-labs-static/server,501',
',a.out,/Users/dlorenc/.wash/downloads/nats-server,501',
'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
'Apple Mac OS Application Signing,com.busymac.busycal3,/Applications/BusyCal.app/,0',
'Apple Mac OS Application Signing,com.evernote.Evernote,/Applications/Evernote.app/,0',
'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.localized/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
',,/Applications/Google%20Chrome.app/,',
',,/Applications/IntelliJ%20IDEA.app/,',
',,/Applications/ProtonMail%20Bridge.app/,',
',,/Applications/Visual%20Studio%20Code.app/,',
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
',,/usr/local/sbin/iodined,501',
',a.out,/private/tmp/learning-labs-static/server,501',
',a.out,/Users/dlorenc/.wash/downloads/nats-server,501',
',a.out,/Users/amouat/proj/learning-labs-static/server,501',
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
'Apple Mac OS Application Signing,com.busymac.busycal3,/Applications/BusyCal.app/,0',
'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.localized/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension,/Library/SystemExtensions/AD3BCA34-237A-4135-B7A4-0F7477D9144C/com.adguard.mac.adguard.network-extension.systemextension/,0',
'Developer ID Application: Any.DO inc. (FW4RAPJ9FF),com.anydo.mac,/Applications/Anydo.app/,501',
'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.,/Applications/Multipass.app/,0',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
@ -81,12 +77,14 @@ WHERE -- Filter out stock exceptions to decrease overhead
'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker,/Applications/Docker.app/,501',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
'Developer ID Application: Evernote Corporation (Q79WDW8YH9),com.evernote.Evernote,/Applications/Evernote.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
'Developer ID Application: Martijn Smit (GX645XXEAX),com.mutedeck.mac,/Applications/MuteDeck/MuteDeck.app/,501',
'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
'Developer ID Application: Postdot Technologies, Inc (H7H8Q7M5CK),com.postmanlabs.mac,/Applications/Postman.app/,501',
'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,0',
'Developer ID Application: Raycast Technologies Inc (SY64MV22J9),com.raycast.macos,/Applications/Raycast.app/,501',
'Developer ID Application: RescueTime, Inc (FSY4RB8H39),c]om.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
@ -94,23 +92,30 @@ WHERE -- Filter out stock exceptions to decrease overhead
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
'Developer ID Application: Evernote Corporation (Q79WDW8YH9),com.evernote.Evernote,/Applications/Evernote.app/,501',
'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,0',
'Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed,/Applications/Zed.app/,501',
'Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed,/Volumes/Zed/Zed.app/,501',
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
'qbittorrent macos,org.qbittorrent.qBittorrent,/Applications/qbittorrent.app/,501',
'Software Signing,com.apple.audio.AUHostingService.arm64e,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/AUHostingServiceXPC_arrow.xpc/,0',
'Software Signing,com.apple.audio.AUHostingService.x86-64,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/AUHostingServiceXPC.xpc/,0',
'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
'Software Signing,com.apple.nc,/usr/bin/nc,0',
'Software Signing,com.apple.netbiosd,/usr/sbin/netbiosd,0',
'Software Signing,com.apple.python3,/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
'Software Signing,com.apple.rapportd,/usr/libexec/rapportd,0',
'Software Signing,com.apple.rpc,/usr/sbin/rpc.lockd,0',
'Software Signing,com.apple.Terminal,/System/Applications/Utilities/Terminal.app/,0',
'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
'Software Signing,com.apple.nc,/usr/bin/nc,0',
'Software Signing,com.apple.rapportd,/usr/libexec/rapportd,0',
'Software Signing,com.apple.netbiosd,/usr/sbin/netbiosd,0',
'Software Signing,com.apple.python3,/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
'Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed,/Applications/Zed.app/,501',
'qbittorrent macos,org.qbittorrent.qBittorrent,/Applications/qbittorrent.app/,501'
'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
',,/Users/cpanato/code/src/github.com/sigstore/docs/node_modules/.bin/hugo/hugo,501',
',,/usr/local/sbin/iodined,501'
)
AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'
AND NOT exception_key LIKE ',a.out,/Users/%/hugo,501'
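Review bot: Two entries in the re-sorted list can never match. The RescueTime line carries a stray bracket — `c]om.rescuetime.RescueTime` — so the intended exception is dead; it should read `com.rescuetime.RescueTime`. The bare `'/System/Volumes/Preboot/Cryptexes/.../com.apple.WebKit.Networking.xpc/'` entry has none of the `authority,identifier,path,uid` fields the key is built from and is already covered by the proper `Software Signing,com.apple.WebKit.Networking,...,0` line below it, so it can be removed. Separately, the `Loom, Inc (QGD2ZPXZZG)` and `Opentest, Inc. (QGD2ZPXZZG)` entries are the same Team ID under two names; a comment noting the rename would stop someone "cleaning up" the duplicate.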


@ -126,6 +126,8 @@ WHERE
'/etc/rdnssd',
'/etc/redhat-lsb',
'/etc/resolvconf/update.d',
'/etc/resolvconf/update-libc.d',
'/etc/schroot/setup.d',
'/etc/security',
'/etc/skel',
'/etc/smartmontools',
@ -152,26 +154,36 @@ WHERE
)
AND file.path NOT IN (
'/etc/cloud/clean.d/99-installer',
'/etc/grub2-efi.cfg',
'/etc/cloud/clean.d/99-installer-use-networkmanager',
'/etc/grub2.cfg',
'/etc/grub2-efi.cfg',
'/etc/hibernate.sh',
'/etc/pcp/pmie/rc',
'/etc/sddm/wayland-session',
'/etc/libpaper.d/texlive-base',
'/etc/modulefiles/vpl',
'/etc/nftables.conf',
'/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json',
'/etc/paths.d/100-rvictl',
'/etc/pcp/pmcd/rc.local',
'/etc/pcp/pmlogger/rc',
'/etc/pcp/pmproxy/rc',
'/etc/pki/tls/certs/make-dummy-cert',
'/etc/pki/tls/certs/renew-dummy-cert',
'/etc/postfix/postfix-script',
'/etc/postfix/post-install',
'/etc/profile',
'/etc/pwrstatd.conf',
'/etc/qemu-ifdown',
'/etc/qemu-ifup',
'/etc/modulefiles/vpl',
'/etc/rmt',
'/etc/sddm/Xsetup',
'/etc/sddm/Xstop',
'/etc/shutdown.sh',
'/etc/sudoers.d/lima',
'/etc/sv/ssh/finish',
'/etc/sv/ssh/run',
'/etc/udev/powersave.sh',
'/etc/vpl/vars.sh'
)
-- Nix (on macOS) -- actually a symbolic link
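Review bot: Several of the new exact-path exemptions are configuration rather than programs — `/etc/sudoers.d/lima`, `/etc/nftables.conf`, `/etc/pwrstatd.conf` — and an executable sudoers fragment is exactly the kind of oddity this rule exists to surface. If these are shipped with the execute bit by their packages (lima, nftables, PowerPanel), record that next to the entry so the exception is auditable, e.g. `'/etc/sudoers.d/lima', -- shipped 0755 by lima; content is sudoers, not a script`. An exact path match also means a later replacement of the same file stays hidden; for the sudoers fragment in particular, a hash-pinned key like the `/etc/ld.so.conf` entries use elsewhere in this commit would be the safer shape.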


@ -68,7 +68,9 @@ WHERE
'/etc/.java/',
'/etc/.resolv.conf.systemd-resolved.bak',
'/etc/selinux/.config_backup',
'/etc/skel/.local/',
'/etc/skel/.mozilla/',
'/etc/skel/.var/',
'/etc/.#sudoers',
'/.file',
'/.lesshst',
@ -80,6 +82,7 @@ WHERE
'/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
'/tmp/.content-agent/',
'/tmp/._contentbarrier_installed',
'/tmp/.dl.log',
'/tmp/.docker/',
'/tmp/.docker-tmp/',
'/tmp/.dotnet/',
@ -108,15 +111,16 @@ WHERE
'/tmp/.ui-agent/',
'/tmp/.updater-agent/',
'/tmp/.vbox-t-ipc/',
'/tmp/.vscode.dmypy_status/',
'/tmp/.wsdl/',
'/tmp/.X0-lock',
'/tmp/.X11-unix/',
'/tmp/.X1-lock',
'/tmp/.X2-lock',
'/tmp/.XIM-unix/',
'/tmp/.dl.log',
'/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
'/usr/local/bin/.swtpm',
'/usr/local/libexec/.ksysguard/',
'/var/db/.AppleInstallType.plist',
'/var/db/.AppleUpgrade',
'/var/db/.com.apple.iokit.graphics',
@ -133,6 +137,7 @@ WHERE
'/var/db/.SoftwareUpdateOptions',
'/var/db/.StagedAppleUpgrade',
'/var/db/.SystemPolicy-default',
'/var/mail/.cache/',
'/var/.ntw_cache',
'/var/.Parallels_swap/',
'/var/.pwd_cache',
@ -142,20 +147,23 @@ WHERE
'/var/root/.CFUserTextEncoding',
'/var/root/.docker/',
'/var/root/.forward',
'/var/roothome/.bash_history',
'/var/roothome/.bash_logout',
'/var/roothome/.bash_profile',
'/var/roothome/.bashrc',
'/var/roothome/.cache/',
'/var/roothome/.config/',
'/var/roothome/.justfile',
'/var/roothome/.local/',
'/var/roothome/.osquery/',
'/var/roothome/.viminfo',
'/var/roothome/.ssh/',
'/etc/skel/.var/',
'/etc/skel/.local/',
'/var/roothome/.viminfo',
'/var/root/.lesshst',
'/var/root/.nix-channels',
'/var/root/.nix-defexpr/',
'/var/root/.nix-profile/',
'/var/root/.osquery/',
'/var/root/.PenTablet/',
'/var/root/.provisio',
'/var/root/.Trash/',
'/var/root/.viminfo',
@ -181,6 +189,7 @@ WHERE
AND file.path NOT LIKE '/lib/jvm/.java-%.jinfo'
AND file.path NOT LIKE '/tmp/.lark_cache_%'
AND file.path NOT LIKE '/tmp/.cdx.json%'
AND file.path NOT LIKE '/var/roothome/.xauth%'
AND file.path NOT LIKE '/tmp/.wine-%'
AND file.path NOT LIKE '/tmp/.%.gcode'
AND file.path NOT LIKE '/tmp/.vbox-%-ipc/'
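Review bot: The `/var/roothome/` additions exempt root's `.bashrc`, `.bash_profile`, `.bash_logout`, `.ssh/`, `.config/` and `.local/` from the hidden-file rule on ostree/uBlue hosts, which are precisely the files root-level persistence modifies. This mirrors the existing `/var/root/` entries for macOS, so the shape is consistent, but it is worth a comment such as `-- /var/roothome is root's $HOME on ostree-based systems (Silverblue, uBlue)` and a check that a separate rule still watches `/var/roothome/.ssh/authorized_keys` and the shell rc files for modification. `/usr/local/bin/.swtpm` is a hidden executable in PATH; if it is the swtpm wrapper that some tool installs, note which one.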


@ -28,3 +28,4 @@ WHERE
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_NTFS.kext,com.paragon-software.filesystems.ntfs,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext,io.macfuse.filesystems.macfuse,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_ExtFS.kext,com.paragon-software.filesystems.extfs,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/UAD2System.kext,com.uaudio.driver.UAD2System,%'


@ -31,6 +31,7 @@ WHERE
'/etc/ld.so.conf,0644,117,dad04a370e488aa85fb0a813a5c83cf6fd981ce01883fc59685447b092de84b5',
'/etc/ld.so.conf,0644,28,239c865e4c0746a01f82b03d38d620853bab2a2ba8e81d6f5606c503e0ea379f',
'/etc/ld.so.conf,0644,34,d4b198c463418b493208485def26a6f4c57279467b9dfa491b70433cedb602e8',
'/etc/ld.so.conf.d/homebrew.conf,0644,33,f4972e79fa4966d9976487a5b5d4152c4cd7020b236b173ad1f2a3d2fa86f74a',
'/etc/ld.so.conf,0644,154,785c6c3614a27ae6115a27c1ca55bbf333654780997c4ba7e181172b021d1bf3',
'/etc/ld.so.conf.d/000_cuda.conf,0644,41,a9327cff9435220eac872cffedc7f6144d915bdcb70d985304c72f4c3cb9a7d3',
'/etc/ld.so.conf.d/989_cuda-11.conf,0644,44,915b1ed4caa95cf65a62a74d8255c5ef80ef864cc2767933c85e240a78957167',


@ -136,27 +136,28 @@ WHERE
'~/.asdf/shims',
'~/.bazel/bin',
'~/.bin',
'~/.docker/scout',
'~/.cache/gitstatus',
'~/.config/kn',
'~/.config/nvim.bak',
'~/.docker/cli-plugins',
'~/.docker/scout',
'~/.dotnet/tools',
'~/.emacs.d/backups',
'~/Library/Logs/com.logmein.GoToOpener',
'~/.emacs.d.bak/bin',
'~/.fig/bin',
'~/.fzf',
'~/.fzf/bin',
'~/.gvm/bin',
'~/.vs-tekton',
'~/.dotnet/tools',
'~/.kn/plugins',
'~/Library/Mobile Documents/com~apple~CloudDocs',
'~/.kuberlr/darwin-amd64',
'~/Library/ApplicationSupport/iTerm2',
'~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS',
'~/Library/Logs/Adobe',
'~/Library/Logs/com.logmein.GoToOpener',
'~/Library/Mobile Documents/com~apple~CloudDocs',
'~/.npm/sentry-cli',
'~/.oh-my-zsh/tools',
'~/.PenTablet',
'~/.provisio',
'~/.pulumi-dev/bin',
'~/.pyenv/shims',
@ -164,7 +165,10 @@ WHERE
'/Users/Shared/LGHUB',
'/Users/Shared/LogiOptionsPlus',
'/Users/Shared/logitune',
'/var/root/.PenTablet',
'~/.venv/bin',
'~/.vs-tekton',
'~/.wash/downloads',
'~/.wrangler/bin',
'~/.zed/gopls',
'~/.zsh_snap/zsh-autocomplete',
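Review bot: `'~/Library/ApplicationSupport/iTerm2'` is missing the space in `Application Support`, so that entry never matches and the iTerm2 directory is still reported; it should read `'~/Library/Application Support/iTerm2'`. The rest of the hunk is a re-sort plus a few tool directories (`~/.venv/bin`, `~/.wrangler/bin`, `~/.zed/gopls`), which look fine. `~/.wash/downloads` is a download cache rather than an install location; if binaries really run from there, a comment saying so would help.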


@ -28,51 +28,53 @@ WHERE
AND file.type = "regular"
AND file.filename NOT IN (
'acpid.pid',
'adduser',
'agetty.reload',
'pulseaudio-enable-autospawn',
'alsactl.pid',
'apcupsd.pid',
'com.rapid7.cnchub.pid',
'apport.lock',
'atd.pid',
'ublue-update.lock',
'adduser',
'lima-boot-done',
'lima-ssh-ready',
'machine-id',
'motd.dynamic',
'multipathd.pid',
'auditd.pid',
'cron.reboot',
'com.rapid7.cnchub.pid',
'com.rapid7.component_insight_agent.pid',
'com.rapid7.ir_agent.pid',
'crond.pid',
'crond.reboot',
'cron.reboot',
'dnf-metadata.lock',
'docker.pid',
'lxcfs.pid',
'firefox-restart-required',
'gdm3.pid',
'gssproxy.pid',
'haproxy.pid',
'lightdm.pid',
'lima-boot-done',
'lima-ssh-ready',
'lxcfs.pid',
'machine-id',
'mcelog.pid',
'motd',
'motd.dynamic',
'multipathd.pid',
'nginx.pid',
'nvidia-powerd.pid',
'ostree-booted',
'nvidia_runtimepm_enabled',
'nvidia_runtimepm_supported',
'ostree-booted',
'pulseaudio-enable-autospawn',
'reboot-required',
'reboot-required.pkgs',
'rsyslogd.pid',
'sm-notify.pid',
'sshd.pid',
'ublue-update.lock',
'u-d-c-nvidia-drm-was-loaded',
'u-d-c-nvidia-was-loaded',
'ufw.lock',
'unattended-upgrades.lock',
'unattended-upgrades.pid',
'unattended-upgrades.progress',
'usbmuxd.pid',
'utmp',
'xtables.lock',
'zed.pid',


@ -87,6 +87,7 @@ WHERE
AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
)
AND NOT pname LIKE '.%-wrapped'
AND NOT pname LIKE '__debug_bin%'
AND pname NOT IN (
"xdg-permission-store",
"xdg-desktop-portal",
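Review bot: `AND NOT pname LIKE '__debug_bin%'` exempts on name alone, and `__debug_bin` is just the prefix delve gives its temporary builds, so any binary renamed to start with it skips this rule. If the goal is to quiet Go debugging sessions, pairing the name with the debugger as parent (or with a cwd inside a Go workspace) keeps the exemption tied to the workflow that produces it; the columns available for that are outside this hunk. A short comment — `-- delve temporary builds` — would at least explain the prefix.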


@ -42,12 +42,18 @@ FROM
-- 512 is a kernel warning
WHERE
taint NOT IN (0, 512, 4096, 4097)
-- Some day, folks will sign rootkits. That day isn't today.
AND is_unsigned = 1
AND NOT (
(
-- 12289 is an unsigned, out of tree, proprietary
-- 12801 is an unsigned, out of tree, proprietary with kernel warning. not great.
taint IN (12289, 12801)
AND modules LIKE "%,nvidia,%"
AND (
modules LIKE "%,nvidia,%"
OR modules LIKE "%,v42loopback,%"
OR modules LIKE "%,wl,%"
)
)
OR (
-- 12352 is unsigned, out of tree, requested by user space
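Review bot: `OR modules LIKE "%,v42loopback,%"` has a typo — the kernel module is `v4l2loopback` (v-four-l-two), so this branch never matches and the taint 12289/12801 false positive it was meant to silence will persist. Change it to `OR modules LIKE "%,v4l2loopback,%"`. The comment above the `taint IN (12289, 12801)` test still reads as if nvidia were the only tolerated module; update it to name all three (nvidia, v4l2loopback, Broadcom `wl`) so the exemption is auditable.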


@ -7,22 +7,22 @@
-- platform: darwin
-- tags: filesystem events
SELECT
s.identifier AS s_id,
s.authority AS s_auth,
-- Child
pe.path AS p0_path,
s.authority AS p0_sauth,
s.identifier AS p0_sid,
hash.sha256 AS p0_hash,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
COALESCE(REGEX_MATCH (pe.path, '.*/(.*)', 1), pe.path) AS p0_name,
TRIM(pe.cmdline) AS p0_cmd,
pe.time AS p0_time,
-- pe.cwd is NULL on macOS
p.cwd AS p0_cwd,
pe.pid AS p0_pid,
pe.euid AS p0_euid,
-- Parent
pe.parent AS p1_pid,
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
COALESCE(p1.path, pe1.path) AS p1_path,
p1.cwd AS p1_cwd,
COALESCE(p1.path, pe1.path) AS p1_path,
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
-- Grandparent
@ -44,10 +44,10 @@ SELECT
) AS p2_name
FROM
process_events pe
LEFT JOIN signature s ON pe.path = s.path
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN hash ON pe.path = hash.path
-- Parents (via two paths)
LEFT JOIN file f ON pe.path = f.path
LEFT JOIN signature S ON pe.path = s.path
LEFT JOIN users u ON pe.uid = u.uid
LEFT JOIN processes p ON pe.pid = p.pid -- Parents (via two paths)
LEFT JOIN processes p1 ON pe.parent = p1.pid
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
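Review bot: `LEFT JOIN signature S ON pe.path = s.path` declares the alias as uppercase `S` while every reference uses `s`; SQLite folds identifier case so it runs, but write `signature s` to match the rest of the query. The `s_id` / `s_auth` output columns were replaced by `p0_sid` / `p0_sauth` — any exception key or downstream consumer built on the old names (outside this hunk) would silently lose the signer, so that rename deserves a check. The comment `-- Parents (via two paths)` got glued onto the `processes p` join line; it belongs on its own line above the `p1` join.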


@ -88,6 +88,7 @@ WHERE
'~/Library/Application Support/com.elgato.StreamDeck/',
'~/Library/Application Support/duckly/',
'/Library/Application Support/EcammLive',
'~/homebrew/Library/Homebrew/',
'~/Library/Application Support/Figma/',
'~/Library/Application Support/Foxit Software/',
'~/Library/Application Support/JetBrains/',


@ -60,6 +60,8 @@ WHERE
AND INSTR(path, "/opt/") != 1
AND INSTR(path, "/snap/") != 1
AND INSTR(path, "/var/lib/snapd/") != 1
AND INSTR(path, "/var/opt/Elastic/") != 1
AND INSTR(path, "/var/usrlocal/bin/") != 1
AND INSTR(path, "/usr/local/kolide-k2/bin/") != 1
AND INSTR(path, "/var/kolide-k2/") != 1
AND INSTR(path, "/usr/share/spotify") != 1


@ -117,7 +117,7 @@ WHERE
AND f.mode = '0754'
)
AND NOT (
f.path LIKE '/opt/Elastic/Agent/data/elastic-agent%/elastic-agent'
f.path LIKE '%/Elastic/Agent/data/elastic-agent%/elastic-agent'
AND f.mode = '0770'
)
AND NOT (
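Review bot: Changing the prefix to `'%/Elastic/Agent/data/elastic-agent%/elastic-agent'` introduces a leading wildcard, so a 0770 binary at `/tmp/Elastic/Agent/data/elastic-agent-x/elastic-agent` under any user-writable root is now exempted too. The uBlue case this commit targets appears to be `/var/opt/Elastic/` (it is added explicitly in another hunk of this commit), so list the two real prefixes instead: `(f.path LIKE '/opt/Elastic/Agent/data/elastic-agent%/elastic-agent' OR f.path LIKE '/var/opt/Elastic/Agent/data/elastic-agent%/elastic-agent')`.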


@ -80,7 +80,6 @@ WHERE
'at-spi-bus-launcher',
'bash',
'build-script-build',
'sddm-helper',
'chainctl',
'chezmoi',
'clang-11',
@ -91,7 +90,6 @@ WHERE
'com.docker.backend',
'conmon',
'containerd-shim',
'idea',
'containerd-shim-runc-v2',
'cpptools',
'dash',
@ -99,10 +97,10 @@ WHERE
'demoit',
'direnv',
'doas',
'pacman',
'docker-credential-desktop',
'docker-credential-gcr',
'Docker Desktop',
'dpkg',
'Emacs-arm64-11',
'env',
'erl_child_setup',
@ -111,10 +109,9 @@ WHERE
'fish',
'gatherheaderdoc',
'gdm3',
'terraform',
'gdm-session-worker',
'gdm-x-session',
'gdm-wayland-session',
'gdm-x-session',
'git',
'gke-gcloud-auth-plugin',
'gnome-session-binary',
@ -122,23 +119,24 @@ WHERE
'gnome-terminal-server',
'go',
'goland',
'mc',
'gopls',
'helm',
'HP Diagnose & Fix',
'i3bar',
'i3blocks',
'idea',
'java',
'jetbrains-toolbox',
'kitty',
'nu',
'ko',
'konsole',
'kubectl',
'lightdm',
'local-path-provisioner',
'login',
'MacVim',
'make',
'mc',
'monorail',
'my_print_defaults',
'ninja',
@ -147,42 +145,45 @@ WHERE
'nix-daemon',
'nm-dispatcher',
'node',
'nu',
'nvim',
'obs',
'package_script_service',
'pacman',
'perl',
'PK-Backend',
'provisio',
'pulumi',
-- 'python' - do not include this, or you won't detect supply-chain attacks.
'ression-arm64',
'roxterm',
'sddm-helper',
'sdk',
'sdzoomplugin',
'sh',
'ShellLauncher',
'skhd',
'su',
'snyk',
'snyk-macos',
'sshd',
'obs',
'stable',
'Stream Deck',
'su',
'sudo',
'swift',
'systemd',
'systemd-sleep',
'terminator',
'terraform',
'terraform-ls',
'test2json',
'tmux',
'snyk-macos',
'ression-arm64',
'tmux:server',
'update-notifier',
'vi',
'vim',
'vim.nox',
'Vim',
'MacVim',
'vim.nox',
'watch',
'wezterm-gui',
'xargs',
@ -292,6 +293,7 @@ WHERE
'sh,500,Meeting Center,launchd',
'sh,500,cloud_sql_proxy,zsh',
'sh,500,docs,zsh',
'bash,500,ruby,zsh',
'bash,500,incusd,incusd',
'sh,500,snyk-macos,snyk',
'zsh,500,OpenLens,launchd',
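Review bot: The new entry `'bash,500,ruby,zsh'` exempts any bash spawned by any ruby process under a user's zsh (reading the key as name,uid,parent,grandparent, as the neighbouring `'sh,500,cloud_sql_proxy,zsh'` suggests), which covers gem install hooks and arbitrary ruby scripts as much as whatever tool motivated it. That is the same class of blind spot the file's own comment on `'python'` warns against (`-- 'python' - do not include this, or you won't detect supply-chain attacks.`). Consider keying the exception on the specific ruby program (its script path or command line) rather than the bare interpreter name, or at least pair the entry with a comment naming the tool that produces it so the breadth is a documented decision. The enclosing IN list and statement extend beyond this hunk.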


@ -142,6 +142,7 @@ WHERE
'sdk',
'sdzoomplugin',
'sh',
'vim-nox11',
'skhd',
'ssh',
'sshd',


@ -48,11 +48,6 @@ WHERE
'abrt-oops.service,ABRT kernel log watcher,',
'abrt-xorg.service,ABRT Xorg log watcher,',
'accounts-daemon.service,Accounts Service,',
'virtnwfilterd.socket,libvirt nwfilter daemon socket,',
'virtnetworkd.socket,libvirt network daemon socket,',
'virtqemud-admin.socket,libvirt QEMU daemon admin socket,',
'virtqemud-ro.socket,libvirt QEMU daemon read-only socket,',
'virtsecretd.socket,libvirt secret daemon socket,',
'acpid.path,ACPI Events Check,',
'acpid.service,ACPI Daemon,',
'acpid.service,ACPI event daemon,',
@ -77,6 +72,7 @@ WHERE
'archlinux-keyring-wkd-sync.timer,Refresh existing PGP keys of archlinux-keyring regularly,',
'atd.service,Deferred execution scheduler,',
'auditd.service,Security Auditing Service,',
'auditd.service,Security Audit Logging Service,',
'audit.service,Kernel Auditing,',
'avahi-daemon.service,Avahi mDNS/DNS-SD Stack,',
'avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,',
@ -84,6 +80,10 @@ WHERE
'blk-availability.service,Availability of block devices,',
'bluetooth.service,Bluetooth service,',
'bolt.service,Thunderbolt system service,',
'bootupd.socket,bootupd.socket,',
'brew-update.service,Auto update brew for mutable brew installs,1000',
'brew-update.timer,Timer for brew update for mutable brew,',
'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
'chronyd.service,NTP client/server,',
'chrony.service,chrony, an NTP client/server',
'cloud-config.service,Apply the settings specified in cloud-config,',
@ -110,6 +110,7 @@ WHERE
'dbus.service,D-Bus System Message Bus,',
'dbus.socket,D-Bus System Message Bus Socket,',
'dhcpcd.service,DHCP Client,',
'displaylink.service,DisplayLink Manager Service,',
'display-manager.service,Display Manager,',
'display-manager.service,X11 Server,',
'dkms.service,Builds and install new kernel modules through DKMS,',
@ -147,10 +148,6 @@ WHERE
'import-state.service,Import network configuration from initramfs,',
'incus-lxcfs.service,Incus - LXCFS daemon,',
'incus.service,Incus - Daemon,',
'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
'brew-update.timer,Timer for brew update for mutable brew,',
'ublue-update.timer,Auto Update System Timer For Universal Blue,',
'ublue-system-setup.service,Configure system,',
'incus.service,Incus - Main daemon,',
'incus.socket,Incus - Daemon (unix socket),',
'incus-startup.service,Incus - Startup check,',
@ -160,6 +157,7 @@ WHERE
'iscsid.socket,Open-iSCSI iscsid Socket,',
'iscsiuio.socket,Open-iSCSI iscsiuio Socket,',
'iwd.service,Wireless service,',
'kde-sysmonitor-workaround.service,Workaround KDE System Monitor not having the correct caps,',
'kerneloops.service,Tool to automatically collect and submit kernel crash signatures,kernoops',
'keyboard-setup.service,Set the console keyboard layout,',
'kmod-static-nodes.service,Create List of Static Device Nodes,',
@ -181,6 +179,7 @@ WHERE
'lm_sensors.service,Initialize hardware monitoring sensors,',
'loadcpufreq.service,LSB: Load kernel modules needed to enable cpufreq scaling,',
'logrotate-checkconf.service,Logrotate configuration check,',
'logrotate.service,Rotate log files,',
'logrotate.timer,Daily rotation of log files,',
'logrotate.timer,logrotate.timer,',
'low-memory-monitor.service,Low Memory Monitor,',
@ -189,6 +188,7 @@ WHERE
'lxcfs.service,FUSE filesystem for LXC,',
'lxc-monitord.service,LXC Container Monitoring Daemon,',
'lxc-net.service,LXC network bridge setup,',
'lxc.service,LXC Container Initialization and Autoboot Code,',
'machine.slice,Virtual Machine and Container Slice,',
'man-db.service,Daily man-db regeneration,root',
'man-db.timer,Daily man-db regeneration,',
@ -213,6 +213,7 @@ WHERE
'NetworkManager.service,Network Manager,',
'NetworkManager-wait-online.service,Network Manager Wait Online,',
'network-setup.service,Networking Setup,',
'nginx.service,A high performance web server and a reverse proxy server,',
'nginx.service,Nginx Web Server,nginx',
'nis-domainname.service,Read and set NIS domainname from /etc/sysconfig/network,',
'nix-daemon.service,Nix Daemon,',
@ -227,7 +228,12 @@ WHERE
'openvpn.service,OpenVPN service,',
'orbit,/opt/orbit/bin/orbit/linux/stable/orbit,0',
'orbit.service,Orbit osquery,',
'ostree-finalize-staged-hold.service,Hold /boot Open for OSTree Finalize Staged Deployment,',
'ostree-finalize-staged.path,OSTree Monitor Staged Deployment,',
'ostree-finalize-staged.service,OSTree Finalize Staged Deployment,',
'ostree-remount.service,OSTree Remount OS/ Bind Mounts,',
'packagekit.service,PackageKit Daemon,root',
'passim.service,Local Caching Server,passim',
'pcscd.service,PC/SC Smart Card Daemon,',
'pcscd.socket,PC/SC Smart Card Daemon Activation Socket,',
'phpsessionclean.timer,Clean PHP session files every 30 mins,',
@ -237,6 +243,8 @@ WHERE
'plymouth-quit-wait.service,Hold until boot process finishes up,',
'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,',
'plymouth-start.service,Show Plymouth Boot Screen,',
'pmcd.service,Performance Metrics Collector Daemon,',
'podman.socket,Podman API Socket,',
'polkit.service,Authorization Manager,',
'polkit.service,Authorization Manager,polkitd',
'postfix@-.service,Postfix Mail Transport Agent (instance -),',
@ -256,6 +264,10 @@ WHERE
'resolvconf.service,resolvconf update,',
'rngd.service,Hardware RNG Entropy Gatherer Daemon,',
'rpc-statd-notify.service,Notify NFS peers of a restart,',
'rpm-ostree-countme.service,Weekly rpm-ostree Count Me reporting,rpm-ostree',
'rpm-ostree-countme.timer,Weekly rpm-ostree Count Me timer,',
'rpm-ostreed-automatic.timer,rpm-ostree Automatic Update Trigger,',
'rpm-ostreed.service,rpm-ostree System Management Daemon,rpm-ostree',
'rsyslog.service,System Logging Service,',
'rtkit-daemon.service,RealtimeKit Scheduling Policy Service,',
'schroot.service,Recover schroot sessions,',
@ -288,6 +300,7 @@ WHERE
'swapfile.swap,/swapfile,',
'swap.img.swap,/swap.img,',
'switcheroo-control.service,Switcheroo Control Proxy service,',
'swtpm-workaround.service,Workaround swtpm not having the correct label,',
'syslog.socket,Syslog Socket,',
'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,',
'sysstat.service,Resets System Activity Logs,root',
@ -331,6 +344,7 @@ WHERE
'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,',
'systemd-pcrphase.service,TPM2 PCR Barrier (User),',
'systemd-pcrphase-sysinit.service,TPM2 PCR Barrier (Initialization),',
'systemd-pstore.service,Platform Persistent Storage Archival,',
'systemd-random-seed.service,Load/Save OS Random Seed,',
'systemd-random-seed.service,Load/Save Random Seed,',
'systemd-remount-fs.service,Remount Root and Kernel File Systems,',
@ -366,6 +380,9 @@ WHERE
'touchegg.service,Touchégg Daemon,',
'ua-timer.timer,Ubuntu Advantage Timer for running repeated jobs,',
'ua-timer.timer,Ubuntu Pro Timer for running repeated jobs,',
'ublue-system-setup.service,Configure system,',
'ublue-update.service,Universal Blue Update Oneshot Service,',
'ublue-update.timer,Auto Update System Timer For Universal Blue,',
'ubuntu-fan.service,Ubuntu FAN network setup,',
'udisks2.service,Disk Manager,',
'ufw.service,Uncomplicated firewall,',
@ -380,35 +397,68 @@ WHERE
'user.slice,User and Session Slice,',
'uuidd.service,Daemon for generating UUIDs,uuidd',
'uuidd.socket,UUID daemon activation socket,',
'v4l2-relayd.service,v4l2-relay daemon service,',
'vboxautostart-service.service,vboxautostart-service.service,',
'vboxballoonctrl-service.service,vboxballoonctrl-service.service,',
'vboxdrv.service,VirtualBox Linux kernel module,',
'vboxweb-service.service,vboxweb-service.service,',
'velociraptor_client.service,Velociraptor linux client,',
'velociraptor_server.service,Velociraptor server,velociraptor',
'virtinterfaced-admin.socket,libvirt interface daemon admin socket,',
'virtinterfaced-ro.socket,libvirt interface daemon read-only socket,',
'virtinterfaced.socket,libvirt interface daemon socket,',
'virtinterfaced.socket,Libvirt interface local socket,',
'virtlockd-admin.socket,libvirt locking daemon admin socket,',
'virtlockd.socket,libvirt locking daemon socket,',
'virtlockd.socket,Virtual machine lock manager socket,',
'virtlogd-admin.socket,libvirt logging daemon admin socket,',
'virtlogd-admin.socket,Virtual machine log manager socket,',
'virtlogd.service,Virtual machine log manager,',
'virtlogd.socket,libvirt logging daemon socket,',
'virtlogd.socket,Virtual machine log manager socket,',
'virtlxcd-admin.socket,libvirt LXC daemon admin socket,',
'virtlxcd-ro.socket,libvirt LXC daemon read-only socket,',
'virtlxcd.socket,libvirt LXC daemon socket,',
'virtnetworkd-admin.socket,libvirt network daemon admin socket,',
'virtnetworkd-ro.socket,libvirt network daemon read-only socket,',
'virtnetworkd.socket,libvirt network daemon socket,',
'virtnetworkd.socket,Libvirt network local socket,',
'virtnodedevd-admin.socket,libvirt nodedev daemon admin socket,',
'virtnodedevd-ro.socket,libvirt nodedev daemon read-only socket,',
'virtnodedevd.socket,libvirt nodedev daemon socket,',
'virtnodedevd.socket,Libvirt nodedev local socket,',
'virtnwfilterd-admin.socket,libvirt nwfilter daemon admin socket,',
'virtnwfilterd-ro.socket,libvirt nwfilter daemon read-only socket,',
'virtnwfilterd.socket,libvirt nwfilter daemon socket,',
'virtnwfilterd.socket,Libvirt nwfilter local socket,',
'virtproxyd-admin.socket,libvirt proxy daemon admin socket,',
'virtproxyd-ro.socket,libvirt proxy daemon read-only socket,',
'virtproxyd.socket,libvirt proxy daemon socket,',
'virtproxyd.socket,Libvirt proxy local socket,',
'virtqemud-admin.socket,Libvirt qemu admin socket,',
'virtqemud-admin.socket,libvirt QEMU daemon admin socket,',
'virtqemud-ro.socket,libvirt QEMU daemon read-only socket,',
'virtqemud-ro.socket,Libvirt qemu local read-only socket,',
'virtqemud.service,Virtualization qemu daemon,',
'virtqemud.socket,libvirt QEMU daemon socket,',
'virtqemud.socket,Libvirt qemu local socket,',
'virtsecretd-admin.socket,libvirt secret daemon admin socket,',
'virtsecretd-ro.socket,libvirt secret daemon read-only socket,',
'virtsecretd.socket,libvirt secret daemon socket,',
'virtsecretd.socket,Libvirt secret local socket,',
'virtstoraged-admin.socket,libvirt storage daemon admin socket,',
'virtstoraged-ro.socket,libvirt storage daemon read-only socket,',
'virtstoraged.socket,libvirt storage daemon socket,',
'virtstoraged.socket,Libvirt storage local socket,',
'virtvboxd-admin.socket,libvirt VirtualBox daemon admin socket,',
'virtvboxd-ro.socket,libvirt VirtualBox daemon read-only socket,',
'virtvboxd.socket,libvirt VirtualBox daemon socket,',
'whoopsie.path,Start whoopsie on modification of the /var/crash directory,',
'wpa_supplicant.service,WPA supplicant,',
'zfs-import-cache.service,Import ZFS pools by cache file,',
'zfs-load-key-rpool.service,Load ZFS key for rpool,',
'zfs-load-module.service,Install ZFS kernel module,',
'zfs-mount.service,Mount ZFS filesystems,',
'v4l2-relayd.service,v4l2-relay daemon service,',
'lxc.service,LXC Container Initialization and Autoboot Code,',
'zfs-scrub.service,ZFS pools scrubbing,',
'zfs-scrub.timer,zfs-scrub.timer,',
'zfs-share.service,ZFS file system shares,',
@ -427,6 +477,7 @@ WHERE
OR exception_key LIKE 'zfs-snapshot-%.service,zfs-snapshot-%.service,'
OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0'
OR exception_key LIKE 'run-media-%.mount,run-media-%.mount,'
OR exception_key LIKE 'drkonqi-coredump-processor@%.service,Pass systemd-coredump journal entries to relevant user for potential DrKonqi handling,'
OR id LIKE ''
OR id LIKE 'dev-disk-by%.swap'
OR id LIKE 'dev-mapper-%.swap'
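Review bot: The uBlue/ostree additions such as `'ublue-update.service,Universal Blue Update Oneshot Service,'`, `'rpm-ostreed.service,rpm-ostree System Management Daemon,rpm-ostree'` and `'swtpm-workaround.service,Workaround swtpm not having the correct label,'` are keyed only on unit id, description and user, all of which a dropped unit file controls, so a persistence unit can name and describe itself as one of these and be exempted. If the query draws from osquery's systemd_units table, its fragment_path column would let these image-shipped entries be pinned to /usr/lib/systemd/system (read-only on ostree systems) and distinguished from a look-alike in /etc/systemd/system at little cost. The entry `'brew-update.service,Auto update brew for mutable brew installs,1000'` also exempts a timer-driven auto-updater running as an unprivileged uid; a comment stating that this is the expected uBlue layout would save the next reader from re-deriving it. The enclosing IN list and WHERE clause extend outside this section.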


@ -74,32 +74,41 @@ WHERE
)
)
AND NOT exception_key IN (
"true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
'false,,Grammarly: AI Writing and Grammar Checker App,cnlefmmeadmemmdciolhbnfeacpdfbkd',
'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop',
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
'true,Adblock for Chrome Team,Adblock for Chrome™,onomjaelhagjjojbkcafidnepbfkpnee',
'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk',
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced',
'true,,SalesLoft Connect,cffgjgigjfgjkfdopbobbdadaelbhepo',
'true,homerchen19,File Icons for GitHub and GitLab,ficfmibkjjnpogdcfhfokmihanoldbfe',
'true,,Ponyrun,ohfoafaaamjfbhmceahibpppkbnohaeg',
'true,,Copy Me That,lgjinjcobiflbbnhenlfkcjpeeacklfl',
'true,Adguard Software Ltd,AdGuard AdBlocker,bgnkhhnnamicmpeenaelnjfhikgbkllg',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj',
'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk',
'true,AgileBits,1Password Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh',
'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn',
'true,,Application Launcher For Drive (by Google),lmjegmlicamnimmfhcmpkclmigmmcbeh',
'true,,Awesome ChatGPT Screenshot & Screen Recorder,nlipoenfbbikpbjkfpfillcgkoblgpmj',
'true,,Awesome Screen Recorder & Screenshot,nlipoenfbbikpbjkfpfillcgkoblgpmj',
'true,,axe DevTools - Web Accessibility Testing,lhdoppojpmngadmnindnejefpokejbdd',
'true,,Bardeen - automate manual work,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
'true,,Bionic Reading,kdfkejelgkdjgfoolngegkhkiecmlflj',
'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb',
'true,,BlockSite: Block Websites & Stay Focused,eiimnmioipafcokbfikbljfdeojpcgbh',
'true,,Browsec VPN - Free VPN for Chrome,omghfjlpggmjjaagoclmmobgdodcjboh',
'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo',
'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg',
'true,CAD Team,Cookie AutoDelete,fhcgjolkccmbidfldomjliifgaodjagh',
'true,,Canvas Blocker - Fingerprint Protect,nomnklagbgmgghhjidfhnoelnjfndfpd',
'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg',
'true,,Capital One Shopping: Save Now,nenlahapcbofgnanklpelkaejcehkggg',
'true,,Caret,fljalecfjciodhpcledpamjachpmelml',
'true,,Chrome Capture - Gif & Screenshot tool,ggaabchcecdbomdcnbahdfddfikjmphe',
'true,chromeos-recovery-tool-admin@google.com,Chromebook Recovery Utility,jndclpdbaamdhonoechobihbbiimdgai',
'true,,Chrome RDP for Google Cloud Platform,mpbbnannobiobpnfblimoapbephgifkm',
'true,,Chrome Remote Desktop,inomeogfingihgjfjlpeplalcfajhgai',
'true,,Chrome Web Store Payments,nmmhkkegccagdldgiimedpiccmgmieda',
@ -107,70 +116,105 @@ WHERE
'true,,Cisco Webex Extension,jlhmfgmfgeifomenelglieieghnjghma',
'true,,Clear Cache,cppjkneekbjaeellbfkmgnhonkkjfpdn',
'true,,ClickUp: Tasks, Screenshots, Email, Time,pliibjocnfmkagafnbkfcimonlnlpghj',
'true,,Clipboard History,cioiijhfebhhkmnijjjgbhkjjdlphjid',
'true,,Clockify Time Tracker,pmjeegjhjdlccodhacdgbgfagbpmccpe',
'true,,Cloud Vision,nblmokgbialjjgfhfofbgfcghhbkejac',
'true,Clockwise Inc.,Clockwise: AI Calendar & Scheduling Assistant,hjcneejoopafkkibfbcaeoldpjjiamog',
'true,Clockwise Inc.,Clockwise: Team Time & Calendar Management,hjcneejoopafkkibfbcaeoldpjjiamog',
'true,,Cloud9,nbdmccoknlfggadpfkmcpnamfnbkmkcp',
'true,,Cloud Vision,nblmokgbialjjgfhfofbgfcghhbkejac',
'true,,coLaboratory Notebook,pianggobfjcgeihlmfhfgkfalopndooo',
'true,,ColorPick Eyedropper,ohcpnigalekghcmgcdcenkpelffpdolg',
'true,,Go Links,gojgbkejhelijlkgpmlbbkklljgmfljj',
'true,,ColorZilla,bhlhnicpbhignbdhedgjhgdocnmhomnp',
'true,compose.ai,Compose AI: AI-powered Writing Tool,ddlbpiadoechcolndfeaonajmngmhblj',
'true,Contacts+,Contacts+ for Gmail,cnaibnehbbinoohhjafknihmlopdhhip',
'true,CookieBlock Team,CookieBlock,fbhiolckidkciamgcobkokpelckgnnol',
'true,,Cookie Tab Viewer,fdlghnedhhdgjjfgdpgpaaiddipafhgk',
'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla',
'true,,Copper CRM for Gmail™,hpfmedbkgaakgagknibnonpkimkibkla',
'true,,Copy Me That,lgjinjcobiflbbnhenlfkcjpeeacklfl',
'true,,Coupert - Automatic Coupon Finder & Cashback,mfidniedemcgceagapgdekdbmanojomk',
'true,,crouton integration,gcpneefbbnfalgjniomfjknbcgkbijom',
'true,Crowdcast, Inc.,Crowdcast Screensharing,kgmadhplahebfoiijgloflhakfjlkbpb',
'true,,Crunchbase - B2B Company & Contact Info,mdfjplgeknamfodpoghbmhhlcjoacnbp',
'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo',
'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg',
"true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
'true,,Datanyze Chrome Extension,mlholfadgbpidekmhdibonbjhdmpmafd',
'true,,DealFinder by VoucherCodes,jhgicjdnnonfaedodemjjinbgcoeiajo',
'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo',
'true,,[DEPRECATED] Tag Assistant Legacy,kejbdjndbnbjgmefkgdddjlbokphdefk',
'true,,Disconnect,jeoacafpbcihiomhlakheieifhpjdfeo',
'true,,Distill Web Monitor,inlikjemeeknofckkjolnjbpehgadgge',
'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg',
'true,,Dux-Soup for LinkedIn Automation,ppdakpfeaodfophjplfdedpcodkdkbal',
'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg',
'true,,Emoji Keyboard - Emojis For Chrome,fbcgkphadgmbalmlklhbdagcicajenei',
'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
'true,,Eno® from Capital One®,clmkdohmabikagpnhjmgacbclihgmdje',
'true,,Espruino Web IDE,bleoifhkdalbjfbobjackfdifdneehpo',
'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep',
'true,Evernote,Evernote Web Clipper,pioclpoplcdbaefihamjohnefbikjilc',
'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe',
'true,,Extensity,jjmflmamggggndanpgfnpelongoepncg',
'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb',
'true,,Facebook Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc',
'true,,Fake Filler,bnjjngeaknajbdcgpfkgnonkmififhfo',
'true,,Fakespot Fake Amazon Reviews and eBay Sellers,nakplnnackehceedgkgkokbgbmfghain',
'true,Federico Brigante,GitHub Issue Link Status,nbiddhncecgemgccalnoanpnenalmkic',
'true,,feedly,hipbfijinpcgfogaopmgehiegacbhmob',
'true,,FoxyProxy Basic,dookpfaalaaappcdneeahomimbllocnb',
'true,François Duprat,Mobile simulator - responsive testing tool,ckejmhbmlajgoklhgbapkiccekfoccmk',
'true,,Free Maps Ruler,ejpahoknghmacibohhgleeacndkglgmo',
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
'true,Ghostery,Ghostery Privacy Ad Blocker,mlomiejdfkolichcflejclcbmpeaniij',
'true,Ghostery,Ghostery Tracker & Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij',
'true,Ghostery,Ghostery Tracker Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij',
'true,,GHunt Companion,dpdcofblfbmmnikcbmmiakkclocadjab',
'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec',
'true,,GitHub Red Alert,kmiekjkmkbhbnlempjkaombjjcfhdnfe',
'true,,Github Absolute Dates,iepecohjelcmdnahbddleblfphbaheno',
'true,,GitHub Red Alert,kmiekjkmkbhbnlempjkaombjjcfhdnfe',
'true,,Gmail™ Email Templates by cloudHQ,llccdnmbipddnkhmldacpcjjcnljpoij',
'true,,Go Links,gojgbkejhelijlkgpmlbbkklljgmfljj',
'true,,GoLinks,mdkgfdijbhbcbajcdlebbodoppgnmhab',
'true,,GoToMeeting for Google Calendar,gaonpiemcjiihedemhopdoefaohcjoch',
'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd',
'true,,Google Analytics Parameter Stripper,jbgedkkfkohoehhkknnmlodlobbhafge',
'true,,Google Docs Offline,ghbmnnjooekpmoecnnnilnnbdlolhkhi',
'true,,Google Drive,apdfllckaahabafndbhieahigkjlhalf',
'true,,Google Hangouts,nckgahadagoaajjgafhacjanaoiihapd',
'true,,Google Keep - Notes and Lists,hmjkmjkepdijhoojdojkdfohbdgmmhki',
'true,,Google Keep Chrome Extension,lpcaedmchfhocbbapmcbpinfpgnhiddi',
'true,,Google Keep - Notes and Lists,hmjkmjkepdijhoojdojkdfohbdgmmhki',
'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff',
'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci',
'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb',
'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb',
'true,,Google Play Movies & TV,gdijeikdkaembjbdobgfkoidjkpbmlkd',
'true,Gordon Pedsersen,MarkDownload - Markdown Web Clipper,pcmpcfapbekmbjjkdalcgopdkipoggdi',
'true,,GoToMeeting for Google Calendar,gaonpiemcjiihedemhopdoefaohcjoch',
'true,,GoToTraining Screensharing,copcmbdalilphnaiajfmonkegedhkndd',
'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
'true,,Gravit Designer,pdagghjnpkeagmlbilmjmclfhjeaapaa',
'true,,Greenhouse Recruiting Chrome extension,naooopefdfeangnkgmjpklgblnfmbaea',
'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp',
'true,,GSConnect,jfnifeihccihocjbfcfhicmmgpjicaec',
'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag',
'true,homerchen19,File Icons for GitHub and GitLab,ficfmibkjjnpogdcfhfokmihanoldbfe',
'true,,Honey: Automatic Coupons & Cash Back,bmnlcjabgnpnenekpadlanbbkooimhnj',
'true,,Honey: Automatic Coupons & Rewards,bmnlcjabgnpnenekpadlanbbkooimhnj',
'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp',
'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn',
'true,,HubSpot Sales,oiiaigjnkhngdbnoookogelabohpglmd',
'true,,Hundred Handshakes,cmlngncglcblbobiehdpjcgbpoemidho',
'true,,IBA Opt-out (by Google),gbiekjoijknlhijdjbaadobpkdhmoebb',
'true,,iCloud Bookmarks,fkepacicchenbjecpbpbclokcabebhah',
'true,,Instapaper,ldjkgaaoikpmhmkelcgkgacicjfbofhh',
'true,,JSON Formatter,bcjindcccaagfpapjjmafapmmgkkhgoa',
'true,,JSON Viewer Pro,eifflpmocdbdmepbjaopkkhbfmdgijcc',
'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok',
'true,,Jamstash,jccdpflnecheidefpofmlblgebobbloc',
'true,,Jitsi Meetings,kglhbbefdnlheedjiejgomgmfplipfeb',
'true,,JSON Formatter,bcjindcccaagfpapjjmafapmmgkkhgoa',
'true,,JSON Viewer Pro,eifflpmocdbdmepbjaopkkhbfmdgijcc',
'true,,Kagi Search for Chrome,cdglnehniifkbagbbombnjghhcihifij',
'true,Kai Uwe Broulik <kde@privat.broulik.de>,Plasma Integration,cimiefiiaegbelhefglklhhakcgmhkai',
'true,Kas Elvirov,GitHub Gloc,kaodcnpebhdbpaeeemkiobcokcnegdki',
'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo',
'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd',
'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn',
'true,,Lever Hire Extension,dgbcohbjchndmjocioegkgdniaffcaia',
'true,,Link to Text Fragment,pbcodcjpfjdpcineamnnmbkkmkdpajjg',
'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo',
@ -178,49 +222,68 @@ WHERE
'true,,Loom Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
'true,,Lucidchart Diagrams,apboafhkiegglekeafbckfjldecefkhn',
'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl',
'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl',
'true,,Media Hint,akipcefbjlmpbcejgdaopmmidpnjlhnb',
'true,,Meta Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc',
'true,Microsoft Corporation,Microsoft 365,ndjpnladcallmjemlbaebfadecfhkepb',
'true,Microsoft Corporation,Microsoft Autofill,fiedbfgcleddlbcmgdigjgdfcggjcion',
'true,,Microsoft Single Sign On,ppnbnpeolgkicgegkbkbjmhlideopiji',
'true,Moustachauve,Cookie-Editor,hlkenndednhfkekhgcdicdfddnkalmdm',
'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka',
'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm',
'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk',
'true,,Office - Enable Copy and Paste,ifbmcpbgkhlpfcodhjhdbllhiaomkdej',
'true,,Office Editing for Docs, Sheets & Slides,gbkeegbaiigmenfmjfclcdgdpimamgkj',
'true,,Office - Enable Copy and Paste,ifbmcpbgkhlpfcodhjhdbllhiaomkdej',
'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb',
'true,,OneLogin for Google Chrome,ioalpmibngobedobkmbhgmadaphocjdn',
'true,,OneTab,chphlpgkkbolifaimnlloiipkdnihall',
'true,Opera,Cashback Assistant,ompjkhnkeoicimmaehlcmgmpghobbjoj',
'true,Opera Norway AS,Opera AI Prompts,mljbnbeedpkgakdchcmfapkjhfcogaoc',
'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk',
'true,,Outbrain Pixel Tracker,daebadnaphbiobojnpgcenlkgpihmbdc',
'true,,Outreach Everywhere,chmpifjjfpeodjljjadlobceoiflhdid',
'true,,Page Analytics (by Google),fnbdnhhicmebfgdgglcdacdapkcihcoh',
'true,,Password Alert,noondiphcddnnabmjcihcjfbhfklnnep',
'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo',
'true,,PhantomBuster,mdlnjfcpdiaclglfbdkbleiamdafilil',
'true,,Picture-in-Picture Extension (by Google),hkgfoiooedgoejojocmhlaklaeopbecg',
'true,,PlayTo for Chromecast™,jngkenaoceimiimeokpdbmejeonaaami',
'true,,Playback Rate,jgmkoefgnppfpagkhifpialkkkgnfgag',
'true,,PlayTo for Chromecast™,jngkenaoceimiimeokpdbmejeonaaami',
'true,,Ponyrun,ohfoafaaamjfbhmceahibpppkbnohaeg',
'true,,Postman,fhbjgbiflinjbdggehcddcbncdddomop',
'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp',
'true,,Private Internet Access,jplnlifepflhkbkgonidnobkakhmpnmh',
'true,Pushbullet,Pushbullet,chlffgpmiacpedhhbkiomidkjlcfhogd',
'true,Quantier, LLC,Vim for Google Docs™,aphmodfjbhofkpibocbggkdfnpbpjmpp',
'true,Quantier, LLC,Vim for Google Docs\xE2\x84\xA2,aphmodfjbhofkpibocbggkdfnpbpjmpp',
'true,Quidco.com,Quidco Cashback Reminder,offafgdgnliocofjjiohlpjpenbogkbl',
'true,,QuillBot for Chrome,iidnbdjijdkbmajdffnidomddglmieko',
'true,,RSS Feed Reader,pnjaodmkngahhkoihejjehlcdlnohgmp',
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi',
'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm',
'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi',
'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm',
'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi',
'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
'true,,Redux DevTools,lmhkpmbekcpmknklioeibfkpmmfibljd',
'true,,Refined GitHub,hlepfoohegkhhmjieoechaddaejaokhf',
'true,,RetailMeNot Deal Finder™,jjfblogammkiefalfpafidabbnamoknm',
'true,,SSH for Google Cloud Platform,ojilllmhjhibplnppnamldakhpmdnibd',
'true,,RSS Feed Reader,pnjaodmkngahhkoihejjehlcdlnohgmp',
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
'true,,Salesforce,jjghhkepijgakdammjldcbnjehfkfmha',
'true,,SalesLoft Connect,cffgjgigjfgjkfdopbobbdadaelbhepo',
'true,,SalesLoft Connect - Legacy,cffgjgigjfgjkfdopbobbdadaelbhepo',
'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne',
'true,,Save to Pinterest,gpdjojdkbbmdfjfahjcgigfpmkopogic',
'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj',
'true,,Scraper,poegfpiagjgnenagjphgdklmgcpjaofi',
'true,,Screenshot & Screen Video Record by Screeny,djekgpcemgcnfkjldcclcpcjhemofcib',
'true,,Screenshot Master: Full Page Capture,ggacghlcchiiejclfdajbpkbjfgjhfol',
'true,,Screenshot & Screen Video Record by Screeny,djekgpcemgcnfkjldcclcpcjhemofcib',
'true,,Scribe: AI Documentation, SOPs & Screenshots,okfkdaglfjjjfefdcppliegebpoegaii',
'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd',
'true,,Selenium IDE,mooikfkahbdckldjjndioackbalphokd',
'true,,Send from Gmail (by Google),pgphcomnlaojlmmcjmiddhdapjpbgeoc',
'true,,Send to Kindle for Google Chrome<6D><65><EFBFBD>,cgdjpilhipecahhcilnafpblkieebhea',
'true,,Sendspark Video and Screen Recorder,blimjkpadkhcpmkeboeknjcmiaogbkph',
'true,,Send to Kindle for Google Chrome<6D><65><EFBFBD>,cgdjpilhipecahhcilnafpblkieebhea',
'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko',
'true,,Set Character Encoding,bpojelgakakmcfmjfilgdlmhefphglae',
'true,,Shodan,jjalcfnidlmpjhdfepjhjbhnhkbgleap',
@ -228,106 +291,51 @@ WHERE
'true,,Simple Tab Sorter,cgfpgnepljlgenjclbekbjdlgcodfmjp',
'true,,Skype Calling,blakpkgjpemejpbmfiglncklihnhjkij',
'true,,Slack,jeogkiiogjbmhklcnbgkdcjoioegiknm',
'true,,SSH for Google Cloud Platform,ojilllmhjhibplnppnamldakhpmdnibd',
'true,stefanXO,Tab Manager Plus for Chrome,cnkdjjdmfiffagllbiiilooaoofcoeff',
'true,,Super Dark Mode,nlgphodeccebbcnkgmokeegopgpnjfkc',
'true,,Superhuman,dcgcnpooblobhncpnddnhoendgbnglpn',
'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh',
'true,Symantec Corporation,Norton Password Manager,admmjipmmciaobhojoghlmleefbicajg',
'true,,Tabli,igeehkedfibbnhbfponhjjplpkeomghi',
'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh',
'true,,Tag Assistant Legacy (by Google),kejbdjndbnbjgmefkgdddjlbokphdefk',
'true,,Tampermonkey BETA,gcalenpjmijncebpfijmoaglllgpjagf',
'true,Team Octotree,Octotree - GitHub code tree,bkhaagjahfmjljalopjnoealnfndnagc',
'true,,The Marvellous Suspender,noogafoofpebimajpfpamcfhoaifemoa',
'true,Thomas Rientjes,Decentraleyes,ldpochfccmkkmhdbclfhpagapcfdljkj',
'true,,TickTick - Todo & Task List,diankknpkndanachmlckaikddgcehkod',
'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh',
'true,,Todoist for Gmail,clgenfnodoocmhnlnpknojdbjjnmecff',
'true,Tomas Popela, tpopela@redhat.com,Fedora User Agent,hojggiaghnldpcknpbciehjcaoafceil',
'true,,Trend Micro Ad Blocker: Powerful Ad Blocker,pmekfefnodgilnnjcfkkdjlebokonhpm',
'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf',
'true,Tulio Ornelas <ornelas.tulio@gmail.com>,JSON Viewer,gbmdgpbipfallnflgajpaliibnhdgobh',
'true,,Ubiquiti Device Discovery Tool,hmpigflbjeapnknladcfphgkemopofig',
'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
'true,,UET Tag Helper (by Microsoft Advertising),naijndjklgmffmpembnkfbcjbognokbf',
'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
'true,,User-Agent Switcher for Chrome,djflhoibgkdhkhhcedjiklpkjnoahfmg',
'true,,Utime,kpcibgnngaaabebmcabmkocdokepdaki',
'true,,Vidyard - Webcam & Screen Recorder for Sales,jiihcciniecimeajcniapbngjjbonjan',
'true,,VidyoWebConnector,mmedphfiemffkinodeemalghecnicmnh',
'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke',
'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb',
'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb',
'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd',
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg',
'true,,WAVE Evaluation Tool,jbbplnpkjmmeebjpijfedlgcdilocofh',
'true,Web to Figma,Web to Figma,mafpepbepbabkenbfpcdjmmjmeeemoal',
'true,,WhatFont,jabopobgcpjmedljpbcaablpmlmfcogm',
'true,,Wikiwand: Wikipedia Modernized,emffkefkbkpkgpdeeooapgaicgmcbolj',
'true,,Windows Accounts,ppnbnpeolgkicgegkbkbjmhlideopiji',
'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb',
'true,,Wisdolia,ciknpklcipibmfbgjmdmfdfalklfdlne',
'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg',
'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle',
'true,Yuri Konotopov <ykonotopov@gnome.org>,GNOME Shell integration,gphhapmejobijbbhgpjhcjognlahblep',
'true,,Zoom,hmbjbjdpkobdjplfobhljndfdfdipjhg',
'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
'true,,[DEPRECATED] Tag Assistant Legacy,kejbdjndbnbjgmefkgdddjlbokphdefk',
'true,,axe DevTools - Web Accessibility Testing,lhdoppojpmngadmnindnejefpokejbdd',
'true,,coLaboratory Notebook,pianggobfjcgeihlmfhfgkfalopndooo',
'true,,crouton integration,gcpneefbbnfalgjniomfjknbcgkbijom',
'true,,feedly,hipbfijinpcgfogaopmgehiegacbhmob',
'true,,iCloud Bookmarks,fkepacicchenbjecpbpbclokcabebhah',
'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
'true,Adblock for Chrome Team,Adblock for Chrome™,onomjaelhagjjojbkcafidnepbfkpnee',
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
'true,Adguard Software Ltd,AdGuard AdBlocker,bgnkhhnnamicmpeenaelnjfhikgbkllg',
'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk',
'true,AgileBits,1Password Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
'true,Alexander Shutau,Dark Reader,eimadpbcbfnmbkopoojfekhnkhdbieeh',
'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn',
'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
'true,CAD Team,Cookie AutoDelete,fhcgjolkccmbidfldomjliifgaodjagh',
'true,Clockwise Inc.,Clockwise: AI Calendar & Scheduling Assistant,hjcneejoopafkkibfbcaeoldpjjiamog',
'true,Clockwise Inc.,Clockwise: Team Time & Calendar Management,hjcneejoopafkkibfbcaeoldpjjiamog',
'true,Contacts+,Contacts+ for Gmail,cnaibnehbbinoohhjafknihmlopdhhip',
'true,Crowdcast, Inc.,Crowdcast Screensharing,kgmadhplahebfoiijgloflhakfjlkbpb',
'true,Evernote,Evernote Web Clipper,pioclpoplcdbaefihamjohnefbikjilc',
'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb',
'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe',
'true,Federico Brigante,GitHub Issue Link Status,nbiddhncecgemgccalnoanpnenalmkic',
'true,François Duprat,Mobile simulator - responsive testing tool,ckejmhbmlajgoklhgbapkiccekfoccmk',
'true,Ghostery,Ghostery Tracker Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij',
'true,Ghostery,Ghostery Privacy Ad Blocker,mlomiejdfkolichcflejclcbmpeaniij',
'true,Ghostery,Ghostery Tracker & Ad Blocker - Privacy AdBlock,mlomiejdfkolichcflejclcbmpeaniij',
'true,Gordon Pedsersen,MarkDownload - Markdown Web Clipper,pcmpcfapbekmbjjkdalcgopdkipoggdi',
'true,Guilherme Nascimento,Prevent Duplicate Tabs,eednccpckdkpojaiemedoejdngappaag',
'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok',
'true,Kas Elvirov,GitHub Gloc,kaodcnpebhdbpaeeemkiobcokcnegdki',
'false,,Grammarly: AI Writing and Grammar Checker App,cnlefmmeadmemmdciolhbnfeacpdfbkd',
'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo',
'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd',
'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn',
'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl',
'true,Microsoft Corporation,Microsoft 365,ndjpnladcallmjemlbaebfadecfhkepb',
'true,Microsoft Corporation,Microsoft Autofill,fiedbfgcleddlbcmgdigjgdfcggjcion',
'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka',
'true,Opera Norway AS,Opera AI Prompts,mljbnbeedpkgakdchcmfapkjhfcogaoc',
'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk',
'true,Opera,Cashback Assistant,ompjkhnkeoicimmaehlcmgmpghobbjoj',
'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo',
'true,Pushbullet,Pushbullet,chlffgpmiacpedhhbkiomidkjlcfhogd',
'true,Quantier, LLC,Vim for Google Docs\xE2\x84\xA2,aphmodfjbhofkpibocbggkdfnpbpjmpp',
'true,Quantier, LLC,Vim for Google Docs™,aphmodfjbhofkpibocbggkdfnpbpjmpp',
'true,Quidco.com,Quidco Cashback Reminder,offafgdgnliocofjjiohlpjpenbogkbl',
'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi',
'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm',
'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
'true,Symantec Corporation,Norton Password Manager,admmjipmmciaobhojoghlmleefbicajg',
'true,Team Octotree,Octotree - GitHub code tree,bkhaagjahfmjljalopjnoealnfndnagc',
'true,Thomas Rientjes,Decentraleyes,ldpochfccmkkmhdbclfhpagapcfdljkj',
'true,Tomas Popela, tpopela@redhat.com,Fedora User Agent,hojggiaghnldpcknpbciehjcaoafceil',
'true,Tulio Ornelas <ornelas.tulio@gmail.com>,JSON Viewer,gbmdgpbipfallnflgajpaliibnhdgobh',
'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb',
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg',
'true,Yuri Konotopov <ykonotopov@gnome.org>,GNOME Shell integration,gphhapmejobijbbhgpjhcjognlahblep',
'true,chromeos-recovery-tool-admin@google.com,Chromebook Recovery Utility,jndclpdbaamdhonoechobihbbiimdgai',
'true,compose.ai,Compose AI: AI-powered Writing Tool,ddlbpiadoechcolndfeaonajmngmhblj',
'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb',
'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn',
'true,stefanXO,Tab Manager Plus for Chrome,cnkdjjdmfiffagllbiiilooaoofcoeff'
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
)
AND NOT (
exception_key IN (


@ -37,15 +37,18 @@ WHERE
OR path LIKE "/dev/mqueue/.%.lock"
)
AND exception_key NOT IN (
'0,0,/var/run/apport.lock,regular,0600',
'0,0,/var/run/dnf-metadata.lock,regular,0644',
'0,0,/var/run/ublue-update.lock,regular,0755',
'0,0,/var/run/ufw.lock,regular,0644',
'0,0,/var/run/unattended-upgrades.lock,regular,0640',
'0,0,/var/run/xtables.lock,regular,0600',
'0,1,/var/run/VMware Fusion Services.lock,regular,0600',
'500,0,/tmp/mysql.sock.lock,regular,0600',
'500,0,/tmp/mysqlx.sock.lock,regular,0600',
'0,0,/var/run/xtables.lock,regular,0600',
'0,0,/var/run/dnf-metadata.lock,regular,0644',
'0,0,/var/run/ufw.lock,regular,0644',
'0,0,/var/run/apport.lock,regular,0600',
'0,0,/var/run/ublue-update.lock,regular,0755',
'500,1000,/tmp/golangci-lint.lock,regular,0600',
'500,1001,/tmp/nwg-dock.lock,regular,0600',
'74,0,/tmp/mysql.sock.lock,regular,0600',
'74,0,/tmp/mysqlx.sock.lock,regular,0600',
'500,1001,/tmp/nwg-dock.lock,regular,0600'
'74,0,/tmp/mysqlx.sock.lock,regular,0600'
)
AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%-linux.lock,regular,0644'
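Review bot: The `LIKE '500,1000,/tmp/keepassxc-%-linux.lock,regular,0644'` exception on the last line is looser than it reads: osquery runs on SQLite, whose `LIKE` is case-insensitive for ASCII unless `case_sensitive_like` is set, and `%` also spans `/`, so `/tmp/KEEPASSXC-…-linux.lock` or `/tmp/keepassxc-a/b-linux.lock` created by any process running as uid 500 in the world-writable /tmp would be excepted as well. `GLOB` is case-sensitive and lets you constrain the wildcard: `AND NOT exception_key GLOB '500,1000,/tmp/keepassxc-*-linux.lock,regular,0644'`, narrowed to `[0-9]*` or similar if the variable part is known to be a pid or counter. The same case-insensitivity applies to the `LIKE "/dev/mqueue/.%.lock"` predicate at the top of this hunk. The enclosing WHERE starts outside the hunk.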


@ -36,7 +36,7 @@ WHERE
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: Universal Audio (4KAC9AX6CG)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
@ -48,8 +48,10 @@ WHERE
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X)',
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'Developer ID Application: Rogue Amoeba Software, Inc. (7266XEXAPM)',
'Developer ID Application: Signify Netherlands B.V. (PREPN2W95S)',
'Developer ID Application: TPZ Solucoes Digitais Ltda (X37R283V2T)',
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
'Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)',


@ -68,36 +68,41 @@ WHERE
',',
p.name
) IN (
'1,1,500,ping',
'1,255,500,mtr-packet',
'10250,6,0,kubelet',
'10250,6,500,kubelet',
'10254,6,101,nginx-ingress-c',
'10256,6,0,kube-proxy',
'10256,6,500,kube-proxy',
'17,255,0,.tailscaled-wra',
'1,1,500,ping',
'1,255,500,mtr-packet',
'1337,6,500,kdenlive',
'1716,6,500,daemon.js',
'1716,6,500,gjs',
'1716,6,500,kdeconnectd',
'17,255,0,dhcpcd',
'17,255,0,tailscaled',
'17,255,0,.tailscaled-wra',
'17,255,500,dhcpcd',
'17,255,500,mtr-packet',
'1716,6,500,kdeconnectd',
'18000,6,500,kourier',
'22000,6,500,syncthing',
'22,6,0,sshd',
'22,6,0,systemd',
'22,6,500,sshd',
'22000,6,500,syncthing',
'2379,6,500,etcd',
'2380,6,500,etcd',
'24800,6,500,synergy-core',
'24802,6,500,synergy-service',
'255,255,500,mtr-packet',
'27036,6,500,steam',
'27500,6,500,passimd',
'3000,6,472,grafana-server',
'3000,6,500,grafana',
'3000,6,500,grafana-server',
'3000,6,500,node',
'32768,6,0,.tailscaled-wra',
'32768,6,0,tailscaled',
'32768,6,0,.tailscaled-wra',
'32768,6,500,com.docker.back',
'32768,6,500,com.docker.backend',
'32768,6,500,dleyna-renderer',
'32768,6,500,java',
@ -115,31 +120,39 @@ WHERE
'5001,6,0,registry',
'5050,6,500,rootlesskit',
'53,17,0,coredns',
'53,17,114,dnsmasq',
'53,17,130,dnsmasq',
'53,17,500,aardvark-dns',
'53,17,500,coredns',
'53,17,500,dnsmasq',
'5355,6,193,systemd-resolve',
'5355,6,500,systemd-resolve',
'53,6,0,coredns',
'53,6,114,dnsmasq',
'53,6,130,dnsmasq',
'53,6,500,coredns',
'53,6,500,dnsmasq',
'5355,6,193,systemd-resolve',
'5355,6,500,systemd-resolve',
'5432,6,70,postgres',
'546,17,500,dhcpcd',
'547,17,500,dnsmasq',
'5556,6,500,dex',
'5556,6,500,openshot-qt',
'5558,6,500,dex',
'58,255,0,NetworkManager',
'58,255,0,dhcpcd',
'58,255,0,NetworkManager',
'58,255,100,systemd-network',
'58,255,500,dhcpcd',
'58,255,500,dnsmasq',
'58,255,500,mtr-packet',
'58,255,500,systemd-network',
'631,17,0,cups-browsed',
'631,17,116,cups-browsed',
'631,17,121,cups-browsed',
'631,17,133,cups-browsed',
'6379,6,500,redis-server',
'6443,6,0,kube-apiserver',
'6443,6,500,kube-apiserver',
'67,17,114,dnsmasq',
'67,17,130,dnsmasq',
'67,17,500,dnsmasq',
'68,17,0,dhclient',
@ -147,12 +160,6 @@ WHERE
'68,17,500,dhcpcd',
'68,17,500,systemd-network',
'7000,6,500,ControlCenter',
'80,6,0,docker-proxy',
'80,6,101,nginx',
'80,6,60,nginx',
'53,17,114,dnsmasq',
'53,6,114,dnsmasq',
'67,17,114,dnsmasq',
'8001,6,500,__debug_bin,',
'8008,6,500,activator',
'8008,6,500,autoscaler',
@ -160,12 +167,12 @@ WHERE
'8008,6,500,resolvers',
'8008,6,500,webhook',
'8009,6,0,java',
'80,6,0,docker-proxy',
'80,6,101,nginx',
'80,6,60,nginx',
'8080,6,0,coredns',
'631,17,121,cups-browsed',
'8080,6,0,java',
'8081,6,500,main',
'32768,6,500,com.docker.back',
'1716,6,500,gjs',
'8086,6,0,influxd',
'8086,6,500,controller',
'8086,6,500,influxd',
@ -174,18 +181,13 @@ WHERE
'8181,6,0,coredns',
'8181,6,500,coredns',
'8443,6,0,kube-apiserver',
'631,17,133,cups-browsed',
'8443,6,101,nginx-ingress-c',
'58,255,500,dnsmasq',
'8443,6,500,controller',
'8443,6,500,controlplane',
'8443,6,500,webhook',
'8834,6,0,nessusd',
'631,17,116,cups-browsed',
'547,17,500,dnsmasq',
'9000,6,500,authentik-proxy',
'9000,6,500,main',
'27500,6,500,passimd',
'9090,6,500,controlplane',
'9153,6,0,coredns',
'9300,6,500,authentik-proxy',
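Review bot: The exception key is built as `port,proto,uid,p.name` (four fields, see the CONCAT ending in `p.name` at the top of this hunk), so the entry `'8001,6,500,__debug_bin,'` carries a trailing empty fifth field and can never match; drop the comma, or if the real process name carries a variable suffix, move it to a `LIKE '8001,6,500,__debug_bin%'` outside the IN list. More broadly, the list keys on the basename alone, and several entries are generic enough to be satisfied by any renamed binary — `'8081,6,500,main'`, `'9000,6,500,main'`, `'3000,6,500,node'`, `'8443,6,500,controller'`, `'8443,6,500,webhook'` — which is the exact evasion a listener-detection query exists to catch. Consider adding `p.path` (or the cgroup, as the systemd query in this repo does) to the key for the uid-500 developer-tool entries so the name is not the only thing being trusted. The enclosing WHERE starts outside this hunk and the IN list continues past it.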


@ -55,12 +55,18 @@ WHERE
'10011,6,0,launchd,Software Signing',
'10011,6,0,webfilterproxyd,Software Signing',
'1024,6,0,systemmigrationd,Software Signing',
'10250,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
'111,17,1,rpcbind,Software Signing',
'111,6,1,rpcbind,Software Signing',
'1234,6,500,qemu-system-aarch64,',
'1313,6,500,hugo,',
'1338,6,500,ec2-metadata-mock,',
'1338,6,500,registry,',
'137,17,0,launchd,Software Signing',
'137,17,222,netbiosd,Software Signing',
'138,17,0,launchd,Software Signing',
'138,17,222,netbiosd,Software Signing',
'15611,6,500,Postman,Developer ID Application: Postdot Technologies, Inc (H7H8Q7M5CK)',
'16587,6,500,RescueTime,Developer ID Application: RescueTime, Inc (FSY4RB8H39)',
'17500,6,500,Dropbox,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'1824,6,500,WaveLink,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
@ -68,86 +74,88 @@ WHERE
'2112,6,500,fake,',
'2112,6,500,rekor-server,',
'2112,6,500,timestamp-server,',
'22,6,0,launchd,Software Signing',
'22000,6,500,syncthing,',
'22000,6,500,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783)',
'22000,6,500,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783)',
'22,6,0,launchd,Software Signing',
'2345,6,500,dlv,',
'24678,6,500,node,',
'24802,6,500,synergy-service,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
'26000,6,500,node20,Developer ID Application: Node.js Foundation (HX7739G8FX)',
'27036,6,500,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'28198,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
'3306,6,500,mariadbd,',
'443,6,500,crc,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2)',
'3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'3306,6,500,mariadbd,',
'3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'33333,6,500,Ultimate,',
'3400,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)',
'3491,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
'3492,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
'3493,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
'4000,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
'41949,6,500,IPNExtension,Apple Mac OS Application Signing',
'43398,6,500,IPNExtension,Apple Mac OS Application Signing',
'44000,6,500,Podman Desktop,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2)',
'443,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
'443,6,500,crc,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2)',
'443,6,500,limactl,',
'1234,6,500,qemu-system-aarch64,',
'4000,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
'443,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
'44450,6,500,Linear Helper,Developer ID Application: Linear Orbit, Inc. (7VZ2S3V9RV)',
'44554,6,500,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K)',
'45972,6,500,IPNExtension,Apple Mac OS Application Signing',
'4710,6,500,UA Mixer Engine,Developer ID Application: Universal Audio (4KAC9AX6CG)',
'49152,6,0,AirPlayXPCHelper,Software Signing',
'49152,6,0,launchd,Software Signing',
'3493,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
'26000,6,500,node20,Developer ID Application: Node.js Foundation (HX7739G8FX)',
'49152,6,0,remoted,Software Signing',
'49152,6,0,remotepairingdeviced,Software Signing',
'49152,6,500,CaptureCoreService,Developer ID Application: Capture One A/S (5WTDB5F65L)',
'49152,6,500,com.adguard.mac.adguard.network-extension,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
'49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
'49152,6,500,com.docker.supervisor,Developer ID Application: Docker Inc (9BNSXJN65R)',
'49152,6,500,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8)',
'49152,6,500,EcammLiveRemoteXPCServer,Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
'49152,6,500,GarageBand,Apple Mac OS Application Signing',
'49152,6,500,git-daemon,',
'49152,6,500,idea,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'49152,6,500,IPNExtension,Apple Mac OS Application Signing',
'49152,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
'49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'49152,6,500,LogiMgrDaemon,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'49152,6,500,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K)',
'49152,6,500,Music,Software Signing',
'49152,6,500,node,',
'49152,6,500,qemu-system-aarch64,',
'49152,6,500,rapportd,Software Signing',
'49152,6,500,Resolve,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
'49152,6,500,Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'49152,6,500,Signal,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'49152,6,500,Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'49152,6,500,siriactionsd,Software Signing',
'49152,6,500,Sketch,Developer ID Application: Bohemian Coding (WUGMZZ5K46)',
'49152,6,500,SketchMirrorHelper,Developer ID Application: Bohemian Coding (WUGMZZ5K46)',
'49152,6,500,Spotify,Developer ID Application: Spotify (2FNC3A47ZF)',
'49152,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'49152,6,500,Webcam-desktop,Developer ID Application: Shenzhen Arashi Vision Co., Ltd. (847R5ZLN8S)',
'49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
'49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
'49152,6,500,com.docker.supervisor,Developer ID Application: Docker Inc (9BNSXJN65R)',
'49152,6,500,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8)',
'49152,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
'49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'49152,6,500,node,',
'49152,6,500,qemu-system-aarch64,',
'49152,6,500,rapportd,Software Signing',
'49152,6,500,telepresence,',
'49152,6,500,vpnkit-bridge,Developer ID Application: Docker Inc (9BNSXJN65R)',
'49152,6,500,Webcam-desktop,Developer ID Application: Shenzhen Arashi Vision Co., Ltd. (847R5ZLN8S)',
'49152,6,500,WebexHelper,Developer ID Application: Cisco (DE8Y96K9QP)',
'49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
'49152,6,65,mDNSResponder,Software Signing',
'49152,6,500,idea,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'5000,6,500,ControlCenter,Software Signing',
'3491,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
'5001,6,500,crane,',
'5001,6,500,gvproxy,',
'5060,6,500,CommCenter,Software Signing',
'53,17,500,dnsmasq,',
'53,17,500,server,',
'53,17,65,mDNSResponder,Software Signing',
'443,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
'80,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
'53,6,500,dnsmasq,',
'53,6,65,mDNSResponder,Software Signing',
'80,6,500,crc,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2)',
'443,6,500,crc,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2)',
'49152,6,65,mDNSResponder,Software Signing',
'5454,6,0,xrdd,Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
'546,17,0,configd,Software Signing',
'547,17,500,dhcp6d,Software Signing',
'49152,6,500,git-daemon,',
'5900,6,0,launchd,Software Signing',
'5900,6,0,screensharingd,Software Signing',
'5990,6,500,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
@ -156,30 +164,21 @@ WHERE
'67,17,0,bootpd,Software Signing',
'67,17,0,launchd,Software Signing',
'68,17,0,configd,Software Signing',
'6996,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
'7000,6,500,ControlCenter,Software Signing',
'7265,6,500,Raycast,Developer ID Application: Raycast Technologies Inc (SY64MV22J9)',
'80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
'80,6,500,limactl,',
'10250,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
'8055,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
'111,17,1,rpcbind,Software Signing',
'111,6,1,rpcbind,Software Signing',
'3492,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
'49152,6,500,com.adguard.mac.adguard.network-extension,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
'6996,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
'9991,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
'80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
'80,6,500,crc,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2)',
'80,6,500,limactl,',
'80,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
'8081,6,500,crane,',
'81,6,500,nginx,',
'49152,6,500,siriactionsd,Software Signing',
'8123,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
'8125,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
'81,6,500,nginx,',
'8770,6,500,sharingd,Software Signing',
'8771,6,500,sharingd,Software Signing',
'88,17,0,kdc,Software Signing',
'88,6,0,kdc,Software Signing',
'53,17,500,server,',
'1338,6,500,ec2-metadata-mock,',
'15611,6,500,Postman,Developer ID Application: Postdot Technologies, Inc (H7H8Q7M5CK)',
'8828,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'8829,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'8830,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@ -188,8 +187,10 @@ WHERE
'8833,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'8834,6,0,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'8834,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'88,6,0,kdc,Software Signing',
'8888,6,500,otel-desktop-viewer,',
'9101,6,500,github_actions_exporter,'
'9101,6,500,github_actions_exporter,',
'9991,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)'
)
AND NOT exception_key LIKE '%,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)'
AND NOT exception_key LIKE '88%,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)'
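Review bot: `LIKE '88%,6,500,Code Helper,…'` on the last line accepts far more than the 88xx range the neighbouring IN entries (8828–8834) suggest: `%` also matches `88`, `880`–`889` and `88000`+, so a Code Helper listener on Kerberos' port 88 would be silently excepted. `AND NOT exception_key GLOB '88[0-9][0-9],6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)'` pins it to four digits (and is case-sensitive, unlike SQLite's `LIKE`); with that in place the individual 882x/883x `Code Helper` IN entries above are redundant. Separately, the entries whose signing field is empty — e.g. `'53,17,500,server,'`, `'1338,6,500,registry,'`, `'443,6,500,limactl,'`, `'49152,6,500,node,'` — except an unsigned binary on the strength of a basename any process can choose; if these are local dev tools, keying them on `p.path` or the parent process would keep the exception without giving up the signature check. The enclosing WHERE starts outside this hunk.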


@ -30,54 +30,56 @@ WHERE
file.path LIKE '/usr/lib/udev/rules.d/%'
AND file.size < 180
AND file.path NOT IN (
'/usr/lib/udev/rules.d/10-switch.rules',
'/usr/lib/udev/rules.d/20-crystalhd.rules',
'/usr/lib/udev/rules.d/30-linksys-ae1200.rules',
'/usr/lib/udev/rules.d/40-redhat-disable-dell-ir-camera.rules',
'/usr/lib/udev/rules.d/45-i2c-tools.rules',
'/usr/lib/udev/rules.d/88-neutron_hifi_dac.rules',
'/usr/lib/udev/rules.d/65-persistent-net-nbft.rules',
'/usr/lib/udev/rules.d/50-apport.rules',
'/usr/lib/udev/rules.d/60-ddcutil.rules',
'/usr/lib/udev/rules.d/60-ddcutil-i2c.rules',
'/usr/lib/udev/rules.d/92-viia.rules',
'/usr/lib/udev/rules.d/71-pid_codes-controllers.rules',
'/usr/lib/udev/rules.d/70-titan-key.rules',
'/usr/lib/udev/rules.d/60-sunshine-ublue.rules',
'/usr/lib/udev/rules.d/30-linksys-ae1200.rules',
'/usr/lib/udev/rules.d/10-switch.rules',
'/usr/lib/udev/rules.d/60-drm.rules',
'/usr/lib/udev/rules.d/70-rpiboot.rules',
'/usr/lib/udev/rules.d/60-net.rules',
'/usr/lib/udev/rules.d/72-intel-mipi-ipu6-camera.rules',
'/usr/lib/udev/rules.d/60-bridge-network-interface.rules',
'/usr/lib/udev/rules.d/60-ddcutil-i2c.rules',
'/usr/lib/udev/rules.d/60-ddcutil.rules',
'/usr/lib/udev/rules.d/60-drm.rules',
'/usr/lib/udev/rules.d/60-incus-agent.rules',
'/usr/lib/udev/rules.d/60-net.rules',
'/usr/lib/udev/rules.d/60-rfkill.rules',
'/usr/lib/udev/rules.d/60-sunshine-ublue.rules',
'/usr/lib/udev/rules.d/61-accelerometer.rules',
'/usr/lib/udev/rules.d/61-mutter.rules',
'/usr/lib/udev/rules.d/65-persistent-net-nbft.rules',
'/usr/lib/udev/rules.d/66-saned.rules',
'/usr/lib/udev/rules.d/70-hypervfcopy.rules',
'/usr/lib/udev/rules.d/70-hypervkvp.rules',
'/usr/lib/udev/rules.d/70-hypervvss.rules',
'/usr/lib/udev/rules.d/70-rpiboot.rules',
'/usr/lib/udev/rules.d/70-spice-vdagentd.rules',
'/usr/lib/udev/rules.d/70-spice-webdavd.rules',
'/usr/lib/udev/rules.d/70-titan-key.rules',
'/usr/lib/udev/rules.d/71-alpha_imaging_technology_co-vr.rules',
'/usr/lib/udev/rules.d/71-astro_gaming-controllers.rules',
'/usr/lib/udev/rules.d/71-betop-controllers.rules',
'/usr/lib/udev/rules.d/71-nacon-controllers.rules',
'/usr/lib/udev/rules.d/71-pid_codes-controllers.rules',
'/usr/lib/udev/rules.d/71-sony-vr.rules',
'/usr/lib/udev/rules.d/72-intel-mipi-ipu6-camera.rules',
'/usr/lib/udev/rules.d/75-davincipanel.rules',
'/usr/lib/udev/rules.d/75-probe_mtd.rules',
'/usr/lib/udev/rules.d/75-sdx.rules',
'/usr/lib/udev/rules.d/81-kvm-rhel.rules',
'/usr/lib/udev/rules.d/85-hdparm.rules',
'/usr/lib/udev/rules.d/85-regulatory.rules',
'/usr/lib/udev/rules.d/88-neutron_hifi_dac.rules',
'/usr/lib/udev/rules.d/90-daxctl-device.rules',
'/usr/lib/udev/rules.d/90-rdma-umad.rules',
'/usr/lib/udev/rules.d/90-usb-microbit.rules',
'/usr/lib/udev/rules.d/90-wireshark-usbmon.rules',
'/usr/lib/udev/rules.d/91-drm-modeset.rules',
'/usr/lib/udev/rules.d/92-viia.rules',
'/usr/lib/udev/rules.d/95-udev-late.rules',
'/usr/lib/udev/rules.d/96-e2scrub.rules',
'/usr/lib/udev/rules.d/99-BlackmagicDevices.rules',
'/usr/lib/udev/rules.d/99-DavinciPanel.rules',
'/usr/lib/udev/rules.d/99-fuse3.rules',
'/usr/lib/udev/rules.d/60-incus-agent.rules',
'/usr/lib/udev/rules.d/99-fuse.rules',
'/usr/lib/udev/rules.d/99-libsane1.rules',
'/usr/lib/udev/rules.d/99-lxd-agent.rules',
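Review bot: The exceptions added here (e.g. `60-sunshine-ublue.rules`, `60-incus-agent.rules`, `70-titan-key.rules`) are keyed on path alone, so once a filename is listed its content is never examined — and a udev rules file is an execution vector (`RUN+=`, `PROGRAM=`, `IMPORT{program}=` run as root on device events), so overwriting one of the roughly sixty small files listed is a quieter way to plant a rule than dropping a new file. Consider tying each exception to its content, for instance joining `hash` on `file.path` and keying the list on `hash.sha256` (or at minimum on `file.size`), so a modified allow-listed rule still surfaces; that may cost a few rows per distro version but is what the `file.size < 180` heuristic is trying to protect. The rest of the WHERE starts outside this hunk and the IN list continues past it.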


@ -91,6 +91,7 @@ WHERE
'accounts-daemon,/usr/lib/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
'acpid,/usr/sbin/acpid,0,system.slice,acpid.service,0755',
'pmdaxfs,/usr/libexec/pcp/pmdas/xfs/pmdaxfs,0,system.slice,pmcd.service,0755',
'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755',
'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
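Review bot: The new `'pmdaxfs,/usr/libexec/pcp/pmdas/xfs/pmdaxfs,0,system.slice,pmcd.service,0755'` entry is inserted between `acpid` and `agetty`, out of the alphabetical order this commit restores in the other exception lists; sorted lists are what make duplicate and near-duplicate keys visible on review, so it belongs with the `p…` entries. The key shape itself (name, path, uid, slice, unit, mode) matches the neighbouring rows, so no functional concern. The enclosing IN list starts and ends outside this hunk.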


@ -63,6 +63,7 @@ WHERE -- Focus on longer-running programs
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service.app/Contents/MacOS/prl_disp_service',
'/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd',
'/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
'/bin/bash',
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect',
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/XPCServices/XProtectPluginService.xpc/Contents/MacOS/XProtectPluginService',
'/Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer',
@ -77,31 +78,37 @@ WHERE -- Focus on longer-running programs
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmware-usbarbitrator',
'/Library/Application Support/X-Rite/Frameworks/XRiteDevice.framework/Versions/B/Resources/xrdd',
'/Library/Audio/Plug-Ins/HAL/SolsticeDesktopSpeakers.driver/Contents/XPCServices/RelayXpc.xpc/Contents/MacOS/RelayXpc',
'/Library/Nessus/run/sbin/nessus-service',
'/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater',
'/Library/Nessus/run/sbin/nessusd',
'/Library/Nessus/run/sbin/nessus-service',
'/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2',
'/Library/PrivilegedHelperTools/com.docker.vmnetd',
'/Library/PrivilegedHelperTools/MHLinkServer.app/Contents/MacOS/MHLinkServer',
'/Library/PrivilegedHelperTools/com.fortinet.forticlient.macos.PrivilegedHelper',
'/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent',
'/Library/PrivilegedHelperTools/keybase.Helper',
'/Library/PrivilegedHelperTools/licenseDaemon.app/Contents/MacOS/licenseDaemon',
'/Library/PrivilegedHelperTools/MHLinkServer.app/Contents/MacOS/MHLinkServer',
'/Library/SystemExtensions/0FDB5206-860F-465C-B4D3-D6A0F43F4302/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
'/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension',
'/Library/SystemExtensions/4D1BF33A-9817-45D7-A242-8C39810C7F11/com.redcanary.agent.securityextension.systemextension/Contents/MacOS/com.redcanary.agent.securityextension',
'/Library/SystemExtensions/CC9A335C-A6D0-4C87-B902-45EBDF4BFD85/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
'/System/Library/CoreServices/CrashReporterSupportHelper',
'/System/Library/CoreServices/ReportCrash',
'/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd',
'/System/Library/CoreServices/SubmitDiagInfo',
'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
'/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd',
'/opt/socket_vmnet/bin/socket_vmnet',
'/sbin/launchd',
'/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd',
'/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper',
'/System/Library/CoreServices/CrashReporterSupportHelper',
'/System/Library/CoreServices/iconservicesagent',
'/System/Library/CoreServices/launchservicesd',
'/System/Library/CoreServices/logind',
'/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow',
'/System/Library/CoreServices/osanalyticshelper',
'/System/Library/CoreServices/powerd.bundle/powerd',
'/System/Library/CoreServices/ReportCrash',
'/System/Library/CoreServices/sharedfilelistd',
'/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd',
'/System/Library/CoreServices/SubmitDiagInfo',
'/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader',
'/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/XPCServices/com.apple.ifdbundle.xpc/Contents/MacOS/com.apple.ifdbundle',
'/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc/Contents/MacOS/com.apple.hiservices-xpcservice',
@ -130,12 +137,12 @@ WHERE -- Focus on longer-running programs
'/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd',
'/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper',
'/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent',
'/System/Library/PrivateFrameworks/AppSSO.framework/Support/AppSSODaemon',
'/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Versions/A/XPCServices/com.apple.AppStoreDaemon.StorePrivilegedTaskService.xpc/Contents/MacOS/com.apple.AppStoreDaemon.StorePrivilegedTaskService',
'/System/Library/PrivateFrameworks/AppleCredentialManager.framework/AppleCredentialManagerDaemon',
'/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANECompilerService.xpc/Contents/MacOS/ANECompilerService',
'/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANEStorageMaintainer.xpc/Contents/MacOS/ANEStorageMaintainer',
'/System/Library/PrivateFrameworks/ApplePushService.framework/apsd',
'/System/Library/PrivateFrameworks/AppSSO.framework/Support/AppSSODaemon',
'/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Versions/A/XPCServices/com.apple.AppStoreDaemon.StorePrivilegedTaskService.xpc/Contents/MacOS/com.apple.AppStoreDaemon.StorePrivilegedTaskService',
'/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService',
'/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheTetheratorService.xpc/Contents/MacOS/AssetCacheTetheratorService',
'/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd',
@ -174,38 +181,26 @@ WHERE -- Focus on longer-running programs
'/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd',
'/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XProtectBehaviorService.xpc/Contents/MacOS/XProtectBehaviorService',
'/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService',
'/bin/bash',
'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
'/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd',
'/opt/socket_vmnet/bin/socket_vmnet',
'/sbin/launchd',
'/usr/bin/login',
'/usr/bin/sudo',
'/usr/bin/sysdiagnose',
'/usr/libexec/ASPCarryLog',
'/usr/libexec/AirPlayXPCHelper',
'/usr/libexec/ApplicationFirewall/socketfilterfw',
'/usr/libexec/IOMFB_bics_daemon',
'/usr/libexec/InternetSharing',
'/usr/libexec/PerfPowerServices',
'/usr/libexec/PowerUIAgent',
'/usr/libexec/TouchBarServer',
'/usr/libexec/UserEventAgent',
'/usr/libexec/airportd',
'/usr/libexec/amfid',
'/usr/libexec/aned',
'/usr/libexec/apfsd',
'/usr/libexec/applessdstatistics',
'/usr/libexec/ApplicationFirewall/socketfilterfw',
'/usr/libexec/ASPCarryLog',
'/usr/libexec/autofsd',
'/usr/libexec/automountd',
'/usr/libexec/batteryintelligenced',
'/usr/libexec/biokitaggdd',
'/usr/libexec/biometrickitd',
'/usr/libexec/bootinstalld',
'/usr/libexec/colorsync.displayservices',
'/usr/libexec/colorsyncd',
'/usr/libexec/colorsync.displayservices',
'/usr/libexec/configd',
'/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater',
'/usr/libexec/containermanagerd',
'/usr/libexec/corebrightnessd',
'/usr/libexec/coreduetd',
@ -219,6 +214,8 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/endpointsecurityd',
'/usr/libexec/findmydeviced',
'/usr/libexec/firmwarecheckers/ethcheck/ethcheck',
'/usr/libexec/InternetSharing',
'/usr/libexec/IOMFB_bics_daemon',
'/usr/libexec/ioupsd',
'/usr/libexec/kernelmanagerd',
'/usr/libexec/keybagd',
@ -236,8 +233,10 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/nesessionmanager',
'/usr/libexec/online-authd',
'/usr/libexec/opendirectoryd',
'/usr/libexec/PerfPowerServices',
'/usr/libexec/periodic-wrapper',
'/usr/libexec/powerdatad',
'/usr/libexec/PowerUIAgent',
'/usr/libexec/remoted',
'/usr/libexec/rtcreportingd',
'/usr/libexec/runningboardd',
@ -254,38 +253,40 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/taskgated',
'/usr/libexec/thermald',
'/usr/libexec/thermalmonitord',
'/usr/libexec/TouchBarServer',
'/usr/libexec/trustdFileHelper',
'/usr/libexec/tzd',
'/usr/libexec/tzlinkd',
'/usr/libexec/usbd',
'/usr/libexec/UserEventAgent',
'/usr/libexec/usermanagerd',
'/usr/libexec/warmd',
'/usr/libexec/watchdogd',
'/usr/libexec/wifianalyticsd',
'/usr/libexec/wifip2pd',
'/usr/libexec/wifivelocityd',
'/usr/local/bin/warsaw/core',
'/usr/local/kolide-k2/bin/osquery-extension.ext',
'/usr/local/sbin/velociraptor',
'/usr/sbin/BTLEServer',
'/usr/sbin/BlueTool',
'/usr/sbin/KernelEventAgent',
'/usr/sbin/WirelessRadioManagerd',
'/usr/sbin/aslmanager',
'/usr/sbin/audioclocksyncd',
'/usr/sbin/auditd',
'/usr/sbin/BlueTool',
'/usr/sbin/bluetoothd',
'/usr/sbin/BTLEServer',
'/usr/sbin/cfprefsd',
'/usr/sbin/distnoted',
'/usr/sbin/filecoordinationd',
'/usr/sbin/KernelEventAgent',
'/usr/sbin/mDNSResponderHelper',
'/usr/sbin/notifyd',
'/usr/sbin/securityd',
'/usr/sbin/spindump',
'/usr/sbin/sshd',
'/usr/local/bin/warsaw/core',
'/usr/sbin/syslogd',
'/usr/sbin/systemsoundserverd',
'/usr/sbin/systemstats'
'/usr/sbin/systemstats',
'/usr/sbin/WirelessRadioManagerd'
)
AND NOT path LIKE '/nix/store/%-nix-%/bin/nix'
AND NOT path LIKE '/opt/homebrew/Cellar/btop/%/bin/btop'
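Review bot: The telepresence exception is pinned to a literal version directory, `'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence'`, so the next Homebrew upgrade will reintroduce exactly the false positive this commit is trying to remove, while the neighbouring btop exception already uses a wildcard for the version segment. Drop it from the `NOT IN` list and add `AND NOT path LIKE '/opt/homebrew/Cellar/telepresence-arm64/%/bin/telepresence'` next to the btop pattern; `telepresence` itself would also be a candidate for the path to cover the non-arm64 formula name if that is in use. Separately, `/bin/bash`, `/usr/bin/login` and `/usr/bin/sudo` are excluded here by bare path only; if the surrounding query does not constrain them further (the rest of the `WHERE` is outside this hunk), a long-lived interactive shell is exactly what this "longer-running programs" rule would want to see, so those three at least deserve a comment recording why they are accepted.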