fpr: multipass, go, macOS, Ubuntu, Opera, git, ko

2023-06-02 19:08:08 -04:00 · 2023-06-02 19:08:08 -04:00 · 066c88dc18
parent bda533eb9f
commit 066c88dc18
21 changed files with 44 additions and 9 deletions
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@ -103,6 +103,7 @@ WHERE
    '/Library/Nessus/run/sbin/nessusd',
    '/opt/google/chrome/chrome',
    '/usr/bin/apko',
+    '/usr/bin/melange',
    '/sbin/apk',
    '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking',
    '/usr/lib/systemd/systemd-resolved'
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@ -111,6 +111,7 @@ WHERE
    '500,bash,bash,,bash',
    '0,EdgeUpdater,EdgeUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.EdgeUpdater',
    '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
+    '500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer',
    '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64',
    '500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
    '500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
@ -148,6 +149,9 @@ WHERE
    '500,chainctl,chainctl,500u,20g',
    '500,chainlink,chainlink,500u,20g',
    '500,cosign,cosign,0u,500g',
+    '500,wolfictl,wolfictl,500u,20g',
+    '500,cosign,cosign,500u,20g',
+    '500,cilium,cilium,500u,123g',
    '500,cpu,cpu,500u,20g',
    '500,crane,crane,0u,500g',
    '500,crane,crane,500u,80g',
@ -170,13 +174,15 @@ WHERE
  AND NOT (
    exception_key IN (
      '500,Python,Python,,org.python.python',
-      '500,Python,Python,,Python'
+      '500,Python,Python,,Python',
+      '500,Python,Python,,'
    )
    AND (
      p0_cmd LIKE '%/gcloud.py%'
      OR p0_cmd LIKE '%pip install%'
      OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
      OR p0_cmd LIKE '%/bin/aws%'
+      OR p0_cmd LIKE "%/gsutil/gsutil %"
    )
  ) -- theScore and other iPhone apps
  AND NOT (
--- a/detection/c2/unexpected-libcurl-user-linux.sql
+++ b/detection/c2/unexpected-libcurl-user-linux.sql
@ -69,6 +69,7 @@ WHERE
  AND NOT exception_key IN (
    'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
    'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
+    'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-frequent.service,0555',
    'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
    'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
    'dnf,/usr/bin/python__VERSION__,0,system.slice,dnf-makecache.service,0755',
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -150,6 +150,7 @@ WHERE
    '500,6,80,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
    '500,6,80,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),WhatsApp',
    '500,6,80,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
+    '500,6,22,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
    '500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
    '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
    '500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
--- a/detection/evasion/missing-from-disk-macos.sql
+++ b/detection/evasion/missing-from-disk-macos.sql
@ -61,7 +61,9 @@ WHERE
      OR p.path LIKE '/usr/local/Cellar/%/bin/%'
      OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
      OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
+      OR p.path LIKE '/Users/%/go/bin/%'
      OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'
+      OR p.path LIKE '/Users/%/.terraform/providers/%/terraform-provider-%'
      OR p.path LIKE '/Users/%/.local/share/nvim/mason/packages/%'
      OR cmd LIKE '/opt/homebrew/opt/%'
      OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%'
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@ -71,7 +71,7 @@ WHERE
    '/.file',
    '/.lesshst',
    '/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
-    '/.mozilla',
+    '/.mozilla/',
    '/tmp/.accounts-agent/',
    '/tmp/.audio-agent/',
    '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
@ -56,6 +56,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
          OR file.path LIKE '%/ci/%'
          OR file.path LIKE '%/Rakefile'
          OR file.path LIKE '%/debug/%'
+          OR file.path LIKE '/tmp/ko%/out'
          OR file.path LIKE '%/dist/%'
          OR file.path LIKE '%/flow/%.npmzS_cacachezStmpzSgit-clone%'
          OR file.path LIKE '%/git/%'
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@ -93,6 +93,7 @@ WHERE
        '~/Library/Application Support/Zed/',
        '~/Library/Application Support/WebEx Folder/',
        '/Library/Application Support/EcammLive',
+        '/usr/local/kolide-k2/Kolide.app/Contents/MacOS',
        '~/Library/Application Support/Foxit Software/',
        '~/Library/Application Support/JetBrains/',
        '~/Library/Application Support/OpenLens',
@ -113,6 +114,7 @@ WHERE
        '~/code/bin',
        '~/go/bin',
        '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
+        '/usr/local/kolide-k2/Kolide.app/Contents/MacOS',
        '~/Library/Application Support/dev.warp.Warp-Stable',
        '~/Library/Application Support/snyk-ls',
        '~/Library/Application Support/zoom.us/Plugins/aomhost.app/Contents/MacOS',
@ -159,6 +161,7 @@ WHERE
    'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
    'Developer ID Application: GitHub (VEKTX9H2N7)',
    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
    'Developer ID Application: GPGTools GmbH (PKV8ZPD836)',
    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
    'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
--- a/detection/execution/unexpected-env-values-linux.sql
+++ b/detection/execution/unexpected-env-values-linux.sql
@ -54,13 +54,18 @@ WHERE -- This time should match the interval
    pe.key = 'LD_PRELOAD'
    AND NOT pe.value = ''
    AND NOT p0.path LIKE '%/firefox'
-    AND NOT pe.value IN ('libfakeroot.so', '/usr/local/lib/libmimalloc.so')
+    AND NOT pe.value IN (
+      'libfakeroot.so',
+      '/usr/local/lib/libmimalloc.so',
+      '/usr/lib/libjemalloc.so'
+    )
    AND NOT pe.value LIKE ':/home/%/.local/share/Steam'
    AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'
    AND NOT pe.value LIKE ':/home/%/.local/share/Steam/ubuntu%/gameoverlayrenderer.so:/home/%/.local/share/Steam/ubuntu%/gameoverlayrenderer.so'
    AND NOT pe.value LIKE ':/snap/%'
    AND NOT pe.value LIKE '/app/bin/%'
    AND NOT pe.value LIKE 'libmozsandbox.so%'
+    AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
  )
  -- setuid
  OR (
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@ -178,6 +178,7 @@ WHERE
    '~/Downloads/google-cloud-sdk/bin',
    '~/Downloads/protoc/bin',
    '~/go/bin',
+    '~/Library/Application Support/Alfred/Assistant',
    '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
    '~/Library/Application Support/dev.warp.Warp-Stable',
    '/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
@ -278,9 +279,11 @@ WHERE
  AND dir NOT LIKE '~/%sigstore%'
  AND dir NOT LIKE '%/.terraform/providers/%'
  AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%' -- These signers can run from wherever the hell they want.
+  AND s.identifier != 'org.sparkle-project.Sparkle.Autoupdate'
  AND s.authority NOT IN (
    'Apple iPhone OS Application Signing',
    'Apple Mac OS Application Signing',
+    'Developer ID Application: reMarkable AS (4FFUD2H2F6)',
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Cisco (DE8Y96K9QP)',
    'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@ -113,6 +113,7 @@ WHERE
    '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
    '500,git,git,',
    '500,gitsign,a.out,',
+    '500,ko,,',
    '500,gitsign-credential-cache,a.out,',
    '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
    '500,go,a.out,',
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@ -38,6 +38,7 @@ WHERE
  AND file.btime > (strftime('%s', 'now') -86400)
  AND domain NOT IN (
    'adobe.com',
+    'vmware.com',
    'akmedia.digidesign.com',
    'alfredapp.com',
    'android.com',
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@ -258,6 +258,7 @@ WHERE
      'bash,500,Private Internet Access,launchd',
      'bash,500,steam,bash',
      'bash,500,xdg-desktop-portal,systemd',
+      'dash,0,dpkg,apt',
      'dash,0,anacron,systemd',
      'dash,0,dpkg,python3.10',
      'dash,0,kindnetd,containerd-shim-runc-v2',
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -56,6 +56,7 @@ WHERE
    'Alfred',
    'anacron',
    'bash',
+    'git-remote-http',
    'buildkit-runc',
    'build-script-build',
    'chezmoi',
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@ -62,9 +62,11 @@ WHERE
    'false,,NVD Cleaner,',
    'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
    'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml',
+    'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
    'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
    'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
    'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk',
+    'false,,Edge relevant text changes,jmjflgjpcpepeafmmgdpfkogkghcpiha',
    'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
    'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced',
    'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj',
--- a/detection/persistence/unexpected-launchd-program-arguments.sql
+++ b/detection/persistence/unexpected-launchd-program-arguments.sql
@ -69,6 +69,7 @@ WHERE
    '/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf',
    '/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080',
    '/opt/homebrew/opt/mariadb/bin/mysqld_safe',
+    '/opt/homebrew/opt/pueue/bin/pueued --verbose',
    '/opt/homebrew/opt/nginx/bin/nginx -g daemon off;',
    '/opt/homebrew/opt/skhd/bin/skhd',
    '/opt/homebrew/opt/tailscale/bin/tailscaled',
--- a/detection/persistence/unexpected-lock-opener.sql
+++ b/detection/persistence/unexpected-lock-opener.sql
@ -56,7 +56,7 @@ FROM
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
  pof.path LIKE "%.lock"
-  AND pof.path NOT LIKE "/run/user/%/%.lock"
+  AND NOT pof.path NOT LIKE "/run/user/%/%.lock"
  AND NOT p0.path LIKE '/System/%'
  AND NOT exception_key IN (
    '0,com.apple.MobileSoftwareUpdate.CryptegraftService,/private/var/db/softwareupdate/SplunkHistory',
@ -64,6 +64,7 @@ WHERE
    '500,flyctl,~/.fly',
    '500,iMovie,~/Movies/iMovie Library.imovielibrary',
    '200,softwareupdated,/private~/SplunkHistory',
+    '500,Opera,~/Library/Application Support/com.operasoftware.Opera',
    '500,com.docker.build,~/.docker/desktop-build',
    '500,Ecamm Live Stream Deck Plugin,~/Library/Application Support/com.elgato.StreamDeck/Sentry',
    '500,Beeper,~/Library/Application Support/Beeper/EventStore',
@ -86,6 +87,8 @@ WHERE
  )
  AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,~/%'
  AND NOT exception_key LIKE '500,iMovie,%.imovielibrary'
+  AND NOT exception_key LIKE '500,go,~/go/pkg/mod/cache/download/%'
+  AND NOT exception_key LIKE '500,remindd,/private/var/folders/%/T/.AddressBookLocks'
  AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,/private/var/folders/%'
  AND NOT exception_key LIKE '500,lua-language-server,~/%'
  AND NOT exception_key LIKE '500,ykman-gui,/private/var/folders/%/T'
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -72,12 +72,13 @@ WHERE
  p0.euid = 0
  AND p0.parent > 0
  AND p0.path != ""
-  AND p0.start_time < (strftime('%s', 'now') - 900)
+  AND p0.start_time < (strftime('%s', 'now') - 1200)
  AND exception_key NOT IN (
    'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
    'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
    'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
    'abrtd,/usr/sbin/abrtd,0,system.slice,abrtd.service,0755',
+    'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
    'accounts-daemon,/nix/store/__VERSION__/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0555',
    'accounts-daemon,/usr/lib/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
    'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@ -298,6 +298,7 @@ WHERE -- Focus on longer-running programs
    'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
    'Developer ID Application: Keybase, Inc. (99229SGT5K)',
    'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
+    'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
    'Developer ID Application: Kolide Inc (YZ3EM74M78)',
    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
    'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
--- a/detection/privesc/unexpected-elevated-children-events_linux.sql
+++ b/detection/privesc/unexpected-elevated-children-events_linux.sql
@ -116,6 +116,7 @@ WHERE
    '/usr/lib/systemd/systemd --user',
    '/bin/sh -c /usr/bin/pkexec /usr/share/apport/apport-gtk'
  )
+  AND NOT p0_cmd = '/usr/bin/pkexec /usr/lib/update-notifier/package-system-locked'
  AND NOT (
    p0_name = 'polkit-agent-helper-1'
    AND p1_path IN (
@ -131,8 +132,7 @@ WHERE
  AND NOT (
    p0_name IN ('dash', 'pkexec')
    AND p1_path = '/usr/bin/update-notifier'
-  )
-  -- A bizarro persistent false-positive from an Arch linux host
+  ) -- A bizarro persistent false-positive from an Arch linux host
  AND NOT (
    p.cgroup_path = "/init.scope"
    AND p1.cgroup_path != "/init.scope"
--- a/policy/unexpected-rsa-keys-mdfind.sql
+++ b/policy/unexpected-rsa-keys-mdfind.sql
@ -11,8 +11,8 @@ SELECT
  ea.value AS url
 FROM
  mdfind
-  LEFT JOIN file ON mdfind.path = file.path
-  LEFT JOIN users u ON file.uid = u.uid
+  JOIN file ON mdfind.path = file.path
+  JOIN users u ON file.uid = u.uid
  LEFT JOIN hash ON mdfind.path = hash.path
  LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
  AND ea.key = 'where_from'