Merge pull request #219 from tstromberg/fpr-mar14

fpr: yum, systemd, cloud-sql-proxy, image-automation-controller, helm…
This commit is contained in:
Thomas Strömberg 2023-03-14 19:02:37 -04:00 committed by GitHub
commit 0db565a079
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
37 changed files with 163 additions and 49 deletions


@ -111,16 +111,21 @@ WHERE
'500,chainctl,500u,500g,chainctl',
'500,chrome,0u,0g,chrome',
'500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'500,bom-linux-amd64,500u,500g,bom-linux-amd64',
'500,code,0u,0g,code',
'500,slirp4netns,0u,0g,slirp4netns',
'500,grafana,u,g,grafana',
'500,code,500u,500g,code',
'500,cosign,500u,500g,cosign',
'500,aws,500u,500g,aws',
'500,helm,0u,0g,helm',
'500,cosign-linux-amd64,0u,0g,cosign',
'500,crane,0u,0g,crane',
'500,crane,500u,500g,crane',
'500,flux,500u,500g,flux',
'500,curl,0u,0g,curl',
'500,tilt,500u,500g,tilt',
'80,6,500,python3.11,0u,0g,yum',
'500,Discord,0u,0g,Discord',
'500,Discord,u,g,Discord',
'500,docker,0u,0g,docker',
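Review bot: The entry `'80,6,500,python3.11,0u,0g,yum'` has seven comma-separated fields while every other entry in this list has five (`'500,helm,0u,0g,helm'`, `'500,docker,0u,0g,docker'` beside it), so it cannot equal the key this query builds and the yum exception it was meant to add is silently dead. It looks like a socket-style key carried over from one of the other files in this commit; the entry should take the same shape as its neighbours, which means checking the expression that builds `exception_key` (outside the hunk) for the exact fields. The `u,g` entries (`'500,grafana,u,g,grafana'`, `'500,Discord,u,g,Discord'`) suggest the key can be built from empty uid/gid values; a one-line comment above the list naming the key's fields would make malformed entries like this one easy to spot in review.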


@ -79,7 +79,7 @@ WHERE
AND NOT (
s.remote_address LIKE '100.%'
AND s.local_address LIKE '100.%'
AND exception_key = '32768,6,74,sshd,0u,0g,sshd'
AND exception_key = '32768,6,%,sshd,0u,0g,sshd'
)
AND NOT exception_key IN (
'123,17,114,chronyd,0u,0g,chronyd',
@ -94,6 +94,7 @@ WHERE
'22,6,0,tailscaled,0u,0g,tailscaled',
'22,6,500,cargo,0u,0g,cargo',
'22,6,500,cargo,500u,500g,cargo',
'22,6,500,image-automation-controller,u,g,image-automatio',
'22,6,500,netcat,0u,0g,nc',
'22,6,500,ssh,0u,0g,ssh',
'22,6,500,terraform,500u,500g,terraform',
@ -101,6 +102,7 @@ WHERE
'3000,6,500,chrome,0u,0g,chrome',
'32768,6,0,tailscaled,0u,0g,tailscaled',
'32768,6,500,ssh,0u,0g,ssh',
'3307,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'3443,6,500,chrome,0u,0g,chrome',
'3478,6,500,chrome,0u,0g,chrome',
'3478,6,500,firefox,0u,0g,firefox',
@ -144,6 +146,8 @@ WHERE
'80,6,0,python3.10,0u,0g,yum',
'80,6,0,python3.11,0u,0g,dnf',
'80,6,0,python3.11,0u,0g,yum',
'80,6,0,python3.9,u,g,yum',
'80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
'80,6,0,tailscaled,0u,0g,tailscaled',
'80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'80,6,0,/usr/python2.7,u,g,yum',
@ -161,6 +165,7 @@ WHERE
'80,6,500,firefox,0u,0g,firefox',
'80,6,500,firefox,0u,0g,.firefox-wrappe',
'80,6,500,gnome-software,0u,0g,gnome-software',
'80,6,500,main,500u,500g,main',
'80,6,500,mconvert,500u,500g,mconvert',
'80,6,500,obs-browser-page,u,g,obs-browser-pag',
'80,6,500,pacman,0u,0g,pacman',
@ -238,7 +243,7 @@ WHERE
AND s.protocol = 6
AND p.euid > 500
)
AND NOT (
AND NOT (
p.name = 'brave'
AND f.filename = 'brave'
AND s.remote_port > 3000
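Review bot: `AND exception_key = '32768,6,%,sshd,0u,0g,sshd'` swaps the concrete port for a `%` wildcard but keeps `=`, and `%` is only a wildcard under `LIKE`; with `=` the key no longer matches anything (not even the previous `74`), so the 100.x-to-100.x sshd traffic this `AND NOT (...)` block was meant to exclude will now alert. The line should read `AND exception_key LIKE '32768,6,%,sshd,0u,0g,sshd'`. The enclosing `WHERE` clause and the `AND NOT (` block start before the first hunk.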


@ -137,13 +137,13 @@ WHERE
)
)
AND NOT exception_key IN (
'123,17,500,gvproxy,,',
'123,17,500,gvproxy,a.out,',
'22,6,500,Cyberduck,ch.sudo.cyberduck,Developer ID Application: David Kocher (G69SCX94XU)',
'22,6,500,ssh,,',
'22,6,500,ssh,com.apple.openssh,Software Signing',
'22,6,500,ssh,com.apple.ssh,Software Signing',
'22,6,500,ssh,ssh,',
'9418,6,500,git,com.apple.git,Software Signing',
'22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
'30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@ -157,47 +157,42 @@ WHERE
'443,17,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing',
'443,17,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
'443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
'443,17,500,Signal Helper,org.whispersystems.signal-desktop.helper,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'443,17,500,Slack Helper,,',
'123,17,500,gvproxy,,',
'443,17,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'443,6,0,Adobe Installer,com.adobe.AAMHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
'443,6,0,com.apple.NRD.UpdateBrainService,com.apple.NRD.UpdateBrainService,Software Signing',
'443,6,0,Install,com.adobe.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,0,launcher,com.kolide.agent,Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)',
'443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'80,6,500,mconvert,a.out,',
'443,6,500,mconvert,a.out,',
'443,6,0,com.paragon-software.extfsd,com.paragon-software.extfsd,Developer ID Application: Paragon Software GmbH (LSJ6YVK468)', -- update checks
'443,6,0,com.paragon-software.ntfsd,com.paragon-software.ntfsd,Developer ID Application: Paragon Software GmbH (LSJ6YVK468)', -- update checks
'443,6,0,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,0,Install,com.adobe.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
'443,6,0,launcher,com.kolide.agent,Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'443,6,0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)',
'443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'443,6,0,nix,nix,',
'443,6,500,go,,',
'443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,500,,,',
'443,6,500,steampipe-plugin-aws.plugin,a.out,',
'443,6,500,Kindle,com.amazon.Lassen,TestFlight Beta Distribution',
'443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,500,Amazon Photos Installer,com.amazon.clouddrive.mac.installer,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,500,apko,a.out,',
'443,6,500,aws,37c466-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,500,aws,e956a0-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
'443,6,500,bash,bash,',
'443,6,500,BlockBlock Installer,com.objective-see.blockblock.installer,Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'443,6,500,bom,,',
'443,6,500,chainctl,,',
'443,6,500,chainctl,a.out,',
'443,6,500,Transmit,com.panic.Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5)',
'443,6,0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'443,6,500,chainctl,chainctl,',
'443,6,500,trivy,,',
'443,6,500,chainctl_darwin_arm64,a.out,',
'443,6,500,chainctl_Darwin_arm64,a.out,',
'443,6,500,civo,a.out,',
'443,6,500,cloud_sql_proxy,a.out,',
'443,6,500,Paintbrush,com.soggywaffles.paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG)',
'443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,Code Helper (Plugin),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,com.docker.backend,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
'443,6,500,com.docker.extensions,com.docker,Developer ID Application: Docker Inc (9BNSXJN65R)',
@ -205,9 +200,7 @@ WHERE
'443,6,500,cosign,a.out,',
'443,6,500,cosign,cosign,',
'443,6,500,crane,,',
'443,17,500,Signal Helper,org.whispersystems.signal-desktop.helper,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'443,6,500,crane,a.out,',
'443,6,500,Amazon Photos Installer,com.amazon.clouddrive.mac.installer,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,500,crane,crane,',
'443,6,500,ctclient,a.out,',
'443,6,500,curl,com.apple.curl,Software Signing',
@ -221,9 +214,12 @@ WHERE
'443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
'443,6,500,FlyDelta,com.delta.iphone.ver1,Apple iPhone OS Application Signing',
'443,6,500,FOX Sports Helper,Electron Helper,',
'443,6,500,gh,a.out,',
'443,6,500,gh,gh,',
'443,6,500,gh-sbom,gh-sbom-b3d347c0b2c99e6c265dff64210a79ddfac85a72,',
'443,6,500,git,com.apple.git,Software Signing',
'443,6,500,git-credential-manager,git-credential-manager,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,git-credential-osxkeychain,git-credential-osxkeychain,',
'443,6,500,git,git,',
'443,6,500,GitHub Desktop Helper,com.github.GitHubClient.helper,Developer ID Application: GitHub (VEKTX9H2N7)',
@ -231,14 +227,17 @@ WHERE
'443,6,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing',
'443,6,500,git-remote-http,,',
'443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing',
'443,6,500,git-remote-http,git-remote-http,',
'443,6,500,gitsign,,',
'443,6,500,gitsign,a.out,',
'443,6,500,gitsign,gitsign,',
'443,6,500,go,,',
'443,6,500,go,a.out,',
'443,6,500,go,org.golang.go,Developer ID Application: Google LLC (EQHXZ8M8AV)',
'443,6,500,grype,grype,',
'443,6,500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
'443,6,500,gvproxy,a.out,',
'443,6,500,helm,,',
'443,6,500,helm,a.out,',
'443,6,500,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,500,istioctl,a.out,',
@ -247,6 +246,7 @@ WHERE
'443,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'443,6,500,Java Updater,com.oracle.java.Java-Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'443,6,500,jx,,',
'443,6,500,Kindle,com.amazon.Lassen,TestFlight Beta Distribution',
'443,6,500,ko,a.out,',
'443,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
'443,6,500,kubectl,,',
@ -254,6 +254,7 @@ WHERE
'443,6,500,legitify,legitify,Developer ID Application: LEGIT SECURITY LTD (8V693922X7)',
'443,6,500,limactl,,',
'443,6,500,main,a.out,',
'443,6,500,mconvert,a.out,',
'443,6,500,melange,a.out,',
'443,6,500,minikube,,',
'443,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
@ -262,19 +263,18 @@ WHERE
'443,6,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
'443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,op,com.1password.op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C)',
'443,6,500,Paintbrush,com.soggywaffles.paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG)',
'443,6,500,PlexMobile,com.plexapp.plex,Apple iPhone OS Application Signing',
'443,6,500,policy-tester,a.out,',
'443,6,500,prober,a.out,',
'443,6,500,provisio,,',
'443,6,500,pulumi-resource-gcp,a.out,',
'443,6,500,Code Helper (Plugin),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,500,pulumi-resource-github,a.out,',
'443,6,500,python2.7,python2.7,',
'443,6,500,python3.10,python3.10,',
'443,6,500,Python,com.apple.python3,Software Signing',
'443,6,500,Python,org.python.python,',
'443,6,500,Python,Python,',
'443,6,500,git-remote-http,git-remote-http,',
'443,6,500,rclone,a.out,',
'443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
'443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
@ -289,15 +289,16 @@ WHERE
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
'443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'443,6,500,steampipe-plugin-aws.plugin,a.out,',
'443,6,500,step,step,',
'443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
'443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'443,6,500,Transmit,com.panic.Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5)',
'443,6,500,trivy,,',
'443,6,500,trivy,a.out,',
'443,6,0,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,500,vegeta,a.out,',
'443,6,500,FOX Sports Helper,Electron Helper,',
'443,6,500,vim,vim,',
'443,6,500,wolfictl,a.out,',
'443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
@ -311,9 +312,12 @@ WHERE
'80,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
'80,6,500,curl,com.apple.curl,Software Signing',
'80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
'80,6,500,mconvert,a.out,',
'80,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
'80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'80,6,500,webhook.test,a.out,',
'8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)'
'8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
'9418,6,500,git,com.apple.git,Software Signing'
)
AND NOT exception_key LIKE '443,6,500,java,com.oracle.java.%.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)'
-- Steam uses ports in the 27xxx range
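Review bot: The entry `'443,6,500,,,'` in the exception list excuses any uid-500 process with an empty name, empty identifier and empty authority connecting to 443/tcp — the least specific shape a key in this list can take; the other empty-authority entries (`'443,6,500,bash,bash,'`, `'443,6,500,chainctl,,'`) are at least pinned to a process name. If it was added to quiet a specific nameless process, a comment on the line naming it (`-- <process> reports an empty name and identifier; confirm`) lets the next reader judge whether it is still needed, and pinning the name would remove the blanket exception. I cannot tell from the rendered hunk whether this line is new or pre-existing, but it is on the new side either way and this commit reorders the surrounding entries.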


@ -125,12 +125,13 @@ WHERE
'gopls',
'grype',
'idea',
'melange-run',
'Install',
'java',
'jetbrains-toolb',
'launcher',
'limactl',
'melange-run',
'monorail',
'nessusd',
'ninja',
'node',
@ -150,6 +151,7 @@ WHERE
'tracker-miner-f',
'trivy',
'trivy-db',
'unattended-upgr',
'wineserver',
'yum'
)


@ -61,7 +61,12 @@ WHERE
'zfs',
'zypak-sandbox'
)
AND NOT pp.name IN ('systemd-userdbd', 'crond', 'systemd')
AND NOT pp.name IN (
'systemd-userdbd',
'crond',
'systemd',
'(udev-worker)'
)
AND NOT (
p.name LIKE 'systemd-%'
AND p.parent = 1


@ -47,3 +47,4 @@ WHERE
AND file.inode IS NULL
-- Snap packages?
AND p.path NOT LIKE '/tmp/.mount_%'
AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
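Review bot: The new `AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'` exempts a binary under every user's `~/.cache`, a location anything running as that user can write to, from a rule whose visible condition (`file.inode IS NULL`) targets processes whose backing file is gone. A comment recording why that is acceptable here — presumably `-- yay rebuilds 1password-cli in place, leaving the running op without an inode` — would keep the exception from looking like an oversight, and pairing it with a uid or parent-name condition would keep it from covering an arbitrary binary that merely sits at that path. The `WHERE` clause starts before the hunk.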


@ -60,6 +60,7 @@ WHERE
'usr/sbin/auditd',
'/usr/bin/tmux',
'/usr/share/code/code',
'/usr/libexec/gdm-wayland-session',
'/usr/bin/osqueryd',
'/usr/bin/sudo',
'/usr/bin/yay',
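Review bot: Two lines above the added `'/usr/libexec/gdm-wayland-session'`, the existing entry `'usr/sbin/auditd'` is missing its leading slash, so it can never match an absolute path and whatever auditd noise it was meant to suppress is still alerting; since the commit edits this list, fixing it to `'/usr/sbin/auditd'` in passing is cheap. The list is also not in path order (`/usr/libexec/...` now sits between `/usr/share/code/code` and `/usr/bin/osqueryd`), which is how a malformed entry like that one goes unnoticed; sorting it would surface such mistakes at review time.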


@ -82,6 +82,8 @@ WHERE
'/tmp/.last_update_check.json',
'/tmp/.last_survey_prompt.yaml',
'/tmp/.Test-unix/',
'/tmp/.docker/',
'/tmp/.docker-tmp/',
'/tmp/.vbox-t-ipc/',
'/tmp/.X0-lock',
'/tmp/.X11-unix/',


@ -124,6 +124,7 @@ WHERE
OR (
INSTR(p0_cmd, 'history') > 0
AND p0_cmd LIKE '%history'
AND p0_cmd NOT LIKE '% history'
)
OR p0_cmd LIKE '%echo%|%base64 --decode %|%'
OR p0_cmd LIKE '%launchctl bootout%'
@ -163,8 +164,12 @@ WHERE
'/bin/launchctl bootout system/com.docker.socket',
'/bin/rm -f /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
'git history',
'chmod 0777 /Users/Shared/logitune',
'nix profile history',
'helm history',
'rm -f /tmp/mysql.sock',
'nc -h',
'nc -uv 8.8.8.8 53',
'/Library/Apple/System/Library/StagedFrameworks/Safari/SafariShared.framework/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History',
'/usr/bin/csrutil report',
'/usr/bin/csrutil status',
@ -179,6 +184,7 @@ WHERE
AND NOT p0_cmd LIKE '-history%'
AND NOT p0_cmd LIKE 'dirname %history'
AND NOT p0_cmd LIKE '/bin/rm -f /tmp/periodic.%'
AND NOT p0_cmd LIKE '/bin/rm -f /tmp/nix-shell.%'
AND NOT p0_cmd LIKE 'touch -r . /private/tmp/nix-build%'
AND NOT p0_cmd LIKE '%GNU Libtool%touch -r%'
AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/_updatedb%'
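Review bot: The exact-match exceptions `'git history'`, `'nix profile history'` and `'helm history'` added in the second hunk look redundant with the `AND p0_cmd NOT LIKE '% history'` added to the `history` branch in the first hunk, since each ends in a space followed by `history`; if the `IN (...)` list is a `NOT IN` exception over the same `p0_cmd` they can be dropped, and if it serves another purpose a comment saying so would stop the next reviewer from removing them. Note that the new `NOT LIKE '% history'` also excludes any command whose final word is `history`, not only those three tools, which is worth stating in a comment if intended. The `'nc -uv 8.8.8.8 53'` entry is a very specific command line to exempt permanently; a short `-- <who/why>` note on it would help. Both hunks sit inside a `WHERE` clause that starts before the section.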


@ -58,6 +58,7 @@ WHERE
'/opt/sublime_text/sublime_text',
'/usr/lib/systemd/systemd-machined',
'/usr/lib/upowerd',
'/usr/bin/nvidia-persistenced',
'/usr/bin/alacritty',
'/usr/bin/dash',
'/usr/bin/bash',
@ -104,6 +105,8 @@ WHERE
'/usr/libexec/ibus-engine-simple',
'/usr/libexec/ibus-extension-gtk3',
'/usr/libexec/ibus-portal',
'/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1',
'/usr/lib/systemd/systemd-hostnamed',
'/usr/libexec/ibus-x11',
'/usr/bin/hugo',
'/usr/libexec/snapd/snapd',


@ -93,7 +93,8 @@ WHERE
AND NOT path LIKE '/usr/local/Cellar/%'
AND NOT path LIKE '/usr/local/kolide-k2/%'
AND NOT path LIKE '%/.vscode/extensions/%'
GROUP BY path
GROUP BY
path
)
AND (p0.start_time - MAX(f.ctime, f.btime)) < 120
AND f.ctime > 0
@ -108,6 +109,8 @@ WHERE
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
@ -145,9 +148,10 @@ WHERE
AND p0.cmdline LIKE './%'
)
AND NOT (
p0.path LIKE '/Users/%/Library/Printers/EPSON%/Contents/MacOS/PrinterProxy'
p0.path LIKE '/Users/%/Library/Printers/%/Contents/MacOS/PrinterProxy'
AND s.identifier = 'com.apple.print.PrinterProxy'
AND s.authority = ''
AND p0.uid > 499
)
GROUP BY
p0.pid
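Review bot: Widening `p0.path LIKE '/Users/%/Library/Printers/EPSON%/Contents/MacOS/PrinterProxy'` to `'/Users/%/Library/Printers/%/Contents/MacOS/PrinterProxy'` turns a vendor-specific exception into one that accepts an unsigned binary (`s.authority = ''`) anywhere under a user-writable `~/Library/Printers/` tree for every uid above 499, with only `s.identifier` — a value the signer sets, not Apple — still pinning it. If the aim is more printer vendors, enumerating them (`Printers/EPSON%`, `Printers/<vendor>%`) or adding a parent-process condition keeps the exception narrow; at minimum a comment such as `-- PrinterProxy is ad-hoc signed by the printer driver; identifier is the only check` records the accepted risk. The `AND NOT (...)` block is complete within the hunk.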


@ -61,9 +61,11 @@ WHERE
AND p0_cmd NOT IN (
'./conftest',
'./configure',
'./ksinstall --install=Keystone.tbz'
'./ksinstall --install=Keystone.tbz',
'./podinfo --port=9898 --port-metrics=9797 --grpc-port=9999 --grpc-service-name=podinfo --level=info --random-delay=false --random-error=false'
)
AND p0_cmd NOT LIKE './tools/bpf/resolve_btfids/resolve_btfids -b vmlinux /var/lib/dkms/%'
AND p0_cmd NOT LIKE './tools/objtool/objtool --hacks=jump_label%'
AND p0_cmd NOT LIKE './tools/objtool/objtool%--hacks%'
AND p0_cmd NOT LIKE './out/osqtool-% %'
AND p0_path NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%/OneDrivePkgTelemetry'
AND NOT p0_cgroup LIKE '/system.slice/docker-%'


@ -22,6 +22,7 @@ SELECT
'(~*/.*?/.*?/.*?)/',
1
) AS top3_dir,
u.directory AS user_home_dir,
-- Child
pe.path AS p0_path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
@ -103,6 +104,7 @@ WHERE
'~/proj',
'~/projects',
'~/Projects',
'~/workspace',
'~/.provisio',
'~/.pulumi',
'~/.pyenv',
@ -118,14 +120,15 @@ WHERE
'/Library/Apple/System',
'/Library/Application Support/Adobe',
'~/Library/Application Support/BraveSoftware',
'/Library/Application Support/Canon_Inc_IC',
'~/Library/Application Support/com.elgato.StreamDeck',
'/Library/Application Support/EcammLive',
'~/Library/Application Support/Foxit Software',
'/Library/Application Support/GPGTools',
'~/Library/Application Support/JetBrains',
'~/Library/Application Support/zoom.us',
'~/Library/Caches/com.knollsoft.Rectangle',
'~/Library/Caches/com.mimestream.Mimestream',
'/Library/Application Support/Canon_Inc_IC',
'~/Library/Caches/snyk',
'/Library/Developer/CommandLineTools',
'~/Library/Developer/Xcode',
@ -133,7 +136,6 @@ WHERE
'~/Library/Google/GoogleSoftwareUpdate',
'/Library/Java/JavaVirtualMachines',
'/Library/Plug-Ins/FxPlug',
'~/Library/Application Support/Foxit Software',
'/opt/homebrew/Caskroom',
'/opt/homebrew/Cellar',
'/opt/homebrew/Library',
@ -141,6 +143,7 @@ WHERE
'/usr/libexec/rosetta',
'/usr/local/Cellar',
'/usr/local/kolide-k2',
'/Volumes/Google Chrome/Google Chrome.app',
'/Volumes/Slack/Slack.app'
)
AND dir NOT IN (


@ -97,6 +97,7 @@ WHERE
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
'~/Library/Application Support/dev.warp.Warp-Stable',
'~/Library/Application Support/zoom.us/Plugins/aomhost.app/Contents/MacOS',
'~/.local/share/gh/extensions/gh-sbom',
'~/.local/bin',
'~/.magefile',
'~/projects/go/bin'
@ -140,6 +141,7 @@ WHERE
'~/Library/Application Support/OpenLens',
'~/Library/Caches/com.mimestream.Mimestream/',
'~/Library/Caches/com.sempliva.Tiles/',
'~/Library/Caches/org.gpgtools.updater/',
'~/Library/Caches/snyk/',
'/Library/Developer/Xcode/',
'~/.terraform.d/plugin-cache/registry.terraform.io/'


@ -13,6 +13,7 @@ SELECT
TRIM(pe.cmdline) AS p0_cmd,
pe.cwd AS p0_cwd,
pe.pid AS p0_pid,
pe.euid AS p0_euid,
p.cgroup_path AS p0_cgroup,
-- Parent
pe.parent AS p1_pid,


@ -83,6 +83,7 @@ WHERE
p0_cmd IN ('osascript -e user locale of (get system info)')
OR p0_cmd LIKE '%"CFBundleName" of property list file (app_path & ":Contents:Info.plist")'
OR p0_cmd LIKE 'osascript -e set zoomStatus to "closed"%'
OR p0_cmd LIKE 'osascript -l JavaScript%com.elgato.StreamDeck%'
OR p0_cmd LIKE 'osascript -e%tell application "System Preferences"%reveal anchor "shortcutsTab"%"com.apple.preference.keyboard"'
OR p0_cmd LIKE 'osascript -e tell application "zoom.us"%'
OR p0_cmd LIKE 'osascript -l JavaScript /tmp/PKInstallSandbox.%/Scripts/org.gpgtools.gpgmailloader.pkg.%/mailbundle-enabled.jxa -- GPGMailLoader.mailbundle'
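Review bot: `OR p0_cmd LIKE 'osascript -l JavaScript%com.elgato.StreamDeck%'` has wildcards on both sides of the bundle id, so it excuses any `osascript -l JavaScript` invocation that mentions `com.elgato.StreamDeck` anywhere in its arguments, not just the Stream Deck plugin's own script. The neighbouring gpgtools exception anchors on the script path (`osascript -l JavaScript /tmp/PKInstallSandbox.%/...`); if the Stream Deck script path is stable, pinning it the same way makes this exception as tight. The `OR` chain starts before the hunk.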


@ -97,6 +97,14 @@ WHERE
AND pe.path LIKE "/nix/store/%-nix-%/bin/nix"
AND p1.path = "/sbin/launchd"
)
AND NOT (
s.authority = ""
AND (
pe.path LIKE "/nix/store/%-nix-%/bin/nix-%"
OR pe.path LIKE "/private/var/folders/%/T/tmp.%/nix-installer"
)
AND p1.path = "/usr/bin/sudo"
)
AND NOT (
s.authority = ""
AND p0_path LIKE "/opt/%/bin/socket_vmnet"
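Review bot: The new block exempts an unsigned binary (`s.authority = ""`) at `/private/var/folders/%/T/tmp.%/nix-installer` when its parent is `/usr/bin/sudo`, i.e. an unsigned root process launched from a `mktemp`-style directory that any process running as the user can create, with the file name as the only distinguishing feature. The `/nix/store/%-nix-%/bin/nix-%` half of the `OR` is at least pinned to the store path; for the installer half, a comment recording the one-off it covers (`-- nix-installer runs once from a mktemp dir during install; remove after rollout`) and, if available, an extra condition on the expected `p0_cmd` would keep this from becoming a standing root exception. Unlike the sibling block above it, this one is fully contained in the hunk.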


@ -53,7 +53,7 @@ WHERE
FROM
processes
WHERE
start_time < (strftime('%s', 'now') - 900)
start_time < (strftime('%s', 'now') - 3600)
AND parent != 0
-- Assume STP
AND NOT path LIKE '/System/%'
@ -82,6 +82,10 @@ WHERE
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,bufls,a.out,',
'500,stern,a.out,',
'500,registry,a.out,',
'500,mattermost,a.out,',
'500,plugin-darwin-arm64,a.out,',
'500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
'500,.cargo-wrapped,.cargo-wrapped,',
'500,cloud_sql_proxy,a.out,',
@ -105,6 +109,7 @@ WHERE
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,ipcserver.old,,',
'500,debug.test,a.out,',
'500,Bazecor Helper,,',
'500,ko,a.out,',
'500,kubectl,a.out,',
@ -118,6 +123,7 @@ WHERE
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,BloomRPC Helper,,',
'500,melange-run,a.out,',
'500,dlv,a.out,',
'500,registry-redirect,a.out,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
@ -144,6 +150,10 @@ WHERE
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,'
)
AND NOT (
exception_key LIKE '500,%,a.out,'
AND p0.path LIKE '/private/var/folders%/T/go-build%/exe/%'
)
AND NOT exception_key LIKE '500,terraform-provider-%,a.out,'
AND NOT exception_key LIKE '500,Runner.%,apphost-%,'
AND NOT exception_key LIKE '500,kubectl.%,a.out,'
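Review bot: The new `AND NOT (exception_key LIKE '500,%,a.out,' AND p0.path LIKE '/private/var/folders%/T/go-build%/exe/%')` exempts every ad-hoc `a.out` binary in a user's go-build temp directory regardless of name, where the rest of this list insists on a per-binary entry; a parent-process condition (the binary being spawned by `go`) would keep `go run` quiet without accepting anything that happens to sit under that path, and the reasoning belongs in a comment above the block either way. Separately, the `start_time` window in the first hunk changes from `900` to `3600` seconds with no explanation; a comment beside it, e.g. `-- ignore processes younger than an hour; short-lived builds are noisy` (adjusted to the real reason), would stop the next tuner from moving it back. The outer `SELECT`/`WHERE` start before the section.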


@ -83,6 +83,7 @@ WHERE
AND p0_cmd NOT LIKE '%xattr -r -d com.apple.quarantine /Applications/%.app'
AND p0_cmd NOT LIKE '%xattr -d com.apple.quarantine /Applications/%.app'
AND p0_cmd NOT LIKE '%xattr -d com.apple.quarantine /Applications/%.app/%.xpc'
AND p0_cmd NOT LIKE '%xattr -d com.apple.FinderInfo /Applications/Parallels Desktop.app'
AND NOT (
pe.euid > 500
AND p0_cmd LIKE '%xattr -l %'


@ -74,6 +74,7 @@ WHERE
'nix-daemon',
'nvim',
'osqueryd',
'unattended-upgr',
'qemu-system-aarch64',
'qemu-system-x86',
'qemu-system-x86-64',
@ -98,6 +99,7 @@ WHERE
'/usr/libexec/coreduetd',
'/usr/libexec/diskmanagementd',
'/usr/bin/update-notifier',
'/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
'/usr/libexec/flatpak-system-helper',
'/usr/libexec/logd',
'/usr/libexec/logd_helper',


@ -94,6 +94,7 @@ WHERE
OR vol_name LIKE "%Update"
)
AND file.directory LIKE "/Volumes/%/Contents/MacOS"
AND signature.authority != "Logitech Inc. (QED4VVPZWA)"
) -- 6. Volumes containing a hidden top-level folder or binary, such as yWnBJLaF (1302.app)
OR (
file.bsd_flags = "HIDDEN"
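Review bot: `AND signature.authority != "Logitech Inc. (QED4VVPZWA)"` compares against a bare team name, while every other authority value in this commit carries the `Developer ID Application: ` prefix (the launchd allowlist has `'Developer ID Application: Logitech Inc. (QED4VVPZWA)'`), so unless this column is populated differently the comparison is always true and the Logitech volumes are not actually excluded; the line should probably read `AND signature.authority != "Developer ID Application: Logitech Inc. (QED4VVPZWA)"`. If the signature table can yield NULL rather than `''` for unsigned binaries, `!=` would also drop those rows from this branch; `COALESCE(signature.authority, '') != ...` makes the intent explicit. The `OR (...)` branch this sits in starts before the hunk.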


@ -64,7 +64,6 @@ WHERE
'epson.com',
'fcix.net',
'gaomon.net',
'kagi.com',
'getutm.app',
'gimp.org',
'github.io',
@ -74,6 +73,7 @@ WHERE
'integodownload.com',
'irccloud.com',
'jetbrains.com',
'kagi.com',
'libreoffice.org',
'logitech.com',
'loom.com',
@ -83,6 +83,7 @@ WHERE
'mirrorservice.org',
'mojang.com',
'mozilla.org',
'mutedeck.com',
'mysql.com',
'notion.so',
'notion-static.com',
@ -104,6 +105,7 @@ WHERE
'techsmith.com',
'ubuntu.com',
'umd.edu',
'usa.canon.com',
'vc.logitech.com',
'virtualbox.org',
'warp.dev',
@ -120,6 +122,7 @@ WHERE
'discord.com',
'dl.discordapp.net',
'dl.google.com',
'mutedeck.com',
'duckduckgo.com',
'dygma.com',
'emacsformacosx.com',
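Review bot: `'mutedeck.com'` is added twice in this file, once after `'mozilla.org'` in the first list and once between `'dl.google.com'` and `'duckduckgo.com'` in the second; if both hunks belong to the same `IN (...)` list the second entry is a duplicate, and if they are separate lists the second is out of the alphabetical order the surrounding entries keep — the same drift that left `'kagi.com'` misplaced until this commit moved it. Keeping each list sorted, and a one-line comment stating what distinguishes the two lists if they differ, avoids the next duplicate. Both lists start before their hunks.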


@ -199,6 +199,7 @@ WHERE
'/bin/sh -c lsb_release -a --short',
'/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
'/bin/sh -c scutil --get ComputerName',
"/bin/sh -c defaults delete 'com.cisco.webexmeetingsapp'",
'/bin/sh -c sysctl hw.model kern.osrelease',
'/bin/sh /usr/bin/lsb_release -a',
'/bin/sh /usr/bin/lsb_release -a --short',
@ -243,6 +244,7 @@ WHERE
'bash,0,kube-apiserver,containerd-shim-runc-v2',
'bash,0,pia-daemon,launchd',
'bash,0,udevadm,udevadm',
'sh,500,Meeting Center,launchd',
'bash,500,com.docker.dev-envs,com.docker.backend',
'bash,500,Foxit PDF Reader,launchd',
'bash,500,gnome-session-binary,systemd',
@ -274,6 +276,7 @@ WHERE
OR p0_cmd LIKE '/bin/sh %/bin/gcloud%config config-helper%'
OR p0_cmd LIKE '/bin/sh -c pkg-config %'
OR p0_cmd LIKE '/bin/sh %/docker-credential-gcloud get'
OR p0_cmd LIKE '/bin/bash %git credential-osxkeychain get'
OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-open %'
OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings check %'
OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings get %'
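Review bot: `"/bin/sh -c defaults delete 'com.cisco.webexmeetingsapp'"` is the only double-quoted literal in this list of single-quoted entries; SQLite accepts it as a string only because no column has that name, and an ANSI engine would read it as an identifier. Writing it as `'/bin/sh -c defaults delete ''com.cisco.webexmeetingsapp''',` keeps the list uniform and portable. The added `'sh,500,Meeting Center,launchd'` is also placed among the `bash,0,...` entries rather than with the other `sh,` keys, breaking the sorted order the surrounding entries follow. Both lists start before their hunks.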


@ -59,6 +59,7 @@ WHERE
'Docker Desktop',
'dumb-init',
'erl_child_setup',
'Runner.Worker',
'find',
'FinderSyncExtension',
'fish',
@ -107,6 +108,7 @@ WHERE
'sshd',
'steam_osx',
'LogiTune',
'inittool2',
'swift',
'systemd',
'terminator',
@ -136,6 +138,7 @@ WHERE
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
'/Applications/Parallels Desktop.app/Contents/MacOS/prl_update_helper',
'/bin/dash',
'/usr/bin/dash',
'/bin/sh',
'/Library/Developer/CommandLineTools/usr/bin/git',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon',
@ -144,6 +147,7 @@ WHERE
'/System/Library/Frameworks/Security.framework/authtrampoline',
'/usr/bin/alacritty',
'/usr/bin/apt-get',
'/usr/bin/apt',
'/usr/bin/bash',
'/usr/bin/bwrap',
'/usr/bin/crond',


@ -77,6 +77,11 @@ WHERE
'.background',
'.disk_label',
'.keystone_install',
'.CFUserTextEncoding',
'.actrc',
'.angular-config.json',
'.bash_history',
'.bashrc',
'.disk_label_2x',
'.DS_Store',
'.file',
@ -103,6 +108,7 @@ WHERE
AND trimpath NOT IN (
'/Volumes/Google Chrome/.keystone_install',
'/Volumes/Google Chrome Canary/.keystone_install',
'/Volumes/PMHOME_3601DL/PMH_INST.pkg',
'/Volumes/Jabra Direct Setup/JabraDirectSetup.pkg'
)
AND trimpath NOT LIKE '/Volumes/JDK %/JDK %.pkg'


@ -45,6 +45,7 @@ WHERE
'jfif',
'jpeg',
'jpg',
'key',
'mov',
'mp3',
'mp4',
@ -57,6 +58,7 @@ WHERE
'pem',
'pgp',
'png',
'potx',
'ppt',
'pptx',
'pub',


@ -184,6 +184,7 @@ WHERE
'livesys-late.service,SYSV: Late init script for live image.,,450',
'livesys.service,LSB: Init script for live image.,,450',
'lm_sensors.service,Hardware Monitoring Sensors,,225',
'lm-sensors.service,Initialize hardware monitoring sensors,,0',
'lm_sensors.service,Initialize hardware monitoring sensors,,225',
'local-fs-pre.target,Local File Systems (Pre),,225',
'local-fs-pre.target,Preparation for Local File Systems,,450',


@ -57,9 +57,7 @@ WHERE
'false,,Google Drive,aghbiahbpaijignceidepookljebhfak', -- Deprecated Google Extension
'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg', -- Deprecated Google Extension
'false,julienv3@gmail.com,treasure-clicker,',
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
'false,juverm@chainguard.dev,auto-close-gitsign,',
'true,,Jamstash,jccdpflnecheidefpofmlblgebobbloc',
'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml', -- Deprecated Google Extension
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
@ -98,6 +96,7 @@ WHERE
'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg',
"true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
'true,,Datanyze Chrome Extension,mlholfadgbpidekmhdibonbjhdmpmafd',
'true,,DealFinder by VoucherCodes,jhgicjdnnonfaedodemjjinbgcoeiajo',
'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo',
'true,,Disconnect,jeoacafpbcihiomhlakheieifhpjdfeo',
'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg',
@ -109,6 +108,7 @@ WHERE
'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe',
'true,eyeo GmbH,Adblock Plus - free ad blocker,cfhdojbkjhnklbpkdaibdccddilifddb',
'true,,Facebook Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc',
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
'true,,Github Absolute Dates,iepecohjelcmdnahbddleblfphbaheno',
'true,,Google Analytics Parameter Stripper,jbgedkkfkohoehhkknnmlodlobbhafge',
'true,,Google Docs Offline,ghbmnnjooekpmoecnnnilnnbdlolhkhi',
@ -127,6 +127,7 @@ WHERE
'true,,HTTPS Everywhere,gcbommkclmclpchllfjekcdonpmejbdp',
'true,https://metamask.io,MetaMask,nkbihfbeogaeaoehlefnkodbefgpgknn',
'true,James Anderson,LeechBlock NG,blaaajhemilngeeffpbfkdjjoefldkok',
'true,,Jamstash,jccdpflnecheidefpofmlblgebobbloc',
'true,,Jitsi Meetings,kglhbbefdnlheedjiejgomgmfplipfeb',
'true,,JSON Formatter,bcjindcccaagfpapjjmafapmmgkkhgoa',
'true,,JSON Viewer Pro,eifflpmocdbdmepbjaopkkhbfmdgijcc',
@ -169,6 +170,7 @@ WHERE
'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
'true,,Save to Google Drive,gmbmikajjgmnabiglmofipeabaddhgne',
'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj',
'true,,Scraper,poegfpiagjgnenagjphgdklmgcpjaofi',
'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd',
'true,,Selenium IDE,mooikfkahbdckldjjndioackbalphokd',
'true,,Send from Gmail (by Google),pgphcomnlaojlmmcjmiddhdapjpbgeoc',
@ -200,6 +202,7 @@ WHERE
'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg',
'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb',
'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg',
'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
)
GROUP BY


@ -39,6 +39,7 @@ WHERE
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Krisp Technologies, Inc. (U5R26XM5Z2)',
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
@ -62,10 +63,13 @@ WHERE
)
AND program_arguments NOT IN (
'/Applications/Stream Deck.app/Contents/MacOS/Stream Deck --runinbk',
'/Library/Application Support/WirelessAutoImport/WirelessImporterDaemon',
'/Library/Application Support/Sony Application Launcher/SonyAutoLauncher.app/Contents/MacOS/SonyAutoLauncher',
'/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf',
'/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080',
'/opt/homebrew/opt/mariadb/bin/mysqld_safe',
'/opt/homebrew/opt/nginx/bin/nginx -g daemon off;',
'/opt/homebrew/opt/skhd/bin/skhd',
'/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf',
'/opt/homebrew/opt/tailscale/bin/tailscaled',
'/opt/homebrew/opt/yubikey-agent/bin/yubikey-agent -l /opt/homebrew/var/run/yubikey-agent.sock',
'/usr/local/MacGPG2/libexec/fixGpgHome'
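Review bot: The new Krisp signer entry in the first hunk (@ -39) is inserted between the Keybase and Kolide lines, which breaks the alphabetical order the rest of that list keeps and which the second hunk restores for the moved dnsmasq line; it belongs after `'Developer ID Application: Kolide, Inc (X98UFR7HA3)',`. The same ordering slip appears in the systemctl list (@ -73), where `'systemctl,500,zsh,tmux'` lands among the uid-0 entries, and in the path list (@ -53), where `'/usr/lib/xorg/Xorg'` lands before the fusermount entries. Separately, the `program_arguments NOT IN` block matches on the exact launch string alone, so an item such as `/Library/Application Support/WirelessAutoImport/WirelessImporterDaemon` is excluded whatever binary sits at that path; if this exclusion is not already combined with the signer check above it (not visible here), a comment noting that these entries are trusted by path only would help the next reviewer.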


@ -153,7 +153,13 @@ WHERE
'8443,6,101,nginx-ingress-c',
'8443,6,500,controller',
'8443,6,500,controlplane',
'53,6,500,coredns',
'3000,6,500,grafana',
'8443,6,500,webhook',
'53,17,500,coredns',
'8081,6,500,main',
'6443,6,500,kube-apiserver',
'8181,6,500,coredns',
'8834,6,0,nessusd',
'9000,6,500,authentik-proxy',
'9000,6,500,main',
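Review bot: The `'8081,6,500,main'` entry, which appears to be among the lines added here, keys the exclusion on the process name `main`, the default name of any ad-hoc Go build, so any uid-500 program called main listening on 8081 is silently excluded (the pre-existing `'9000,6,500,main'` has the same weakness). A comment naming the service the entry is meant for, e.g. `-- 8081: <service name>`, or a key that includes the binary path where the query exposes one, would keep the exclusion narrow. The rendered view does not show which of the remaining entries are new, so I have not checked them individually.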


@ -73,6 +73,7 @@ WHERE
'systemctl,0,,containerd-shim-runc-v2',
'systemctl,0,dash,logrotate',
'systemctl,0,pacman,pacman',
'systemctl,500,zsh,tmux',
'systemctl,0,pacman,sudo',
'systemctl,0,snapd,systemd',
'systemctl,0,tailscaled,',


@ -137,6 +137,7 @@ WHERE
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755',
'gpg-agent,/usr/bin/gpg-agent,0,user.slice,user-1000.slice,0755',
'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755',
'haproxy,/usr/sbin/haproxy,0,system.slice,haproxy.service,0755',
'iio-sensor-prox,/usr/libexec/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755',
'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755',


@ -116,7 +116,10 @@ WHERE
)
AND NOT (
p0_name = 'polkit-agent-helper-1'
AND p1_path = '/usr/bin/gnome-shell'
AND p1_path IN (
'/usr/bin/gnome-shell',
'/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1'
)
)
AND NOT (
p0_name = 'fusermount3'


@ -60,15 +60,19 @@ FROM
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN signature s ON pe.path = s.path
-- Parents (via two paths)
LEFT JOIN processes p1 ON pe.parent = p1.pid AND p1.start_time <= pe.start_time
LEFT JOIN processes p1 ON pe.parent = p1.pid
AND p1.start_time <= pe.time
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid AND pe1.start_time <= pe.start_time
LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
AND pe1.time <= pe.time
AND pe1.cmdline != ''
LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
LEFT JOIN signature pe_sig1 ON pe1.path = pe_sig1.path
-- Grandparents (via 3 paths)
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid AND p1_p2.start_time <= p1.start_time
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid AND pe1_p2.start_time <= pe1.start_time
LEFT JOIN processes p1_p2 ON p1.parent = p1_p2.pid
AND p1_p2.start_time <= p1.start_time
LEFT JOIN processes pe1_p2 ON pe1.parent = pe1_p2.pid
AND pe1_p2.start_time <= pe1.time
LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid
AND pe1_pe2.cmdline != '' -- Past grandparent via parent events
LEFT JOIN hash p1_p2_hash ON p1_p2.path = p1_p2_hash.path
@ -97,10 +101,12 @@ WHERE
-- Exclude weird bad data we've seen due to badly recorded macOS parent/child relationships, fixable by reboot
AND NOT p0_cmd IN (
'/usr/sbin/cupsd -l',
'/usr/sbin/cfprefsd agent',
'/usr/libexec/PerfPowerServicesExtended',
'/usr/libexec/mdmclient daemon',
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
)
AND NOT exception_key IN ('containermanagerd,262,com.docker.backend,Docker')
AND NOT (
pe.euid = 262 -- core media helper id
AND pe.path = '/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/Resources/AppleCamera.plugin/Contents/Resources/AppleCameraAssistant'
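Review bot: In the first hunk (@ -60), the grandparent event join `LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_p2.pid`, immediately after the rewritten pe1_p2 join, never references pe1_pe2's own pid, so pe1_pe2 is constrained only by pe1_p2 and `pe1_pe2.cmdline != ''` and the join fans out across every recorded event with a cmdline; the commit corrects the neighbouring joins to use `pe.time`/`pe1.time` but leaves this line untouched. It should read `LEFT JOIN process_events pe1_pe2 ON pe1.parent = pe1_pe2.pid` followed by `AND pe1_pe2.time <= pe1.time`. The new `pe1_p2.start_time <= pe1.time` condition compares a processes column with a process_events column; a short comment such as `-- start_time and time are both epoch seconds` would record the assumption that makes the comparison meaningful, and is worth confirming against the schema. The SELECT list and the rest of the WHERE clause lie outside the hunks.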


@ -53,6 +53,7 @@ WHERE
AND NOT path IN (
'/bin/ps',
'/usr/bin/doas',
'/usr/lib/xorg/Xorg',
'/usr/bin/fusermount',
'/usr/bin/fusermount3',
'/usr/libexec/Xorg',


@ -26,27 +26,28 @@ WHERE
f.mode NOT LIKE '0%'
AND f.path NOT IN (
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
'/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
'/bin/ps',
'/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_session_monitor',
'/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
'/opt/1Password/1Password-BrowserSupport',
'/opt/1Password/1Password-KeyringHelper',
'/usr/bin/keybase-redirector',
'/usr/lib/polkit-1/polkit-agent-helper-1',
'/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent',
'/usr/bin/doas',
'/usr/bin/fusermount',
'/usr/bin/fusermount3',
'/usr/bin/keybase-redirector',
'/usr/bin/login',
'/usr/bin/mount',
'/usr/bin/op',
'/usr/bin/ssh-agent',
'/usr/bin/su',
'/usr/bin/sudo',
'/usr/bin/top',
'/usr/lib/polkit-1/polkit-agent-helper-1',
'/usr/lib/xf86-video-intel-backlight-helper',
'/usr/lib/Xorg.wrap',
'/usr/sbin/traceroute',
'/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent',
'/Applications/VMware Fusion.app/Contents/Library/vmware-vmx'
'/usr/sbin/traceroute'
)
AND f.path NOT LIKE '/Users/%/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
AND f.path NOT LIKE '/opt/homebrew/Cellar/dnsmasq/%/sbin/dnsmasq'
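Review bot: Every exclusion in this hunk is a bare path match on files whose mode is not `0%`, so a setuid or setgid file placed at one of these paths is excluded regardless of its owner, and several of the paths sit under locations an admin user can write to (`/Applications/...`, `/opt/...`). If the query exposes an owner or hash column (not visible here), keying the exclusion on path plus uid 0, or at least adding `-- trusted by path only; owner/hash not checked` above the list, would make the trust decision explicit. The reorder itself looks right, and the trailing `'/usr/sbin/traceroute'` now correctly carries no comma; the rendered view does not reveal which single entry beyond the moved ones is new.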


@ -44,4 +44,4 @@ WHERE
REPLACE(LOWER(TRIM(description)), " ", "-")
) == 1
-- Common filenames that are non-controversial
AND NOT file.filename LIKE '%melange.rsa%'
AND NOT INSTR(file.filename, 'melange.rsa') > 0
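Review bot: The `INSTR` rewrite is case-sensitive, whereas the `LIKE '%melange.rsa%'` it replaces is case-insensitive for ASCII in SQLite (the dialect the `==` and `" "` literals above suggest), so a filename such as `MELANGE.RSA` was excluded before and now is not. If that tightening is intended, a comment `-- INSTR is case-sensitive, unlike LIKE` would make it deliberate; if not, `INSTR(LOWER(file.filename), 'melange.rsa') > 0` preserves the previous matching. The enclosing WHERE clause starts outside the hunk.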