Merge pull request #128 from tstromberg/fp3

False positives: homekit, setxid overflows, buildx, tmp, Messenger, etc
Thomas Strömberg 2023-01-18 10:58:46 -05:00 committed by GitHub
commit 0ea1146cd5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 220 additions and 104 deletions


@ -192,7 +192,9 @@ WHERE
'500,/usr/java,u,g,java',
'500,/usr/kbfsfuse,0u,0g,kbfsfuse',
'500,/usr/keybase,0u,0g,keybase',
'500,/home/trivy,500u,500g,trivy',
'500,/usr/ko,u,g,ko',
'500,/usr/gvfsd-google,0u,0g,gvfsd-google',
'500,/usr/kubectl,500u,500g,kubectl',
'500,/usr/lens,0u,0g,lens',
'500,/usr/melange,u,g,melange',
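Review bot: The new `'500,/home/trivy,500u,500g,trivy'` entry is the only one in this run keyed on a path under `/home`, which unlike the `/usr/...` rows around it is writable by the very uid it exempts, so anything placed at that path with uid/gid 500 appears to inherit the exception. If the tuple has no stronger column to pin on (hash or signature), a comment stating why that location is trusted keeps the trade-off visible, e.g. `-- trivy is installed under /home by CI; nothing stronger than path to pin on`. The enclosing IN list starts and ends outside the hunk.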


@ -246,6 +246,7 @@ WHERE
'443,6,500,Signal Helper (Renderer),org.whispersystems.signal-desktop.helper.Renderer,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'443,6,500,Signal,org.whispersystems.signal-desktop,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'443,6,500,Slack Helper,,',
'443,17,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
@ -256,9 +257,12 @@ WHERE
'443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'443,6,500,trivy,a.out,',
'31580,6,500,kubectl.1.23,a.out,',
'443,6,500,docker-index,docker-index,Developer ID Application: Docker Inc (9BNSXJN65R)',
'443,6,500,vegeta,a.out,',
'443,6,500,policy-tester,a.out,',
'443,6,500,vim,vim,',
'443,6,500,git-credential-osxkeychain,git-credential-osxkeychain,',
'443,6,500,wolfictl,a.out,',
'443,6,500,op,com.1password.op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C)',
'443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
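Review bot: The added `'31580,6,500,kubectl.1.23,a.out,'`, `'443,6,500,policy-tester,a.out,'` and `'443,6,500,wolfictl,a.out,'` rows carry an empty authority and the generic `a.out` identifier, so the only thing they match is the process name — any unsigned binary renamed `wolfictl` that talks to 443 satisfies them. The signed rows beside them (`docker-index`, `op`) are anchored on a Developer ID; for the unsigned Go tools a hash column or a path constraint would close that gap. `kubectl.1.23` on port `31580` is also the only non-443 entry in the hunk; if that is a dev-cluster NodePort, a comment saying so would help the next reviewer. The enclosing IN list continues outside the hunk.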


@ -28,8 +28,8 @@ FROM
processes p
LEFT JOIN hash ON p.path = hash.path
WHERE
bytes_per_second > 3000000
AND age > 120
bytes_per_second > 6500000
AND age > 30
AND pid > 2
AND p.path NOT IN (
'/bin/bash',
@ -38,6 +38,7 @@ WHERE
'/usr/bin/apt',
'/usr/bin/aptd',
'/usr/bin/pacman',
'/usr/bin/git',
'/usr/bin/bash',
'/usr/lib/baloo_file_extractor',
'/usr/bin/bwrap',
@ -114,6 +115,7 @@ WHERE
'esbuild',
'firefox',
'fsdaemon',
'docker-index',
'go',
'goland',
'node',
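Review bot: Raising `bytes_per_second > 6500000` while lowering `age > 120` to `age > 30` loosens the rule in two directions at once, and the hunk leaves no record of which false positive drove each number. A comment above the predicate, e.g. `-- 6.5MB/s sustained over 30s; git clones and esbuild sit below this`, would keep the thresholds reviewable instead of ratcheting upward unexamined. The added `'docker-index'` lands in a bare-name list (`'esbuild'`, `'firefox'`, …) rather than the path list that received `/usr/bin/git`, so it exempts any process calling itself docker-index wherever it lives. The enclosing WHERE continues outside the hunk.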


@ -41,6 +41,8 @@ WHERE
'~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA',
'~/Library/Group Containers/.SiriTodayViewExtension/Library',
'~/Library/Group Containers/.SiriTodayViewExtension',
'~/Library/HomeKit/.core-cloudkit_SUPPORT/_EXTERNAL_DATA',
'~/Library/HomeKit/.core-cloudkit-shared_SUPPORT/_EXTERNAL_DATA',
'~/Library/Caches/.sigstore/gitsign',
'~/Library/GroupContainersAlias/.SiriTodayViewExtension/Library',
'~/Library/GroupContainersAlias/.SiriTodayViewExtension'


@ -54,6 +54,7 @@ WHERE
'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper'
)
OR cmd LIKE '/opt/homebrew/Cellar/%'
OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old'
OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%'
OR p.path LIKE '/Users/%/node_modules/.pnpm/%'
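Review bot: The new `p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old'` exception lives entirely under a user-writable directory, so a binary dropped at that path by any process running as that user is exempted on name alone. The `/Applications/Slack.app/...` entry above it at least sits in a root-owned tree; if this query already joins `signature` (not visible in the hunk), gating the Steam row on Valve's authority would be the cheap fix. Otherwise a comment such as `-- Steam self-update leaves ipcserver.old behind; path-only exemption` records the accepted risk.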


@ -80,6 +80,7 @@ WHERE
'/Library/KernelCollections/.file',
'/Library/Keyboard Layouts/',
'/Library/Keychains/',
'/Library/Tailscale/',
'/Library/LaunchAgents/',
'/Library/LaunchDaemons/',
'/Library/.localized',


@ -5,22 +5,21 @@
--
-- tags: persistent
-- platform: posix
SELECT
file.path,
SELECT file.path,
uid,
gid,
mode,
REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1) AS extension,
file.btime,
file.ctime,
file.mtime,
file.size,
hash.sha256,
magic.data
FROM
file
FROM file
LEFT JOIN hash on file.path = hash.path
LEFT JOIN magic ON file.path = magic.path
WHERE
(
WHERE (
-- Recursive queries don't seem to work well with hidden directories :(
file.path LIKE '/tmp/%%'
OR file.path LIKE '/tmp/.%/%%'
@ -51,6 +50,7 @@ WHERE
OR file.path LIKE '/tmp/tmp.%'
OR file.path LIKE '%/bin/%-gen'
OR file.path LIKE '%/bin/%'
OR file.path LIKE '%/sbin/%'
OR file.path LIKE '%/CCLBS/%'
OR file.path LIKE '/tmp/%/target/debug/build/%'
OR file.path LIKE '%/ko/%'
@ -60,7 +60,23 @@ WHERE
(
file.size < 50000
AND file.uid > 500
AND extension IN ('sh', 'py', 'pl', 'perl', 'json', 'js', 'txt', 'log')
AND extension IN (
'adoc',
'bat',
'java',
'js',
'json',
'log',
'perl',
'pl',
'py',
'script',
'sh',
'txt',
'yaml',
'yml'
)
AND magic.data NOT LIKE "ELF 64-bit LSB%"
)
)
) -- Nix
@ -89,8 +105,7 @@ WHERE
AND (strftime('%s', 'now') - ctime) < 30
) -- macOS updates
AND NOT file.directory LIKE '/tmp/msu-target-%' -- I don't know man. I don't work here.
AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS'
-- terraform
AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS' -- terraform
AND NOT (
uid > 500
AND file.path LIKE '/tmp/terraform_%/terraform'
@ -99,14 +114,37 @@ WHERE
file.path LIKE '/tmp/%compressed'
AND size < 4000
AND uid > 500
)
-- Executables too small to even hold '#!/bin/sh\nuid'
) -- Executables too small to even hold '#!/bin/sh\nuid'
AND NOT (
file.type = 'regular'
AND size < 10
)
-- Common shell scripts
) -- Common shell scripts
AND NOT (
file.filename IN ("configure", "mkinstalldirs")
AND magic.data = "POSIX shell script, ASCII text executable"
)
AND NOT (
(
file.directory LIKE "%/lib"
OR file.directory LIKE "%/lib64"
)
AND file.uid > 500
AND (
file.filename LIKE "%.so.%"
OR file.filename LIKE "%.so"
)
AND (
magic.data LIKE "ELF 64-bit LSB shared object%"
OR magic.data LIKE "symbolic link to %"
)
) -- Binaries we might actually see
AND NOT (
file.path LIKE '/tmp/%'
AND file.uid > 500
AND magic.data LIKE "ELF 64-bit LSB executable%"
AND (
file.filename LIKE "%ctl"
OR file.filename LIKE "%adm"
OR file.filename LIKE "%-cli"
)
)
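Review bot: The new `-- Binaries we might actually see` exception exempts every `ELF 64-bit LSB executable` under `/tmp/` owned by `uid > 500` whose name ends in `ctl`, `adm` or `-cli`, and that naming convention is attacker-controlled — a payload dropped as `/tmp/x-cli` is never reported. The `.so` exception just above it has the same shape: any shared object (or symlink) in a `%/lib` or `%/lib64` directory within the searched roots is skipped, which is exactly what an LD_PRELOAD drop in /tmp looks like. Narrow both to the build layout that produced the false positives (e.g. a `file.directory LIKE` on the specific go-build or cargo target tree, TODO confirm which) or state the accepted blind spot in the comment. Separately, `"ELF 64-bit LSB%"` and the other new literals use double quotes while the rest of the file uses `'…'`; SQLite only accepts a double-quoted string through its legacy identifier-fallback, so single quotes are the safer form. The WHERE clause continues outside the hunk.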


@ -9,39 +9,40 @@
-- tags: transient process events
-- platform: linux
-- interval: 30
SELECT
p.pid,
p.path,
TRIM(
REPLACE(
p.path,
RTRIM(p.path, REPLACE(p.path, '/', '')),
''
)
) AS basename,
-- On macOS there is often a trailing space
TRIM(p.cmdline) AS cmd,
p.mode,
p.cwd,
p.euid,
p.parent,
pp.cgroup_path,
hash.sha256,
pp.path AS parent_path,
pp.name AS parent_name,
TRIM(p.cmdline) AS parent_cmd,
pp.euid AS parent_euid,
phash.sha256 AS parent_sha256
FROM
uptime,
process_events p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN hash AS phash ON pp.path = phash.path
SELECT pe.path AS path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
TRIM(pe.cmdline) AS cmd,
pe.pid AS pid,
pe.euid AS euid,
pe.parent AS parent_pid,
TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
REGEX_MATCH (
IIF(pp.path != NULL, pp.path, ppe.path),
'.*/(.*)',
1
) AS parent_name,
TRIM(IIF(pp.path != NULL, hash.sha256, ehash.sha256)) AS parent_hash,
TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd,
TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path,
REGEX_MATCH (
IIF(gp.path != NULL, gp.path, gpe.path),
'.*/(.*)',
1
) AS gparent_name,
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid
FROM process_events pe, uptime
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
LEFT JOIN processes gp ON gp.pid = pp.parent
LEFT JOIN process_events gpe ON ppe.parent = gpe.pid
LEFT JOIN hash ON pp.path = hash.path
LEFT JOIN hash ehash ON ppe.path = ehash.path
WHERE
p.time > (strftime('%s', 'now') -30)
pe.time > (strftime('%s', 'now') -30)
AND (
basename IN (
child_name IN (
'bitspin',
'bpftool',
'heyoka',
@ -70,8 +71,8 @@ WHERE
-- Chrome Stealer
OR cmd LIKE '%chrome%-load-extension%'
-- Known attack scripts
OR basename LIKE '%pwn%'
OR basename LIKE '%attack%'
OR child_name LIKE '%pwn%'
OR child_name LIKE '%attack%'
-- Unusual behaviors
OR cmd LIKE '%ufw disable%'
OR cmd LIKE '%powershell%'
@ -94,7 +95,7 @@ WHERE
OR cmd LIKE '%pkill -f%'
OR (
cmd LIKE '%xargs kill -9%'
AND p.euid = 0
AND pe.euid = 0
)
OR cmd LIKE '%rm -rf /boot%'
OR cmd LIKE '%nohup /bin/bash%'
@ -122,16 +123,16 @@ WHERE
OR INSTR(cmd, 'Socket.') > 0
OR (
cmd LIKE '%tail -f /dev/null%'
AND cgroup_path NOT LIKE '/system.slice/docker-%'
AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
)
) -- Things that could reasonably happen at boot.
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
pe.path IN ('/usr/bin/kmod', '/bin/kmod')
AND parent_path = '/usr/lib/systemd/systemd'
AND parent_cmd = '/sbin/init'
)
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
pe.path IN ('/usr/bin/kmod', '/bin/kmod')
AND parent_name IN (
'firewalld',
'mkinitramfs',
@ -141,11 +142,11 @@ WHERE
)
)
AND NOT (
p.path IN ('/usr/bin/kmod', '/bin/kmod')
pe.path IN ('/usr/bin/kmod', '/bin/kmod')
AND uptime.total_seconds < 15
)
AND NOT (
p.path = '/usr/bin/mkfifo'
pe.path = '/usr/bin/mkfifo'
AND cmd LIKE '%/org.gpgtools.log.%/fifo'
)
AND NOT cmd LIKE '%modprobe -va%'
@ -158,5 +159,7 @@ WHERE
AND NOT cmd LIKE 'pkill -f cut -c3%'
AND NOT cmd LIKE 'dirname %history'
AND NOT cmd LIKE 'tail /%history'
AND NOT cmd LIKE '%/usr/bin/cmake%Socket.h'
AND NOT cmd LIKE '%/usr/bin/cmake%Socket.cpp'
AND NOT cmd LIKE 'find . -executable -type f -name %grep -l GNU Libtool%touch -r%'
AND NOT basename IN ('cc1', 'compile')
AND NOT child_name IN ('cc1', 'compile', 'cmake', 'cc1plus')
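Review bot: Every `IIF(pp.x != NULL, pp.x, ppe.x)` in the new SELECT list always takes its else branch, because `!= NULL` evaluates to NULL rather than true and IIF treats that as false; as written `parent_cmd`, `parent_path`, `parent_name`, `parent_hash`, the `gparent_*` columns and `gparent_pid` only ever come from `process_events` and never from the live `processes` rows the `pp`/`gp` joins were added for. That also weakens the boot-time exceptions further down, which compare `parent_path = '/usr/lib/systemd/systemd'` and `parent_cmd = '/sbin/init'` against values that now come from a different source than intended. `COALESCE(pp.x, ppe.x)` is the intended fallback and handles the NULL case correctly; the rewritten projection is below, with `parent_hash` getting the same treatment since `hash.sha256` can itself be NULL when the join misses. The `LEFT JOIN processes p` is only used by `p.cgroup_path` in the `tail -f /dev/null` branch, where a vanished process yields NULL and silently disables that branch — worth a comment.
```sql
SELECT pe.path AS path,
    REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name,
    TRIM(pe.cmdline) AS cmd,
    pe.pid AS pid,
    pe.euid AS euid,
    pe.parent AS parent_pid,
    -- live processes row first, exec event as fallback (IIF(x != NULL, …) never picks x)
    TRIM(COALESCE(pp.cmdline, ppe.cmdline)) AS parent_cmd,
    TRIM(COALESCE(pp.path, ppe.path)) AS parent_path,
    REGEX_MATCH (COALESCE(pp.path, ppe.path), '.*/(.*)', 1) AS parent_name,
    TRIM(COALESCE(hash.sha256, ehash.sha256)) AS parent_hash,
    TRIM(COALESCE(gp.cmdline, gpe.cmdline)) AS gparent_cmd,
    TRIM(COALESCE(gp.path, gpe.path)) AS gparent_path,
    REGEX_MATCH (COALESCE(gp.path, gpe.path), '.*/(.*)', 1) AS gparent_name,
    COALESCE(pp.parent, ppe.parent) AS gparent_pid
-- … unchanged: FROM / LEFT JOINs / WHERE …
```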


@ -9,43 +9,53 @@
-- tags: transient process events
-- platform: darwin
-- interval: 45
SELECT
p.pid,
p.path,
REPLACE(
p.path,
RTRIM(p.path, REPLACE(p.path, '/', '')),
''
) AS basename,
-- On macOS there is often a trailing space
TRIM(p.cmdline) AS cmd,
p.mode,
p.cwd,
p.euid,
p.parent,
p.syscall,
hash.sha256,
pp.path AS parent_path,
pp.name AS parent_name,
TRIM(pp.cmdline) AS parent_cmd,
TRIM(ppp.cmdline) AS gparent_cmd,
pp.euid AS parent_euid,
ppp.path AS gparent_path,
ppp.name AS gparent_name,
phash.sha256 AS parent_sha256,
gphash.sha256 AS gparent_sha256
FROM
uptime,
process_events p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN processes ppp ON pp.parent = ppp.pid
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN hash AS phash ON pp.path = phash.path
LEFT JOIN hash AS gphash ON ppp.path = gphash.path
SELECT pe.path AS path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name,
TRIM(pe.cmdline) AS cmd,
pe.pid AS pid,
pe.euid AS euid,
pe.parent AS parent_pid,
TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd,
TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path,
REGEX_MATCH (
IIF(pp.path != NULL, pp.path, ppe.path),
'.*/(.*)',
1
) AS parent_name,
TRIM(IIF(pp.path != NULL, hash.sha256, ehash.sha256)) AS parent_hash,
TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd,
TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path,
REGEX_MATCH (
IIF(gp.path != NULL, gp.path, gpe.path),
'.*/(.*)',
1
) AS gparent_name,
IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid,
IIF(
signature.identifier != NULL,
signature.identifier,
esignature.identifier
) AS parent_identifier,
IIF(
signature.authority != NULL,
signature.authority,
esignature.authority
) AS parent_authority
FROM process_events pe
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN processes pp ON pe.parent = pp.pid
LEFT JOIN process_events ppe ON pe.parent = ppe.pid
LEFT JOIN processes gp ON gp.pid = pp.parent
LEFT JOIN process_events gpe ON ppe.parent = gpe.pid
LEFT JOIN hash ON pp.path = hash.path
LEFT JOIN hash ehash ON ppe.path = ehash.path
LEFT JOIN signature ON pp.path = signature.path
LEFT JOIN signature esignature ON ppe.path = esignature.path
WHERE
p.time > (strftime('%s', 'now') -45)
pe.time > (strftime('%s', 'now') -45)
AND pe.status = 0
AND (
basename IN (
name IN (
'bitspin',
'bpftool',
'csrutil',
@ -66,8 +76,8 @@ WHERE
) -- Chrome Stealer
OR cmd LIKE '%set visible of front window to false%'
OR cmd LIKE '%chrome%-load-extension%' -- Known attack scripts
OR basename LIKE '%pwn%'
OR basename LIKE '%attack%' -- Unusual behaviors
OR name LIKE '%pwn%'
OR name LIKE '%attack%' -- Unusual behaviors
OR cmd LIKE '%powershell%'
OR cmd LIKE '%chattr -ia%'
OR cmd LIKE '%chmod%777 %'
@ -79,7 +89,7 @@ WHERE
OR cmd LIKE '%killall Terminal%'
OR cmd LIKE '%iptables stop'
OR (
p.euid = 0
pe.euid = 0
AND (
cmd LIKE '%pkill -f%'
OR cmd LIKE '%xargs kill -9%'
@ -114,7 +124,7 @@ WHERE
OR INSTR(cmd, 'Socket.') > 0
) -- Things that could reasonably happen at boot.
AND NOT (
p.path = '/usr/bin/mkfifo'
pe.path = '/usr/bin/mkfifo'
AND cmd LIKE '%/org.gpgtools.log.%/fifo'
)
AND NOT (
@ -135,7 +145,7 @@ WHERE
'xpcproxy com.apple.Safari.History'
)
-- The source of these commands is still a mystery to me.
OR p.parent = -1
OR pe.parent = -1
)
AND NOT cmd LIKE '/bin/launchctl load -wF /Users/%/Library/PreferencePanes/../LaunchAgents/com.adobe.GC.Invoker-1.0.plist'
AND NOT cmd LIKE '/bin/launchctl load -w /Users/%/Library/LaunchAgents/keybase.%.plist'
@ -149,3 +159,4 @@ WHERE
AND NOT cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
AND NOT cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
AND NOT cmd LIKE '%history'
AND NOT name IN ('cc1', 'compile')


@ -60,6 +60,7 @@ WHERE
'/usr/bin/docker-proxy',
'/usr/bin/gedit',
'/usr/bin/gnome-keyring-daemon',
'/usr/bin/fusermount3',
'/usr/bin/kbfsfuse',
'/usr/bin/keybase',
'/usr/bin/keybase-redirector',


@ -138,6 +138,7 @@ WHERE
-- Ignore local addresses (Docker development)
OR addr NOT LIKE '%.%'
OR ip LIKE '172.2%'
OR ip LIKE '192.168.%'
)
)
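Review bot: `OR ip LIKE '192.168.%'` exempts an entire RFC 1918 /16 from the rule, and on a workstation that range is the LAN rather than Docker, so connections to neighbouring hosts — the lateral-movement case — are now accepted under a comment that says "Docker development". The existing `ip LIKE '172.2%'` line above it is also mis-sized for that purpose: as a string prefix it matches 172.2.0.0/16 (public) and 172.20–172.29 but not 172.16–172.19 or 172.30–172.31. If Docker bridges are the real target, matching the exact compose subnets or adding `-- deliberately exempts all of 192.168/16; LAN peers are not in scope here` would make the intent explicit.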


@ -132,7 +132,8 @@ WHERE
addr IN ('releases.hashicorp.com', 'github.com', 'dl.enforce.dev')
-- Ignore local addresses (Docker development)
OR addr NOT LIKE '%.%'
OR addr LIKE '172.21.%'
OR ip LIKE '172.21.%'
OR ip LIKE '192.168.%'
)
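Review bot: After this change the two sibling queries exempt different Docker ranges — this one `ip LIKE '172.21.%'`, the other `ip LIKE '172.2%'` — while both add the same `ip LIKE '192.168.%'` line, so a host that trips one rule and not the other will be confusing to triage. The `addr` → `ip` fix is correct (`addr` may hold a hostname), but the 192.168 exemption drops the whole LAN /16 from a rule whose comment only claims to cover Docker; a comment stating that LAN peers are intentionally out of scope, or a narrower subnet, would make that explicit.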
)


@ -106,6 +106,7 @@ WHERE
'~/code/bin',
'~/Downloads/google-cloud-sdk/bin',
'~/Library/Application Support/dev.warp.Warp-Stable',
'~/Library/Application Support/zoom.us/Plugins/aomhost.app/Contents/MacOS',
'~/go/bin',
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
'~/.local/bin',


@ -45,6 +45,8 @@ WHERE
'curl,500,bash,nix-daemon',
'curl,500,bash,bash',
'curl,500,bash,ShellLauncher',
'curl,500,bash,fakeroot',
'curl,500,makepkg,yay',
'curl,500,bash,zsh',
'curl,500,env,env',
'curl,500,fish,gnome-terminal-',


@ -59,6 +59,8 @@ FROM
WHERE
pe.path IN ('/usr/bin/osascript', '/usr/bin/osacompile')
AND pe.time > (strftime('%s', 'now') -900)
-- Only include successful executions: On macOS, process_events includes unsuccessful path lookups!
AND pe.status = 0
AND NOT (
pe.euid > 500
AND (
@ -85,4 +87,4 @@ WHERE
-- The following apply to all uids
AND NOT cmd = 'osascript -e user locale of (get system info)'
GROUP BY
pe.pid
pe.pid, pe.cmd
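Review bot: `GROUP BY pe.pid, pe.cmd` qualifies `cmd` with the table alias, but `process_events` exposes `cmdline`, not `cmd`; unless that table has a `cmd` column, this references a missing column and the query fails to prepare. If `cmd` is the SELECT-list alias that the `AND NOT cmd = 'osascript -e user locale of (get system info)'` line relies on (the SELECT is outside this hunk), the GROUP BY must name it unqualified: `GROUP BY pe.pid, cmd`. The added `pe.status = 0` with its explanatory comment is the right fix for the failed-lookup noise.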


@ -47,6 +47,7 @@ WHERE
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
@ -68,4 +69,9 @@ WHERE
AND p.path LIKE "/opt/%/bin/socket_vmnet"
AND pp.path IN ("/usr/bin/sudo", "/sbin/launchd")
)
AND NOT (
signature.authority = "Developer ID Application: Node.js Foundation (HX7739G8FX)"
AND p.name = "node"
AND parent_name IN ("vim", "nvim")
)
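Review bot: The new node-under-vim exception is written with double-quoted literals (`"Developer ID Application: Node.js Foundation (HX7739G8FX)"`, `"node"`, `"vim"`) while the authority list just above it uses single quotes; SQLite only treats `"…"` as a string when it fails to resolve as an identifier, so the mix is fragile and should be normalised to `'…'`. Matching on `p.name = 'node'` rather than `p.path` is acceptable here only because `signature.authority` anchors the binary — a comment such as `-- node spawned by vim/nvim LSP plugins; the authority check is what makes a name match safe` guards against a later edit dropping that condition and leaving a name-only exemption.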


@ -43,13 +43,16 @@ WHERE
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,bufls,a.out,',
'500,.cargo-wrapped,.cargo-wrapped,',
'500,cloud_sql_proxy,a.out,',
'500,cosign,a.out,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,epdfinfo,epdfinfo,',
'500,esbuild,a.out,',
'500,fake,a.out,',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,gitsign-credential-cache,a.out,',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,gopls,a.out,',
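Review bot: `'500,bufls,a.out,'`, `'500,cloud_sql_proxy,a.out,'`, `'500,cosign,a.out,'`, `'500,esbuild,a.out,'`, `'500,fake,a.out,'` and `'500,gitsign-credential-cache,a.out,'` are all unsigned rows with the generic `a.out` identifier, so the only thing being matched is the process name; `fake` in particular is a name any dropper could adopt. The signed rows around them (`Bitwarden Helper`, `Emacs-arm64-11`) are anchored on an authority, which these cannot be — consider pinning on a hash or install path, or at least comment which tool `fake` is (presumably a Go test double, TODO confirm) so the row can be reviewed later. The enclosing IN list continues outside the hunk.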


@ -49,6 +49,7 @@ WHERE
'/usr/sbin/sysctl'
)
AND NOT p.parent IS NULL
AND NOT p.parent = -1
AND NOT child_cmd IN (
'sysctl -n hw.optional.arm64',
'sysctl -n sysctl.proc_translated',
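Review bot: `AND NOT p.parent = -1` drops every sysctl event whose parent pid is unknown, which is precisely the lineage-less case a detection normally wants to see rather than hide; the darwin process_events query in this same commit keeps its `parent = -1` handling behind a comment admitting the source is unknown. If these are the same unattributable launchd/xpcproxy children, say so here, e.g. `-- parent = -1: origin not attributable on macOS; excluded to cut noise`, so the accepted loss is recorded. The existing `NOT p.parent IS NULL` line above has the same effect for the NULL case and could share the comment.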


@ -3,7 +3,7 @@
-- false positives:
-- * none observed, but they are expected
--
-- interval: 300
-- interval: 60
-- platform: darwin
-- tags: process events
SELECT pe.path AS path,
@ -49,8 +49,18 @@ FROM process_events pe
LEFT JOIN signature ON pp.path = signature.path
LEFT JOIN signature esignature ON ppe.path = esignature.path
WHERE pe.path = '/usr/bin/xattr'
AND pe.time > (strftime('%s', 'now') -300)
AND cmd != '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app'
AND pe.status = 0
AND pe.time > (strftime('%s', 'now') -60)
AND cmd NOT IN (
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper.app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (GPU).app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (Plugin).app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (Renderer).app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/Keybase.app',
'/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Library/LoginItems/1Password Browser Helper.app',
'xattr -d -r com.apple.quarantine /Applications/Google Chrome.app'
)
AND NOT (
pe.euid > 500
AND cmd LIKE '%xattr -l %'
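Review bot: The `cmd NOT IN (…)` list is an exact-string allowlist, and its last entry `'xattr -d -r com.apple.quarantine /Applications/Google Chrome.app'` is the only one without the `/usr/bin/` prefix — if `pe.cmdline` normally carries the full path (as the 1Password rows assume), that entry never matches; if it carries argv[0] as typed, the other seven never do. Whichever form the event actually reports, either both spellings belong in the list or the comparison should be on a normalised form. Separately, the interval moved from 300 to 60 and the window to `pe.time > … -60`, leaving no overlap between consecutive runs; event queries usually keep a small overlap to tolerate scheduler jitter, at the cost of occasional duplicates.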


@ -15,14 +15,19 @@ SELECT
file.size,
datetime(file.btime, 'unixepoch') AS file_created,
magic.data,
hash.sha256,
signature.identifier,
signature.authority,
ea.value AS url,
REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain,
REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host
FROM
mdfind
LEFT JOIN file ON mdfind.path = file.path
LEFT JOIN hash ON mdfind.path = hash.path
LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
LEFT JOIN magic ON file.path = magic.path
LEFT JOIN magic ON mdfind.path = magic.path
LEFT JOIN signature ON mdfind.path = signature.path
WHERE
(
mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'"
@ -58,6 +63,7 @@ WHERE
'docker.com',
'duckduckgo.com',
'eclipse.org',
'whatsapp.com',
'gimp.org',
'github.io',
'githubusercontent.com',
@ -66,6 +72,7 @@ WHERE
'jetbrains.com',
'libreoffice.org',
'loom.com',
'zoomgov.com',
'microsoft.com',
'minecraft.net',
'mirrorservice.org',
@ -108,6 +115,7 @@ WHERE
'warp-releases.storage.googleapis.com',
'mail.google.com',
'github.com',
'obdev.at',
'ubuntu.com',
'balsamiq.com',
'tableplus.com',
@ -140,7 +148,10 @@ WHERE
AND host NOT LIKE '%release%.storage.googleapis.com'
AND NOT (
host LIKE '%.fbcdn.net'
AND file.filename LIKE 'Messenger.%.dmg'
AND (
file.filename LIKE 'Messenger.%.dmg'
OR file.filename LIKE '%WhatsApp.dmg'
)
)
GROUP BY
ea.value
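Review bot: The new `file.filename LIKE '%WhatsApp.dmg'` pattern has a leading wildcard, unlike `'Messenger.%.dmg'` beside it, so any `*.fbcdn.net` download whose name merely ends in `WhatsApp.dmg` (e.g. `NotWhatsApp.dmg`) is exempted. If the artifact is named exactly `WhatsApp.dmg`, compare with `=`; if it carries a version, mirror the Messenger form with `'WhatsApp%.dmg'`. With `signature` now joined on `mdfind.path`, the exception could also require a Meta `signature.authority` so the filename no longer carries the trust on its own.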


@ -47,6 +47,7 @@ WHERE
'configure',
'conmon',
'containerd-shim',
'buildkit-runc',
'dash',
'demoit',
'direnv',
@ -89,6 +90,7 @@ WHERE
'swift',
'systemd',
'terminator',
'kue',
'test2json',
'tmux',
'tmux:server',
@ -155,6 +157,10 @@ WHERE
pp.cmdline LIKE 'perl%/help2man%'
AND p.cmdline LIKE 'sh -c man/%'
)
AND NOT (
pp.cmdline LIKE '%/google-cloud-sdk/bin/docker-credential-gcloud get'
AND parent_path LIKE '/private/var/folders/%/T/go-build%.test'
)
AND NOT p.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%'
AND NOT p.cmdline LIKE '%gcloud config config-helper%'
AND NOT p.cmdline LIKE '%hugo/hugo server%'
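Review bot: The new exception requires `pp.cmdline LIKE '%/google-cloud-sdk/bin/docker-credential-gcloud get'` and `parent_path LIKE '/private/var/folders/%/T/go-build%.test'` together; if `parent_path` is an alias for `pp.path` (the SELECT list is outside this hunk), the two conditions describe one process whose cmdline contradicts its path and the exception can never match. If `parent_path` instead refers to the grandparent, a one-line comment would spare the next reader the same question, e.g. `-- go test binary invoking docker-credential-gcloud, which spawns a shell`. Also, `'kue'` and `'buildkit-runc'` join a bare-name list (`'swift'`, `'systemd'`, `'tmux'`), so any process bearing those names is exempt regardless of path.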


@ -63,8 +63,10 @@ WHERE
'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, <all_urls>',
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced,tabs, http://*/*, https://*/*',
'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb,<all_urls>, storage, cookies, notifications, desktopCapture, tabCapture, contextMenus, ://.vimeo.com/',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, <all_urls>, tabs, downloads, nativeMessaging, webRequest, storage, webRequestBlocking',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, <all_urls>, tabs, downloads, nativeMessaging, webRequest, webRequestBlocking',
'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi,tabs, webNavigation, webRequest, storage, <all_urls>, cookies, alarms',
'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, tabs, downloads, nativeMessaging, webRequest, webNavigation, storage, scripting, alarms, declarativeNetRequest',
'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk,contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*',
'true,AgileBits,1Password Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,<all_urls>, alarms, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking',
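Review bot: The Vimeo row ends in `://.vimeo.com/`, which does not look like a valid host-permission pattern next to the `http://*/*` forms on neighbouring lines; if the extension actually reports something like `*://*.vimeo.com/*`, this allowlist row never matches and the extension keeps alerting. It looks like the `*` characters were lost in copy/paste — compare against the live `chrome_extensions` permissions value before relying on it. Adobe Acrobat (`efaidnbmnnnibpcajpcglclefindmkaj`) now has three rows differing only in permissions; a trailing comment naming the extension version each row covers would keep the set prunable.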


@ -8,12 +8,14 @@ SELECT
lp.address,
lp.port,
lp.protocol,
p.uid,
p.euid,
p.parent,
p.pid,
p.name,
p.path,
p.cmdline,
p.cgroup_path,
datetime(file.mtime,'unixepoch') AS mtime,
p.cwd,
hash.sha256,
CONCAT (
@ -28,6 +30,7 @@ SELECT
FROM
listening_ports lp
LEFT JOIN processes p ON lp.pid = p.pid
LEFT JOIN file ON p.path = file.path
LEFT JOIN hash ON p.path = hash.path
WHERE
port != 0
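Review bot: The `datetime(file.mtime,'unixepoch') AS mtime` column, new along with the `file` join, is ambiguous in a listening-ports result — it is the executable's modification time, not anything about the socket — so a name like `binary_mtime` (or a comment) would prevent misreading in alerts. `LEFT JOIN file ON p.path = file.path` also yields NULL when the executable was unlinked after exec, which is itself a strong signal for a listener; surfacing it explicitly rather than as a silent NULL would be worthwhile. Projecting both `p.uid` and `p.euid` is right for spotting setuid listeners.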


@ -23,4 +23,4 @@ FROM
WHERE
p.time > (strftime('%s', 'now') -60)
AND file.mode NOT LIKE '0%'
AND p.cmdline_size > 1024
AND p.cmdline_size > 2048
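Review bot: Doubling the threshold to `p.cmdline_size > 2048` halves the rule's sensitivity to long encoded one-liners with no record of what tripped the old 1024 limit; a comment such as `-- 2048: <tool> invocations routinely exceed 1KB of args` (naming the actual offender) keeps the number reviewable and stops the next false positive from pushing it to 4096 unexamined. The `file.mode NOT LIKE '0%'` context line presumably selects setuid/setgid/sticky binaries by their leading mode digit; if so, saying that in a comment would make the "setxid" intent from the commit title visible in the query itself.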


@ -31,6 +31,8 @@ WHERE
AND image NOT IN (
'cgr.dev/chainguard/melange',
'cgr.dev/chainguard/sdk',
'moby/buildkit:buildx-stable-1',
'cgr.dev/chainguard/wolfi-base',
'distroless.dev/melange',
'distroless.dev/melange:latest',
'wolfi:test'
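Review bot: `'moby/buildkit:buildx-stable-1'` and `'cgr.dev/chainguard/wolfi-base'` are allowlisted by mutable tag (and, for wolfi-base, by bare repository name), so any image later pushed under that tag — or a local image retagged to it — inherits the exemption. If this is osquery's `docker_containers` table it also exposes `image_id`; pinning a digest there, or at least pairing the tag with its expected registry, turns a name match into a content match. If the list is intentionally tag-based because these images rotate frequently, a comment saying so (e.g. `-- tag-based on purpose: buildx refreshes buildkit automatically`) makes the trade-off explicit. The enclosing NOT IN list continues outside the hunk.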