diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql index 16eeb74..91cf23c 100644 --- a/detection/c2/unexpected-https-client-linux.sql +++ b/detection/c2/unexpected-https-client-linux.sql @@ -192,7 +192,9 @@ WHERE '500,/usr/java,u,g,java', '500,/usr/kbfsfuse,0u,0g,kbfsfuse', '500,/usr/keybase,0u,0g,keybase', + '500,/home/trivy,500u,500g,trivy', '500,/usr/ko,u,g,ko', + '500,/usr/gvfsd-google,0u,0g,gvfsd-google', '500,/usr/kubectl,500u,500g,kubectl', '500,/usr/lens,0u,0g,lens', '500,/usr/melange,u,g,melange', diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index e5e351a..29d60eb 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql @@ -246,6 +246,7 @@ WHERE '443,6,500,Signal Helper (Renderer),org.whispersystems.signal-desktop.helper.Renderer,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)', '443,6,500,Signal,org.whispersystems.signal-desktop,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)', '443,6,500,Slack Helper,,', + '443,17,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)', '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)', '443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)', 
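Review bot: The new `'500,/home/trivy,500u,500g,trivy'` entry keys the exception on a path under `/home`, which unlike the neighbouring `/usr/...` entries is a user-writable location, so if the second field is the path prefix it appears to be, any executable named trivy placed beneath `/home/trivy` by that user is exempt from this rule with no hash or signature constraint. A why-comment on the line, e.g. `-- trivy installed per-user under /home/trivy on <host or role>`, or an exception on the installed binary's hash where the query exposes one, keeps the exemption from quietly covering any same-named binary. The exception key is built outside this hunk, so the field meaning should be confirmed there.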
@@ -256,9 +257,12 @@ WHERE '443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)', '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)', '443,6,500,trivy,a.out,', + '31580,6,500,kubectl.1.23,a.out,', + '443,6,500,docker-index,docker-index,Developer ID Application: Docker Inc (9BNSXJN65R)', '443,6,500,vegeta,a.out,', '443,6,500,policy-tester,a.out,', '443,6,500,vim,vim,', + '443,6,500,git-credential-osxkeychain,git-credential-osxkeychain,', '443,6,500,wolfictl,a.out,', '443,6,500,op,com.1password.op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C)', '443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)', diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql index 0fa686c..04a9661 100644 --- a/detection/collection/high-disk-bytes-written.sql +++ b/detection/collection/high-disk-bytes-written.sql @@ -28,8 +28,8 @@ FROM processes p LEFT JOIN hash ON p.path = hash.path WHERE - bytes_per_second > 3000000 - AND age > 120 + bytes_per_second > 6500000 + AND age > 30 AND pid > 2 AND p.path NOT IN ( '/bin/bash', @@ -38,6 +38,7 @@ WHERE '/usr/bin/apt', '/usr/bin/aptd', '/usr/bin/pacman', + '/usr/bin/git', '/usr/bin/bash', '/usr/lib/baloo_file_extractor', '/usr/bin/bwrap', @@ -114,6 +115,7 @@ WHERE 'esbuild', 'firefox', 'fsdaemon', + 'docker-index', 'go', 'goland', 'node', diff --git a/detection/evasion/hidden-home-library-dir.sql b/detection/evasion/hidden-home-library-dir.sql index 107d6c6..ee13d40 100644 --- a/detection/evasion/hidden-home-library-dir.sql +++ b/detection/evasion/hidden-home-library-dir.sql 
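Review bot: `'31580,6,500,kubectl.1.23,a.out,'` exempts a process by name alone: the identifier is the ad-hoc `a.out`, the authority field is empty, and 31580 looks like an ad-hoc service port rather than a fixed one, so any unsigned binary named kubectl.1.23 talking TCP to that port is ignored. If this is a NodePort used while testing kubectl 1.23, say so in a comment (`-- kubectl 1.23 against a local NodePort: <reason>`) or replace the row with a hash-based exception if the query exposes one; the same applies to the empty-authority `git-credential-osxkeychain` row below and to the new `bufls` and `cloud_sql_proxy` `a.out` rows in unexpected-security-framework-program-macos.sql. The tuple layout is inferred from the surrounding rows; the key's construction is outside this hunk.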
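Review bot: Both thresholds in high-disk-bytes-written.sql change at once (`bytes_per_second` 3000000→6500000 and `age` 120→30) with no comment recording why, so the next person tuning false positives has nothing to reason from. Lowering `age` to 30 makes the rule evaluate much younger processes, whose rate is measured over a short window and is therefore spikier, which the raised byte threshold presumably compensates for; the `/usr/bin/git` and `docker-index` exclusions added in the following two hunks look like fallout from that, but that is inferred. A comment on each line would settle it: `bytes_per_second > 6500000 -- ~6.5 MB/s: <reason for threshold>` and `AND age > 30 -- seconds: <reason>`.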
@@ -41,6 +41,8 @@ WHERE '~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA', '~/Library/Group Containers/.SiriTodayViewExtension/Library', '~/Library/Group Containers/.SiriTodayViewExtension', + '~/Library/HomeKit/.core-cloudkit_SUPPORT/_EXTERNAL_DATA', + '~/Library/HomeKit/.core-cloudkit-shared_SUPPORT/_EXTERNAL_DATA', '~/Library/Caches/.sigstore/gitsign', '~/Library/GroupContainersAlias/.SiriTodayViewExtension/Library', '~/Library/GroupContainersAlias/.SiriTodayViewExtension' diff --git a/detection/evasion/missing-from-disk-macos.sql b/detection/evasion/missing-from-disk-macos.sql index c3fa0fe..22c0c66 100644 --- a/detection/evasion/missing-from-disk-macos.sql +++ b/detection/evasion/missing-from-disk-macos.sql @@ -54,6 +54,7 @@ WHERE '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper' ) OR cmd LIKE '/opt/homebrew/Cellar/%' + OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old' OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%' OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%' OR p.path LIKE '/Users/%/node_modules/.pnpm/%' diff --git a/detection/evasion/unexpected-library-entries-macos.sql b/detection/evasion/unexpected-library-entries-macos.sql index e5d173a..68eb065 100644 --- a/detection/evasion/unexpected-library-entries-macos.sql +++ b/detection/evasion/unexpected-library-entries-macos.sql @@ -80,6 +80,7 @@ WHERE '/Library/KernelCollections/.file', '/Library/Keyboard Layouts/', '/Library/Keychains/', + '/Library/Tailscale/', '/Library/LaunchAgents/', '/Library/LaunchDaemons/', '/Library/.localized', diff --git a/detection/evasion/unexpected-tmp-executables.sql b/detection/evasion/unexpected-tmp-executables.sql index b38c74e..295a6b9 100644 --- a/detection/evasion/unexpected-tmp-executables.sql +++ b/detection/evasion/unexpected-tmp-executables.sql 
@@ -5,22 +5,21 @@ -- -- tags: persistent -- platform: posix -SELECT - file.path, +SELECT file.path, uid, gid, mode, REGEX_MATCH (RTRIM(file.path, '/'), '.*\.(.*?)$', 1) AS extension, + file.btime, + file.ctime, file.mtime, file.size, hash.sha256, magic.data -FROM - file +FROM file LEFT JOIN hash on file.path = hash.path LEFT JOIN magic ON file.path = magic.path -WHERE - ( +WHERE ( -- Recursive queries don't seem to work well with hidden directories :( file.path LIKE '/tmp/%%' OR file.path LIKE '/tmp/.%/%%' @@ -51,6 +50,7 @@ WHERE OR file.path LIKE '/tmp/tmp.%' OR file.path LIKE '%/bin/%-gen' OR file.path LIKE '%/bin/%' + OR file.path LIKE '%/sbin/%' OR file.path LIKE '%/CCLBS/%' OR file.path LIKE '/tmp/%/target/debug/build/%' OR file.path LIKE '%/ko/%' @@ -60,7 +60,23 @@ WHERE ( file.size < 50000 AND file.uid > 500 - AND extension IN ('sh', 'py', 'pl', 'perl', 'json', 'js', 'txt', 'log') + AND extension IN ( + 'adoc', + 'bat', + 'java', + 'js', + 'json', + 'log', + 'perl', + 'pl', + 'py', + 'script', + 'sh', + 'txt', + 'yaml', + 'yml' + ) + AND magic.data NOT LIKE "ELF 64-bit LSB%" ) ) ) -- Nix @@ -89,8 +105,7 @@ WHERE AND (strftime('%s', 'now') - ctime) < 30 ) -- macOS updates AND NOT file.directory LIKE '/tmp/msu-target-%' -- I don't know man. I don't work here. - AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS' - -- terraform + AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS' -- terraform AND NOT ( uid > 500 AND file.path LIKE '/tmp/terraform_%/terraform' 
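Review bot: `AND magic.data NOT LIKE "ELF 64-bit LSB%"` only removes little-endian 64-bit binaries from the small-script-extension exception; a 32-bit or big-endian ELF carrying a `.sh`/`.py`/`.txt` name still qualifies as "small and script-like" and is dropped from the results. `AND magic.data NOT LIKE 'ELF %'` covers all of them. Because `magic` is LEFT JOINed, a NULL `magic.data` makes this predicate NULL and the whole exception stop applying (the file is reported), which is the safe direction but should be stated, e.g. `-- NULL magic deliberately falls through to being reported`. The double-quoted literal relies on SQLite's double-quoted-string fallback, which builds can disable, while the LIKE patterns in the same hunk use single quotes.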
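Review bot: `-- terraform` now trails the UpdateBrain exclusion on the same line, so it reads as a description of that path rather than as the heading of the `AND NOT ( uid > 500 AND file.path LIKE '/tmp/terraform_%/terraform' ...` block that follows, while `-- macOS updates` two lines up keeps the old convention. The next hunk does the same with `) -- Executables too small…`, `) -- Common shell scripts` and `) -- Binaries we might actually see`, each now attached to the closing parenthesis of the previous block. Keeping each section comment on its own line directly above the clause it introduces avoids mislabelling the exclusions.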
@@ -99,14 +114,37 @@ WHERE file.path LIKE '/tmp/%compressed' AND size < 4000 AND uid > 500 - ) - -- Executables too small to even hold '#!/bin/sh\nuid' + ) -- Executables too small to even hold '#!/bin/sh\nuid' AND NOT ( file.type = 'regular' AND size < 10 - ) - -- Common shell scripts + ) -- Common shell scripts AND NOT ( file.filename IN ("configure", "mkinstalldirs") AND magic.data = "POSIX shell script, ASCII text executable" ) + AND NOT ( + ( + file.directory LIKE "%/lib" + OR file.directory LIKE "%/lib64" + ) + AND file.uid > 500 + AND ( + file.filename LIKE "%.so.%" + OR file.filename LIKE "%.so" + ) + AND ( + magic.data LIKE "ELF 64-bit LSB shared object%" + OR magic.data LIKE "symbolic link to %" + ) + ) -- Binaries we might actually see + AND NOT ( + file.path LIKE '/tmp/%' + AND file.uid > 500 + AND magic.data LIKE "ELF 64-bit LSB executable%" + AND ( + file.filename LIKE "%ctl" + OR file.filename LIKE "%adm" + OR file.filename LIKE "%-cli" + ) + ) diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql index 3ff2d55..b8f3f38 100644 --- a/detection/execution/exotic-command-events-linux.sql +++ b/detection/execution/exotic-command-events-linux.sql 
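Review bot: The new `-- Binaries we might actually see` exception exempts every ELF executable under `/tmp/` owned by a uid above 500 whose name merely ends in `ctl`, `adm` or `-cli`; a filename suffix is the weakest property this rule can pin an exception on, and it removes exactly the `/tmp` executables the rule exists to surface. Prefer listing the tools that were actually observed (`file.filename IN (...)`) or exempting by the `hash.sha256` the query already selects, and record which tools motivated the carve-out. The `.so` exception above it has a similar scope issue: `file.directory LIKE "%/lib"` matches any directory ending in `/lib` anywhere under the scanned roots, not a particular tool's lib directory. Both blocks use double-quoted string literals while the paths in the same hunk use single quotes.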
@@ -9,39 +9,40 @@ -- tags: transient process events -- platform: linux -- interval: 30 -SELECT - p.pid, - p.path, - TRIM( - REPLACE( - p.path, - RTRIM(p.path, REPLACE(p.path, '/', '')), - '' - ) - ) AS basename, - -- On macOS there is often a trailing space - TRIM(p.cmdline) AS cmd, - p.mode, - p.cwd, - p.euid, - p.parent, - pp.cgroup_path, - hash.sha256, - pp.path AS parent_path, - pp.name AS parent_name, - TRIM(p.cmdline) AS parent_cmd, - pp.euid AS parent_euid, - phash.sha256 AS parent_sha256 -FROM - uptime, - process_events p - LEFT JOIN processes pp ON p.parent = pp.pid - LEFT JOIN hash ON p.path = hash.path - LEFT JOIN hash AS phash ON pp.path = phash.path +SELECT pe.path AS path, + REGEX_MATCH (pe.path, '.*/(.*)', 1) AS child_name, + TRIM(pe.cmdline) AS cmd, + pe.pid AS pid, + pe.euid AS euid, + pe.parent AS parent_pid, + TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd, + TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path, + REGEX_MATCH ( + IIF(pp.path != NULL, pp.path, ppe.path), + '.*/(.*)', + 1 + ) AS parent_name, + TRIM(IIF(pp.path != NULL, hash.sha256, ehash.sha256)) AS parent_hash, + TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd, + TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path, + REGEX_MATCH ( + IIF(gp.path != NULL, gp.path, gpe.path), + '.*/(.*)', + 1 + ) AS gparent_name, + IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid +FROM process_events pe, uptime + LEFT JOIN processes p ON pe.pid = p.pid + LEFT JOIN processes pp ON pe.parent = pp.pid + LEFT JOIN process_events ppe ON pe.parent = ppe.pid + LEFT JOIN processes gp ON gp.pid = pp.parent + LEFT JOIN process_events gpe ON ppe.parent = gpe.pid + LEFT JOIN hash ON pp.path = hash.path + LEFT JOIN hash ehash ON ppe.path = ehash.path WHERE - p.time > (strftime('%s', 'now') -30) + pe.time > (strftime('%s', 'now') -30) AND ( - basename IN ( + child_name IN ( 'bitspin', 'bpftool', 'heyoka', 
@@ -70,8 +71,8 @@ WHERE -- Chrome Stealer OR cmd LIKE '%chrome%-load-extension%' -- Known attack scripts - OR basename LIKE '%pwn%' - OR basename LIKE '%attack%' + OR child_name LIKE '%pwn%' + OR child_name LIKE '%attack%' -- Unusual behaviors OR cmd LIKE '%ufw disable%' OR cmd LIKE '%powershell%' @@ -94,7 +95,7 @@ WHERE OR cmd LIKE '%pkill -f%' OR ( cmd LIKE '%xargs kill -9%' - AND p.euid = 0 + AND pe.euid = 0 ) OR cmd LIKE '%rm -rf /boot%' OR cmd LIKE '%nohup /bin/bash%' @@ -122,16 +123,16 @@ WHERE OR INSTR(cmd, 'Socket.') > 0 OR ( cmd LIKE '%tail -f /dev/null%' - AND cgroup_path NOT LIKE '/system.slice/docker-%' + AND p.cgroup_path NOT LIKE '/system.slice/docker-%' ) ) -- Things that could reasonably happen at boot. AND NOT ( - p.path IN ('/usr/bin/kmod', '/bin/kmod') + pe.path IN ('/usr/bin/kmod', '/bin/kmod') AND parent_path = '/usr/lib/systemd/systemd' AND parent_cmd = '/sbin/init' ) AND NOT ( - p.path IN ('/usr/bin/kmod', '/bin/kmod') + pe.path IN ('/usr/bin/kmod', '/bin/kmod') AND parent_name IN ( 'firewalld', 'mkinitramfs', @@ -141,11 +142,11 @@ WHERE ) ) AND NOT ( - p.path IN ('/usr/bin/kmod', '/bin/kmod') + pe.path IN ('/usr/bin/kmod', '/bin/kmod') AND uptime.total_seconds < 15 ) AND NOT ( - p.path = '/usr/bin/mkfifo' + pe.path = '/usr/bin/mkfifo' AND cmd LIKE '%/org.gpgtools.log.%/fifo' ) AND NOT cmd LIKE '%modprobe -va%' @@ -158,5 +159,7 @@ WHERE AND NOT cmd LIKE 'pkill -f cut -c3%' AND NOT cmd LIKE 'dirname %history' AND NOT cmd LIKE 'tail /%history' + AND NOT cmd LIKE '%/usr/bin/cmake%Socket.h' + AND NOT cmd LIKE '%/usr/bin/cmake%Socket.cpp' AND NOT cmd LIKE 'find . -executable -type f -name %grep -l GNU Libtool%touch -r%' - AND NOT basename IN ('cc1', 'compile') + AND NOT child_name IN ('cc1', 'compile', 'cmake', 'cc1plus') diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql index 816e19c..9d6e065 100644 --- a/detection/execution/exotic-command-events-macos.sql 
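Review bot: `AND p.cgroup_path NOT LIKE '/system.slice/docker-%'` is now evaluated against `processes p`, which the first hunk LEFT JOINs on `pe.pid`; for a process that has already exited when the query runs, `p.cgroup_path` is NULL, the predicate is NULL, and the `tail -f /dev/null` branch silently never fires for short-lived events. `AND COALESCE(p.cgroup_path, '') NOT LIKE '/system.slice/docker-%'` keeps the docker carve-out while still reporting processes whose cgroup can no longer be read. The enclosing WHERE clause starts and ends outside this hunk.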
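Review bot: Adding `'cmake'` to the final `AND NOT child_name IN (...)` list exempts every cmake process from all of the rule's patterns (the `chmod%777`, `ufw disable`, `pkill -f` and similar checks), not just the `Socket.h`/`Socket.cpp` false positive, which the two `cmd LIKE` exclusions added just above already handle. Unless cmake trips other patterns, drop it from the name list, or note which pattern it was hitting: `-- cmake: <pattern it triggered>`. `cc1plus` next to `cc1` is fine. The WHERE clause starts outside this hunk.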
+++ b/detection/execution/exotic-command-events-macos.sql 
@@ -9,43 +9,53 @@ -- tags: transient process events -- platform: darwin -- interval: 45 -SELECT - p.pid, - p.path, - REPLACE( - p.path, - RTRIM(p.path, REPLACE(p.path, '/', '')), - '' - ) AS basename, - -- On macOS there is often a trailing space - TRIM(p.cmdline) AS cmd, - p.mode, - p.cwd, - p.euid, - p.parent, - p.syscall, - hash.sha256, - pp.path AS parent_path, - pp.name AS parent_name, - TRIM(pp.cmdline) AS parent_cmd, - TRIM(ppp.cmdline) AS gparent_cmd, - pp.euid AS parent_euid, - ppp.path AS gparent_path, - ppp.name AS gparent_name, - phash.sha256 AS parent_sha256, - gphash.sha256 AS gparent_sha256 -FROM - uptime, - process_events p - LEFT JOIN processes pp ON p.parent = pp.pid - LEFT JOIN processes ppp ON pp.parent = ppp.pid - LEFT JOIN hash ON p.path = hash.path - LEFT JOIN hash AS phash ON pp.path = phash.path - LEFT JOIN hash AS gphash ON ppp.path = gphash.path +SELECT pe.path AS path, + REGEX_MATCH (pe.path, '.*/(.*)', 1) AS name, + TRIM(pe.cmdline) AS cmd, + pe.pid AS pid, + pe.euid AS euid, + pe.parent AS parent_pid, + TRIM(IIF(pp.cmdline != NULL, pp.cmdline, ppe.cmdline)) AS parent_cmd, + TRIM(IIF(pp.path != NULL, pp.path, ppe.path)) AS parent_path, + REGEX_MATCH ( + IIF(pp.path != NULL, pp.path, ppe.path), + '.*/(.*)', + 1 + ) AS parent_name, + TRIM(IIF(pp.path != NULL, hash.sha256, ehash.sha256)) AS parent_hash, + TRIM(IIF(gp.cmdline != NULL, gp.cmdline, gpe.cmdline)) AS gparent_cmd, + TRIM(IIF(gp.path != NULL, gp.path, gpe.path)) AS gparent_path, + REGEX_MATCH ( + IIF(gp.path != NULL, gp.path, gpe.path), + '.*/(.*)', + 1 + ) AS gparent_name, + IIF(pp.parent != NULL, pp.parent, ppe.parent) AS gparent_pid, + IIF( + signature.identifier != NULL, + signature.identifier, + esignature.identifier + ) AS parent_identifier, + IIF( + signature.authority != NULL, + signature.authority, + esignature.authority + ) AS parent_authority +FROM process_events pe + LEFT JOIN processes p ON pe.pid = p.pid + LEFT JOIN processes pp ON pe.parent = pp.pid + LEFT JOIN 
process_events ppe ON pe.parent = ppe.pid + LEFT JOIN processes gp ON gp.pid = pp.parent + LEFT JOIN process_events gpe ON ppe.parent = gpe.pid + LEFT JOIN hash ON pp.path = hash.path + LEFT JOIN hash ehash ON ppe.path = ehash.path + LEFT JOIN signature ON pp.path = signature.path + LEFT JOIN signature esignature ON ppe.path = esignature.path WHERE - p.time > (strftime('%s', 'now') -45) + pe.time > (strftime('%s', 'now') -45) + AND pe.status = 0 AND ( - basename IN ( + name IN ( 'bitspin', 'bpftool', 'csrutil', @@ -66,8 +76,8 @@ WHERE ) -- Chrome Stealer OR cmd LIKE '%set visible of front window to false%' OR cmd LIKE '%chrome%-load-extension%' -- Known attack scripts - OR basename LIKE '%pwn%' - OR basename LIKE '%attack%' -- Unusual behaviors + OR name LIKE '%pwn%' + OR name LIKE '%attack%' -- Unusual behaviors OR cmd LIKE '%powershell%' OR cmd LIKE '%chattr -ia%' OR cmd LIKE '%chmod%777 %' @@ -79,7 +89,7 @@ WHERE OR cmd LIKE '%killall Terminal%' OR cmd LIKE '%iptables stop' OR ( - p.euid = 0 + pe.euid = 0 AND ( cmd LIKE '%pkill -f%' OR cmd LIKE '%xargs kill -9%' @@ -114,7 +124,7 @@ WHERE OR INSTR(cmd, 'Socket.') > 0 ) -- Things that could reasonably happen at boot. AND NOT ( - p.path = '/usr/bin/mkfifo' + pe.path = '/usr/bin/mkfifo' AND cmd LIKE '%/org.gpgtools.log.%/fifo' ) AND NOT ( @@ -135,7 +145,7 @@ WHERE 'xpcproxy com.apple.Safari.History' ) -- The source of these commands is still a mystery to me. - OR p.parent = -1 + OR pe.parent = -1 ) AND NOT cmd LIKE '/bin/launchctl load -wF /Users/%/Library/PreferencePanes/../LaunchAgents/com.adobe.GC.Invoker-1.0.plist' AND NOT cmd LIKE '/bin/launchctl load -w /Users/%/Library/LaunchAgents/keybase.%.plist' @@ -149,3 +159,4 @@ WHERE AND NOT cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%' AND NOT cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%' AND NOT cmd LIKE '%history' + AND NOT name IN ('cc1', 'compile') \ No newline at end of file 
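Review bot: `AND pe.status = 0` is added to the WHERE clause without saying why, while the same filter in unexpected-osascript-calls.sql carries `-- Only include successful executions: On macOS, process_events includes unsuccessful path lookups!`; the reason is non-obvious enough to repeat here and in the unexpected-xattr-calls-macos.sql hunk that adds the same line. The rewrite also drops `p.syscall` and the child's own `hash.sha256` from the output, which were useful triage context for a transient event; if that is intentional, a short note in the header comment would help. The NULL-comparison problem in the `IIF(... != NULL ...)` expressions is the one raised on the Linux variant and applies here unchanged.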
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql index 3ca7098..a506f11 100644 --- a/detection/execution/recently-created-executables-linux.sql +++ b/detection/execution/recently-created-executables-linux.sql @@ -60,6 +60,7 @@ WHERE '/usr/bin/docker-proxy', '/usr/bin/gedit', '/usr/bin/gnome-keyring-daemon', + '/usr/bin/fusermount3', '/usr/bin/kbfsfuse', '/usr/bin/keybase', '/usr/bin/keybase-redirector', diff --git a/detection/execution/sketchy-fetcher-events.sql b/detection/execution/sketchy-fetcher-events.sql index 696d231..a4ab50b 100644 --- a/detection/execution/sketchy-fetcher-events.sql +++ b/detection/execution/sketchy-fetcher-events.sql @@ -138,6 +138,7 @@ WHERE -- Ignore local addresses (Docker development) OR addr NOT LIKE '%.%' OR ip LIKE '172.2%' + OR ip LIKE '192.168.%' ) ) diff --git a/detection/execution/sketchy-fetcher.sql b/detection/execution/sketchy-fetcher.sql index 87314ea..ffb7b50 100644 --- a/detection/execution/sketchy-fetcher.sql +++ b/detection/execution/sketchy-fetcher.sql @@ -132,7 +132,8 @@ WHERE addr IN ('releases.hashicorp.com', 'github.com', 'dl.enforce.dev') -- Ignore local addresses (Docker development) OR addr NOT LIKE '%.%' - OR addr LIKE '172.21.%' + OR ip LIKE '172.21.%' + OR ip LIKE '192.168.%' ) ) diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql index f4b84f1..f6d2d17 100644 --- a/detection/execution/unexpected-execdir-macos.sql +++ b/detection/execution/unexpected-execdir-macos.sql @@ -106,6 +106,7 @@ WHERE '~/code/bin', '~/Downloads/google-cloud-sdk/bin', '~/Library/Application Support/dev.warp.Warp-Stable', + '~/Library/Application Support/zoom.us/Plugins/aomhost.app/Contents/MacOS', '~/go/bin', '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin', '~/.local/bin', 
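Review bot: `OR ip LIKE '192.168.%'` under the `-- Ignore local addresses (Docker development)` comment exempts the entire 192.168.0.0/16 range, which on most networks is the LAN rather than a Docker bridge, so a fetch from another host on the local network becomes invisible to this rule. If the intent is Docker's bridge subnets, match the specific ranges in use, or at least qualify the comment: `-- 192.168/16: <which environment and why>`. Note the existing `'172.2%'` prefix is itself wider than it looks, since it also matches 172.2.x.x. The same line is added to sketchy-fetcher.sql in the next hunk.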
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql index c6db493..94db1ea 100644 --- a/detection/execution/unexpected-fetcher-parents.sql +++ b/detection/execution/unexpected-fetcher-parents.sql @@ -45,6 +45,8 @@ WHERE 'curl,500,bash,nix-daemon', 'curl,500,bash,bash', 'curl,500,bash,ShellLauncher', + 'curl,500,bash,fakeroot', + 'curl,500,makepkg,yay', 'curl,500,bash,zsh', 'curl,500,env,env', 'curl,500,fish,gnome-terminal-', diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql index 2066992..30b2b60 100644 --- a/detection/execution/unexpected-osascript-calls.sql +++ b/detection/execution/unexpected-osascript-calls.sql @@ -59,6 +59,8 @@ FROM WHERE pe.path IN ('/usr/bin/osascript', '/usr/bin/osacompile') AND pe.time > (strftime('%s', 'now') -900) + -- Only include successful executions: On macOS, process_events includes unsuccessful path lookups! + AND pe.status = 0 AND NOT ( pe.euid > 500 AND ( @@ -85,4 +87,4 @@ WHERE -- The following apply to all uids AND NOT cmd = 'osascript -e user locale of (get system info)' GROUP BY - pe.pid + pe.pid, pe.cmd diff --git a/detection/execution/unexpected-root-signer-macos.sql b/detection/execution/unexpected-root-signer-macos.sql index 909180e..6889e19 100644 --- a/detection/execution/unexpected-root-signer-macos.sql +++ b/detection/execution/unexpected-root-signer-macos.sql @@ -47,6 +47,7 @@ WHERE 'Developer ID Application: Kolide Inc (YZ3EM74M78)', 'Developer ID Application: Logitech Inc. (QED4VVPZWA)', 'Developer ID Application: Mersive Technologies (63B5A5WDNG)', + 'Developer ID Application: Keybase, Inc. (99229SGT5K)', 'Developer ID Application: Microsoft Corporation (UBF8T346G9)', 'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)', 'Developer ID Application: Objective-See, LLC (VBG97UB4TA)', 
@@ -68,4 +69,9 @@ WHERE AND p.path LIKE "/opt/%/bin/socket_vmnet" AND pp.path IN ("/usr/bin/sudo", "/sbin/launchd") ) + AND NOT ( + signature.authority = "Developer ID Application: Node.js Foundation (HX7739G8FX)" + AND p.name = "node" + AND parent_name IN ("vim", "nvim") + ) diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql index 7d7814c..10dd779 100644 --- a/detection/execution/unexpected-security-framework-program-macos.sql +++ b/detection/execution/unexpected-security-framework-program-macos.sql @@ -43,13 +43,16 @@ WHERE '500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing', '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing', '500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing', + '500,bufls,a.out,', '500,.cargo-wrapped,.cargo-wrapped,', + '500,cloud_sql_proxy,a.out,', '500,cosign,a.out,', '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,', '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)', '500,epdfinfo,epdfinfo,', '500,esbuild,a.out,', '500,fake,a.out,', + '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing', '500,gitsign-credential-cache,a.out,', '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)', '500,gopls,a.out,', diff --git a/detection/execution/unexpected-sysctl-calls.sql b/detection/execution/unexpected-sysctl-calls.sql index c1887c6..cb179c2 100644 --- a/detection/execution/unexpected-sysctl-calls.sql +++ b/detection/execution/unexpected-sysctl-calls.sql @@ -49,6 +49,7 @@ WHERE '/usr/sbin/sysctl' ) AND NOT p.parent IS NULL + AND NOT p.parent = -1 AND NOT child_cmd IN ( 'sysctl -n hw.optional.arm64', 'sysctl -n sysctl.proc_translated', 
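Review bot: The new exclusion lets a root-level `node` signed by the Node.js Foundation pass whenever its parent is `vim` or `nvim`, but nothing records the scenario (presumably an editor plugin run under a root editor session), so a later reader cannot tell whether it is still wanted. A one-line `-- node spawned by <plugin/LSP> from a root vim session` above the block would do. The block also introduces double-quoted string literals (`"node"`, `"vim"`), which depend on SQLite's double-quoted-string fallback; the surrounding context lines already mix both quote styles, so this is a file-wide consistency point rather than a new one.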
diff --git a/detection/execution/unexpected-xattr-calls-macos.sql b/detection/execution/unexpected-xattr-calls-macos.sql index fe3271a..1aff748 100644 --- a/detection/execution/unexpected-xattr-calls-macos.sql +++ b/detection/execution/unexpected-xattr-calls-macos.sql @@ -3,7 +3,7 @@ -- false positives: -- * none observed, but they are expected -- --- interval: 300 +-- interval: 60 -- platform: darwin -- tags: process events SELECT pe.path AS path, @@ -49,8 +49,18 @@ FROM process_events pe LEFT JOIN signature ON pp.path = signature.path LEFT JOIN signature esignature ON ppe.path = esignature.path WHERE pe.path = '/usr/bin/xattr' - AND pe.time > (strftime('%s', 'now') -300) - AND cmd != '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app' + AND pe.status = 0 + AND pe.time > (strftime('%s', 'now') -60) + AND cmd NOT IN ( + '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app', + '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper.app', + '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (GPU).app', + '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (Plugin).app', + '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (Renderer).app', + '/usr/bin/xattr -d com.apple.quarantine /Applications/Keybase.app', + '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Library/LoginItems/1Password Browser Helper.app', + 'xattr -d -r com.apple.quarantine /Applications/Google Chrome.app' + ) AND NOT ( pe.euid > 500 AND cmd LIKE '%xattr -l %' diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql index 4547baa..2925b65 100644 --- a/detection/initial_access/unexpected-diskimage-source-macos.sql 
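Review bot: The event window `pe.time > (strftime('%s', 'now') -60)` now equals the scheduling `-- interval: 60`, so any slip between two runs drops the xattr events that fall in the gap; the previous 300/300 pair had the same shape, but a 60-second gap is easier to hit. Consider a window slightly wider than the interval and tolerating the occasional duplicate (dedupe downstream on `pe.pid`), or document the trade-off on the line. The `cmd NOT IN (...)` exact-match list is a good replacement for the single `!=`, and `pe.status = 0` would benefit from the explanatory comment used in unexpected-osascript-calls.sql. The WHERE clause continues past the end of this hunk.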
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql @@ -15,14 +15,19 @@ SELECT file.size, datetime(file.btime, 'unixepoch') AS file_created, magic.data, + hash.sha256, + signature.identifier, + signature.authority, ea.value AS url, REGEX_MATCH (ea.value, '/[\w_-]+\.([\w\._-]+)[:/]', 1) AS domain, REGEX_MATCH (ea.value, '/([\w_-]+\.[\w\._-]+)[:/]', 1) AS host FROM mdfind LEFT JOIN file ON mdfind.path = file.path + LEFT JOIN hash ON mdfind.path = hash.path LEFT JOIN extended_attributes ea ON mdfind.path = ea.path - LEFT JOIN magic ON file.path = magic.path + LEFT JOIN magic ON mdfind.path = magic.path + LEFT JOIN signature ON mdfind.path = signature.path WHERE ( mdfind.query = "kMDItemWhereFroms != '' && kMDItemFSName == '*.iso'" @@ -58,6 +63,7 @@ WHERE 'docker.com', 'duckduckgo.com', 'eclipse.org', + 'whatsapp.com', 'gimp.org', 'github.io', 'githubusercontent.com', @@ -66,6 +72,7 @@ WHERE 'jetbrains.com', 'libreoffice.org', 'loom.com', + 'zoomgov.com', 'microsoft.com', 'minecraft.net', 'mirrorservice.org', @@ -108,6 +115,7 @@ WHERE 'warp-releases.storage.googleapis.com', 'mail.google.com', 'github.com', + 'obdev.at', 'ubuntu.com', 'balsamiq.com', 'tableplus.com', @@ -140,7 +148,10 @@ WHERE AND host NOT LIKE '%release%.storage.googleapis.com' AND NOT ( host LIKE '%.fbcdn.net' - AND file.filename LIKE 'Messenger.%.dmg' + AND ( + file.filename LIKE 'Messenger.%.dmg' + OR file.filename LIKE '%WhatsApp.dmg' + ) ) GROUP BY ea.value diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql index 7d2c80b..ba760a6 100644 --- a/detection/initial_access/unexpected-shell-parents.sql +++ b/detection/initial_access/unexpected-shell-parents.sql @@ -47,6 +47,7 @@ WHERE 'configure', 'conmon', 'containerd-shim', + 'buildkit-runc', 'dash', 'demoit', 'direnv', @@ -89,6 +90,7 @@ WHERE 'swift', 'systemd', 'terminator', + 'kue', 'test2json', 'tmux', 'tmux:server', 
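Review bot: `file.filename LIKE '%WhatsApp.dmg'` has a leading wildcard, so anything ending in `WhatsApp.dmg` from an `%.fbcdn.net` host is exempted, whereas the sibling `Messenger.%.dmg` pattern anchors the prefix; if the download is literally `WhatsApp.dmg`, `file.filename = 'WhatsApp.dmg'` (or `'WhatsApp%.dmg'` if a version is embedded) is tighter. The new `hash` and `signature` joins on `mdfind.path` in the first hunk may make osquery digest and code-sign-check every image mdfind returns, not only the ones surviving the domain filters, which could be slow on a machine with many disk images; worth timing the query once. The `GROUP BY ea.value` below this hunk is unchanged.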
@@ -155,6 +157,10 @@ WHERE pp.cmdline LIKE 'perl%/help2man%' AND p.cmdline LIKE 'sh -c man/%' ) + AND NOT ( + pp.cmdline LIKE '%/google-cloud-sdk/bin/docker-credential-gcloud get' + AND parent_path LIKE '/private/var/folders/%/T/go-build%.test' + ) AND NOT p.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%' AND NOT p.cmdline LIKE '%gcloud config config-helper%' AND NOT p.cmdline LIKE '%hugo/hugo server%' diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql index 8d26105..36df4b4 100644 --- a/detection/persistence/unexpected-chrome-extensions.sql +++ b/detection/persistence/unexpected-chrome-extensions.sql 
@@ -63,8 +63,10 @@ WHERE 'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, ', 'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, , contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms', 'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced,tabs, http://*/*, https://*/*', + 'true,Vimeo,Vimeo Record - Screen & Webcam Recorder,ejfmffkmeigkphomnpabpdabfddeadcb,, storage, cookies, notifications, desktopCapture, tabCapture, contextMenus, ://.vimeo.com/', 'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, , tabs, downloads, nativeMessaging, webRequest, storage, webRequestBlocking', 'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, , tabs, downloads, nativeMessaging, webRequest, webRequestBlocking', + 'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi,tabs, webNavigation, webRequest, storage, , cookies, alarms', 'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj,contextMenus, tabs, downloads, nativeMessaging, webRequest, webNavigation, storage, scripting, alarms, declarativeNetRequest', 'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk,contextMenus, nativeMessaging, storage, tabs, webRequest, webRequestBlocking, http://*/*, https://*/*', 'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa,, alarms, contextMenus, downloads, idle, management, nativeMessaging, notifications, privacy, tabs, webNavigation, webRequest, webRequestBlocking', diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql index 80072a0..8d1de00 100644 --- a/detection/persistence/unexpected-listening-port-linux.sql 
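Review bot: The two new entries land in the middle of an alphabetical run of the allowlist: the Vimeo line is inserted between `Add to Amazon Wish List` and `Adobe Acrobat`, and the Rakuten line between two `Adobe Acrobat` entries, so a later reviewer scanning for duplicates or checking whether an extension is already listed will miss them. Move them to their sorted positions in the full list, which lies outside this hunk. A one-line `--` note on why an extension requesting `cookies` plus `webRequest` on all tabs is expected would also help, since that is the kind of permission set this rule exists to surface.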
+++ b/detection/persistence/unexpected-listening-port-linux.sql @@ -8,12 +8,14 @@ SELECT lp.address, lp.port, lp.protocol, - p.uid, + p.euid, + p.parent, p.pid, p.name, p.path, p.cmdline, p.cgroup_path, + datetime(file.mtime,'unixepoch') AS mtime, p.cwd, hash.sha256, CONCAT ( @@ -28,6 +30,7 @@ SELECT FROM listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid + LEFT JOIN file ON p.path = file.path LEFT JOIN hash ON p.path = hash.path WHERE port != 0 diff --git a/detection/privesc/setxid-cmdline-overflow-attempt.sql b/detection/privesc/setxid-cmdline-overflow-attempt.sql index 85b9ca7..ae6ae6f 100644 --- a/detection/privesc/setxid-cmdline-overflow-attempt.sql +++ b/detection/privesc/setxid-cmdline-overflow-attempt.sql @@ -23,4 +23,4 @@ FROM WHERE p.time > (strftime('%s', 'now') -60) AND file.mode NOT LIKE '0%' - AND p.cmdline_size > 1024 + AND p.cmdline_size > 2048 \ No newline at end of file diff --git a/detection/privesc/unexpected-privileged-containers.sql b/detection/privesc/unexpected-privileged-containers.sql index 7a70c7a..82b67a4 100644 --- a/detection/privesc/unexpected-privileged-containers.sql +++ b/detection/privesc/unexpected-privileged-containers.sql @@ -31,6 +31,8 @@ WHERE AND image NOT IN ( 'cgr.dev/chainguard/melange', 'cgr.dev/chainguard/sdk', + 'moby/buildkit:buildx-stable-1', + 'cgr.dev/chainguard/wolfi-base', 'distroless.dev/melange', 'distroless.dev/melange:latest', 'wolfi:test'
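Review bot: `datetime(file.mtime,'unixepoch') AS mtime` gives the result column the same name as the `file.mtime` column it is derived from; as far as I can tell SQLite resolves an unqualified `mtime` in WHERE to the table column (the raw epoch integer) rather than the alias, so a later filter written against the formatted value would silently compare the wrong thing. Naming it `AS path_mtime`, matching the `p.path` it describes, avoids the ambiguity. The switch from `p.uid` to `p.euid` changes what is reported for setuid listeners; if the `CONCAT (` exception key that starts at the end of this hunk uses the uid, it should be checked that it was updated as well, but that part of the SELECT is outside the hunk.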
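Review bot: `'cgr.dev/chainguard/wolfi-base'` is a general-purpose base image, so this entry in unexpected-privileged-containers.sql exempts any privileged container whose `image` field reports that name, whatever was layered on top of it or run inside it; the existing entries (`melange`, `sdk`, `buildkit`) name tools that plausibly need privilege. If the case is a specific build job, exempting on its command or container name would be narrower; otherwise a why-comment, `-- wolfi-base: <job that needs a privileged container>`, keeps the scope reviewable. `moby/buildkit:buildx-stable-1` is pinned to a tag, which is the better shape.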