From 111c15e20b7469e5f2e865e4826115c4683bb6ee Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Tue, 23 May 2023 11:31:37 -0400 Subject: [PATCH] fpr: macOS, yubikey, Premiere, dnf, vagrant, etc
---
Makefile | 2 +- detection/c2/unexpected-https-linux.sql | 3 + detection/c2/unexpected-https-macos.sql | 13 +- .../c2/unexpected-libcurl-user-linux.sql | 1 + detection/c2/unexpected-talkers-linux.sql | 2 + detection/c2/unexpected-talkers-macos.sql | 13 +- detection/evasion/hidden-parent-pid.sql | 31 ---- .../parent-missing-from-disk-linux.sql | 1 + .../unexpected-hidden-system-paths.sql | 1 + .../unexpected-tmp-executables-macos.sql | 9 +- .../evasion/unexpected-var-run-macos.sql | 3 +- .../recently-created-executables-linux.sql | 10 +- .../recently-created-executables-macos.sql | 2 + detection/execution/sketchy-fetcher.sql | 167 ++++++++++-------- .../unexpected-execdir-events-macos.sql | 9 +- .../execution/unexpected-fetcher-parents.sql | 1 + .../execution/unexpected-osascript-calls.sql | 7 +- .../unexpected-root-signer-macos.sql | 27 +-- ...ected-security-framework-program-macos.sql | 2 + .../unexpected-diskimage-source-macos.sql | 1 + .../unexpected-shell-parents.sql | 121 +++++++------ detection/persistence/low-fd-socket.sql | 49 +++-- .../minimal-socket-client-linux.sql | 62 ++++--- .../minimal-socket-client-macos.sql | 3 +- .../unexpected-active-systemd-units.sql | 17 +- .../persistence/unexpected-global-lock.sql | 1 + .../persistence/unexpected-lock-opener.sql | 44 +++-- ...xpected-elevated-children-events_macos.sql | 19 +- fragments/process_event_parents_macos.sql | 1 + fragments/process_parents.sql | 3 +- policy/gcp-service-account-keys-mdfind.sql | 1 + policy/gcp-service-account-keys.sql | 2 +- 32 files changed, 376 insertions(+), 252 deletions(-) delete mode 100644 detection/evasion/hidden-parent-pid.sql
diff --git a/Makefile b/Makefile
index 89ad20e..6282cd5 100644
--- a/Makefile
+++ b/Makefile
@@ -72,7 +72,7 @@ verify-ci: ./out/osqtool-$(ARCH)
verify: ./out/osqtool-$(ARCH)
$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy
- $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h15m --max-query-daily-duration=1h verify detection
+ $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h25m --max-query-daily-duration=1h verify detection
all: out/odk-packs.zip
diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
index c991fe4..bdd0adb 100644
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@@ -83,6 +83,7 @@ WHERE
'0,python3.10,0u,0g,dnf',
'0,python3.10,0u,0g,dnf-automatic',
'0,python3.10,0u,0g,yum',
+ '500,evolution-source-registry,0u,0g,evolution-sourc',
'0,python3.11,0u,0g,dnf',
'0,python3.11,0u,0g,dnf-automatic',
'0,python3.11,0u,0g,yum',
@@ -247,6 +248,7 @@ WHERE
'500,spotify,500u,500g,spotify',
'500,spotify,u,g,spotify',
'500,steam,500u,100g,steam',
+ '500,buildkite-agent,500u,500g,buildkite-agent',
'500,steam,500u,500g,steam',
'500,steamwebhelper,500u,100g,steamwebhelper',
'500,steamwebhelper,500u,500g,steamwebhelper',
@@ -264,6 +266,7 @@ WHERE
'500,todoist,0u,0g,todoist',
'500,trivy,0u,0g,trivy',
'500,trivy,500u,500g,trivy',
+ '500,firefox-bin,u,g,firefox-bin',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,wget,0u,0g,wget',
'500,wine64-preloader,500u,500g,Root.exe',
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index ed8da72..3592afc 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
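Review bot: The three new keys land in the middle of otherwise sorted runs — `'500,evolution-source-registry,0u,0g,evolution-sourc'` between the python3.10 and python3.11 entries, `'500,buildkite-agent,500u,500g,buildkite-agent'` between two `steam` entries, and `'500,firefox-bin,u,g,firefox-bin'` between `trivy` and `WebKitNetworkProcess` — so anyone later scanning the list for a duplicate or stale entry will miss them; move each to its alphabetical slot. The `u,g` form on the firefox-bin key mirrors the existing `'500,spotify,u,g,spotify'`, but since it presumably matches a process whose uid/gid fields came back empty, a trailing comment such as `-- firefox-bin: uid/gid unavailable (sandboxed/flatpak?)` would record why that is expected. The enclosing `exception_key IN (...)` list starts and ends outside these hunks.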
@@ -102,15 +102,19 @@ WHERE pos.protocol IN (6, 17)
AND s.authority = 'Software Signing'
)
AND NOT exception_key IN (
+ '0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
'0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
'500,bash,bash,,bash',
+ '0,EdgeUpdater,EdgeUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.EdgeUpdater',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
+ '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64',
'500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
'500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642),Ecamm Live Stream Deck Plugin',
'500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
+ '500,Fleet,~/Library/Caches/JetBrains/Fleet',
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
'500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
'500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
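Review bot: `'500,Fleet,~/Library/Caches/JetBrains/Fleet'` has three comma-separated fields while every other value in this `exception_key IN (...)` list has five (euid, name, name, authority, identifier), so it can never equal a key the query builds and is dead as written; it reads like a path exclusion that belongs in a clause such as `AND NOT p0.path LIKE '~/Library/Caches/JetBrains/Fleet/%'` (using whatever home-directory normalization the file applies to `p0.path`), not in this list. Separately, `'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64'` exempts a reverse-tunnelling tool that is a well-known exfiltration/C2 channel; pinning it to the signer is reasonable, but a trailing comment like `-- ngrok: developer tunnels, signer-pinned; remove when no longer in use` would flag it for the next reviewer. The list continues beyond the hunk.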
@@ -126,6 +130,7 @@ WHERE pos.protocol IN (6, 17)
'500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
'500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
'500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
+ '500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
'500,syncthing,syncthing,,syncthing',
'500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform',
'500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
@@ -137,7 +142,9 @@ WHERE pos.protocol IN (6, 17)
'500,chainlink,chainlink,500u,20g',
'500,cpu,cpu,500u,20g',
'500,cosign,cosign,0u,500g',
+ '500,chainctl,chainctl,500u,20g',
'500,crane,crane,500u,80g',
+ '500,pulumi-resource-gcp,pulumi-resource-gcp,500u,20g',
'500,go,go,500u,80g',
'500,git-remote-http,git-remote-http,500u,80g',
'500,vim,vim,0u,500g',
@@ -147,6 +154,11 @@ WHERE pos.protocol IN (6, 17)
)
AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
+ AND NOT (
+ exception_key = '500,Python,Python,,org.python.python'
+ AND p0_cmd LIKE '% main.py'
+ AND p0_cwd LIKE "%/neko"
+ )
AND NOT (
exception_key IN (
'500,Python,Python,,org.python.python',
@@ -156,7 +168,6 @@ WHERE pos.protocol IN (6, 17)
p0_cmd LIKE '%/gcloud.py%'
OR p0_cmd LIKE '%pip install%'
OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
- OR p0_cmd LIKE '%/main.py'
OR p0_cmd LIKE '%/bin/aws%'
)
) -- theScore and other iPhone apps
diff --git a/detection/c2/unexpected-libcurl-user-linux.sql b/detection/c2/unexpected-libcurl-user-linux.sql
index 2e259c8..be3a393 100644
--- a/detection/c2/unexpected-libcurl-user-linux.sql
+++ b/detection/c2/unexpected-libcurl-user-linux.sql
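Review bot: The new neko exception mixes quoting styles inside one condition: `AND p0_cwd LIKE "%/neko"` uses double quotes while the two lines above it use single quotes. SQLite only treats a double-quoted token that fails to resolve as a column as a string literal under its legacy DQS fallback, which builds can switch off (SQLITE_DQS=0); writing it as `AND p0_cwd LIKE '%/neko'` removes that dependency and matches `'% main.py'` directly above. Replacing the blanket `OR p0_cmd LIKE '%/main.py'` with a cwd-scoped exception is a welcome tightening. In the `@@ -137` hunk, `chainctl` and `pulumi-resource-gcp` go into the `alt_exception_key` list whose shape (`euid,name,name,<uid>u,<gid>g`) carries no signer, so they are matched on name plus uid/gid alone; a one-line comment that these are unsigned local tools would make that trade-off visible.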
@@ -69,6 +69,7 @@ WHERE
AND NOT exception_key IN (
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
+ 'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index a2cc5ca..6b92979 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -130,7 +130,9 @@ WHERE
'80,6,0,applydeltarpm,0u,0g,applydeltarpm',
'80,6,0,appstreamcli,0u,0g,appstreamcli',
'80,6,0,bash,0u,0g,bash',
+ '43,6,500,whois.md,0u,0g,whois',
'80,6,0,bash,0u,0g,mkinitcpio',
+ '3306,6,500,java,u,g,java',
'80,6,0,bash,0u,0g,sh',
'80,6,0,bash,0u,0g,update-ca-trust',
'80,6,0,cp,0u,0g,cp',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 6862d4e..0c91d4b 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
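Review bot: `'3306,6,500,java,u,g,java'` exempts any uid-500 process named `java` connecting to port 3306 on any host, with nothing pinning the remote address, the JAR or the parent, which makes it the broadest key added in this commit; it also sits between two `80,6,0,bash` entries in what is otherwise a port-ordered list, as does the `43` whois entry. If this is a local development database, gate it on the remote address being loopback or RFC1918 instead of a bare key, so an arbitrary JVM reaching a remote MySQL is still reported. In the libcurl hunk, `'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555'` assumes the path-normalization regex earlier in that file (outside the hunk) collapses the whole `/nix/store/<hash>-<pkg>-<ver>` component to `__VERSION__`; the existing `python__VERSION__` precedent only shows a trailing version being replaced, so confirm the regex handles the store-hash prefix or the key is dead.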
@@ -116,6 +116,8 @@ WHERE
)
AND NOT exception_key IN (
'0,6,80,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
+ '500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
+ '500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
'500,17,9000,Meeting Center,Meeting Center,Developer ID Application: Cisco (DE8Y96K9QP),com.webex.meetingmanager',
'500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
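Review bot: `'500,6,4318,Code Helper (Plugin),...'` allows the VS Code plugin helper to reach port 4318 on any remote host; 4318 is the OTLP/HTTP default, so this presumably covers a telemetry exporter from an extension, but the key carries no destination, so any extension shipping data to an arbitrary collector on that port is exempt too. If the collector is local, add a `pos.remote_address` loopback/RFC1918 condition for this entry rather than a bare key; at minimum give it a trailing comment such as `-- OTLP/HTTP exporter from a VS Code extension` so an unusual port on a generic Electron helper is explained. The KakaoTalk 5223 entry has the same no-destination shape, though it is at least pinned to a Mac App Store signing identity.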
@@ -139,27 +141,31 @@ WHERE
'500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
'500,6,80,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
'500,6,80,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
+ '500,6,80,Slack Helper,Slack Helper,Apple Mac OS Application Signing,com.tinyspeck.slackmacgap.helper',
'500,6,80,Snagit 2020,Snagit 2020,Apple Mac OS Application Signing,com.TechSmith.Snagit2020',
'500,6,80,Snagit 2023,Snagit 2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.TechSmith.Snagit2023',
'500,6,80,SnagitHelper2020,SnagitHelper2020,Apple Mac OS Application Signing,com.techsmith.snagit.capturehelper2020',
'500,6,80,SnagitHelper2023,SnagitHelper2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2023',
'500,6,80,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
+ '500,6,80,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
'500,6,80,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
+ '500,6,80,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),WhatsApp',
'500,6,80,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
'500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
) -- Useful for unsigned binaries
AND NOT alt_exception_key IN (
+ '500,6,80,firefox,firefox,500u,20g',
'500,6,22,ssh,ssh,0u,500g',
'500,6,22,ssh,ssh,500u,0g',
'500,6,22,ssh,ssh,500u,20g',
'500,6,22,ssh,ssh,500u,80g',
- '500,6,80,qemu-system-aarch64,qemu-system-aarch64,500u,80g',
'500,6,3307,cloud_sql_proxy,cloud_sql_proxy,0u,0g',
- '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,500u,20g',
'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
- '500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g'
+ '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,500u,20g',
+ '500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g',
+ '500,6,80,qemu-system-aarch64,qemu-system-aarch64,500u,80g'
)
AND NOT (
alt_exception_key LIKE '500,6,%,syncthing,syncthing,0u,500g'
@@ -179,6 +185,7 @@ WHERE
OR pos.remote_port > 3000
)
AND id_exception_key IN (
+ 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
diff --git a/detection/evasion/hidden-parent-pid.sql b/detection/evasion/hidden-parent-pid.sql
deleted file mode 100644
index e381f5f..0000000
--- a/detection/evasion/hidden-parent-pid.sql
+++ /dev/null
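Review bot: `'500,6,80,firefox,firefox,500u,20g'` goes into the `alt_exception_key` list that the context comment marks `-- Useful for unsigned binaries`, so an unsigned binary named `firefox` speaking plain HTTP as uid 500 is exempt on its name alone; Mozilla's release builds are signed (the `thunderbird` keys just above carry `Developer ID Application: Mozilla Corporation (43AQ936H96)`), so this looks like a local or nightly build and deserves a comment, or a path-based condition if the file has one, because renaming a dropper to `firefox` costs an attacker nothing. The same hunk re-sorts the unsigned list but drops the new firefox line at the top instead of with the other `80` entries. In the `@@ -179` hunk, `'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker'` joins the browser-helper branch for ports above 3000; confirm the identifier really is the bare `com.docker` and not a longer bundle id, since an exact-match key that is slightly off is silently dead.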
@@ -1,31 +0,0 @@
--- Find a process which has a parent that is not listed in the process table
---
--- Works well for revealing boopkit, so long as boopkit has a child process.
---
--- references:
--- * https://github.com/krisnova/boopkit
--- * https://attack.mitre.org/techniques/T1014/ (Rootkit)
---
--- false positives:
--- * None observed
---
--- tags: persistent daemon
-SELECT
- p.*,
- hash.sha256,
- GROUP_CONCAT(DISTINCT pof.path) AS open_files
-FROM
- processes p
- LEFT JOIN hash ON p.path = hash.path
- LEFT JOIN process_open_files pof ON p.pid = pof.pid
-WHERE
- p.parent NOT IN (
- SELECT
- pid
- FROM
- processes
- )
- AND p.parent != 0
- AND p.parent IS NOT NULL
-GROUP BY
- p.pid
diff --git a/detection/evasion/parent-missing-from-disk-linux.sql b/detection/evasion/parent-missing-from-disk-linux.sql
index 7fa6ebb..15caa0e 100644
--- a/detection/evasion/parent-missing-from-disk-linux.sql
+++ b/detection/evasion/parent-missing-from-disk-linux.sql
@@ -55,6 +55,7 @@ WHERE
'/usr/bin/doas',
'/usr/bin/dockerd',
'/usr/bin/fusermount3',
+ '/usr/libexec/at-spi-bus-launcher',
'/usr/bin/gnome-shell',
'/usr/bin/ibus-daemon',
'/usr/bin/kitty',
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index f1605af..cd8671f 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -141,6 +141,7 @@ WHERE
AND file.directory NOT IN ('/etc/skel', '/etc/skel/.config')
AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
AND file.path NOT LIKE '/tmp/.#%'
+ AND file.path NOT LIKE '/tmp/.lark_cache_%'
AND file.path NOT LIKE '/tmp/.wine-%'
AND file.path NOT LIKE '/tmp/.%.gcode'
AND file.path NOT LIKE '/tmp/.vbox-%-ipc/'
diff --git a/detection/evasion/unexpected-tmp-executables-macos.sql b/detection/evasion/unexpected-tmp-executables-macos.sql
index aa99a04..72fe582 100644
--- a/detection/evasion/unexpected-tmp-executables-macos.sql
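Review bot: `AND file.path NOT LIKE '/tmp/.lark_cache_%'` exempts a name prefix under world-writable `/tmp` from the hidden-path detection, so anything called `/tmp/.lark_cache_<whatever>` becomes invisible regardless of who created it; the neighbouring `/tmp/.wine-%` and `/tmp/.vbox-%-ipc/` exemptions share that weakness, but each new prefix widens the blind spot in the one directory every local user can write. If Lark creates this as the user's own cache, tie the exemption to ownership, e.g. `AND NOT (file.path LIKE '/tmp/.lark_cache_%' AND file.uid >= 500)` (osquery's `file` table exposes `uid`), and add a short comment naming the application. The `at-spi-bus-launcher` entry in the first hunk is fine but lands between `fusermount3` and `gnome-shell` in a list that is otherwise path-sorted.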
+++ b/detection/evasion/unexpected-tmp-executables-macos.sql
@@ -14,6 +14,7 @@ SELECT DISTINCT
file.btime,
file.ctime,
file.mtime,
+ file.type,
file.size,
hash.sha256,
magic.data,
@@ -110,6 +111,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
) -- macOS updates
AND NOT file.directory LIKE '/tmp/msu-target-%' -- I don't know man. I don't work here.
AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS' -- terraform
+ AND NOT file.directory LIKE '/tmp/staged-updates%'
AND NOT (
uid > 500
AND file.path LIKE '/tmp/terraform_%/terraform'
@@ -135,12 +137,12 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
AND (
magic.data IN ('JSON data', 'ASCII text')
OR magic.data LIKE 'ELF %-bit %SB executable%'
- OR magic.data LIKE 'symbolic link to l%.so.%'
+ OR magic.data LIKE 'symbolic link to %'
OR magic.data LIKE 'ELF %-bit LSB shared object%'
OR magic.data LIKE 'libtool library file,%'
OR (
- file.filename IN ("configure", "mkinstalldirs")
- AND magic.data = "POSIX shell script, ASCII text executable"
+ file.filename IN ("configure", "mkinstalldirs", "config.status")
+ AND magic.data LIKE "POSIX shell script, ASCII text executable%"
)
OR (
file.size < 50000
@@ -159,6 +161,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
'py',
'script',
'sh',
+ 'status',
'strings',
'txt',
'yaml',
diff --git a/detection/evasion/unexpected-var-run-macos.sql b/detection/evasion/unexpected-var-run-macos.sql
index c9118ac..a866c10 100644
--- a/detection/evasion/unexpected-var-run-macos.sql
+++ b/detection/evasion/unexpected-var-run-macos.sql
@@ -31,6 +31,7 @@ WHERE
'auditd.pid',
'.autoBackup',
'automount.initialized',
+ 'bootpd.pid',
'com.apple.DumpPanic.finishedPMUFaultHandling',
'com.apple.DumpPanic.finishedThisBoot',
'com.apple.logind.didRunThisBoot',
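Review bot: Widening `OR magic.data LIKE 'symbolic link to l%.so.%'` to `'symbolic link to %'` means a symlink in `/tmp` pointing at anything — `/bin/sh`, a script in the user's home, an attacker's payload elsewhere on disk — now falls into the same bucket that was reserved for links to shared libraries; if this `AND ( ... )` block is the benign classifier its other members (JSON data, ELF objects, libtool files) suggest, that is a real blind spot for a tmp-executables check, and a narrower middle ground such as `OR magic.data LIKE 'symbolic link to %.so%' OR magic.data LIKE 'symbolic link to %.dylib'` keeps the intent. The block's enclosing clause starts and ends outside the hunk, so confirm the match direction against the surrounding `NOT`. In the `@@ -110` hunk the new `AND NOT file.directory LIKE '/tmp/staged-updates%'` is inserted directly after the line whose trailing `-- terraform` label introduces the terraform block that follows, so it now reads as terraform-related; give it its own trailing label (`-- macOS staged software updates`, if that is what it is) or move it above the UpdateBrain line.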
@@ -44,13 +45,13 @@ WHERE
'FirstBootAfterUpdate',
'FirstBootCleanupHandled',
'hdiejectd.pid',
- 'signpost_reporter_running',
'kdc.pid',
'prl_disp_service.pid',
'prl_naptd.pid',
'prl_watchdog-ebdba5702a20.pid',
'resolv.conf',
'rtadvd.pid',
+ 'signpost_reporter_running',
'socketfilterfw.launchd',
'syslog.pid',
'systemkeychaincheck.done',
diff --git a/detection/execution/recently-created-executables-linux.sql b/detection/execution/recently-created-executables-linux.sql
index f1d796e..1285e14 100644
--- a/detection/execution/recently-created-executables-linux.sql
+++ b/detection/execution/recently-created-executables-linux.sql
@@ -6,8 +6,8 @@
-- tags: transient process state often
-- platform: linux
SELECT
- f.ctime,
- f.mtime,
+ f.ctime AS p0_ctime,
+ f.mtime AS p0_mtime,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
@@ -53,8 +53,11 @@ WHERE
-- What I would give for osquery to support binary signature verification on Linux
AND NOT p0.path IN (
'',
+ '/usr/sbin/irqbalance',
'/opt/google/chrome/chrome',
'/usr/bin/packer',
+ '/usr/bin/cmake',
+ '/usr/sbin/cups-browsed',
'/opt/google/chrome/chrome_crashpad_handler',
'/opt/google/chrome/nacl_helper',
'/usr/bin/gnome-software',
@@ -209,6 +212,9 @@ WHERE
AND p0.cmdline LIKE './%'
)
AND NOT p1.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
+ AND NOT p1.name = 'makepkg'
+ AND NOT p2.path = '/usr/bin/yay'
+ AND NOT p2.cmdline LIKE '/usr/bin/yay %'
AND NOT (
p0.path LIKE '/home/%'
AND p0.uid > 499
diff --git a/detection/execution/recently-created-executables-macos.sql b/detection/execution/recently-created-executables-macos.sql
index f393da3..97dbc9a 100644
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
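Review bot: The three new filters `AND NOT p1.name = 'makepkg'`, `AND NOT p2.path = '/usr/bin/yay'` and `AND NOT p2.cmdline LIKE '/usr/bin/yay %'` are NULL-unsafe: if `p1`/`p2` come from `LEFT JOIN processes` as in the sibling sketchy-fetcher query (this file's join list is outside the hunk), a child whose parent or grandparent has already exited yields `NOT NULL = ...` → NULL, which `WHERE` treats as false, so every orphaned recently-created executable — precisely the daemonized case this detection wants — silently drops out. Write them NULL-safe: `AND COALESCE(p1.name, '') != 'makepkg'`, `AND COALESCE(p2.path, '') != '/usr/bin/yay'`, `AND COALESCE(p2.cmdline, '') NOT LIKE '/usr/bin/yay %'`. The existing `AND NOT p1.path IN ('/usr/bin/gnome-shell')` on the context line has the same exposure and could be fixed in passing. A short comment that `makepkg`/`yay` are Arch AUR builds that compile and run fresh binaries would also help, since the trailing `-- Filter out developers working on their own code` now visually covers these lines too.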
@@ -109,6 +109,7 @@ WHERE
'~/bin',
'~/code/bin',
'~/go/bin',
+ '~/Library/Application Support/snyk-ls',
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
'~/Library/Application Support/dev.warp.Warp-Stable',
'~/Library/Application Support/zoom.us/Plugins/aomhost.app/Contents/MacOS',
@@ -118,6 +119,7 @@ WHERE
'~/projects/go/bin'
)
OR dir LIKE '~/%/node_modules/.bin/%'
+ OR dir LIKE '~/%/node_modules/esbuild%/bin'
OR f.path LIKE '%go-build%'
OR f.path LIKE '~/%/src/%.test'
OR f.path LIKE '~/%/pkg/%.test'
diff --git a/detection/execution/sketchy-fetcher.sql b/detection/execution/sketchy-fetcher.sql
index a9224b3..f64fe82 100644
--- a/detection/execution/sketchy-fetcher.sql
+++ b/detection/execution/sketchy-fetcher.sql
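Review bot: `OR dir LIKE '~/%/node_modules/esbuild%/bin'` matches any package whose name merely starts with `esbuild` (a typosquat such as `esbuild-foo` included) at any depth under any `node_modules`, and node_modules is the one place on a developer machine where a third-party binary arrives by design, so this is a supply-chain blind spot worth keeping as tight as possible. If the target is esbuild's platform packages, `'~/%/node_modules/esbuild-%/bin'` together with `'~/%/node_modules/@esbuild/%/bin'` for the scoped form is narrower, and a trailing comment naming the package would stop the pattern drifting further. The `'~/Library/Application Support/snyk-ls'` entry is fine but is dropped between `~/go/bin` and the `cloud-code` path in a list that appears sorted.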
@@ -7,42 +7,52 @@
-- tags: transient process state
-- platform: posix
SELECT
- p.pid,
- p.path,
- p.name,
- p.cmdline,
- p.start_time,
- REGEX_MATCH (p.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
- REGEX_MATCH (p.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
- REGEX_MATCH (p.cmdline, ':(\d+)', 1) AS port,
- REGEX_MATCH (p.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
- REGEX_MATCH (p.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
- p.cwd,
- p.euid,
- p.parent,
- p.cgroup_path,
- pp.path AS parent_path,
- pp.name AS parent_name,
- pp.cmdline AS parent_cmdline,
- pp.euid AS parent_euid,
- gp.name AS gparent_name,
- gp.cmdline AS gparent_cmdline,
- pp.pid AS gparent_pid,
- hash.sha256 AS parent_sha256
+ REGEX_MATCH (p0.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
+ REGEX_MATCH (p0.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
+ REGEX_MATCH (p0.cmdline, ':(\d+)', 1) AS port,
+ REGEX_MATCH (p0.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
+ REGEX_MATCH (p0.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
+ -- Child
+ p0.pid AS p0_pid,
+ p0.path AS p0_path,
+ p0.name AS p0_name,
+ p0.start_time AS p0_start,
+ p0.cmdline AS p0_cmd,
+ p0.cwd AS p0_cwd,
+ p0.cgroup_path AS p0_cgroup,
+ p0.euid AS p0_euid,
+ p0_hash.sha256 AS p0_sha256,
+ -- Parent
+ p0.parent AS p1_pid,
+ p1.path AS p1_path,
+ p1.name AS p1_name,
+ p1.start_time AS p1_start,
+ p1.euid AS p1_euid,
+ p1.cmdline AS p1_cmd,
+ p1_hash.sha256 AS p1_sha256,
+ -- Grandparent
+ p1.parent AS p2_pid,
+ p2.name AS p2_name,
+ p2.start_time AS p2_start,
+ p2.path AS p2_path,
+ p2.cmdline AS p2_cmd,
+ p2_hash.sha256 AS p2_sha256
FROM
- processes p
- LEFT JOIN processes pp ON p.parent = pp.pid
- LEFT JOIN processes gp ON pp.parent = gp.pid
- LEFT JOIN hash ON pp.path = hash.path
+ processes p0
+ LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+ LEFT JOIN processes p1 ON p0.parent = p1.pid
+ LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+ LEFT JOIN processes p2 ON p1.parent = p2.pid
+ LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
-- NOTE: Sync remaining portion with sketchy-fetcher-events
(
- INSTR(p.cmdline, 'wget ') > 0
- OR INSTR(p.cmdline, 'curl ') > 0
+ INSTR(p0.cmdline, 'wget ') > 0
+ OR INSTR(p0.cmdline, 'curl ') > 0
)
-- Sketchy fetcher events always seem to contain a switch
- AND p.cmdline LIKE '%-%'
- AND p.cmdline LIKE '%/%'
+ AND p0.cmdline LIKE '%-%'
+ AND p0.cmdline LIKE '%/%'
AND (
ip NOT IN ('', '127.0.0.1', '::1')
OR port != ''
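Review bot: The rewritten FROM joins `hash` three times (`p0_hash`, `p1_hash`, `p2_hash`) where the original joined it once for the parent, and as far as I know osquery's `hash` table computes `sha256` on demand per path; unless SQLite applies the `INSTR(p0.cmdline, ...)` filter before these outer joins, the query now hashes the binary of every process plus its two ancestors on each run, which is exactly what the verify target's `--max-query-duration=8s` budget exists to catch. If the extra hashes are wanted, add a comment on the FROM block recording the trade-off, or follow the `-- Optimization: don't join things until we have a whittled down list` approach used in unexpected-tmp-executables-macos.sql. The `p0_*`/`p1_*`/`p2_*` aliases match unexpected-root-signer-macos.sql, and `p1.parent AS p2_pid` corrects the old `pp.pid AS gparent_pid`. The WHERE clause continues past the hunk.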
@@ -67,65 +77,65 @@ WHERE
'so',
'uk'
)
- OR p.cmdline LIKE '%chmod%'
- OR p.cmdline LIKE '%.onion%'
- OR p.cmdline LIKE '%tor2web%'
- OR p.cmdline LIKE '%aliyun%'
- OR p.cmdline LIKE '%pastebin%'
- OR p.cmdline LIKE '%curl %--user-agent%'
- OR p.cmdline LIKE '%curl -k%'
- OR p.cmdline LIKE '%curl -sL %'
- OR p.cmdline LIKE '%curl%-o-%'
- OR p.cmdline LIKE '%curl%--insecure%'
- OR p.cmdline LIKE '%wget %--user-agent%'
- OR p.cmdline LIKE '%wget %--no-check-certificate%'
- OR p.cmdline LIKE '%curl%--connect-timeout%'
- OR p.cmdline LIKE '%wget -nc%'
- OR p.cmdline LIKE '%wget -t%'
- OR p.cmdline LIKE '%wget -q%'
+ OR p0.cmdline LIKE '%chmod%'
+ OR p0.cmdline LIKE '%.onion%'
+ OR p0.cmdline LIKE '%tor2web%'
+ OR p0.cmdline LIKE '%aliyun%'
+ OR p0.cmdline LIKE '%pastebin%'
+ OR p0.cmdline LIKE '%curl %--user-agent%'
+ OR p0.cmdline LIKE '%curl -k%'
+ OR p0.cmdline LIKE '%curl -sL %'
+ OR p0.cmdline LIKE '%curl%-o-%'
+ OR p0.cmdline LIKE '%curl%--insecure%'
+ OR p0.cmdline LIKE '%wget %--user-agent%'
+ OR p0.cmdline LIKE '%wget %--no-check-certificate%'
+ OR p0.cmdline LIKE '%curl%--connect-timeout%'
+ OR p0.cmdline LIKE '%wget -nc%'
+ OR p0.cmdline LIKE '%wget -t%'
+ OR p0.cmdline LIKE '%wget -q%'
OR (
- p.cmdline LIKE '%wget %'
- AND p.euid < 500 -- TODO: Update this query to understand containers
- AND pp.path NOT IN (
+ p0.cmdline LIKE '%wget %'
+ AND p0.euid < 500 -- TODO: Update this query to understand containers
+ AND p1.path NOT IN (
"/usr/bin/bwrap",
"/bin/busybox",
"/usr/bin/melange"
)
)
OR (
- p.cmdline LIKE '%curl %'
- AND p.euid < 500
- AND p.cmdline NOT LIKE "%./configure %--with-curl%"
+ p0.cmdline LIKE '%curl %'
+ AND p0.euid < 500
+ AND p0.cmdline NOT LIKE "%./configure %--with-curl%"
)
)
-- Exceptions for all calls
- AND pp.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
+ AND p1.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
AND NOT (
- p.euid > 500
+ p0.euid > 500
AND (
- p.cmdline LIKE '%--dump-header%'
- OR p.cmdline LIKE '%/api/v%'
- OR p.cmdline LIKE '%curl -X %'
- OR p.cmdline LIKE '%go mod %'
- OR p.cmdline LIKE '%application/json%'
- OR p.cmdline LIKE '%grpcurl%'
- OR p.cmdline LIKE '%Homebrew%'
- OR p.cmdline LIKE '%Nixpkgs/%'
- OR p.cmdline LIKE '%If-None-Match%'
- OR p.cmdline LIKE '%ctlog%'
- OR p.cmdline LIKE '%.well-known/openid-configuration%'
- OR p.cmdline LIKE '%/openid/v1/jwks%'
- OR p.cmdline LIKE '%--progress-bar%'
- OR parent_cmdline LIKE '%brew.rb%'
- OR parent_cmdline LIKE '%brew.sh%'
- OR parent_cmdline LIKE '/nix/store/%-builder.sh'
- OR p.cmdline LIKE 'git %'
- OR p.cmdline LIKE '%LICENSES/vendor/%'
- OR p.cmdline LIKE 'curl -sL wttr.in%'
- OR p.cmdline LIKE '%localhost:%'
- OR p.cmdline LIKE '%127.0.0.1:%'
- OR p.name IN ('apko')
+ p0.cmdline LIKE '%--dump-header%'
+ OR p0.cmdline LIKE '%/api/v%'
+ OR p0.cmdline LIKE '%curl -X %'
+ OR p0.cmdline LIKE '%go mod %'
+ OR p0.cmdline LIKE '%application/json%'
+ OR p0.cmdline LIKE '%grpcurl%'
+ OR p0.cmdline LIKE '%Homebrew%'
+ OR p0.cmdline LIKE '%Nixpkgs/%'
+ OR p0.cmdline LIKE '%If-None-Match%'
+ OR p0.cmdline LIKE '%ctlog%'
+ OR p0.cmdline LIKE '%.well-known/openid-configuration%'
+ OR p0.cmdline LIKE '%/openid/v1/jwks%'
+ OR p0.cmdline LIKE '%--progress-bar%'
+ OR p1.cmdline LIKE '%brew.rb%'
+ OR p1.cmdline LIKE '%brew.sh%'
+ OR p1.cmdline LIKE '/nix/store/%-builder.sh'
+ OR p0.cmdline LIKE 'git %'
+ OR p0.cmdline LIKE '%LICENSES/vendor/%'
+ OR p0.cmdline LIKE 'curl -sL wttr.in%'
+ OR p0.cmdline LIKE '%localhost:%'
+ OR p0.cmdline LIKE '%127.0.0.1:%'
+ OR p0.name IN ('apko')
)
)
-- These are typically curl -k calls
@@ -145,3 +155,8 @@ WHERE
OR ip LIKE '192.168.%'
)
)
+ -- Qualys Cloud Agent
+ AND NOT (
+ addr = "169.254.169.254"
+ AND p2.path = "/usr/local/qualys/cloud-agent/bin/qualys-scan-util"
+ )
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index e707e4d..3cb5f77 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
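Review bot: The Qualys exception is added to the portion that the context line `-- NOTE: Sync remaining portion with sketchy-fetcher-events` says is mirrored, yet the diffstat lists no change to any sketchy-fetcher-events query, so the two now disagree until the same `AND NOT (addr = "169.254.169.254" AND p2.path = "/usr/local/qualys/cloud-agent/bin/qualys-scan-util")` block is added there. The carve-out itself is reasonably narrow because it pins the grandparent path, but it is the one exemption in this file for curl against the cloud instance-metadata endpoint, the classic credential-theft target, so a comment saying the agent fetches instance metadata there (rather than just `-- Qualys Cloud Agent`) would make the intent reviewable. The immediate parent is left unconstrained, which is consistent with the `'curl,0,sh,qualys-cloud-ag'` key this commit adds to unexpected-fetcher-parents.sql.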
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -35,7 +35,6 @@ SELECT
'(.*)/',
1
) AS top3_dir,
- u.directory AS user_home_dir,
s.identifier AS s_id,
s.authority AS s_auth,
-- Child
@@ -100,6 +99,7 @@ WHERE
'~/Applications (Parallels)',
'~/bin',
'~/.cargo',
+ '~/melange',
'~/chainguard',
'~/dev',
'~/code',
@@ -137,6 +137,8 @@ WHERE
'/Library/Application Support/Adobe',
'~/Library/Application Support/BraveSoftware',
'/Library/Application Support/Canon_Inc_IC',
+ '~/.docker/cli-plugins/docker-sbom',
+ '~/.docker/cli-plugins',
'~/Library/Application Support/com.elgato.StreamDeck',
'~/Library/Application Support/com.grammarly.ProjectLlama',
'/Library/Application Support/EcammLive',
@@ -170,7 +172,9 @@ WHERE
AND dir NOT IN (
'/bin',
'~/bin',
+ '~/.cache/gitstatus',
'~/code/bin',
+ '~/.docker/cli-plugins',
'~/Downloads/google-cloud-sdk/bin',
'~/Downloads/protoc/bin',
'~/go/bin',
@@ -192,6 +196,7 @@ WHERE
'/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS',
'/Library/Kandji/Kandji Agent.app/Contents/MacOS',
'/Library/Kandji/Kandji Agent.app/Contents/MacOS/',
+ '/Library/Printers/Brother/Filter/rastertobrother2130.bundle/Contents/MacOS',
'/Library/Printers/Brother/Filter/rastertobrother2300.bundle/Contents/MacOS',
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS',
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS',
@@ -203,6 +208,7 @@ WHERE
'/Library/TeX/texbin',
'~/.local/bin',
'~/.magefile',
+ '~/melange',
'/node_modules/.bin',
'/opt/homebrew/bin',
'/opt/osquery/lib/osquery.app/Contents/MacOS',
@@ -226,6 +232,7 @@ WHERE
'/usr/lib/fwupd',
'/usr/lib/ibus',
'/usr/lib/system',
+ '/usr/local/aws-cli',
'/usr/local/bin',
'/usr/local/MacGPG2/bin',
'/usr/sbin',
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index 3b8df82..232c9f1 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
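Review bot: `'~/.docker/cli-plugins'` is added to both directory lists (plus `'~/.docker/cli-plugins/docker-sbom'` in the first); that directory is user-writable and is where the Docker CLI looks up and runs any `docker-*` binary placed there, so exempting the whole directory from the unexpected-execdir detection removes coverage for a known plant-and-wait execution spot. If only a couple of plugins are expected, list exact paths, or pin on the `s_auth` signer column the SELECT already exposes; and if `docker-sbom` is a file rather than a directory, its entry in a directory list can never match and is dead. `~/melange` now appears in two lists as well, and a one-line comment explaining why a home-directory build root is exempt would help the next reader; the first hunk's removal of `user_home_dir` is fine as long as nothing below the visible hunks still references it.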
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -40,6 +40,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
child_name IN ('curl', 'wget', 'ftp', 'tftp') -- And not a regular local user
AND NOT exception_key IN (
'curl,0,09-timezone,nm-dispatcher',
+ 'curl,0,sh,qualys-cloud-ag',
'curl,0,build.sh,buildkit-runc',
'curl,0,nm-dispatcher,',
'curl,0,nm-dispatcher,nm-dispatcher',
diff --git a/detection/execution/unexpected-osascript-calls.sql b/detection/execution/unexpected-osascript-calls.sql
index 11d1fed..87bb80c 100644
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@@ -112,6 +112,11 @@ WHERE
)
) -- The following apply to all uids
- AND NOT p0_cmd = 'osascript -e user locale of (get system info)'
+ AND NOT p0_cmd IN (
+ 'osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges',
+ 'osascript -e user locale of (get system info)',
+ '/usr/bin/osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges
+ )
+ GROUP BY pe.pid
diff --git a/detection/execution/unexpected-root-signer-macos.sql b/detection/execution/unexpected-root-signer-macos.sql
index 5aa11d7..af678df 100644
--- a/detection/execution/unexpected-root-signer-macos.sql
+++ b/detection/execution/unexpected-root-signer-macos.sql
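Review bot: As rendered here, the third value in the new `AND NOT p0_cmd IN (...)` list — `'/usr/bin/osascript -e do shell script "/bin/rm -Rf ..." with administrator privileges` — has no closing single quote before `)`, which would make SQLite swallow the rest of the query into the literal and fail to parse; if the quote was lost in this listing, ignore this, otherwise the line needs to end `... with administrator privileges',`. The two vagrant strings exempt an `osascript ... with administrator privileges` invocation, i.e. a GUI prompt that escalates to root and deletes paths, on exact command match; that is acceptably narrow, but a comment naming the Vagrant uninstaller would stop the `rm -Rf` from reading as suspicious to the next reviewer. The added `GROUP BY pe.pid` is a behaviour change beyond the exception list, and since the hunk ends at it, whether the SELECT above carries an aggregate that needs it cannot be checked from here.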
@@ -9,18 +9,23 @@ SELECT
REGEX_MATCH (p.path, '(/.*?/.*?)/', 1) AS top_dir,
-- Child
pe.path AS p0_path,
- pe.time,
+ pe.time AS p0_time,
+ pe.euid AS p0_euid,
s.authority AS p0_sauth,
s.identifier AS p0_sid,
+ hash.sha256 AS p0_hash,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
TRIM(pe.cmdline) AS p0_cmd,
- pe.cwd AS p0_cwd,
+ -- pe.cwd is NULL on macOS
+ p.cwd AS p0_cwd,
pe.pid AS p0_pid,
pe.euid AS p0_euid,
-- Parent
pe.parent AS p1_pid,
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+ COALESCE(p1.start_time, pe1.time) AS p1_start,
COALESCE(p1.path, pe1.path) AS p1_path,
+ p1.cwd AS p1_cwd,
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
-- Grandparent
@@ -28,6 +33,7 @@ SELECT
TRIM(
COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
) AS p2_cmd,
+ p1_p2.cwd AS p2_cwd,
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
COALESCE(
p1_p2_hash.path,
@@ -41,10 +47,11 @@ SELECT
) AS p2_name
FROM
process_events pe
- LEFT JOIN signature s ON pe.path = s.path
LEFT JOIN file f ON pe.path = f.path
LEFT JOIN users u ON pe.uid = u.uid
+ LEFT JOIN signature s ON pe.path = s.path
LEFT JOIN processes p ON pe.pid = p.pid
+ LEFT JOIN hash ON pe.path = hash.path
-- Parents (via two paths)
LEFT JOIN processes p1 ON pe.parent = p1.pid
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
@@ -60,9 +67,9 @@ FROM
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
WHERE
- -- query optimization: Exclude SIP protected directories
- p.euid = 0
+ p0_euid = 0
AND pe.time > (strftime('%s', 'now') -900)
+ -- query optimization: Exclude SIP protected directories
AND top_dir NOT IN (
'/Library/Apple',
'/System/Library',
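Review bot: `pe.euid AS p0_euid` is added near the top of the SELECT while the original `pe.euid AS p0_euid` two lines after `pe.pid AS p0_pid` is kept, so the result set now carries two `p0_euid` columns; because the `@@ -60` hunk switches the WHERE to `p0_euid = 0`, drop the second `pe.euid AS p0_euid,` rather than rely on SQLite resolving the duplicate alias one way or the other. Moving the root check from `p.euid` (the live `processes` row, NULL once the process has exited given the `LEFT JOIN processes p`) to the event's own `pe.euid` is the right fix and changes which executions are seen, so it deserves a line in the file's header comment. The new `LEFT JOIN hash ON pe.path = hash.path` uses the bare table name as alias while every other hash join in this file is suffixed (`p_hash1`, `pe1_p2_hash`); `LEFT JOIN hash p0_hash ON pe.path = p0_hash.path` with `p0_hash.sha256 AS p0_hash` would match both this file and the sketchy-fetcher rewrite in the same commit.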
@@ -107,21 +114,21 @@ WHERE pe.path LIKE "/nix/store/%-nix-%/bin/nix-%" OR pe.path LIKE "/private/var/folders/%/T/tmp.%/nix-installer" ) - AND p1.path = "/usr/bin/sudo" + AND p1_path = "/usr/bin/sudo" ) AND NOT ( s.authority = "" - AND p0_path LIKE "/opt/%/bin/socket_vmnet" + AND pe.path LIKE "/opt/%/bin/socket_vmnet" AND p1_path IN ("/usr/bin/sudo", "/sbin/launchd") ) AND NOT ( s.authority = "" - AND p0_path LIKE "/opt/homebrew/Cellar/mariadb/%/bin/mariadbd" + AND pe.path LIKE "/opt/homebrew/Cellar/mariadb/%/bin/mariadbd" AND p0_cmd LIKE "/opt/homebrew/opt/mariadb/bin/mariadbd %" ) AND NOT ( s.authority = "" - AND p0_path LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled" + AND pe.path LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled" AND p0_cmd LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled %" ) AND NOT ( @@ -129,4 +136,4 @@ WHERE AND p0_name = "node" AND p1_name IN ("vim", "nvim") ) - AND NOT p0_path LIKE '/usr/local/Cellar/htop/%/bin/htop' + AND NOT pe.path LIKE '/usr/local/Cellar/htop/%/bin/htop' diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql index ff9e59c..9b02261 100644 --- a/detection/execution/unexpected-security-framework-program-macos.sql +++ b/detection/execution/unexpected-security-framework-program-macos.sql @@ -146,7 +146,9 @@ WHERE '500,scdaemon,scdaemon,', '500,tflint-ruleset-aws,a.out,', '500,sdaudioswitch,,', + '500,monorail,a.out,', '500,sdaudioswitch,sdaudioswitch,', + '500,k9s,a.out,', '500,sdzoomplugin,,', '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing', '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql index 441f5d4..6eeaf32 100644 --- a/detection/initial_access/unexpected-diskimage-source-macos.sql 
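Review bot: The WHERE rewrites in the last two hunks of unexpected-root-signer-macos.sql go in opposite directions: `p1.path = "/usr/bin/sudo"` becomes the alias `p1_path`, while the four `p0_path LIKE ...` predicates become the raw column `pe.path LIKE ...`, even though `pe.path AS p0_path` is still defined in the SELECT list. Pick one convention for the clause — aliases throughout (`p0_path LIKE ...`, matching the `p0_cmd` and `p0_name` predicates on the neighbouring lines) or table columns throughout — so a reader does not have to verify that the two spellings are the same value. If aliases genuinely cannot be used for these lines (an osquery/SQLite resolution quirk, say), a comment at the top of the WHERE clause would keep the next person from reverting it. The rewritten predicates also keep double-quoted literals such as `"/opt/%/bin/socket_vmnet"`; SQLite parses `"..."` as an identifier first and falls back to a string only when nothing matches, so single quotes are the safer spelling.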
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -123,6 +123,7 @@ WHERE
 'adoptium.net',
 'balsamiq.com',
 'brave.com',
+ 'cron.com',
 'discord.com',
 'dl.discordapp.net',
 'dl.google.com',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index a0d8a69..309734d 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -11,28 +11,45 @@ -- interval: 60 -- platform: posix SELECT - p.name, - p.path AS path, - p.cmdline AS cmd, - p.pid, - p.cgroup_path, - p.parent, - p.cwd, - pp.name AS parent_name, - pp.path AS parent_path, - pp.cmdline AS parent_cmd, - hash.sha256 AS parent_sha256 + -- Child + p0.pid AS p0_pid, + p0.path AS p0_path, + p0.name AS p0_name, + p0.start_time AS p0_start, + p0.cmdline AS p0_cmd, + p0.cwd AS p0_cwd, + p0.cgroup_path AS p0_cgroup, + p0.euid AS p0_euid, + p0_hash.sha256 AS p0_sha256, + -- Parent + p0.parent AS p1_pid, + p1.path AS p1_path, + p1.name AS p1_name, + p1.start_time AS p1_start, + p1.euid AS p1_euid, + p1.cmdline AS p1_cmd, + p1_hash.sha256 AS p1_sha256, + -- Grandparent + p1.parent AS p2_pid, + p2.name AS p2_name, + p2.start_time AS p2_start, + p2.path AS p2_path, + p2.cmdline AS p2_cmd, + p2_hash.sha256 AS p2_sha256 FROM - processes p - LEFT JOIN processes pp ON pp.pid = p.parent - LEFT JOIN hash ON pp.path = hash.path + processes p0 + LEFT JOIN hash p0_hash ON p0.path = p0_hash.path + LEFT JOIN processes p1 ON p0.parent = p1.pid + LEFT JOIN hash p1_hash ON p1.path = p1_hash.path + LEFT JOIN processes p2 ON p1.parent = p2.pid + LEFT JOIN hash p2_hash ON p2.path = p2_hash.path WHERE - p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash') + p0.name IN ('sh', 'fish', 'zsh', 'bash', 'dash') -- Ignore partial table joins - AND parent_path != '' + AND p1_path != '' -- Editors & terminals mostly. -- I know it's tempting to list "electron" here but please find a more specific exclusion. - AND pp.name NOT IN ( + AND p1.name NOT IN ( 'abrt-action-per', 'abrt-handle-eve', 'alacritty', @@ -129,7 +146,7 @@ WHERE 'zellij', 'zsh' ) - AND parent_path NOT IN ( + AND p1_path NOT IN ( '/Applications/Docker.app/Contents/MacOS/Docker', '/Applications/Docker.app/Contents/MacOS/install', '/Applications/Docker.app/Contents/Resources/bin/com.docker.cli', 
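Review bot: The new p0/p1/p2 SELECT list and join chain in unexpected-shell-parents.sql are a verbatim copy of fragments/process_parents.sql (whose FROM clause this same patch fixes), and the identical block is pasted again into low-fd-socket.sql and unexpected-lock-opener.sql further down. Nothing marks these copies as derived, so the next column added to the fragment (this commit already adds `p1_start` to the macOS event fragment) will drift between files. Add a marker at the top of each copied SELECT in the style this repository already uses in unexpected-fetcher-parents.sql, e.g. `-- NOTE: Child/Parent/Grandparent columns are synced with fragments/process_parents.sql`.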
@@ -142,6 +159,7 @@ WHERE '/Applications/Amazon Photos.app/Contents/MacOS/Amazon Photos', '/bin/dash', '/bin/sh', + '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent', '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent', '/Library/Developer/CommandLineTools/usr/bin/git', '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon', @@ -169,10 +187,11 @@ WHERE '/usr/libexec/periodic-wrapper', '/usr/lib/xorg/Xorg' ) - AND NOT p.cmdline IN ( + AND NOT p0.cmdline IN ( -- npm run server 'sh -c -- exec-bin node_modules/.bin/hugo/hugo server', '/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice', + '/bin/sh -c sysctl hw.model kern.osrelease', '/bin/bash -c ioreg -l -w 0 | grep SecureInput', "sh -c acpi -b | grep -v 'unavailable'", 'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null', 
@@ -180,43 +199,43 @@ WHERE 'sh -c ps -xcocommand,pid | grep "LOGINserver"' ) AND NOT ( - pp.name = 'sshd' - AND p.cmdline LIKE '%askpass%' + p1.name = 'sshd' + AND p0.cmdline LIKE '%askpass%' ) AND NOT ( - pp.name = 'steam' - AND p.cmdline LIKE 'sh -c %steamwebhelper.sh%' + p1.name = 'steam' + AND p0.cmdline LIKE 'sh -c %steamwebhelper.sh%' ) AND NOT ( - pp.name = 'bash' - AND p.cmdline LIKE 'sh -s _hostname %' + p1.name = 'bash' + AND p0.cmdline LIKE 'sh -s _hostname %' ) AND NOT ( - pp.cmdline LIKE 'perl%/help2man%' - AND p.cmdline LIKE 'sh -c man/%' + p1.cmdline LIKE 'perl%/help2man%' + AND p0.cmdline LIKE 'sh -c man/%' ) - AND NOT p.cmdline LIKE '/bin/sh %/bin/docker-credential-gcloud get' - AND NOT parent_path LIKE '/private/var/folders/%/T/go-build%.test' - AND NOT parent_path LIKE '/private/tmp/PKInstallSandbox.%/tmp/Python/Python3.framework/Versions/%/Resources/Python.app/Contents/MacOS/Python' - AND NOT p.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%' - AND NOT p.cmdline LIKE '%gcloud config config-helper%' - AND NOT p.cmdline LIKE '%hugo/hugo server%' - AND NOT pp.cmdline LIKE '/Applications/Warp.app/%' - AND NOT pp.cmdline = 'npm run start' - AND NOT pp.cmdline LIKE '%brew.rb%' - AND NOT pp.cmdline LIKE '%/Homebrew/build.rb%' - AND NOT pp.cmdline LIKE '%Code Helper%' - AND NOT pp.cmdline LIKE '%gcloud.py config config-helper%' - AND NOT pp.cmdline LIKE '/usr/lib/electron19/electron /usr/lib/code/out/bootstrap-fork --type=ptyHost --logsPath /home/%/.config/Code - OSS/logs/%' - AND NOT pp.name LIKE '%term%' - AND NOT pp.name LIKE '%Term%' - AND NOT pp.name LIKE 'Emacs%' - AND NOT pp.name LIKE 'terraform-provider-%' - AND NOT pp.path LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent' + AND NOT p0.cmdline LIKE '/bin/sh %/bin/docker-credential-gcloud get' + AND NOT p1_path LIKE '/private/var/folders/%/T/go-build%.test' + AND 
NOT p1_path LIKE '/private/tmp/PKInstallSandbox.%/tmp/Python/Python3.framework/Versions/%/Resources/Python.app/Contents/MacOS/Python' + AND NOT p0.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%' + AND NOT p0.cmdline LIKE '%gcloud config config-helper%' + AND NOT p0.cmdline LIKE '%hugo/hugo server%' + AND NOT p1.cmdline LIKE '/Applications/Warp.app/%' + AND NOT p1.cmdline = 'npm run start' + AND NOT p1.cmdline LIKE '%brew.rb%' + AND NOT p1.cmdline LIKE '%/Homebrew/build.rb%' + AND NOT p1.cmdline LIKE '%Code Helper%' + AND NOT p1.cmdline LIKE '%gcloud.py config config-helper%' + AND NOT p1.cmdline LIKE '/usr/lib/electron19/electron /usr/lib/code/out/bootstrap-fork --type=ptyHost --logsPath /home/%/.config/Code - OSS/logs/%' + AND NOT p1.name LIKE '%term%' + AND NOT p1.name LIKE '%Term%' + AND NOT p1.name LIKE 'Emacs%' + AND NOT p1.name LIKE 'terraform-provider-%' + AND NOT p1.path LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent' -- Oh, NixOS. - AND NOT pp.name LIKE '%/bin/bash' - AND NOT pp.name LIKE '%/bin/direnv' - AND NOT parent_path LIKE '/nix/store/%sh' - AND NOT parent_path LIKE '/opt/homebrew/%' - AND NOT p.cgroup_path LIKE '/system.slice/docker-%' - AND NOT p.cgroup_path LIKE '/system.slice/system.slice:docker:%' + AND NOT p1.name LIKE '%/bin/bash' + AND NOT p1.name LIKE '%/bin/direnv' + AND NOT p1_path LIKE '/nix/store/%sh' + AND NOT p1_path LIKE '/opt/homebrew/%' + AND NOT p0.cgroup_path LIKE '/system.slice/docker-%' + AND NOT p0.cgroup_path LIKE '/system.slice/system.slice:docker:%' diff --git a/detection/persistence/low-fd-socket.sql b/detection/persistence/low-fd-socket.sql index b56d229..f78cb0a 100644 --- a/detection/persistence/low-fd-socket.sql +++ b/detection/persistence/low-fd-socket.sql 
@@ -8,20 +8,45 @@ -- -- tags: process state -- platform: posix -SELECT p.uid, - p.euid, - pos.protocol, +SELECT pos.protocol, pos.pid, pos.remote_address, pos.local_address, pos.local_port, pos.remote_port, - p.name, - p.start_time, - p.parent, - p.cgroup_path, - p.path, - pos.state -FROM processes p - JOIN process_open_sockets pos ON p.pid = pos.pid - WHERE fd < 3 AND family != 1; + pos.state, + -- Child + p0.pid AS p0_pid, + p0.path AS p0_path, + p0.name AS p0_name, + p0.start_time AS p0_start, + p0.cmdline AS p0_cmd, + p0.cwd AS p0_cwd, + p0.cgroup_path AS p0_cgroup, + p0.euid AS p0_euid, + p0_hash.sha256 AS p0_sha256, + -- Parent + p0.parent AS p1_pid, + p1.path AS p1_path, + p1.name AS p1_name, + p1.start_time AS p1_start, + p1.euid AS p1_euid, + p1.cmdline AS p1_cmd, + p1_hash.sha256 AS p1_sha256, + -- Grandparent + p1.parent AS p2_pid, + p2.name AS p2_name, + p2.start_time AS p2_start, + p2.path AS p2_path, + p2.cmdline AS p2_cmd, + p2_hash.sha256 AS p2_sha256 +FROM process_open_sockets pos + JOIN processes p0 ON pos.pid = p0.pid + LEFT JOIN hash p0_hash ON p0.path = p0_hash.path + LEFT JOIN processes p1 ON p0.parent = p1.pid + LEFT JOIN hash p1_hash ON p1.path = p1_hash.path + LEFT JOIN processes p2 ON p1.parent = p2.pid + LEFT JOIN hash p2_hash ON p2.path = p2_hash.path +WHERE pos.fd < 3 + AND pos.family != 1 + AND p0.path NOT IN ('/usr/libexec/bootpd') \ No newline at end of file diff --git a/detection/persistence/minimal-socket-client-linux.sql b/detection/persistence/minimal-socket-client-linux.sql index def37ad..82e849c 100644 --- a/detection/persistence/minimal-socket-client-linux.sql +++ b/detection/persistence/minimal-socket-client-linux.sql 
@@ -8,43 +8,47 @@ -- -- tags: persistent process state seldom -- platform: linux -SELECT p.uid, - p.euid, - pos.protocol, +SELECT pos.protocol, pos.pid, pos.remote_address, pos.local_address, pos.local_port, pos.remote_port, - p.start_time, - p.name, - p.parent, - p.cgroup_path, - p.path, pos.state, GROUP_CONCAT(DISTINCT pmm.path) AS libs, - COUNT(DISTINCT pmm.path) AS lib_count -FROM processes p - JOIN process_open_sockets pos ON p.pid = pos.pid AND pos.family != 1 - JOIN process_memory_map pmm ON pos.pid = pmm.pid -WHERE p.pid IN ( - SELECT pid - FROM processes - WHERE path NOT IN ( - '/usr/bin/containerd', - '/usr/bin/fusermount3', - '/usr/sbin/acpid', - '/usr/bin/dash', - '/usr/bin/docker', - '/usr/sbin/mcelog', - '/usr/bin/docker-proxy', - '/usr/bin/cat', - '/usr/lib/electron/chrome-sandbox', - '/usr/bin/i3blocks' - ) - AND name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node') - GROUP BY processes.path + COUNT(DISTINCT pmm.path) AS lib_count, + -- Child + p0.pid AS p0_pid, + p0.path AS p0_path, + p0.name AS p0_name, + p0.start_time AS p0_start, + p0.cmdline AS p0_cmd, + p0.cwd AS p0_cwd, + p0.cgroup_path AS p0_cgroup, + p0.euid AS p0_euid, + p0_hash.sha256 AS p0_sha256 +FROM processes p0 + JOIN process_open_sockets pos ON p0.pid = pos.pid + JOIN process_memory_map pmm ON p0.pid = pmm.pid + LEFT JOIN hash p0_hash ON p0.path = p0_hash.path +WHERE + pos.family != 1 + AND pos.pid > 0 + AND pos.state != 'LISTEN' + AND p0.path NOT IN ( + '/usr/bin/containerd', + '/usr/bin/fusermount3', + '/usr/sbin/acpid', + '/usr/bin/dash', + '/usr/bin/docker', + '/usr/sbin/mcelog', + '/usr/libexec/docker/docker-proxy', + '/usr/bin/docker-proxy', + '/usr/bin/cat', + '/usr/lib/electron/chrome-sandbox', + '/usr/bin/i3blocks' ) + AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node') AND pmm.path LIKE "%.so.%" GROUP BY pos.pid -- libc.so, ld-linux HAVING lib_count IN (1, 2) \ No newline at end of file 
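Review bot: The new `AND pos.state != 'LISTEN'` predicate in minimal-socket-client-linux.sql also discards any row whose `state` is NULL, because `NULL != 'LISTEN'` is UNKNOWN and fails the WHERE; if process_open_sockets reports a NULL rather than an empty state for UDP or raw sockets, those minimal clients disappear from the results silently. `AND COALESCE(pos.state, '') != 'LISTEN'` keeps them while still excluding listeners. The filter is also new behaviour relative to the old query, so a short comment on intent — e.g. `-- listeners are out of scope here; only sockets a client opened` — would help the next reader.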
diff --git a/detection/persistence/minimal-socket-client-macos.sql b/detection/persistence/minimal-socket-client-macos.sql
index 2f06909..5301178 100644
--- a/detection/persistence/minimal-socket-client-macos.sql
+++ b/detection/persistence/minimal-socket-client-macos.sql
@@ -23,7 +23,7 @@ SELECT
 p.cgroup_path,
 p.path,
 pos.state,
- GROUP_CONCAT(pmm.path) AS libs,
+ GROUP_CONCAT(DISTINCT pmm.path) AS libs,
 COUNT(DISTINCT pmm.path) AS lib_count,
 -- Normally we would use signatures for exceptions, but it was triggering
 -- an unusual performance issue in osquery.
@@ -68,6 +68,7 @@ WHERE
 AND exception_key NOT IN (
 '500,Todoist,/Applications/Todoist.app/Contents/MacOS/Todoist',
 '500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
+ '500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper (GPU).app/Contents/MacOS/WhatsApp Helper (GPU)',
 '500,Slack Helper (Renderer),/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS/Slack Helper (Renderer)',
 '500,Snagit 2020,/Applications/Snagit 2020.app/Contents/MacOS/Snagit 2020',
 '500,SnagitHelper2020,/Applications/Snagit 2020.app/Contents/Library/LoginItems/SnagitHelper2020.app/Contents/MacOS/SnagitHelper2020'
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 7d269d9..895d7fe 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -49,10 +49,13 @@ WHERE AND ( exception_key IN ( 'abrtd.service,ABRT Automated Bug Reporting Tool,,450', + 'abrtd.service,ABRT Daemon,,225', + 'abrt-journal-core.service,ABRT coredumpctl message creator,,0', 'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,,225', 'abrt-oops.service,ABRT kernel log watcher,,225', 'abrt-xorg.service,ABRT Xorg log watcher,,225', 'accounts-daemon.service,Accounts Service,,1800', + 'accounts-daemon.service,Accounts Service,,2025', 'accounts-daemon.service,Accounts Service,,675', 'acpid.path,ACPI Events Check,,0', 'acpid.service,ACPI Daemon,,1125', @@ -138,6 +141,7 @@ WHERE 'fprintd.service,Fingerprint Authentication Daemon,,675', 'fprintd.service,Fingerprint Authentication Daemon,,900', 'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,225', + 'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,450', 'fstrim.timer,Discard unused blocks once a week,,225', 'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,225', 'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,450', @@ -176,6 +180,7 @@ WHERE 'lm-sensors.service,Initialize hardware monitoring sensors,,0', 'lm_sensors.service,Initialize hardware monitoring sensors,,225', 'logrotate-checkconf.service,Logrotate configuration check,,1125', + 'logrotate-checkconf.service,Logrotate configuration check,,900', 'logrotate.timer,Daily rotation of log files,,0', 'logrotate.timer,logrotate.timer,,0', 'low-memory-monitor.service,Low Memory Monitor,,675', 
@@ -201,6 +206,7 @@ WHERE 'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,,225', 'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,,225', "networking.service,Raise network interfaces,,450", + 'network-local-commands.service,Extra networking commands.,,1125', 'network-local-commands.service,Extra networking commands.,,1350', 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,450', 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,675', @@ -208,11 +214,13 @@ WHERE 'NetworkManager.service,Network Manager,,1350', 'NetworkManager-wait-online.service,Network Manager Wait Online,,1125', 'network-setup.service,Networking Setup,,1350', + 'nginx.service,Nginx Web Server,nginx,2250', 'nginx.service,Nginx Web Server,nginx,2400', 'nix-daemon.service,Nix Daemon,,225', 'nix-daemon.socket,Nix Daemon Socket,,225', 'nix-gc.timer,nix-gc.timer,,0', 'nscd.service,Name Service Cache Daemon,nscd,1800', + 'nscd.service,Name Service Cache Daemon (nsncd),nscd,1350', 'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,225', 'nvidia-persistenced.service,NVIDIA Persistence Daemon,,225', 'nvidia-powerd.service,nvidia-powerd service,,0', @@ -235,6 +243,7 @@ WHERE 'proc-sys-fs-binfmt_misc.automount,Arbitrary Executable File Formats File System Automount Point,,675', 'pwrstatd.service,The monitor UPS software.,,225', 'qemu-kvm.service,QEMU KVM preparation - module, ksm, hugepages,,225', + 'qualys-cloud-agent.service,Qualys cloud agent daemon,,225', 'raid-check.timer,Weekly RAID setup health check,,0', 'realmd.service,Realm and Domain Configuration,,0', 'reflector.service,Refresh Pacman mirrorlist with Reflector.,,1350', 
@@ -253,14 +262,7 @@ WHERE 'setvtrgb.service,Set console scheme,,225', 'shadow.service,Verify integrity of password and group files,,900', 'shadow.timer,Daily verification of password and group files,,0', - 'abrt-journal-core.service,ABRT coredumpctl message creator,,0', - 'abrtd.service,ABRT Daemon,,225', - 'nginx.service,Nginx Web Server,nginx,2250', - 'network-local-commands.service,Extra networking commands.,,1125', - 'logrotate-checkconf.service,Logrotate configuration check,,900', '-.slice,Root Slice,,0', - 'accounts-daemon.service,Accounts Service,,2025', - 'nscd.service,Name Service Cache Daemon (nsncd),nscd,1350', 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,225', 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,450', 'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,,675', @@ -310,6 +312,7 @@ WHERE 'systemd-journald.service,Journal Service,,1800', 'systemd-journald.service,Journal Service,,2025', 'systemd-journald.service,Journal Service,,2200', + 'systemd-journald.service,Journal Service,,2250', 'systemd-journald.socket,Journal Socket,,900', 'systemd-journal-flush.service,Flush Journal to Persistent Storage,,675', 'systemd-localed.service,Locale Service,,1125', diff --git a/detection/persistence/unexpected-global-lock.sql b/detection/persistence/unexpected-global-lock.sql index 08608bf..7189749 100644 --- a/detection/persistence/unexpected-global-lock.sql +++ b/detection/persistence/unexpected-global-lock.sql @@ -36,6 +36,7 @@ WHERE ( AND exception_key NOT IN ( '0,0,/var/run/unattended-upgrades.lock,regular,0640', '0,0,/var/run/xtables.lock,regular,0600', + '0,0,/var/run/dnf-metadata.lock,regular,0644', '0,0,/var/run/apport.lock,regular,0600', '74,0,/tmp/mysql.sock.lock,regular,0600', '74,0,/tmp/mysqlx.sock.lock,regular,0600' diff --git a/detection/persistence/unexpected-lock-opener.sql b/detection/persistence/unexpected-lock-opener.sql index 8e2881b..653374b 100644 
--- a/detection/persistence/unexpected-lock-opener.sql +++ b/detection/persistence/unexpected-lock-opener.sql @@ -23,15 +23,31 @@ SELECT CONCAT( ) ) AS exception_key, pof.path AS lock, - -- Child - p0.pid AS p0_pid, - p0.path AS p0_path, - p0.name AS p0_name, - p0.cmdline AS p0_cmd, - p0.cwd AS p0_cwd, - p0.cgroup_path AS p0_cgroup, - p0.euid AS p0_euid, - p0_hash.sha256 AS p0_sha256 + -- Child + p0.pid AS p0_pid, + p0.path AS p0_path, + p0.name AS p0_name, + p0.start_time AS p0_start, + p0.cmdline AS p0_cmd, + p0.cwd AS p0_cwd, + p0.cgroup_path AS p0_cgroup, + p0.euid AS p0_euid, + p0_hash.sha256 AS p0_sha256, + -- Parent + p0.parent AS p1_pid, + p1.path AS p1_path, + p1.name AS p1_name, + p1.start_time AS p1_start, + p1.euid AS p1_euid, + p1.cmdline AS p1_cmd, + p1_hash.sha256 AS p1_sha256, + -- Grandparent + p1.parent AS p2_pid, + p2.name AS p2_name, + p2.start_time AS p2_start, + p2.path AS p2_path, + p2.cmdline AS p2_cmd, + p2_hash.sha256 AS p2_sha256 FROM processes p0 JOIN users u ON p0.euid = u.uid LEFT JOIN process_open_files pof ON p0.pid = pof.pid 
@@ -41,19 +57,23 @@ FROM processes p0 LEFT JOIN processes p2 ON p1.parent = p2.pid LEFT JOIN hash p2_hash ON p2.path = p2_hash.path WHERE pof.path LIKE "%.lock" - AND pof.path NOT LIKE "/run/user/1%/%.lock" + AND pof.path NOT LIKE "/run/user/%/%.lock" AND NOT exception_key IN ( '0,com.apple.MobileSoftwareUpdate.CryptegraftService,/private/var/db/softwareupdate/SplunkHistory', '0,snapd,/var/lib/snapd', + '500,flyctl,~/.fly', '200,softwareupdated,/private~/SplunkHistory', + '500,Ecamm Live Stream Deck Plugin,~/Library/Application Support/com.elgato.StreamDeck/Sentry', '500,Beeper,~/Library/Application Support/Beeper/EventStore', '500,bridge-gui,~/Library/Application Support/protonmail/bridge-v3/sentry_cache', '500,bridge-gui,~/Library/Caches/protonmail/bridge-v3', + '200,NRDUpdated,/private~/SplunkHistory', '500,bridge,~/Library/Application Support/protonmail/bridge-v3/sentry_cache', '500,Stream Deck,~/Library/Application Support/com.elgato.StreamDeck/Sentry', '500,bridge,~/Library/Caches/protonmail/bridge-v3', '500,Craft,~/Library/Containers/com.lukilabs.lukiapp/Data/Library/Application Support/com.lukilabs.lukiapp', '500,buildkitd,~/.local/share/buildkit', + '500,Adobe Premiere Pro 2023,~/Library/Caches/Adobe/Premiere Pro/23.0/SentryIO-db', '500,com.docker.backend,~/Library/Containers/com.docker.docker', '500,photolibraryd,~/Library/Photos/Libraries/Syndication.photoslibrary/database', '500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database', 
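Review bot: Widening `pof.path NOT LIKE "/run/user/1%/%.lock"` to `"/run/user/%/%.lock"` in unexpected-lock-opener.sql also blanket-excludes `/run/user/0/`, root's runtime directory, so a root process holding a lock there is now invisible to this rule where before only uids beginning with 1 were skipped. If the intent was to cover regular users whose uids fall outside the 1xxx range, keep root in scope explicitly, e.g. `AND NOT (pof.path LIKE "/run/user/%/%.lock" AND pof.path NOT LIKE "/run/user/0/%")`. A comment stating which uid range the exclusion is meant for would also prevent the next widening from going unnoticed.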
@@ -62,7 +82,9 @@ WHERE pof.path LIKE "%.lock"
 AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,~/%'
 AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,/private/var/folders/%'
 AND NOT exception_key LIKE '500,lua-language-server,~/%'
- AND NOT exception_key LIKE '0,prl_disp_service,/Users/%/Parallels/%/vm.lock'
+ AND NOT exception_key LIKE '500,ykman-gui,/private/var/folders/%/T'
+ AND NOT exception_key LIKE '500,golangci-lint,/private/var/folders/%/T'
+ AND NOT exception_key LIKE '0,prl_disp_service,/Users/%/Parallels/%.pvm'
 AND NOT exception_key LIKE '500,iTermServer-%,~/Library/Application Support/iTerm2'
 AND NOT exception_key LIKE '500,%,/private/var/folders/%/T/Sentry_StreamDeck'
 AND NOT exception_key LIKE '500,gnome-software,/var/tmp/flatpak-cache-%'
diff --git a/detection/privesc/unexpected-elevated-children-events_macos.sql b/detection/privesc/unexpected-elevated-children-events_macos.sql
index 231befb..a2de2b3 100644
--- a/detection/privesc/unexpected-elevated-children-events_macos.sql
+++ b/detection/privesc/unexpected-elevated-children-events_macos.sql
@@ -107,16 +107,19 @@ WHERE '/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared' ) AND NOT exception_key IN ( - 'containermanagerd,262,com.docker.backend,Docker', - 'sysextd,0,LogiTune,launchd', - 'CAReportingService,0,LogiTune,launchd', - 'biometrickitd,0,LogiTune,launchd', - 'suhelperd,0,LogiTune,launchd', - 'com.apple.AccountPolicyHelper,0,LogiTune,launchd', 'amfid,0,com.docker.backend,Docker', - 'dprivacyd,0,com.docker.backend,Docker', + 'biometrickitd,0,LogiTune,launchd', + 'bioutil,0,callservicesd,launchd', + 'CAReportingService,0,LogiTune,launchd', + 'com.apple.AccountPolicyHelper,0,LogiTune,launchd', 'com.apple.geod,262,com.docker.backend,Docker', - 'SCHelper,0,com.docker.backend,Docker' + 'com.apple.WebKit.WebContent,200,zsh,Emacs-arm64-11', + 'containermanagerd,262,com.docker.backend,Docker', + 'dprivacyd,0,com.docker.backend,Docker', + 'SCHelper,0,com.docker.backend,Docker', + 'suhelperd,0,LogiTune,launchd', + 'sysextd,0,LogiTune,launchd', + 'system_profiler,0,callservicesd,launchd' ) AND NOT ( pe.euid = 262 -- core media helper id diff --git a/fragments/process_event_parents_macos.sql b/fragments/process_event_parents_macos.sql index 4bd41ca..d94a62c 100644 --- a/fragments/process_event_parents_macos.sql +++ b/fragments/process_event_parents_macos.sql @@ -15,6 +15,7 @@ SELECT -- Parent pe.parent AS p1_pid, TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd, + COALESCE(p1.start_time, pe1.time) AS p1_start, COALESCE(p1.path, pe1.path) AS p1_path, p1.cwd AS p1_cwd, COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash, diff --git a/fragments/process_parents.sql b/fragments/process_parents.sql index 44e2938..3533420 100644 --- a/fragments/process_parents.sql +++ b/fragments/process_parents.sql 
@@ -26,8 +26,7 @@ SELECT
 p2.cmdline AS p2_cmd,
 p2_hash.sha256 AS p2_sha256
 FROM
- process_open_sockets pop
- LEFT JOIN processes p0 ON pop.pid = p0.pid
+ processes p0
 LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
 LEFT JOIN processes p1 ON p0.parent = p1.pid
 LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
diff --git a/policy/gcp-service-account-keys-mdfind.sql b/policy/gcp-service-account-keys-mdfind.sql
index fd522dd..e4c181c 100644
--- a/policy/gcp-service-account-keys-mdfind.sql
+++ b/policy/gcp-service-account-keys-mdfind.sql
@@ -85,6 +85,7 @@ WHERE
 '4b4be8c1bc7e3bc7ea1f02932a024466db5faf3eaad885cf31ac7383484b1b1c',
 '6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
 'e99b4e6dfbbefa19c9ec9c82bb0c3445a443702f960c2a05f882bb5577a59ef8',
+ '421899fb9bfa0252ce7921969339918a5bbacbc7b9cd500e03a88f9c4e33bae4',
 '81bce2313cd00ffc42303fbf7c08e4d068fccc9c0076867903ef94616d795e12',
 '8d740893c1f9163ddfd8c193d9a95caf15da3740b42f2739c4b107ad12661809',
 '998ddcb7d1a7c2931c8546576873e47b399f23cef719227052f245c8240c6528',
diff --git a/policy/gcp-service-account-keys.sql b/policy/gcp-service-account-keys.sql
index 4a74f30..df37000 100644
--- a/policy/gcp-service-account-keys.sql
+++ b/policy/gcp-service-account-keys.sql
@@ -4,6 +4,7 @@
 -- platform: posix
 SELECT
 file.path,
+ file.filename,
 file.type,
 file.size,
 file.mtime,
@@ -48,6 +49,5 @@ WHERE
 AND NOT file.filename LIKE 'ulabs-%'
 AND NOT hash.sha256 IN (
 "c7d6bac8e942511e25973889ac38656d4d46f68044650d694721017fda23716e",
- "bd5f4c01ebb5636b94584ee4ae42514b27d371859f7344f6aa5a37332ee714ba",
 "bd5f4c01ebb5636b94584ee4ae42514b27d371859f7344f6aa5a37332ee714ba"
 )