fpr: macOS, yubikey, Premiere, dnf, vagrant, etc

Makefile

@@ -72,7 +72,7 @@ verify-ci: ./out/osqtool-$(ARCH)
 verify: ./out/osqtool-$(ARCH)
 	$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response
 	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy
-	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h15m --max-query-daily-duration=1h verify detection
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h25m --max-query-daily-duration=1h verify detection
 
 all: out/odk-packs.zip
 

detection/c2/unexpected-https-linux.sql

@@ -83,6 +83,7 @@ WHERE
     '0,python3.10,0u,0g,dnf',
     '0,python3.10,0u,0g,dnf-automatic',
     '0,python3.10,0u,0g,yum',
+    '500,evolution-source-registry,0u,0g,evolution-sourc',
     '0,python3.11,0u,0g,dnf',
     '0,python3.11,0u,0g,dnf-automatic',
     '0,python3.11,0u,0g,yum',
@@ -247,6 +248,7 @@ WHERE
     '500,spotify,500u,500g,spotify',
     '500,spotify,u,g,spotify',
     '500,steam,500u,100g,steam',
+    '500,buildkite-agent,500u,500g,buildkite-agent',
     '500,steam,500u,500g,steam',
     '500,steamwebhelper,500u,100g,steamwebhelper',
     '500,steamwebhelper,500u,500g,steamwebhelper',
@@ -264,6 +266,7 @@ WHERE
     '500,todoist,0u,0g,todoist',
     '500,trivy,0u,0g,trivy',
     '500,trivy,500u,500g,trivy',
+    '500,firefox-bin,u,g,firefox-bin',
     '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
     '500,wget,0u,0g,wget',
     '500,wine64-preloader,500u,500g,Root.exe',

detection/c2/unexpected-https-macos.sql

@@ -102,15 +102,19 @@ WHERE pos.protocol IN (6, 17)
     AND s.authority = 'Software Signing'
   )
   AND NOT exception_key IN (
+    '0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
     '0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
     '0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
     '500,bash,bash,,bash',
+    '0,EdgeUpdater,EdgeUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.EdgeUpdater',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
+    '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64',
     '500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
     '500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
     '500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
     '500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642),Ecamm Live Stream Deck Plugin',
     '500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
+    '500,Fleet,~/Library/Caches/JetBrains/Fleet',
     '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
     '500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
     '500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
@@ -126,6 +130,7 @@ WHERE pos.protocol IN (6, 17)
     '500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
     '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
     '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
+    '500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
     '500,syncthing,syncthing,,syncthing',
     '500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform',
     '500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
@@ -137,7 +142,9 @@ WHERE pos.protocol IN (6, 17)
     '500,chainlink,chainlink,500u,20g',
     '500,cpu,cpu,500u,20g',
     '500,cosign,cosign,0u,500g',
+    '500,chainctl,chainctl,500u,20g',
     '500,crane,crane,500u,80g',
+    '500,pulumi-resource-gcp,pulumi-resource-gcp,500u,20g',
     '500,go,go,500u,80g',
     '500,git-remote-http,git-remote-http,500u,80g',
     '500,vim,vim,0u,500g',
@@ -147,6 +154,11 @@ WHERE pos.protocol IN (6, 17)
   )
   AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
   AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
+  AND NOT (
+    exception_key = '500,Python,Python,,org.python.python'
+    AND p0_cmd LIKE '% main.py'
+    AND p0_cwd LIKE "%/neko"
+  )
   AND NOT (
     exception_key IN (
       '500,Python,Python,,org.python.python',
@@ -156,7 +168,6 @@ WHERE pos.protocol IN (6, 17)
       p0_cmd LIKE '%/gcloud.py%'
       OR p0_cmd LIKE '%pip install%'
       OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
-      OR p0_cmd LIKE '%/main.py'
       OR p0_cmd LIKE '%/bin/aws%'
     )
   ) -- theScore and other iPhone apps

detection/c2/unexpected-libcurl-user-linux.sql

@@ -69,6 +69,7 @@ WHERE
   AND NOT exception_key IN (
     'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
     'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
+    'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
     'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
     'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
     'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',

detection/c2/unexpected-talkers-linux.sql

@@ -130,7 +130,9 @@ WHERE
     '80,6,0,applydeltarpm,0u,0g,applydeltarpm',
     '80,6,0,appstreamcli,0u,0g,appstreamcli',
     '80,6,0,bash,0u,0g,bash',
+    '43,6,500,whois.md,0u,0g,whois',
     '80,6,0,bash,0u,0g,mkinitcpio',
+    '3306,6,500,java,u,g,java',
     '80,6,0,bash,0u,0g,sh',
     '80,6,0,bash,0u,0g,update-ca-trust',
     '80,6,0,cp,0u,0g,cp',

detection/c2/unexpected-talkers-macos.sql

@@ -116,6 +116,8 @@ WHERE
   )
   AND NOT exception_key IN (
     '0,6,80,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
+    '500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
+    '500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
     '500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
     '500,17,9000,Meeting Center,Meeting Center,Developer ID Application: Cisco (DE8Y96K9QP),com.webex.meetingmanager',
     '500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
@@ -139,27 +141,31 @@ WHERE
     '500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
     '500,6,80,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
     '500,6,80,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
+    '500,6,80,Slack Helper,Slack Helper,Apple Mac OS Application Signing,com.tinyspeck.slackmacgap.helper',
     '500,6,80,Snagit 2020,Snagit 2020,Apple Mac OS Application Signing,com.TechSmith.Snagit2020',
     '500,6,80,Snagit 2023,Snagit 2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.TechSmith.Snagit2023',
     '500,6,80,SnagitHelper2020,SnagitHelper2020,Apple Mac OS Application Signing,com.techsmith.snagit.capturehelper2020',
     '500,6,80,SnagitHelper2023,SnagitHelper2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2023',
     '500,6,80,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
+    '500,6,80,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
     '500,6,80,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
+    '500,6,80,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),WhatsApp',
     '500,6,80,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
     '500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
     '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
     '500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
   ) -- Useful for unsigned binaries
   AND NOT alt_exception_key IN (
+    '500,6,80,firefox,firefox,500u,20g',
     '500,6,22,ssh,ssh,0u,500g',
     '500,6,22,ssh,ssh,500u,0g',
     '500,6,22,ssh,ssh,500u,20g',
     '500,6,22,ssh,ssh,500u,80g',
-    '500,6,80,qemu-system-aarch64,qemu-system-aarch64,500u,80g',
     '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,0u,0g',
-    '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,500u,20g',
     '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
-    '500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g'
+    '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,500u,20g',
+    '500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g',
+    '500,6,80,qemu-system-aarch64,qemu-system-aarch64,500u,80g'
   )
   AND NOT (
     alt_exception_key LIKE '500,6,%,syncthing,syncthing,0u,500g'
@@ -179,6 +185,7 @@ WHERE
       OR pos.remote_port > 3000
     )
     AND id_exception_key IN (
+      'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
       'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',

detection/evasion/hidden-parent-pid.sql

@@ -1,31 +0,0 @@
--- Find a process which has a parent that is not listed in the process table
---
--- Works well for revealing boopkit, so long as boopkit has a child process.
---
--- references:
---   * https://github.com/krisnova/boopkit
---   * https://attack.mitre.org/techniques/T1014/ (Rootkit)
---
--- false positives:
---   * None observed
---
--- tags: persistent daemon
-SELECT
-  p.*,
-  hash.sha256,
-  GROUP_CONCAT(DISTINCT pof.path) AS open_files
-FROM
-  processes p
-  LEFT JOIN hash ON p.path = hash.path
-  LEFT JOIN process_open_files pof ON p.pid = pof.pid
-WHERE
-  p.parent NOT IN (
-    SELECT
-      pid
-    FROM
-      processes
-  )
-  AND p.parent != 0
-  AND p.parent IS NOT NULL
-GROUP BY
-  p.pid

detection/evasion/parent-missing-from-disk-linux.sql

@@ -55,6 +55,7 @@ WHERE
     '/usr/bin/doas',
     '/usr/bin/dockerd',
     '/usr/bin/fusermount3',
+    '/usr/libexec/at-spi-bus-launcher',
     '/usr/bin/gnome-shell',
     '/usr/bin/ibus-daemon',
     '/usr/bin/kitty',

detection/evasion/unexpected-hidden-system-paths.sql

@@ -141,6 +141,7 @@ WHERE
   AND file.directory NOT IN ('/etc/skel', '/etc/skel/.config')
   AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
   AND file.path NOT LIKE '/tmp/.#%'
+  AND file.path NOT LIKE '/tmp/.lark_cache_%'
   AND file.path NOT LIKE '/tmp/.wine-%'
   AND file.path NOT LIKE '/tmp/.%.gcode'
   AND file.path NOT LIKE '/tmp/.vbox-%-ipc/'

detection/evasion/unexpected-tmp-executables-macos.sql

@@ -14,6 +14,7 @@ SELECT DISTINCT
   file.btime,
   file.ctime,
   file.mtime,
+  file.type,
   file.size,
   hash.sha256,
   magic.data,
@@ -110,6 +111,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
       ) -- macOS updates
       AND NOT file.directory LIKE '/tmp/msu-target-%' -- I don't know man. I don't work here.
       AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS' -- terraform
+      AND NOT file.directory LIKE '/tmp/staged-updates%'
       AND NOT (
         uid > 500
         AND file.path LIKE '/tmp/terraform_%/terraform'
@@ -135,12 +137,12 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
     AND (
       magic.data IN ('JSON data', 'ASCII text')
       OR magic.data LIKE 'ELF %-bit %SB executable%'
-      OR magic.data LIKE 'symbolic link to l%.so.%'
+      OR magic.data LIKE 'symbolic link to %'
       OR magic.data LIKE 'ELF %-bit LSB shared object%'
       OR magic.data LIKE 'libtool library file,%'
       OR (
-        file.filename IN ("configure", "mkinstalldirs")
+        file.filename IN ("configure", "mkinstalldirs", "config.status")
-        AND magic.data = "POSIX shell script, ASCII text executable"
+        AND magic.data LIKE "POSIX shell script, ASCII text executable%"
       )
       OR (
         file.size < 50000
@@ -159,6 +161,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
           'py',
           'script',
           'sh',
+          'status',
           'strings',
           'txt',
           'yaml',

detection/evasion/unexpected-var-run-macos.sql

@@ -31,6 +31,7 @@ WHERE
     'auditd.pid',
     '.autoBackup',
     'automount.initialized',
+    'bootpd.pid',
     'com.apple.DumpPanic.finishedPMUFaultHandling',
     'com.apple.DumpPanic.finishedThisBoot',
     'com.apple.logind.didRunThisBoot',
@@ -44,13 +45,13 @@ WHERE
     'FirstBootAfterUpdate',
     'FirstBootCleanupHandled',
     'hdiejectd.pid',
-    'signpost_reporter_running',
     'kdc.pid',
     'prl_disp_service.pid',
     'prl_naptd.pid',
     'prl_watchdog-ebdba5702a20.pid',
     'resolv.conf',
     'rtadvd.pid',
+    'signpost_reporter_running',
     'socketfilterfw.launchd',
     'syslog.pid',
     'systemkeychaincheck.done',

detection/execution/recently-created-executables-linux.sql

@@ -6,8 +6,8 @@
 -- tags: transient process state often
 -- platform: linux
 SELECT
-  f.ctime,
+  f.ctime AS p0_ctime,
-  f.mtime,
+  f.mtime AS p0_mtime,
   -- Child
   p0.pid AS p0_pid,
   p0.path AS p0_path,
@@ -53,8 +53,11 @@ WHERE
   -- What I would give for osquery to support binary signature verification on Linux
   AND NOT p0.path IN (
     '',
+    '/usr/sbin/irqbalance',
     '/opt/google/chrome/chrome',
     '/usr/bin/packer',
+    '/usr/bin/cmake',
+    '/usr/sbin/cups-browsed',
     '/opt/google/chrome/chrome_crashpad_handler',
     '/opt/google/chrome/nacl_helper',
     '/usr/bin/gnome-software',
@@ -209,6 +212,9 @@ WHERE
     AND p0.cmdline LIKE './%'
   )
   AND NOT p1.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
+  AND NOT p1.name = 'makepkg'
+  AND NOT p2.path = '/usr/bin/yay'
+  AND NOT p2.cmdline LIKE '/usr/bin/yay %'
   AND NOT (
     p0.path LIKE '/home/%'
     AND p0.uid > 499

detection/execution/recently-created-executables-macos.sql

@@ -109,6 +109,7 @@ WHERE
         '~/bin',
         '~/code/bin',
         '~/go/bin',
+        '~/Library/Application Support/snyk-ls',
         '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
         '~/Library/Application Support/dev.warp.Warp-Stable',
         '~/Library/Application Support/zoom.us/Plugins/aomhost.app/Contents/MacOS',
@@ -118,6 +119,7 @@ WHERE
         '~/projects/go/bin'
       )
       OR dir LIKE '~/%/node_modules/.bin/%'
+      OR dir LIKE '~/%/node_modules/esbuild%/bin'
       OR f.path LIKE '%go-build%'
       OR f.path LIKE '~/%/src/%.test'
       OR f.path LIKE '~/%/pkg/%.test'

detection/execution/sketchy-fetcher.sql

@@ -7,42 +7,52 @@
 -- tags: transient process state
 -- platform: posix
 SELECT
-  p.pid,
+  REGEX_MATCH (p0.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
-  p.path,
+  REGEX_MATCH (p0.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
-  p.name,
+  REGEX_MATCH (p0.cmdline, ':(\d+)', 1) AS port,
-  p.cmdline,
+  REGEX_MATCH (p0.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
-  p.start_time,
+  REGEX_MATCH (p0.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
-  REGEX_MATCH (p.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
+  -- Child
-  REGEX_MATCH (p.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
+  p0.pid AS p0_pid,
-  REGEX_MATCH (p.cmdline, ':(\d+)', 1) AS port,
+  p0.path AS p0_path,
-  REGEX_MATCH (p.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
+  p0.name AS p0_name,
-  REGEX_MATCH (p.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
+  p0.start_time AS p0_start,
-  p.cwd,
+  p0.cmdline AS p0_cmd,
-  p.euid,
+  p0.cwd AS p0_cwd,
-  p.parent,
+  p0.cgroup_path AS p0_cgroup,
-  p.cgroup_path,
+  p0.euid AS p0_euid,
-  pp.path AS parent_path,
+  p0_hash.sha256 AS p0_sha256,
-  pp.name AS parent_name,
+  -- Parent
-  pp.cmdline AS parent_cmdline,
+  p0.parent AS p1_pid,
-  pp.euid AS parent_euid,
+  p1.path AS p1_path,
-  gp.name AS gparent_name,
+  p1.name AS p1_name,
-  gp.cmdline AS gparent_cmdline,
+  p1.start_time AS p1_start,
-  pp.pid AS gparent_pid,
+  p1.euid AS p1_euid,
-  hash.sha256 AS parent_sha256
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.start_time AS p2_start,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
-  processes p
+  processes p0
-  LEFT JOIN processes pp ON p.parent = pp.pid
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
-  LEFT JOIN processes gp ON pp.parent = gp.pid
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
-  LEFT JOIN hash ON pp.path = hash.path
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
   -- NOTE: Sync remaining portion with sketchy-fetcher-events
   (
-    INSTR(p.cmdline, 'wget ') > 0
+    INSTR(p0.cmdline, 'wget ') > 0
-    OR INSTR(p.cmdline, 'curl ') > 0
+    OR INSTR(p0.cmdline, 'curl ') > 0
   )
   -- Sketchy fetcher events always seem to contain a switch
-  AND p.cmdline LIKE '%-%'
+  AND p0.cmdline LIKE '%-%'
-  AND p.cmdline LIKE '%/%'
+  AND p0.cmdline LIKE '%/%'
   AND (
     ip NOT IN ('', '127.0.0.1', '::1')
     OR port != ''
@@ -67,65 +77,65 @@ WHERE
       'so',
       'uk'
     )
-    OR p.cmdline LIKE '%chmod%'
+    OR p0.cmdline LIKE '%chmod%'
-    OR p.cmdline LIKE '%.onion%'
+    OR p0.cmdline LIKE '%.onion%'
-    OR p.cmdline LIKE '%tor2web%'
+    OR p0.cmdline LIKE '%tor2web%'
-    OR p.cmdline LIKE '%aliyun%'
+    OR p0.cmdline LIKE '%aliyun%'
-    OR p.cmdline LIKE '%pastebin%'
+    OR p0.cmdline LIKE '%pastebin%'
-    OR p.cmdline LIKE '%curl %--user-agent%'
+    OR p0.cmdline LIKE '%curl %--user-agent%'
-    OR p.cmdline LIKE '%curl -k%'
+    OR p0.cmdline LIKE '%curl -k%'
-    OR p.cmdline LIKE '%curl -sL %'
+    OR p0.cmdline LIKE '%curl -sL %'
-    OR p.cmdline LIKE '%curl%-o-%'
+    OR p0.cmdline LIKE '%curl%-o-%'
-    OR p.cmdline LIKE '%curl%--insecure%'
+    OR p0.cmdline LIKE '%curl%--insecure%'
-    OR p.cmdline LIKE '%wget %--user-agent%'
+    OR p0.cmdline LIKE '%wget %--user-agent%'
-    OR p.cmdline LIKE '%wget %--no-check-certificate%'
+    OR p0.cmdline LIKE '%wget %--no-check-certificate%'
-    OR p.cmdline LIKE '%curl%--connect-timeout%'
+    OR p0.cmdline LIKE '%curl%--connect-timeout%'
-    OR p.cmdline LIKE '%wget -nc%'
+    OR p0.cmdline LIKE '%wget -nc%'
-    OR p.cmdline LIKE '%wget -t%'
+    OR p0.cmdline LIKE '%wget -t%'
-    OR p.cmdline LIKE '%wget -q%'
+    OR p0.cmdline LIKE '%wget -q%'
     OR (
-      p.cmdline LIKE '%wget %'
+      p0.cmdline LIKE '%wget %'
-      AND p.euid < 500
+      AND p0.euid < 500
       -- TODO: Update this query to understand containers
-      AND pp.path NOT IN (
+      AND p1.path NOT IN (
         "/usr/bin/bwrap",
         "/bin/busybox",
         "/usr/bin/melange"
       )
     )
     OR (
-      p.cmdline LIKE '%curl %'
+      p0.cmdline LIKE '%curl %'
-      AND p.euid < 500
+      AND p0.euid < 500
-      AND p.cmdline NOT LIKE "%./configure %--with-curl%"
+      AND p0.cmdline NOT LIKE "%./configure %--with-curl%"
     )
   )
   -- Exceptions for all calls
-  AND pp.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
+  AND p1.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
   AND NOT (
-    p.euid > 500
+    p0.euid > 500
     AND (
-      p.cmdline LIKE '%--dump-header%'
+      p0.cmdline LIKE '%--dump-header%'
-      OR p.cmdline LIKE '%/api/v%'
+      OR p0.cmdline LIKE '%/api/v%'
-      OR p.cmdline LIKE '%curl -X %'
+      OR p0.cmdline LIKE '%curl -X %'
-      OR p.cmdline LIKE '%go mod %'
+      OR p0.cmdline LIKE '%go mod %'
-      OR p.cmdline LIKE '%application/json%'
+      OR p0.cmdline LIKE '%application/json%'
-      OR p.cmdline LIKE '%grpcurl%'
+      OR p0.cmdline LIKE '%grpcurl%'
-      OR p.cmdline LIKE '%Homebrew%'
+      OR p0.cmdline LIKE '%Homebrew%'
-      OR p.cmdline LIKE '%Nixpkgs/%'
+      OR p0.cmdline LIKE '%Nixpkgs/%'
-      OR p.cmdline LIKE '%If-None-Match%'
+      OR p0.cmdline LIKE '%If-None-Match%'
-      OR p.cmdline LIKE '%ctlog%'
+      OR p0.cmdline LIKE '%ctlog%'
-      OR p.cmdline LIKE '%.well-known/openid-configuration%'
+      OR p0.cmdline LIKE '%.well-known/openid-configuration%'
-      OR p.cmdline LIKE '%/openid/v1/jwks%'
+      OR p0.cmdline LIKE '%/openid/v1/jwks%'
-      OR p.cmdline LIKE '%--progress-bar%'
+      OR p0.cmdline LIKE '%--progress-bar%'
-      OR parent_cmdline LIKE '%brew.rb%'
+      OR p1.cmdline LIKE '%brew.rb%'
-      OR parent_cmdline LIKE '%brew.sh%'
+      OR p1.cmdline LIKE '%brew.sh%'
-      OR parent_cmdline LIKE '/nix/store/%-builder.sh'
+      OR p1.cmdline LIKE '/nix/store/%-builder.sh'
-      OR p.cmdline LIKE 'git %'
+      OR p0.cmdline LIKE 'git %'
-      OR p.cmdline LIKE '%LICENSES/vendor/%'
+      OR p0.cmdline LIKE '%LICENSES/vendor/%'
-      OR p.cmdline LIKE 'curl -sL wttr.in%'
+      OR p0.cmdline LIKE 'curl -sL wttr.in%'
-      OR p.cmdline LIKE '%localhost:%'
+      OR p0.cmdline LIKE '%localhost:%'
-      OR p.cmdline LIKE '%127.0.0.1:%'
+      OR p0.cmdline LIKE '%127.0.0.1:%'
-      OR p.name IN ('apko')
+      OR p0.name IN ('apko')
     )
   )
   -- These are typically curl -k calls
@@ -145,3 +155,8 @@ WHERE
       OR ip LIKE '192.168.%'
     )
   )
+  -- Qualys Cloud Agent
+  AND NOT (
+    addr = "169.254.169.254"
+    AND p2.path = "/usr/local/qualys/cloud-agent/bin/qualys-scan-util"
+  )

detection/execution/unexpected-execdir-events-macos.sql

@@ -35,7 +35,6 @@ SELECT
     '(.*)/',
     1
   ) AS top3_dir,
-  u.directory AS user_home_dir,
   s.identifier AS s_id,
   s.authority AS s_auth,
   -- Child
@@ -100,6 +99,7 @@ WHERE
     '~/Applications (Parallels)',
     '~/bin',
     '~/.cargo',
+    '~/melange',
     '~/chainguard',
     '~/dev',
     '~/code',
@@ -137,6 +137,8 @@ WHERE
     '/Library/Application Support/Adobe',
     '~/Library/Application Support/BraveSoftware',
     '/Library/Application Support/Canon_Inc_IC',
+    '~/.docker/cli-plugins/docker-sbom',
+    '~/.docker/cli-plugins',
     '~/Library/Application Support/com.elgato.StreamDeck',
     '~/Library/Application Support/com.grammarly.ProjectLlama',
     '/Library/Application Support/EcammLive',
@@ -170,7 +172,9 @@ WHERE
   AND dir NOT IN (
     '/bin',
     '~/bin',
+    '~/.cache/gitstatus',
     '~/code/bin',
+    '~/.docker/cli-plugins',
     '~/Downloads/google-cloud-sdk/bin',
     '~/Downloads/protoc/bin',
     '~/go/bin',
@@ -192,6 +196,7 @@ WHERE
     '/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS',
     '/Library/Kandji/Kandji Agent.app/Contents/MacOS',
     '/Library/Kandji/Kandji Agent.app/Contents/MacOS/',
+    '/Library/Printers/Brother/Filter/rastertobrother2130.bundle/Contents/MacOS',
     '/Library/Printers/Brother/Filter/rastertobrother2300.bundle/Contents/MacOS',
     '/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS',
     '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS',
@@ -203,6 +208,7 @@ WHERE
     '/Library/TeX/texbin',
     '~/.local/bin',
     '~/.magefile',
+    '~/melange',
     '/node_modules/.bin',
     '/opt/homebrew/bin',
     '/opt/osquery/lib/osquery.app/Contents/MacOS',
@@ -226,6 +232,7 @@ WHERE
     '/usr/lib/fwupd',
     '/usr/lib/ibus',
     '/usr/lib/system',
+    '/usr/local/aws-cli',
     '/usr/local/bin',
     '/usr/local/MacGPG2/bin',
     '/usr/sbin',

detection/execution/unexpected-fetcher-parents.sql

@@ -40,6 +40,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
   child_name IN ('curl', 'wget', 'ftp', 'tftp') -- And not a regular local user
   AND NOT exception_key IN (
     'curl,0,09-timezone,nm-dispatcher',
+    'curl,0,sh,qualys-cloud-ag',
     'curl,0,build.sh,buildkit-runc',
     'curl,0,nm-dispatcher,',
     'curl,0,nm-dispatcher,nm-dispatcher',

detection/execution/unexpected-osascript-calls.sql

@@ -112,6 +112,11 @@ WHERE
     )
   )
   -- The following apply to all uids
-  AND NOT p0_cmd = 'osascript -e user locale of (get system info)'
+  AND NOT p0_cmd IN (
+    'osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges',
+    'osascript -e user locale of (get system info)',
+    '/usr/bin/osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges
+  )
+
 GROUP BY
   pe.pid

detection/execution/unexpected-root-signer-macos.sql

@@ -9,18 +9,23 @@ SELECT
   REGEX_MATCH (p.path, '(/.*?/.*?)/', 1) AS top_dir,
   -- Child
   pe.path AS p0_path,
-  pe.time,
+  pe.time AS p0_time,
+  pe.euid AS p0_euid,
   s.authority AS p0_sauth,
   s.identifier AS p0_sid,
+  hash.sha256 AS p0_hash,
   REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
   TRIM(pe.cmdline) AS p0_cmd,
-  pe.cwd AS p0_cwd,
+  -- pe.cwd is NULL on macOS
+  p.cwd AS p0_cwd,
   pe.pid AS p0_pid,
   pe.euid AS p0_euid,
   -- Parent
   pe.parent AS p1_pid,
   TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+  COALESCE(p1.start_time, pe1.time) AS p1_start,
   COALESCE(p1.path, pe1.path) AS p1_path,
+  p1.cwd AS p1_cwd,
   COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
   REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
   -- Grandparent
@@ -28,6 +33,7 @@ SELECT
   TRIM(
     COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
   ) AS p2_cmd,
+  p1_p2.cwd AS p2_cwd,
   COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
   COALESCE(
     p1_p2_hash.path,
@@ -41,10 +47,11 @@ SELECT
   ) AS p2_name
 FROM
   process_events pe
-  LEFT JOIN signature s ON pe.path = s.path
   LEFT JOIN file f ON pe.path = f.path
   LEFT JOIN users u ON pe.uid = u.uid
+  LEFT JOIN signature s ON pe.path = s.path
   LEFT JOIN processes p ON pe.pid = p.pid
+  LEFT JOIN hash ON pe.path = hash.path
   -- Parents (via two paths)
   LEFT JOIN processes p1 ON pe.parent = p1.pid
   LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
@@ -60,9 +67,9 @@ FROM
   LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
   LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
 WHERE
-  -- query optimization: Exclude SIP protected directories
+  p0_euid = 0
-  p.euid = 0
   AND pe.time > (strftime('%s', 'now') -900)
+  -- query optimization: Exclude SIP protected directories
   AND top_dir NOT IN (
     '/Library/Apple',
     '/System/Library',
@@ -107,21 +114,21 @@ WHERE
       pe.path LIKE "/nix/store/%-nix-%/bin/nix-%"
       OR pe.path LIKE "/private/var/folders/%/T/tmp.%/nix-installer"
     )
-    AND p1.path = "/usr/bin/sudo"
+    AND p1_path = "/usr/bin/sudo"
   )
   AND NOT (
     s.authority = ""
-    AND p0_path LIKE "/opt/%/bin/socket_vmnet"
+    AND pe.path LIKE "/opt/%/bin/socket_vmnet"
     AND p1_path IN ("/usr/bin/sudo", "/sbin/launchd")
   )
   AND NOT (
     s.authority = ""
-    AND p0_path LIKE "/opt/homebrew/Cellar/mariadb/%/bin/mariadbd"
+    AND pe.path LIKE "/opt/homebrew/Cellar/mariadb/%/bin/mariadbd"
     AND p0_cmd LIKE "/opt/homebrew/opt/mariadb/bin/mariadbd %"
   )
   AND NOT (
     s.authority = ""
-    AND p0_path LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled"
+    AND pe.path LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled"
     AND p0_cmd LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled %"
   )
   AND NOT (
@@ -129,4 +136,4 @@ WHERE
     AND p0_name = "node"
     AND p1_name IN ("vim", "nvim")
   )
-  AND NOT p0_path LIKE '/usr/local/Cellar/htop/%/bin/htop'
+  AND NOT pe.path LIKE '/usr/local/Cellar/htop/%/bin/htop'

detection/execution/unexpected-security-framework-program-macos.sql

@@ -146,7 +146,9 @@ WHERE
     '500,scdaemon,scdaemon,',
     '500,tflint-ruleset-aws,a.out,',
     '500,sdaudioswitch,,',
+    '500,monorail,a.out,',
     '500,sdaudioswitch,sdaudioswitch,',
+    '500,k9s,a.out,',
     '500,sdzoomplugin,,',
     '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
     '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -123,6 +123,7 @@ WHERE
     'adoptium.net',
     'balsamiq.com',
     'brave.com',
+    'cron.com',
     'discord.com',
     'dl.discordapp.net',
     'dl.google.com',

detection/initial_access/unexpected-shell-parents.sql

@@ -11,28 +11,45 @@
 -- interval: 60
 -- platform: posix
 SELECT
-  p.name,
+  -- Child
-  p.path AS path,
+  p0.pid AS p0_pid,
-  p.cmdline AS cmd,
+  p0.path AS p0_path,
-  p.pid,
+  p0.name AS p0_name,
-  p.cgroup_path,
+  p0.start_time AS p0_start,
-  p.parent,
+  p0.cmdline AS p0_cmd,
-  p.cwd,
+  p0.cwd AS p0_cwd,
-  pp.name AS parent_name,
+  p0.cgroup_path AS p0_cgroup,
-  pp.path AS parent_path,
+  p0.euid AS p0_euid,
-  pp.cmdline AS parent_cmd,
+  p0_hash.sha256 AS p0_sha256,
-  hash.sha256 AS parent_sha256
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1.start_time AS p1_start,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.start_time AS p2_start,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM
-  processes p
+  processes p0
-  LEFT JOIN processes pp ON pp.pid = p.parent
+  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
-  LEFT JOIN hash ON pp.path = hash.path
+  LEFT JOIN processes p1 ON p0.parent = p1.pid
+  LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+  LEFT JOIN processes p2 ON p1.parent = p2.pid
+  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
-  p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
+  p0.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
   -- Ignore partial table joins
-  AND parent_path != ''
+  AND p1_path != ''
   -- Editors & terminals mostly.
   -- I know it's tempting to list "electron" here but please find a more specific exclusion.
-  AND pp.name NOT IN (
+  AND p1.name NOT IN (
     'abrt-action-per',
     'abrt-handle-eve',
     'alacritty',
@@ -129,7 +146,7 @@ WHERE
     'zellij',
     'zsh'
   )
-  AND parent_path NOT IN (
+  AND p1_path NOT IN (
     '/Applications/Docker.app/Contents/MacOS/Docker',
     '/Applications/Docker.app/Contents/MacOS/install',
     '/Applications/Docker.app/Contents/Resources/bin/com.docker.cli',
@@ -142,6 +159,7 @@ WHERE
     '/Applications/Amazon Photos.app/Contents/MacOS/Amazon Photos',
     '/bin/dash',
     '/bin/sh',
+    '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent',
     '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent',
     '/Library/Developer/CommandLineTools/usr/bin/git',
     '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon',
@@ -169,10 +187,11 @@ WHERE
     '/usr/libexec/periodic-wrapper',
     '/usr/lib/xorg/Xorg'
   )
-  AND NOT p.cmdline IN (
+  AND NOT p0.cmdline IN (
     -- npm run server
     'sh -c -- exec-bin node_modules/.bin/hugo/hugo server',
     '/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
+    '/bin/sh -c sysctl hw.model kern.osrelease',
     '/bin/bash -c ioreg -l -w 0 | grep SecureInput',
     "sh -c acpi -b | grep -v 'unavailable'",
     'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null',
@@ -180,43 +199,43 @@ WHERE
     'sh -c ps -xcocommand,pid | grep "LOGINserver"'
   )
   AND NOT (
-    pp.name = 'sshd'
+    p1.name = 'sshd'
-    AND p.cmdline LIKE '%askpass%'
+    AND p0.cmdline LIKE '%askpass%'
   )
   AND NOT (
-    pp.name = 'steam'
+    p1.name = 'steam'
-    AND p.cmdline LIKE 'sh -c %steamwebhelper.sh%'
+    AND p0.cmdline LIKE 'sh -c %steamwebhelper.sh%'
   )
   AND NOT (
-    pp.name = 'bash'
+    p1.name = 'bash'
-    AND p.cmdline LIKE 'sh -s _hostname %'
+    AND p0.cmdline LIKE 'sh -s _hostname %'
   )
   AND NOT (
-    pp.cmdline LIKE 'perl%/help2man%'
+    p1.cmdline LIKE 'perl%/help2man%'
-    AND p.cmdline LIKE 'sh -c man/%'
+    AND p0.cmdline LIKE 'sh -c man/%'
   )
-  AND NOT p.cmdline LIKE '/bin/sh %/bin/docker-credential-gcloud get'
+  AND NOT p0.cmdline LIKE '/bin/sh %/bin/docker-credential-gcloud get'
-  AND NOT parent_path LIKE '/private/var/folders/%/T/go-build%.test'
+  AND NOT p1_path LIKE '/private/var/folders/%/T/go-build%.test'
-  AND NOT parent_path LIKE '/private/tmp/PKInstallSandbox.%/tmp/Python/Python3.framework/Versions/%/Resources/Python.app/Contents/MacOS/Python'
+  AND NOT p1_path LIKE '/private/tmp/PKInstallSandbox.%/tmp/Python/Python3.framework/Versions/%/Resources/Python.app/Contents/MacOS/Python'
-  AND NOT p.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%'
+  AND NOT p0.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%'
-  AND NOT p.cmdline LIKE '%gcloud config config-helper%'
+  AND NOT p0.cmdline LIKE '%gcloud config config-helper%'
-  AND NOT p.cmdline LIKE '%hugo/hugo server%'
+  AND NOT p0.cmdline LIKE '%hugo/hugo server%'
-  AND NOT pp.cmdline LIKE '/Applications/Warp.app/%'
+  AND NOT p1.cmdline LIKE '/Applications/Warp.app/%'
-  AND NOT pp.cmdline = 'npm run start'
+  AND NOT p1.cmdline = 'npm run start'
-  AND NOT pp.cmdline LIKE '%brew.rb%'
+  AND NOT p1.cmdline LIKE '%brew.rb%'
-  AND NOT pp.cmdline LIKE '%/Homebrew/build.rb%'
+  AND NOT p1.cmdline LIKE '%/Homebrew/build.rb%'
-  AND NOT pp.cmdline LIKE '%Code Helper%'
+  AND NOT p1.cmdline LIKE '%Code Helper%'
-  AND NOT pp.cmdline LIKE '%gcloud.py config config-helper%'
+  AND NOT p1.cmdline LIKE '%gcloud.py config config-helper%'
-  AND NOT pp.cmdline LIKE '/usr/lib/electron19/electron /usr/lib/code/out/bootstrap-fork --type=ptyHost --logsPath /home/%/.config/Code - OSS/logs/%'
+  AND NOT p1.cmdline LIKE '/usr/lib/electron19/electron /usr/lib/code/out/bootstrap-fork --type=ptyHost --logsPath /home/%/.config/Code - OSS/logs/%'
-  AND NOT pp.name LIKE '%term%'
+  AND NOT p1.name LIKE '%term%'
-  AND NOT pp.name LIKE '%Term%'
+  AND NOT p1.name LIKE '%Term%'
-  AND NOT pp.name LIKE 'Emacs%'
+  AND NOT p1.name LIKE 'Emacs%'
-  AND NOT pp.name LIKE 'terraform-provider-%'
+  AND NOT p1.name LIKE 'terraform-provider-%'
-  AND NOT pp.path LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent'
+  AND NOT p1.path LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent'
   -- Oh, NixOS.
-  AND NOT pp.name LIKE '%/bin/bash'
+  AND NOT p1.name LIKE '%/bin/bash'
-  AND NOT pp.name LIKE '%/bin/direnv'
+  AND NOT p1.name LIKE '%/bin/direnv'
-  AND NOT parent_path LIKE '/nix/store/%sh'
+  AND NOT p1_path LIKE '/nix/store/%sh'
-  AND NOT parent_path LIKE '/opt/homebrew/%'
+  AND NOT p1_path LIKE '/opt/homebrew/%'
-  AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
+  AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
-  AND NOT p.cgroup_path LIKE '/system.slice/system.slice:docker:%'
+  AND NOT p0.cgroup_path LIKE '/system.slice/system.slice:docker:%'

detection/persistence/low-fd-socket.sql

@@ -8,20 +8,45 @@
 --
 -- tags: process state
 -- platform: posix
-SELECT p.uid,
+SELECT pos.protocol,
-    p.euid,
-    pos.protocol,
     pos.pid,
     pos.remote_address,
     pos.local_address,
     pos.local_port,
     pos.remote_port,
-    p.name,
+    pos.state,
-    p.start_time,
+    -- Child
-    p.parent,
+    p0.pid AS p0_pid,
-    p.cgroup_path,
+    p0.path AS p0_path,
-    p.path,
+    p0.name AS p0_name,
-    pos.state
+    p0.start_time AS p0_start,
-FROM processes p
+    p0.cmdline AS p0_cmd,
-    JOIN process_open_sockets pos ON p.pid = pos.pid
+    p0.cwd AS p0_cwd,
-    WHERE fd < 3 AND family != 1;
+    p0.cgroup_path AS p0_cgroup,
+    p0.euid AS p0_euid,
+    p0_hash.sha256 AS p0_sha256,
+    -- Parent
+    p0.parent AS p1_pid,
+    p1.path AS p1_path,
+    p1.name AS p1_name,
+    p1.start_time AS p1_start,
+    p1.euid AS p1_euid,
+    p1.cmdline AS p1_cmd,
+    p1_hash.sha256 AS p1_sha256,
+    -- Grandparent
+    p1.parent AS p2_pid,
+    p2.name AS p2_name,
+    p2.start_time AS p2_start,
+    p2.path AS p2_path,
+    p2.cmdline AS p2_cmd,
+    p2_hash.sha256 AS p2_sha256
+FROM process_open_sockets pos
+    JOIN processes p0 ON pos.pid = p0.pid
+    LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
+    LEFT JOIN processes p1 ON p0.parent = p1.pid
+    LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
+    LEFT JOIN processes p2 ON p1.parent = p2.pid
+    LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
+WHERE pos.fd < 3
+    AND pos.family != 1
+    AND p0.path NOT IN ('/usr/libexec/bootpd')

detection/persistence/minimal-socket-client-linux.sql

@@ -8,43 +8,47 @@
 --
 -- tags: persistent process state seldom
 -- platform: linux
-SELECT p.uid,
+SELECT pos.protocol,
-    p.euid,
-    pos.protocol,
     pos.pid,
     pos.remote_address,
     pos.local_address,
     pos.local_port,
     pos.remote_port,
-    p.start_time,
-    p.name,
-    p.parent,
-    p.cgroup_path,
-    p.path,
     pos.state,
     GROUP_CONCAT(DISTINCT pmm.path) AS libs,
-    COUNT(DISTINCT pmm.path) AS lib_count
+    COUNT(DISTINCT pmm.path) AS lib_count,
-FROM processes p
+    -- Child
-    JOIN process_open_sockets pos ON p.pid = pos.pid AND pos.family != 1
+    p0.pid AS p0_pid,
-    JOIN process_memory_map pmm ON pos.pid = pmm.pid 
+    p0.path AS p0_path,
-WHERE p.pid IN (
+    p0.name AS p0_name,
-        SELECT pid
+    p0.start_time AS p0_start,
-        FROM processes
+    p0.cmdline AS p0_cmd,
-        WHERE path NOT IN (
+    p0.cwd AS p0_cwd,
-                '/usr/bin/containerd',
+    p0.cgroup_path AS p0_cgroup,
-                '/usr/bin/fusermount3',
+    p0.euid AS p0_euid,
-                '/usr/sbin/acpid',
+    p0_hash.sha256 AS p0_sha256
-                '/usr/bin/dash',
+FROM processes p0
-                '/usr/bin/docker',
+    JOIN process_open_sockets pos ON p0.pid = pos.pid
-                '/usr/sbin/mcelog',
+    JOIN process_memory_map pmm ON p0.pid = pmm.pid
-                '/usr/bin/docker-proxy',
+    LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
-                '/usr/bin/cat',
+WHERE
-                '/usr/lib/electron/chrome-sandbox',
+    pos.family != 1
-                '/usr/bin/i3blocks'
+    AND pos.pid > 0
-            )
+    AND pos.state != 'LISTEN'
-            AND name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node')
+    AND p0.path NOT IN (
-        GROUP BY processes.path
+        '/usr/bin/containerd',
+        '/usr/bin/fusermount3',
+        '/usr/sbin/acpid',
+        '/usr/bin/dash',
+        '/usr/bin/docker',
+        '/usr/sbin/mcelog',
+        '/usr/libexec/docker/docker-proxy',
+        '/usr/bin/docker-proxy',
+        '/usr/bin/cat',
+        '/usr/lib/electron/chrome-sandbox',
+        '/usr/bin/i3blocks'
     )
+    AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node')
     AND pmm.path LIKE "%.so.%"
 GROUP BY pos.pid -- libc.so, ld-linux
 HAVING lib_count IN (1, 2)

detection/persistence/minimal-socket-client-macos.sql

@@ -23,7 +23,7 @@ SELECT
     p.cgroup_path,
     p.path,
     pos.state,
-    GROUP_CONCAT(pmm.path) AS libs,
+    GROUP_CONCAT(DISTINCT pmm.path) AS libs,
     COUNT(DISTINCT pmm.path) AS lib_count,
     -- Normally we would use signatures for exceptions, but it was triggering
     -- an unusual performance issue in osquery.
@@ -68,6 +68,7 @@ WHERE
     AND exception_key NOT IN (
         '500,Todoist,/Applications/Todoist.app/Contents/MacOS/Todoist',
         '500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
+        '500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper (GPU).app/Contents/MacOS/WhatsApp Helper (GPU)',
         '500,Slack Helper (Renderer),/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS/Slack Helper (Renderer)',
         '500,Snagit 2020,/Applications/Snagit 2020.app/Contents/MacOS/Snagit 2020',
         '500,SnagitHelper2020,/Applications/Snagit 2020.app/Contents/Library/LoginItems/SnagitHelper2020.app/Contents/MacOS/SnagitHelper2020'

detection/persistence/unexpected-active-systemd-units.sql

@@ -49,10 +49,13 @@ WHERE
     AND (
       exception_key IN (
         'abrtd.service,ABRT Automated Bug Reporting Tool,,450',
+        'abrtd.service,ABRT Daemon,,225',
+        'abrt-journal-core.service,ABRT coredumpctl message creator,,0',
         'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,,225',
         'abrt-oops.service,ABRT kernel log watcher,,225',
         'abrt-xorg.service,ABRT Xorg log watcher,,225',
         'accounts-daemon.service,Accounts Service,,1800',
+        'accounts-daemon.service,Accounts Service,,2025',
         'accounts-daemon.service,Accounts Service,,675',
         'acpid.path,ACPI Events Check,,0',
         'acpid.service,ACPI Daemon,,1125',
@@ -138,6 +141,7 @@ WHERE
         'fprintd.service,Fingerprint Authentication Daemon,,675',
         'fprintd.service,Fingerprint Authentication Daemon,,900',
         'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,225',
+        'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,450',
         'fstrim.timer,Discard unused blocks once a week,,225',
         'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,225',
         'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,450',
@@ -176,6 +180,7 @@ WHERE
         'lm-sensors.service,Initialize hardware monitoring sensors,,0',
         'lm_sensors.service,Initialize hardware monitoring sensors,,225',
         'logrotate-checkconf.service,Logrotate configuration check,,1125',
+        'logrotate-checkconf.service,Logrotate configuration check,,900',
         'logrotate.timer,Daily rotation of log files,,0',
         'logrotate.timer,logrotate.timer,,0',
         'low-memory-monitor.service,Low Memory Monitor,,675',
@@ -201,6 +206,7 @@ WHERE
         'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,,225',
         'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,,225',
         "networking.service,Raise network interfaces,,450",
+        'network-local-commands.service,Extra networking commands.,,1125',
         'network-local-commands.service,Extra networking commands.,,1350',
         'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,450',
         'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,675',
@@ -208,11 +214,13 @@ WHERE
         'NetworkManager.service,Network Manager,,1350',
         'NetworkManager-wait-online.service,Network Manager Wait Online,,1125',
         'network-setup.service,Networking Setup,,1350',
+        'nginx.service,Nginx Web Server,nginx,2250',
         'nginx.service,Nginx Web Server,nginx,2400',
         'nix-daemon.service,Nix Daemon,,225',
         'nix-daemon.socket,Nix Daemon Socket,,225',
         'nix-gc.timer,nix-gc.timer,,0',
         'nscd.service,Name Service Cache Daemon,nscd,1800',
+        'nscd.service,Name Service Cache Daemon (nsncd),nscd,1350',
         'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,225',
         'nvidia-persistenced.service,NVIDIA Persistence Daemon,,225',
         'nvidia-powerd.service,nvidia-powerd service,,0',
@@ -235,6 +243,7 @@ WHERE
         'proc-sys-fs-binfmt_misc.automount,Arbitrary Executable File Formats File System Automount Point,,675',
         'pwrstatd.service,The monitor UPS software.,,225',
         'qemu-kvm.service,QEMU KVM preparation - module, ksm, hugepages,,225',
+        'qualys-cloud-agent.service,Qualys cloud agent daemon,,225',
         'raid-check.timer,Weekly RAID setup health check,,0',
         'realmd.service,Realm and Domain Configuration,,0',
         'reflector.service,Refresh Pacman mirrorlist with Reflector.,,1350',
@@ -253,14 +262,7 @@ WHERE
         'setvtrgb.service,Set console scheme,,225',
         'shadow.service,Verify integrity of password and group files,,900',
         'shadow.timer,Daily verification of password and group files,,0',
-        'abrt-journal-core.service,ABRT coredumpctl message creator,,0',
-        'abrtd.service,ABRT Daemon,,225',
-        'nginx.service,Nginx Web Server,nginx,2250',
-        'network-local-commands.service,Extra networking commands.,,1125',
-        'logrotate-checkconf.service,Logrotate configuration check,,900',
         '-.slice,Root Slice,,0',
-        'accounts-daemon.service,Accounts Service,,2025',
-        'nscd.service,Name Service Cache Daemon (nsncd),nscd,1350',
         'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,225',
         'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,450',
         'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,,675',
@@ -310,6 +312,7 @@ WHERE
         'systemd-journald.service,Journal Service,,1800',
         'systemd-journald.service,Journal Service,,2025',
         'systemd-journald.service,Journal Service,,2200',
+        'systemd-journald.service,Journal Service,,2250',
         'systemd-journald.socket,Journal Socket,,900',
         'systemd-journal-flush.service,Flush Journal to Persistent Storage,,675',
         'systemd-localed.service,Locale Service,,1125',

detection/persistence/unexpected-global-lock.sql

@@ -36,6 +36,7 @@ WHERE (
     AND exception_key NOT IN (
         '0,0,/var/run/unattended-upgrades.lock,regular,0640',
         '0,0,/var/run/xtables.lock,regular,0600',
+        '0,0,/var/run/dnf-metadata.lock,regular,0644',
         '0,0,/var/run/apport.lock,regular,0600',
         '74,0,/tmp/mysql.sock.lock,regular,0600',
         '74,0,/tmp/mysqlx.sock.lock,regular,0600'

detection/persistence/unexpected-lock-opener.sql

@@ -23,15 +23,31 @@ SELECT CONCAT(
         )
     ) AS exception_key,
     pof.path AS lock,
-    -- Child
+  -- Child
-    p0.pid AS p0_pid,
+  p0.pid AS p0_pid,
-    p0.path AS p0_path,
+  p0.path AS p0_path,
-    p0.name AS p0_name,
+  p0.name AS p0_name,
-    p0.cmdline AS p0_cmd,
+  p0.start_time AS p0_start,
-    p0.cwd AS p0_cwd,
+  p0.cmdline AS p0_cmd,
-    p0.cgroup_path AS p0_cgroup,
+  p0.cwd AS p0_cwd,
-    p0.euid AS p0_euid,
+  p0.cgroup_path AS p0_cgroup,
-    p0_hash.sha256 AS p0_sha256
+  p0.euid AS p0_euid,
+  p0_hash.sha256 AS p0_sha256,
+  -- Parent
+  p0.parent AS p1_pid,
+  p1.path AS p1_path,
+  p1.name AS p1_name,
+  p1.start_time AS p1_start,
+  p1.euid AS p1_euid,
+  p1.cmdline AS p1_cmd,
+  p1_hash.sha256 AS p1_sha256,
+  -- Grandparent
+  p1.parent AS p2_pid,
+  p2.name AS p2_name,
+  p2.start_time AS p2_start,
+  p2.path AS p2_path,
+  p2.cmdline AS p2_cmd,
+  p2_hash.sha256 AS p2_sha256
 FROM processes p0
     JOIN users u ON p0.euid = u.uid
     LEFT JOIN process_open_files pof ON p0.pid = pof.pid
@@ -41,19 +57,23 @@ FROM processes p0
     LEFT JOIN processes p2 ON p1.parent = p2.pid
     LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE pof.path LIKE "%.lock"
-    AND pof.path NOT LIKE "/run/user/1%/%.lock"
+    AND pof.path NOT LIKE "/run/user/%/%.lock"
     AND NOT exception_key IN (
         '0,com.apple.MobileSoftwareUpdate.CryptegraftService,/private/var/db/softwareupdate/SplunkHistory',
         '0,snapd,/var/lib/snapd',
+        '500,flyctl,~/.fly',
         '200,softwareupdated,/private~/SplunkHistory',
+        '500,Ecamm Live Stream Deck Plugin,~/Library/Application Support/com.elgato.StreamDeck/Sentry',
         '500,Beeper,~/Library/Application Support/Beeper/EventStore',
         '500,bridge-gui,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
         '500,bridge-gui,~/Library/Caches/protonmail/bridge-v3',
+        '200,NRDUpdated,/private~/SplunkHistory',
         '500,bridge,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
         '500,Stream Deck,~/Library/Application Support/com.elgato.StreamDeck/Sentry',
         '500,bridge,~/Library/Caches/protonmail/bridge-v3',
         '500,Craft,~/Library/Containers/com.lukilabs.lukiapp/Data/Library/Application Support/com.lukilabs.lukiapp',
         '500,buildkitd,~/.local/share/buildkit',
+        '500,Adobe Premiere Pro 2023,~/Library/Caches/Adobe/Premiere Pro/23.0/SentryIO-db',
         '500,com.docker.backend,~/Library/Containers/com.docker.docker',
         '500,photolibraryd,~/Library/Photos/Libraries/Syndication.photoslibrary/database',
         '500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database',
@@ -62,7 +82,9 @@ WHERE pof.path LIKE "%.lock"
     AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,~/%'
     AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,/private/var/folders/%'
     AND NOT exception_key LIKE '500,lua-language-server,~/%'
-    AND NOT exception_key LIKE '0,prl_disp_service,/Users/%/Parallels/%/vm.lock'
+    AND NOT exception_key LIKE '500,ykman-gui,/private/var/folders/%/T'
+    AND NOT exception_key LIKE '500,golangci-lint,/private/var/folders/%/T'
+    AND NOT exception_key LIKE '0,prl_disp_service,/Users/%/Parallels/%.pvm'
     AND NOT exception_key LIKE '500,iTermServer-%,~/Library/Application Support/iTerm2'
     AND NOT exception_key LIKE '500,%,/private/var/folders/%/T/Sentry_StreamDeck'
     AND NOT exception_key LIKE '500,gnome-software,/var/tmp/flatpak-cache-%'

detection/privesc/unexpected-elevated-children-events_macos.sql

@@ -107,16 +107,19 @@ WHERE
     '/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
   )
   AND NOT exception_key IN (
-    'containermanagerd,262,com.docker.backend,Docker',
-    'sysextd,0,LogiTune,launchd',
-    'CAReportingService,0,LogiTune,launchd',
-    'biometrickitd,0,LogiTune,launchd',
-    'suhelperd,0,LogiTune,launchd',
-    'com.apple.AccountPolicyHelper,0,LogiTune,launchd',
     'amfid,0,com.docker.backend,Docker',
-    'dprivacyd,0,com.docker.backend,Docker',
+    'biometrickitd,0,LogiTune,launchd',
+    'bioutil,0,callservicesd,launchd',
+    'CAReportingService,0,LogiTune,launchd',
+    'com.apple.AccountPolicyHelper,0,LogiTune,launchd',
     'com.apple.geod,262,com.docker.backend,Docker',
-    'SCHelper,0,com.docker.backend,Docker'
+    'com.apple.WebKit.WebContent,200,zsh,Emacs-arm64-11',
+    'containermanagerd,262,com.docker.backend,Docker',
+    'dprivacyd,0,com.docker.backend,Docker',
+    'SCHelper,0,com.docker.backend,Docker',
+    'suhelperd,0,LogiTune,launchd',
+    'sysextd,0,LogiTune,launchd',
+    'system_profiler,0,callservicesd,launchd'
   )
   AND NOT (
     pe.euid = 262 -- core media helper id

fragments/process_event_parents_macos.sql

@@ -15,6 +15,7 @@ SELECT
   -- Parent
   pe.parent AS p1_pid,
   TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+  COALESCE(p1.start_time, pe1.time) AS p1_start,
   COALESCE(p1.path, pe1.path) AS p1_path,
   p1.cwd AS p1_cwd,
   COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,

fragments/process_parents.sql

@@ -26,8 +26,7 @@ SELECT
   p2.cmdline AS p2_cmd,
   p2_hash.sha256 AS p2_sha256
 FROM
-  process_open_sockets pop
+  processes p0
-  LEFT JOIN processes p0 ON pop.pid = p0.pid
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
   LEFT JOIN processes p1 ON p0.parent = p1.pid
   LEFT JOIN hash p1_hash ON p1.path = p1_hash.path

policy/gcp-service-account-keys-mdfind.sql

@@ -85,6 +85,7 @@ WHERE
     '4b4be8c1bc7e3bc7ea1f02932a024466db5faf3eaad885cf31ac7383484b1b1c',
     '6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
     'e99b4e6dfbbefa19c9ec9c82bb0c3445a443702f960c2a05f882bb5577a59ef8',
+    '421899fb9bfa0252ce7921969339918a5bbacbc7b9cd500e03a88f9c4e33bae4',
     '81bce2313cd00ffc42303fbf7c08e4d068fccc9c0076867903ef94616d795e12',
     '8d740893c1f9163ddfd8c193d9a95caf15da3740b42f2739c4b107ad12661809',
     '998ddcb7d1a7c2931c8546576873e47b399f23cef719227052f245c8240c6528',

policy/gcp-service-account-keys.sql

@@ -4,6 +4,7 @@
 -- platform: posix
 SELECT
   file.path,
+  file.filename,
   file.type,
   file.size,
   file.mtime,
@@ -48,6 +49,5 @@ WHERE
   AND NOT file.filename LIKE 'ulabs-%'
   AND NOT hash.sha256 IN (
     "c7d6bac8e942511e25973889ac38656d4d46f68044650d694721017fda23716e",
-    "bd5f4c01ebb5636b94584ee4ae42514b27d371859f7344f6aa5a37332ee714ba",
     "bd5f4c01ebb5636b94584ee4ae42514b27d371859f7344f6aa5a37332ee714ba"
   )