fpr: macOS, yubikey, Premiere, dnf, vagrant, etc

Thomas Stromberg 2023-05-23 11:31:37 -04:00
parent 82134447fa
commit 111c15e20b
32 changed files with 376 additions and 252 deletions


@ -72,7 +72,7 @@ verify-ci: ./out/osqtool-$(ARCH)
verify: ./out/osqtool-$(ARCH)
$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h15m --max-query-daily-duration=1h verify detection
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h25m --max-query-daily-duration=1h verify detection
all: out/odk-packs.zip


@ -83,6 +83,7 @@ WHERE
'0,python3.10,0u,0g,dnf',
'0,python3.10,0u,0g,dnf-automatic',
'0,python3.10,0u,0g,yum',
'500,evolution-source-registry,0u,0g,evolution-sourc',
'0,python3.11,0u,0g,dnf',
'0,python3.11,0u,0g,dnf-automatic',
'0,python3.11,0u,0g,yum',
@ -247,6 +248,7 @@ WHERE
'500,spotify,500u,500g,spotify',
'500,spotify,u,g,spotify',
'500,steam,500u,100g,steam',
'500,buildkite-agent,500u,500g,buildkite-agent',
'500,steam,500u,500g,steam',
'500,steamwebhelper,500u,100g,steamwebhelper',
'500,steamwebhelper,500u,500g,steamwebhelper',
@ -264,6 +266,7 @@ WHERE
'500,todoist,0u,0g,todoist',
'500,trivy,0u,0g,trivy',
'500,trivy,500u,500g,trivy',
'500,firefox-bin,u,g,firefox-bin',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,wget,0u,0g,wget',
'500,wine64-preloader,500u,500g,Root.exe',
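Review bot: The key `'500,firefox-bin,u,g,firefox-bin'` carries empty values in its third and fourth fields (`u,g` with no number in front), so it matches only rows where whatever populates those fields came back empty, and for those rows it matches regardless of that attribute; compare `'500,steam,500u,500g,steam'` on the same list. If the blank fields reflect a join that found nothing, the entry is looser than its neighbours, and a trailing comment on the line in the form `-- u/g are blank here because …` would keep the next reader from treating it as a typo. The same shape appears as `'3306,6,500,java,u,g,java'` in a later hunk of this commit. Which entries in this list are the ones added is not recoverable from the rendered page, so this applies to whichever is new.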


@ -102,15 +102,19 @@ WHERE pos.protocol IN (6, 17)
AND s.authority = 'Software Signing'
)
AND NOT exception_key IN (
'0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
'0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
'500,bash,bash,,bash',
'0,EdgeUpdater,EdgeUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.EdgeUpdater',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64',
'500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
'500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642),Ecamm Live Stream Deck Plugin',
'500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
'500,Fleet,~/Library/Caches/JetBrains/Fleet',
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
'500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
'500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
@ -126,6 +130,7 @@ WHERE pos.protocol IN (6, 17)
'500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
'500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
'500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
'500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
'500,syncthing,syncthing,,syncthing',
'500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform',
'500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
@ -137,7 +142,9 @@ WHERE pos.protocol IN (6, 17)
'500,chainlink,chainlink,500u,20g',
'500,cpu,cpu,500u,20g',
'500,cosign,cosign,0u,500g',
'500,chainctl,chainctl,500u,20g',
'500,crane,crane,500u,80g',
'500,pulumi-resource-gcp,pulumi-resource-gcp,500u,20g',
'500,go,go,500u,80g',
'500,git-remote-http,git-remote-http,500u,80g',
'500,vim,vim,0u,500g',
@ -147,6 +154,11 @@ WHERE pos.protocol IN (6, 17)
)
AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
AND NOT (
exception_key = '500,Python,Python,,org.python.python'
AND p0_cmd LIKE '% main.py'
AND p0_cwd LIKE "%/neko"
)
AND NOT (
exception_key IN (
'500,Python,Python,,org.python.python',
@ -156,7 +168,6 @@ WHERE pos.protocol IN (6, 17)
p0_cmd LIKE '%/gcloud.py%'
OR p0_cmd LIKE '%pip install%'
OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
OR p0_cmd LIKE '%/main.py'
OR p0_cmd LIKE '%/bin/aws%'
)
) -- theScore and other iPhone apps
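Review bot: `'500,Fleet,~/Library/Caches/JetBrains/Fleet'` has three comma-separated fields while every other entry in this `exception_key IN (...)` list has five (uid, name, name, authority, identifier), so if exception_key is built the same way for every row this entry can never match and is dead; it reads like a path pasted where a key was meant and should become a five-field key or a separate `p0.path LIKE` clause. On the same list, `'500,bash,bash,,bash'` exempts every uid-500 bash with an empty signing authority from this query, a far broader carve-out than its signed neighbours; if that is deliberate, a trailing comment stating why would help. The enclosing WHERE starts before this hunk.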


@ -69,6 +69,7 @@ WHERE
AND NOT exception_key IN (
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',


@ -130,7 +130,9 @@ WHERE
'80,6,0,applydeltarpm,0u,0g,applydeltarpm',
'80,6,0,appstreamcli,0u,0g,appstreamcli',
'80,6,0,bash,0u,0g,bash',
'43,6,500,whois.md,0u,0g,whois',
'80,6,0,bash,0u,0g,mkinitcpio',
'3306,6,500,java,u,g,java',
'80,6,0,bash,0u,0g,sh',
'80,6,0,bash,0u,0g,update-ca-trust',
'80,6,0,cp,0u,0g,cp',


@ -116,6 +116,8 @@ WHERE
)
AND NOT exception_key IN (
'0,6,80,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
'500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
'500,17,9000,Meeting Center,Meeting Center,Developer ID Application: Cisco (DE8Y96K9QP),com.webex.meetingmanager',
'500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
@ -139,27 +141,31 @@ WHERE
'500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
'500,6,80,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
'500,6,80,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
'500,6,80,Slack Helper,Slack Helper,Apple Mac OS Application Signing,com.tinyspeck.slackmacgap.helper',
'500,6,80,Snagit 2020,Snagit 2020,Apple Mac OS Application Signing,com.TechSmith.Snagit2020',
'500,6,80,Snagit 2023,Snagit 2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.TechSmith.Snagit2023',
'500,6,80,SnagitHelper2020,SnagitHelper2020,Apple Mac OS Application Signing,com.techsmith.snagit.capturehelper2020',
'500,6,80,SnagitHelper2023,SnagitHelper2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2023',
'500,6,80,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'500,6,80,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
'500,6,80,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
'500,6,80,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),WhatsApp',
'500,6,80,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
'500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
'500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
) -- Useful for unsigned binaries
AND NOT alt_exception_key IN (
'500,6,80,firefox,firefox,500u,20g',
'500,6,22,ssh,ssh,0u,500g',
'500,6,22,ssh,ssh,500u,0g',
'500,6,22,ssh,ssh,500u,20g',
'500,6,22,ssh,ssh,500u,80g',
'500,6,80,qemu-system-aarch64,qemu-system-aarch64,500u,80g',
'500,6,3307,cloud_sql_proxy,cloud_sql_proxy,0u,0g',
'500,6,3307,cloud_sql_proxy,cloud_sql_proxy,500u,20g',
'500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
'500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g'
'500,6,3307,cloud_sql_proxy,cloud_sql_proxy,500u,20g',
'500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g',
'500,6,80,qemu-system-aarch64,qemu-system-aarch64,500u,80g'
)
AND NOT (
alt_exception_key LIKE '500,6,%,syncthing,syncthing,0u,500g'
@ -179,6 +185,7 @@ WHERE
OR pos.remote_port > 3000
)
AND id_exception_key IN (
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',


@ -1,31 +0,0 @@
-- Find a process which has a parent that is not listed in the process table
--
-- Works well for revealing boopkit, so long as boopkit has a child process.
--
-- references:
-- * https://github.com/krisnova/boopkit
-- * https://attack.mitre.org/techniques/T1014/ (Rootkit)
--
-- false positives:
-- * None observed
--
-- tags: persistent daemon
SELECT
p.*,
hash.sha256,
GROUP_CONCAT(DISTINCT pof.path) AS open_files
FROM
processes p
LEFT JOIN hash ON p.path = hash.path
LEFT JOIN process_open_files pof ON p.pid = pof.pid
WHERE
p.parent NOT IN (
SELECT
pid
FROM
processes
)
AND p.parent != 0
AND p.parent IS NOT NULL
GROUP BY
p.pid


@ -55,6 +55,7 @@ WHERE
'/usr/bin/doas',
'/usr/bin/dockerd',
'/usr/bin/fusermount3',
'/usr/libexec/at-spi-bus-launcher',
'/usr/bin/gnome-shell',
'/usr/bin/ibus-daemon',
'/usr/bin/kitty',


@ -141,6 +141,7 @@ WHERE
AND file.directory NOT IN ('/etc/skel', '/etc/skel/.config')
AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
AND file.path NOT LIKE '/tmp/.#%'
AND file.path NOT LIKE '/tmp/.lark_cache_%'
AND file.path NOT LIKE '/tmp/.wine-%'
AND file.path NOT LIKE '/tmp/.%.gcode'
AND file.path NOT LIKE '/tmp/.vbox-%-ipc/'


@ -14,6 +14,7 @@ SELECT DISTINCT
file.btime,
file.ctime,
file.mtime,
file.type,
file.size,
hash.sha256,
magic.data,
@ -110,6 +111,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
) -- macOS updates
AND NOT file.directory LIKE '/tmp/msu-target-%' -- I don't know man. I don't work here.
AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS' -- terraform
AND NOT file.directory LIKE '/tmp/staged-updates%'
AND NOT (
uid > 500
AND file.path LIKE '/tmp/terraform_%/terraform'
@ -135,12 +137,12 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
AND (
magic.data IN ('JSON data', 'ASCII text')
OR magic.data LIKE 'ELF %-bit %SB executable%'
OR magic.data LIKE 'symbolic link to l%.so.%'
OR magic.data LIKE 'symbolic link to %'
OR magic.data LIKE 'ELF %-bit LSB shared object%'
OR magic.data LIKE 'libtool library file,%'
OR (
file.filename IN ("configure", "mkinstalldirs")
AND magic.data = "POSIX shell script, ASCII text executable"
file.filename IN ("configure", "mkinstalldirs", "config.status")
AND magic.data LIKE "POSIX shell script, ASCII text executable%"
)
OR (
file.size < 50000
@ -159,6 +161,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
'py',
'script',
'sh',
'status',
'strings',
'txt',
'yaml',
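Review bot: `OR magic.data LIKE 'symbolic link to %'` replaces the narrower `'symbolic link to l%.so.%'`, so the clause now accepts every symlink rather than only shared-library symlinks; if that widening is intended it deserves a comment on the line, otherwise the suffix pattern should stay. Separately, the new `AND NOT file.directory LIKE '/tmp/staged-updates%'` line lands between the UpdateBrain line that ends with the stray `-- terraform` comment and the `file.path LIKE '/tmp/terraform_%/terraform'` block that comment describes; moving `-- terraform` down onto the `AND NOT (` line keeps the comment next to what it explains. The enclosing WHERE starts and ends outside this hunk.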


@ -31,6 +31,7 @@ WHERE
'auditd.pid',
'.autoBackup',
'automount.initialized',
'bootpd.pid',
'com.apple.DumpPanic.finishedPMUFaultHandling',
'com.apple.DumpPanic.finishedThisBoot',
'com.apple.logind.didRunThisBoot',
@ -44,13 +45,13 @@ WHERE
'FirstBootAfterUpdate',
'FirstBootCleanupHandled',
'hdiejectd.pid',
'signpost_reporter_running',
'kdc.pid',
'prl_disp_service.pid',
'prl_naptd.pid',
'prl_watchdog-ebdba5702a20.pid',
'resolv.conf',
'rtadvd.pid',
'signpost_reporter_running',
'socketfilterfw.launchd',
'syslog.pid',
'systemkeychaincheck.done',


@ -6,8 +6,8 @@
-- tags: transient process state often
-- platform: linux
SELECT
f.ctime,
f.mtime,
f.ctime AS p0_ctime,
f.mtime AS p0_mtime,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
@ -53,8 +53,11 @@ WHERE
-- What I would give for osquery to support binary signature verification on Linux
AND NOT p0.path IN (
'',
'/usr/sbin/irqbalance',
'/opt/google/chrome/chrome',
'/usr/bin/packer',
'/usr/bin/cmake',
'/usr/sbin/cups-browsed',
'/opt/google/chrome/chrome_crashpad_handler',
'/opt/google/chrome/nacl_helper',
'/usr/bin/gnome-software',
@ -209,6 +212,9 @@ WHERE
AND p0.cmdline LIKE './%'
)
AND NOT p1.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
AND NOT p1.name = 'makepkg'
AND NOT p2.path = '/usr/bin/yay'
AND NOT p2.cmdline LIKE '/usr/bin/yay %'
AND NOT (
p0.path LIKE '/home/%'
AND p0.uid > 499
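Review bot: `AND NOT p2.path = '/usr/bin/yay'` and `AND NOT p2.cmdline LIKE '/usr/bin/yay %'` evaluate to NULL, not true, whenever p2 is NULL, and a NULL predicate drops the row; the FROM clause is outside this hunk, but if p1/p2 are LEFT JOINed as in the other p0/p1/p2 queries in this commit, every process whose grandparent is missing from the table — likely including anything reparented to PID 1 — is now silently excluded from this Linux query. `AND NOT p1.name = 'makepkg'` has the same shape for a missing parent. Writing the exclusions NULL-safe keeps those rows: `AND COALESCE(p1.name, '') != 'makepkg'`, `AND COALESCE(p2.path, '') != '/usr/bin/yay'`, `AND COALESCE(p2.cmdline, '') NOT LIKE '/usr/bin/yay %'`. The same pattern appears as `AND p1.name NOT IN ('makepkg')` in the sketchy-fetcher hunk of this commit.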


@ -109,6 +109,7 @@ WHERE
'~/bin',
'~/code/bin',
'~/go/bin',
'~/Library/Application Support/snyk-ls',
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
'~/Library/Application Support/dev.warp.Warp-Stable',
'~/Library/Application Support/zoom.us/Plugins/aomhost.app/Contents/MacOS',
@ -118,6 +119,7 @@ WHERE
'~/projects/go/bin'
)
OR dir LIKE '~/%/node_modules/.bin/%'
OR dir LIKE '~/%/node_modules/esbuild%/bin'
OR f.path LIKE '%go-build%'
OR f.path LIKE '~/%/src/%.test'
OR f.path LIKE '~/%/pkg/%.test'


@ -7,42 +7,52 @@
-- tags: transient process state
-- platform: posix
SELECT
p.pid,
p.path,
p.name,
p.cmdline,
p.start_time,
REGEX_MATCH (p.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
REGEX_MATCH (p.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
REGEX_MATCH (p.cmdline, ':(\d+)', 1) AS port,
REGEX_MATCH (p.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
REGEX_MATCH (p.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
p.cwd,
p.euid,
p.parent,
p.cgroup_path,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.euid AS parent_euid,
gp.name AS gparent_name,
gp.cmdline AS gparent_cmdline,
pp.pid AS gparent_pid,
hash.sha256 AS parent_sha256
REGEX_MATCH (p0.cmdline, '(\w+:\/\/.*)\b', 1) AS url,
REGEX_MATCH (p0.cmdline, '//(\d+\.\d+\.\d+\.\d+)[:/]', 1) AS ip,
REGEX_MATCH (p0.cmdline, ':(\d+)', 1) AS port,
REGEX_MATCH (p0.cmdline, '//([\w\-\.]+)[:/]', 1) AS addr,
REGEX_MATCH (p0.cmdline, '//[\w\-\.]+\.(\w+)[:/]', 1) AS tld,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN processes gp ON pp.parent = gp.pid
LEFT JOIN hash ON pp.path = hash.path
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
-- NOTE: Sync remaining portion with sketchy-fetcher-events
(
INSTR(p.cmdline, 'wget ') > 0
OR INSTR(p.cmdline, 'curl ') > 0
INSTR(p0.cmdline, 'wget ') > 0
OR INSTR(p0.cmdline, 'curl ') > 0
)
-- Sketchy fetcher events always seem to contain a switch
AND p.cmdline LIKE '%-%'
AND p.cmdline LIKE '%/%'
AND p0.cmdline LIKE '%-%'
AND p0.cmdline LIKE '%/%'
AND (
ip NOT IN ('', '127.0.0.1', '::1')
OR port != ''
@ -67,65 +77,65 @@ WHERE
'so',
'uk'
)
OR p.cmdline LIKE '%chmod%'
OR p.cmdline LIKE '%.onion%'
OR p.cmdline LIKE '%tor2web%'
OR p.cmdline LIKE '%aliyun%'
OR p.cmdline LIKE '%pastebin%'
OR p.cmdline LIKE '%curl %--user-agent%'
OR p.cmdline LIKE '%curl -k%'
OR p.cmdline LIKE '%curl -sL %'
OR p.cmdline LIKE '%curl%-o-%'
OR p.cmdline LIKE '%curl%--insecure%'
OR p.cmdline LIKE '%wget %--user-agent%'
OR p.cmdline LIKE '%wget %--no-check-certificate%'
OR p.cmdline LIKE '%curl%--connect-timeout%'
OR p.cmdline LIKE '%wget -nc%'
OR p.cmdline LIKE '%wget -t%'
OR p.cmdline LIKE '%wget -q%'
OR p0.cmdline LIKE '%chmod%'
OR p0.cmdline LIKE '%.onion%'
OR p0.cmdline LIKE '%tor2web%'
OR p0.cmdline LIKE '%aliyun%'
OR p0.cmdline LIKE '%pastebin%'
OR p0.cmdline LIKE '%curl %--user-agent%'
OR p0.cmdline LIKE '%curl -k%'
OR p0.cmdline LIKE '%curl -sL %'
OR p0.cmdline LIKE '%curl%-o-%'
OR p0.cmdline LIKE '%curl%--insecure%'
OR p0.cmdline LIKE '%wget %--user-agent%'
OR p0.cmdline LIKE '%wget %--no-check-certificate%'
OR p0.cmdline LIKE '%curl%--connect-timeout%'
OR p0.cmdline LIKE '%wget -nc%'
OR p0.cmdline LIKE '%wget -t%'
OR p0.cmdline LIKE '%wget -q%'
OR (
p.cmdline LIKE '%wget %'
AND p.euid < 500
p0.cmdline LIKE '%wget %'
AND p0.euid < 500
-- TODO: Update this query to understand containers
AND pp.path NOT IN (
AND p1.path NOT IN (
"/usr/bin/bwrap",
"/bin/busybox",
"/usr/bin/melange"
)
)
OR (
p.cmdline LIKE '%curl %'
AND p.euid < 500
AND p.cmdline NOT LIKE "%./configure %--with-curl%"
p0.cmdline LIKE '%curl %'
AND p0.euid < 500
AND p0.cmdline NOT LIKE "%./configure %--with-curl%"
)
)
-- Exceptions for all calls
AND pp.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
AND p1.name NOT IN ('makepkg') -- Exceptions for non-privileged calls
AND NOT (
p.euid > 500
p0.euid > 500
AND (
p.cmdline LIKE '%--dump-header%'
OR p.cmdline LIKE '%/api/v%'
OR p.cmdline LIKE '%curl -X %'
OR p.cmdline LIKE '%go mod %'
OR p.cmdline LIKE '%application/json%'
OR p.cmdline LIKE '%grpcurl%'
OR p.cmdline LIKE '%Homebrew%'
OR p.cmdline LIKE '%Nixpkgs/%'
OR p.cmdline LIKE '%If-None-Match%'
OR p.cmdline LIKE '%ctlog%'
OR p.cmdline LIKE '%.well-known/openid-configuration%'
OR p.cmdline LIKE '%/openid/v1/jwks%'
OR p.cmdline LIKE '%--progress-bar%'
OR parent_cmdline LIKE '%brew.rb%'
OR parent_cmdline LIKE '%brew.sh%'
OR parent_cmdline LIKE '/nix/store/%-builder.sh'
OR p.cmdline LIKE 'git %'
OR p.cmdline LIKE '%LICENSES/vendor/%'
OR p.cmdline LIKE 'curl -sL wttr.in%'
OR p.cmdline LIKE '%localhost:%'
OR p.cmdline LIKE '%127.0.0.1:%'
OR p.name IN ('apko')
p0.cmdline LIKE '%--dump-header%'
OR p0.cmdline LIKE '%/api/v%'
OR p0.cmdline LIKE '%curl -X %'
OR p0.cmdline LIKE '%go mod %'
OR p0.cmdline LIKE '%application/json%'
OR p0.cmdline LIKE '%grpcurl%'
OR p0.cmdline LIKE '%Homebrew%'
OR p0.cmdline LIKE '%Nixpkgs/%'
OR p0.cmdline LIKE '%If-None-Match%'
OR p0.cmdline LIKE '%ctlog%'
OR p0.cmdline LIKE '%.well-known/openid-configuration%'
OR p0.cmdline LIKE '%/openid/v1/jwks%'
OR p0.cmdline LIKE '%--progress-bar%'
OR p1.cmdline LIKE '%brew.rb%'
OR p1.cmdline LIKE '%brew.sh%'
OR p1.cmdline LIKE '/nix/store/%-builder.sh'
OR p0.cmdline LIKE 'git %'
OR p0.cmdline LIKE '%LICENSES/vendor/%'
OR p0.cmdline LIKE 'curl -sL wttr.in%'
OR p0.cmdline LIKE '%localhost:%'
OR p0.cmdline LIKE '%127.0.0.1:%'
OR p0.name IN ('apko')
)
)
-- These are typically curl -k calls
@ -145,3 +155,8 @@ WHERE
OR ip LIKE '192.168.%'
)
)
-- Qualys Cloud Agent
AND NOT (
addr = "169.254.169.254"
AND p2.path = "/usr/local/qualys/cloud-agent/bin/qualys-scan-util"
)
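Review bot: The new Qualys exception is keyed on `addr = "169.254.169.254"` and `p2.path` alone, so any curl/wget two levels below qualys-scan-util is exempted regardless of the intermediate parent or the uid it runs as; pinning at least `p0.euid` or `p1.path` would keep the carve-out as narrow as the other exceptions in this file. The header comment `-- NOTE: Sync remaining portion with sketchy-fetcher-events` applies here, and the events query in this commit receives a differently shaped key, `'curl,0,sh,qualys-cloud-ag'` (process names only, no path or address), so the two queries will not agree on which Qualys fetches are benign. The three `LEFT JOIN hash` joins now cover p0, p1 and p2 where the old query hashed only the parent; if osquery evaluates them before the cmdline filters, that is a hash of every running process per run, worth confirming with a timing run. The enclosing WHERE begins before this hunk.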


@ -35,7 +35,6 @@ SELECT
'(.*)/',
1
) AS top3_dir,
u.directory AS user_home_dir,
s.identifier AS s_id,
s.authority AS s_auth,
-- Child
@ -100,6 +99,7 @@ WHERE
'~/Applications (Parallels)',
'~/bin',
'~/.cargo',
'~/melange',
'~/chainguard',
'~/dev',
'~/code',
@ -137,6 +137,8 @@ WHERE
'/Library/Application Support/Adobe',
'~/Library/Application Support/BraveSoftware',
'/Library/Application Support/Canon_Inc_IC',
'~/.docker/cli-plugins/docker-sbom',
'~/.docker/cli-plugins',
'~/Library/Application Support/com.elgato.StreamDeck',
'~/Library/Application Support/com.grammarly.ProjectLlama',
'/Library/Application Support/EcammLive',
@ -170,7 +172,9 @@ WHERE
AND dir NOT IN (
'/bin',
'~/bin',
'~/.cache/gitstatus',
'~/code/bin',
'~/.docker/cli-plugins',
'~/Downloads/google-cloud-sdk/bin',
'~/Downloads/protoc/bin',
'~/go/bin',
@ -192,6 +196,7 @@ WHERE
'/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS',
'/Library/Kandji/Kandji Agent.app/Contents/MacOS',
'/Library/Kandji/Kandji Agent.app/Contents/MacOS/',
'/Library/Printers/Brother/Filter/rastertobrother2130.bundle/Contents/MacOS',
'/Library/Printers/Brother/Filter/rastertobrother2300.bundle/Contents/MacOS',
'/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS',
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS',
@ -203,6 +208,7 @@ WHERE
'/Library/TeX/texbin',
'~/.local/bin',
'~/.magefile',
'~/melange',
'/node_modules/.bin',
'/opt/homebrew/bin',
'/opt/osquery/lib/osquery.app/Contents/MacOS',
@ -226,6 +232,7 @@ WHERE
'/usr/lib/fwupd',
'/usr/lib/ibus',
'/usr/lib/system',
'/usr/local/aws-cli',
'/usr/local/bin',
'/usr/local/MacGPG2/bin',
'/usr/sbin',


@ -40,6 +40,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
child_name IN ('curl', 'wget', 'ftp', 'tftp') -- And not a regular local user
AND NOT exception_key IN (
'curl,0,09-timezone,nm-dispatcher',
'curl,0,sh,qualys-cloud-ag',
'curl,0,build.sh,buildkit-runc',
'curl,0,nm-dispatcher,',
'curl,0,nm-dispatcher,nm-dispatcher',


@ -112,6 +112,11 @@ WHERE
)
)
-- The following apply to all uids
AND NOT p0_cmd = 'osascript -e user locale of (get system info)'
AND NOT p0_cmd IN (
'osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges',
'osascript -e user locale of (get system info)',
'/usr/bin/osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges
)
GROUP BY
pe.pid
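Review bot: The last entry of the new `p0_cmd IN (...)` list, `'/usr/bin/osascript -e do shell script "/bin/rm -Rf /opt/vagrant /usr/local/bin/vagrant" with administrator privileges`, has no closing single quote as rendered, so the literal runs on into the `)` and the query fails to parse; it should end `with administrator privileges'`, matching the entry two lines above it. The enclosing WHERE starts before this hunk.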


@ -9,18 +9,23 @@ SELECT
REGEX_MATCH (p.path, '(/.*?/.*?)/', 1) AS top_dir,
-- Child
pe.path AS p0_path,
pe.time,
pe.time AS p0_time,
pe.euid AS p0_euid,
s.authority AS p0_sauth,
s.identifier AS p0_sid,
hash.sha256 AS p0_hash,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
TRIM(pe.cmdline) AS p0_cmd,
pe.cwd AS p0_cwd,
-- pe.cwd is NULL on macOS
p.cwd AS p0_cwd,
pe.pid AS p0_pid,
pe.euid AS p0_euid,
-- Parent
pe.parent AS p1_pid,
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
COALESCE(p1.start_time, pe1.time) AS p1_start,
COALESCE(p1.path, pe1.path) AS p1_path,
p1.cwd AS p1_cwd,
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name,
-- Grandparent
@ -28,6 +33,7 @@ SELECT
TRIM(
COALESCE(p1_p2.cmdline, pe1_p2.cmdline, pe1_pe2.cmdline)
) AS p2_cmd,
p1_p2.cwd AS p2_cwd,
COALESCE(p1_p2.path, pe1_p2.path, pe1_pe2.path) AS p2_path,
COALESCE(
p1_p2_hash.path,
@ -41,10 +47,11 @@ SELECT
) AS p2_name
FROM
process_events pe
LEFT JOIN signature s ON pe.path = s.path
LEFT JOIN file f ON pe.path = f.path
LEFT JOIN users u ON pe.uid = u.uid
LEFT JOIN signature s ON pe.path = s.path
LEFT JOIN processes p ON pe.pid = p.pid
LEFT JOIN hash ON pe.path = hash.path
-- Parents (via two paths)
LEFT JOIN processes p1 ON pe.parent = p1.pid
LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
@ -60,9 +67,9 @@ FROM
LEFT JOIN hash pe1_p2_hash ON pe1_p2.path = pe1_p2_hash.path
LEFT JOIN hash pe1_pe2_hash ON pe1_pe2.path = pe1_pe2_hash.path
WHERE
-- query optimization: Exclude SIP protected directories
p.euid = 0
p0_euid = 0
AND pe.time > (strftime('%s', 'now') -900)
-- query optimization: Exclude SIP protected directories
AND top_dir NOT IN (
'/Library/Apple',
'/System/Library',
@ -107,21 +114,21 @@ WHERE
pe.path LIKE "/nix/store/%-nix-%/bin/nix-%"
OR pe.path LIKE "/private/var/folders/%/T/tmp.%/nix-installer"
)
AND p1.path = "/usr/bin/sudo"
AND p1_path = "/usr/bin/sudo"
)
AND NOT (
s.authority = ""
AND p0_path LIKE "/opt/%/bin/socket_vmnet"
AND pe.path LIKE "/opt/%/bin/socket_vmnet"
AND p1_path IN ("/usr/bin/sudo", "/sbin/launchd")
)
AND NOT (
s.authority = ""
AND p0_path LIKE "/opt/homebrew/Cellar/mariadb/%/bin/mariadbd"
AND pe.path LIKE "/opt/homebrew/Cellar/mariadb/%/bin/mariadbd"
AND p0_cmd LIKE "/opt/homebrew/opt/mariadb/bin/mariadbd %"
)
AND NOT (
s.authority = ""
AND p0_path LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled"
AND pe.path LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled"
AND p0_cmd LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled %"
)
AND NOT (
@ -129,4 +136,4 @@ WHERE
AND p0_name = "node"
AND p1_name IN ("vim", "nvim")
)
AND NOT p0_path LIKE '/usr/local/Cellar/htop/%/bin/htop'
AND NOT pe.path LIKE '/usr/local/Cellar/htop/%/bin/htop'
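Review bot: `p.cwd AS p0_cwd` is taken from `processes p`, which is `LEFT JOIN`ed on `pe.pid = p.pid`, so for a process that has already exited by the time the event is read — the usual case for an events query — p0_cwd is NULL; the comment `-- pe.cwd is NULL on macOS` explains the switch, but `COALESCE(pe.cwd, p.cwd) AS p0_cwd` keeps the event's own value wherever it is populated and falls back to the live table otherwise, with the same result on macOS. The same applies to the new `p1.cwd AS p1_cwd` and `p1_p2.cwd AS p2_cwd`, which are NULL once the parent has exited; extending the comment to say that cwd is best-effort and only available while the process is still alive would spare the next reader the check. The SELECT list and WHERE clause both extend beyond this hunk.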


@ -146,7 +146,9 @@ WHERE
'500,scdaemon,scdaemon,',
'500,tflint-ruleset-aws,a.out,',
'500,sdaudioswitch,,',
'500,monorail,a.out,',
'500,sdaudioswitch,sdaudioswitch,',
'500,k9s,a.out,',
'500,sdzoomplugin,,',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',


@ -123,6 +123,7 @@ WHERE
'adoptium.net',
'balsamiq.com',
'brave.com',
'cron.com',
'discord.com',
'dl.discordapp.net',
'dl.google.com',


@ -11,28 +11,45 @@
-- interval: 60
-- platform: posix
SELECT
p.name,
p.path AS path,
p.cmdline AS cmd,
p.pid,
p.cgroup_path,
p.parent,
p.cwd,
pp.name AS parent_name,
pp.path AS parent_path,
pp.cmdline AS parent_cmd,
hash.sha256 AS parent_sha256
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p
LEFT JOIN processes pp ON pp.pid = p.parent
LEFT JOIN hash ON pp.path = hash.path
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
p0.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
-- Ignore partial table joins
AND parent_path != ''
AND p1_path != ''
-- Editors & terminals mostly.
-- I know it's tempting to list "electron" here but please find a more specific exclusion.
AND pp.name NOT IN (
AND p1.name NOT IN (
'abrt-action-per',
'abrt-handle-eve',
'alacritty',
@ -129,7 +146,7 @@ WHERE
'zellij',
'zsh'
)
AND parent_path NOT IN (
AND p1_path NOT IN (
'/Applications/Docker.app/Contents/MacOS/Docker',
'/Applications/Docker.app/Contents/MacOS/install',
'/Applications/Docker.app/Contents/Resources/bin/com.docker.cli',
@ -142,6 +159,7 @@ WHERE
'/Applications/Amazon Photos.app/Contents/MacOS/Amazon Photos',
'/bin/dash',
'/bin/sh',
'/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent',
'/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent',
'/Library/Developer/CommandLineTools/usr/bin/git',
'/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon',
@ -169,10 +187,11 @@ WHERE
'/usr/libexec/periodic-wrapper',
'/usr/lib/xorg/Xorg'
)
AND NOT p.cmdline IN (
AND NOT p0.cmdline IN (
-- npm run server
'sh -c -- exec-bin node_modules/.bin/hugo/hugo server',
'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
'/bin/sh -c sysctl hw.model kern.osrelease',
'/bin/bash -c ioreg -l -w 0 | grep SecureInput',
"sh -c acpi -b | grep -v 'unavailable'",
'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null',
@ -180,43 +199,43 @@ WHERE
'sh -c ps -xcocommand,pid | grep "LOGINserver"'
)
AND NOT (
pp.name = 'sshd'
AND p.cmdline LIKE '%askpass%'
p1.name = 'sshd'
AND p0.cmdline LIKE '%askpass%'
)
AND NOT (
pp.name = 'steam'
AND p.cmdline LIKE 'sh -c %steamwebhelper.sh%'
p1.name = 'steam'
AND p0.cmdline LIKE 'sh -c %steamwebhelper.sh%'
)
AND NOT (
pp.name = 'bash'
AND p.cmdline LIKE 'sh -s _hostname %'
p1.name = 'bash'
AND p0.cmdline LIKE 'sh -s _hostname %'
)
AND NOT (
pp.cmdline LIKE 'perl%/help2man%'
AND p.cmdline LIKE 'sh -c man/%'
p1.cmdline LIKE 'perl%/help2man%'
AND p0.cmdline LIKE 'sh -c man/%'
)
AND NOT p.cmdline LIKE '/bin/sh %/bin/docker-credential-gcloud get'
AND NOT parent_path LIKE '/private/var/folders/%/T/go-build%.test'
AND NOT parent_path LIKE '/private/tmp/PKInstallSandbox.%/tmp/Python/Python3.framework/Versions/%/Resources/Python.app/Contents/MacOS/Python'
AND NOT p.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%'
AND NOT p.cmdline LIKE '%gcloud config config-helper%'
AND NOT p.cmdline LIKE '%hugo/hugo server%'
AND NOT pp.cmdline LIKE '/Applications/Warp.app/%'
AND NOT pp.cmdline = 'npm run start'
AND NOT pp.cmdline LIKE '%brew.rb%'
AND NOT pp.cmdline LIKE '%/Homebrew/build.rb%'
AND NOT pp.cmdline LIKE '%Code Helper%'
AND NOT pp.cmdline LIKE '%gcloud.py config config-helper%'
AND NOT pp.cmdline LIKE '/usr/lib/electron19/electron /usr/lib/code/out/bootstrap-fork --type=ptyHost --logsPath /home/%/.config/Code - OSS/logs/%'
AND NOT pp.name LIKE '%term%'
AND NOT pp.name LIKE '%Term%'
AND NOT pp.name LIKE 'Emacs%'
AND NOT pp.name LIKE 'terraform-provider-%'
AND NOT pp.path LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent'
AND NOT p0.cmdline LIKE '/bin/sh %/bin/docker-credential-gcloud get'
AND NOT p1_path LIKE '/private/var/folders/%/T/go-build%.test'
AND NOT p1_path LIKE '/private/tmp/PKInstallSandbox.%/tmp/Python/Python3.framework/Versions/%/Resources/Python.app/Contents/MacOS/Python'
AND NOT p0.cmdline LIKE '%/Library/Apple/System/Library/InstallerSandboxes%'
AND NOT p0.cmdline LIKE '%gcloud config config-helper%'
AND NOT p0.cmdline LIKE '%hugo/hugo server%'
AND NOT p1.cmdline LIKE '/Applications/Warp.app/%'
AND NOT p1.cmdline = 'npm run start'
AND NOT p1.cmdline LIKE '%brew.rb%'
AND NOT p1.cmdline LIKE '%/Homebrew/build.rb%'
AND NOT p1.cmdline LIKE '%Code Helper%'
AND NOT p1.cmdline LIKE '%gcloud.py config config-helper%'
AND NOT p1.cmdline LIKE '/usr/lib/electron19/electron /usr/lib/code/out/bootstrap-fork --type=ptyHost --logsPath /home/%/.config/Code - OSS/logs/%'
AND NOT p1.name LIKE '%term%'
AND NOT p1.name LIKE '%Term%'
AND NOT p1.name LIKE 'Emacs%'
AND NOT p1.name LIKE 'terraform-provider-%'
AND NOT p1.path LIKE '/Users/%/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent'
-- Oh, NixOS.
AND NOT pp.name LIKE '%/bin/bash'
AND NOT pp.name LIKE '%/bin/direnv'
AND NOT parent_path LIKE '/nix/store/%sh'
AND NOT parent_path LIKE '/opt/homebrew/%'
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p.cgroup_path LIKE '/system.slice/system.slice:docker:%'
AND NOT p1.name LIKE '%/bin/bash'
AND NOT p1.name LIKE '%/bin/direnv'
AND NOT p1_path LIKE '/nix/store/%sh'
AND NOT p1_path LIKE '/opt/homebrew/%'
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p0.cgroup_path LIKE '/system.slice/system.slice:docker:%'


@ -8,20 +8,45 @@
--
-- tags: process state
-- platform: posix
SELECT p.uid,
p.euid,
pos.protocol,
SELECT pos.protocol,
pos.pid,
pos.remote_address,
pos.local_address,
pos.local_port,
pos.remote_port,
p.name,
p.start_time,
p.parent,
p.cgroup_path,
p.path,
pos.state
FROM processes p
JOIN process_open_sockets pos ON p.pid = pos.pid
WHERE fd < 3 AND family != 1;
pos.state,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM process_open_sockets pos
JOIN processes p0 ON pos.pid = p0.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE pos.fd < 3
AND pos.family != 1
AND p0.path NOT IN ('/usr/libexec/bootpd')
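Review bot: The two conditions that carry the whole detection, `pos.fd < 3` and `pos.family != 1`, are left uncommented on the new side, so a reader has to know that descriptors 0–2 are stdin/stdout/stderr and that family 1 is AF_UNIX. I would annotate them in place: `WHERE pos.fd < 3 -- socket is bound to stdin/stdout/stderr` and `AND pos.family != 1 -- skip AF_UNIX; only network sockets are of interest`. The old query ended with `;` and the new one does not; this appears to be the end of the file, so if the other queries in the pack omit the terminator it is fine, otherwise restore it for consistency.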


@ -8,43 +8,47 @@
--
-- tags: persistent process state seldom
-- platform: linux
SELECT p.uid,
p.euid,
pos.protocol,
SELECT pos.protocol,
pos.pid,
pos.remote_address,
pos.local_address,
pos.local_port,
pos.remote_port,
p.start_time,
p.name,
p.parent,
p.cgroup_path,
p.path,
pos.state,
GROUP_CONCAT(DISTINCT pmm.path) AS libs,
COUNT(DISTINCT pmm.path) AS lib_count
FROM processes p
JOIN process_open_sockets pos ON p.pid = pos.pid AND pos.family != 1
JOIN process_memory_map pmm ON pos.pid = pmm.pid
WHERE p.pid IN (
SELECT pid
FROM processes
WHERE path NOT IN (
'/usr/bin/containerd',
'/usr/bin/fusermount3',
'/usr/sbin/acpid',
'/usr/bin/dash',
'/usr/bin/docker',
'/usr/sbin/mcelog',
'/usr/bin/docker-proxy',
'/usr/bin/cat',
'/usr/lib/electron/chrome-sandbox',
'/usr/bin/i3blocks'
)
AND name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node')
GROUP BY processes.path
COUNT(DISTINCT pmm.path) AS lib_count,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256
FROM processes p0
JOIN process_open_sockets pos ON p0.pid = pos.pid
JOIN process_memory_map pmm ON p0.pid = pmm.pid
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
WHERE
pos.family != 1
AND pos.pid > 0
AND pos.state != 'LISTEN'
AND p0.path NOT IN (
'/usr/bin/containerd',
'/usr/bin/fusermount3',
'/usr/sbin/acpid',
'/usr/bin/dash',
'/usr/bin/docker',
'/usr/sbin/mcelog',
'/usr/libexec/docker/docker-proxy',
'/usr/bin/docker-proxy',
'/usr/bin/cat',
'/usr/lib/electron/chrome-sandbox',
'/usr/bin/i3blocks'
)
AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node')
AND pmm.path LIKE "%.so.%"
GROUP BY pos.pid -- libc.so, ld-linux
HAVING lib_count IN (1, 2)
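Review bot: `AND pmm.path LIKE "%.so.%"` on the new side uses a double-quoted string literal; SQLite treats double quotes as identifier quotes and only falls back to a string via the legacy DQS behaviour (disabled when built with `SQLITE_DQS=0`), so it should read `AND pmm.path LIKE '%.so.%'`. The same applies to the new `NOT LIKE "/run/user/%/%.lock"` line in the lock-file query further down (hunk `@ -41,19 +57,23 @@`). Separately, the comment `-- libc.so, ld-linux` is attached to `GROUP BY pos.pid` but explains the `HAVING lib_count IN (1, 2)` filter on the next line; moving it there, e.g. `HAVING lib_count IN (1, 2) -- process maps only libc.so / ld-linux`, makes the intent readable. Note that `%.so.%` counts only versioned shared objects, so unversioned `.so` mappings do not contribute to lib_count; if that is intentional it deserves a word of comment.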


@ -23,7 +23,7 @@ SELECT
p.cgroup_path,
p.path,
pos.state,
GROUP_CONCAT(pmm.path) AS libs,
GROUP_CONCAT(DISTINCT pmm.path) AS libs,
COUNT(DISTINCT pmm.path) AS lib_count,
-- Normally we would use signatures for exceptions, but it was triggering
-- an unusual performance issue in osquery.
@ -68,6 +68,7 @@ WHERE
AND exception_key NOT IN (
'500,Todoist,/Applications/Todoist.app/Contents/MacOS/Todoist',
'500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
'500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper (GPU).app/Contents/MacOS/WhatsApp Helper (GPU)',
'500,Slack Helper (Renderer),/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS/Slack Helper (Renderer)',
'500,Snagit 2020,/Applications/Snagit 2020.app/Contents/MacOS/Snagit 2020',
'500,SnagitHelper2020,/Applications/Snagit 2020.app/Contents/Library/LoginItems/SnagitHelper2020.app/Contents/MacOS/SnagitHelper2020'
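Review bot: The new `'500,WhatsApp Helper (GPU),…'` entry is inserted between the two Slack entries, so the list is neither alphabetical nor grouped by application, which makes duplicates hard to spot when the list grows. The equivalent list at `@ -107,16 +107,19 @@` further down is sorted alphabetically in this same commit; placing the WhatsApp line after the Snagit entries would keep this one consistent with it.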


@ -49,10 +49,13 @@ WHERE
AND (
exception_key IN (
'abrtd.service,ABRT Automated Bug Reporting Tool,,450',
'abrtd.service,ABRT Daemon,,225',
'abrt-journal-core.service,ABRT coredumpctl message creator,,0',
'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,,225',
'abrt-oops.service,ABRT kernel log watcher,,225',
'abrt-xorg.service,ABRT Xorg log watcher,,225',
'accounts-daemon.service,Accounts Service,,1800',
'accounts-daemon.service,Accounts Service,,2025',
'accounts-daemon.service,Accounts Service,,675',
'acpid.path,ACPI Events Check,,0',
'acpid.service,ACPI Daemon,,1125',
@ -138,6 +141,7 @@ WHERE
'fprintd.service,Fingerprint Authentication Daemon,,675',
'fprintd.service,Fingerprint Authentication Daemon,,900',
'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,225',
'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,450',
'fstrim.timer,Discard unused blocks once a week,,225',
'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,225',
'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,450',
@ -176,6 +180,7 @@ WHERE
'lm-sensors.service,Initialize hardware monitoring sensors,,0',
'lm_sensors.service,Initialize hardware monitoring sensors,,225',
'logrotate-checkconf.service,Logrotate configuration check,,1125',
'logrotate-checkconf.service,Logrotate configuration check,,900',
'logrotate.timer,Daily rotation of log files,,0',
'logrotate.timer,logrotate.timer,,0',
'low-memory-monitor.service,Low Memory Monitor,,675',
@ -201,6 +206,7 @@ WHERE
'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,,225',
'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,,225',
"networking.service,Raise network interfaces,,450",
'network-local-commands.service,Extra networking commands.,,1125',
'network-local-commands.service,Extra networking commands.,,1350',
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,450',
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,675',
@ -208,11 +214,13 @@ WHERE
'NetworkManager.service,Network Manager,,1350',
'NetworkManager-wait-online.service,Network Manager Wait Online,,1125',
'network-setup.service,Networking Setup,,1350',
'nginx.service,Nginx Web Server,nginx,2250',
'nginx.service,Nginx Web Server,nginx,2400',
'nix-daemon.service,Nix Daemon,,225',
'nix-daemon.socket,Nix Daemon Socket,,225',
'nix-gc.timer,nix-gc.timer,,0',
'nscd.service,Name Service Cache Daemon,nscd,1800',
'nscd.service,Name Service Cache Daemon (nsncd),nscd,1350',
'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,225',
'nvidia-persistenced.service,NVIDIA Persistence Daemon,,225',
'nvidia-powerd.service,nvidia-powerd service,,0',
@ -235,6 +243,7 @@ WHERE
'proc-sys-fs-binfmt_misc.automount,Arbitrary Executable File Formats File System Automount Point,,675',
'pwrstatd.service,The monitor UPS software.,,225',
'qemu-kvm.service,QEMU KVM preparation - module, ksm, hugepages,,225',
'qualys-cloud-agent.service,Qualys cloud agent daemon,,225',
'raid-check.timer,Weekly RAID setup health check,,0',
'realmd.service,Realm and Domain Configuration,,0',
'reflector.service,Refresh Pacman mirrorlist with Reflector.,,1350',
@ -253,14 +262,7 @@ WHERE
'setvtrgb.service,Set console scheme,,225',
'shadow.service,Verify integrity of password and group files,,900',
'shadow.timer,Daily verification of password and group files,,0',
'abrt-journal-core.service,ABRT coredumpctl message creator,,0',
'abrtd.service,ABRT Daemon,,225',
'nginx.service,Nginx Web Server,nginx,2250',
'network-local-commands.service,Extra networking commands.,,1125',
'logrotate-checkconf.service,Logrotate configuration check,,900',
'-.slice,Root Slice,,0',
'accounts-daemon.service,Accounts Service,,2025',
'nscd.service,Name Service Cache Daemon (nsncd),nscd,1350',
'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,225',
'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,450',
'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,,675',
@ -310,6 +312,7 @@ WHERE
'systemd-journald.service,Journal Service,,1800',
'systemd-journald.service,Journal Service,,2025',
'systemd-journald.service,Journal Service,,2200',
'systemd-journald.service,Journal Service,,2250',
'systemd-journald.socket,Journal Socket,,900',
'systemd-journal-flush.service,Flush Journal to Persistent Storage,,675',
'systemd-localed.service,Locale Service,,1125',
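Review bot: The block removed at `@ -253,14 +262,7 @@` held eight entries and seven of them reappear in sorted position in the earlier hunks, but `'-.slice,Root Slice,,0'` does not come back in any hunk of this file as far as I can see, so the root slice would start alerting again after this change unless that removal is deliberate. The final numeric field steps in multiples of 225 everywhere else in the list (0, 225, 450, …, 2250), while the new `'nginx.service,Nginx Web Server,nginx,2400'` and the existing journald `2200` entry break that pattern; if the key buckets that value the way the other entries suggest, those two can never match, which is worth checking against the CONCAT that builds exception_key above the first hunk.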


@ -36,6 +36,7 @@ WHERE (
AND exception_key NOT IN (
'0,0,/var/run/unattended-upgrades.lock,regular,0640',
'0,0,/var/run/xtables.lock,regular,0600',
'0,0,/var/run/dnf-metadata.lock,regular,0644',
'0,0,/var/run/apport.lock,regular,0600',
'74,0,/tmp/mysql.sock.lock,regular,0600',
'74,0,/tmp/mysqlx.sock.lock,regular,0600'


@ -23,15 +23,31 @@ SELECT CONCAT(
)
) AS exception_key,
pof.path AS lock,
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.start_time AS p0_start,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.start_time AS p1_start,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.start_time AS p2_start,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM processes p0
JOIN users u ON p0.euid = u.uid
LEFT JOIN process_open_files pof ON p0.pid = pof.pid
@ -41,19 +57,23 @@ FROM processes p0
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE pof.path LIKE "%.lock"
AND pof.path NOT LIKE "/run/user/1%/%.lock"
AND pof.path NOT LIKE "/run/user/%/%.lock"
AND NOT exception_key IN (
'0,com.apple.MobileSoftwareUpdate.CryptegraftService,/private/var/db/softwareupdate/SplunkHistory',
'0,snapd,/var/lib/snapd',
'500,flyctl,~/.fly',
'200,softwareupdated,/private~/SplunkHistory',
'500,Ecamm Live Stream Deck Plugin,~/Library/Application Support/com.elgato.StreamDeck/Sentry',
'500,Beeper,~/Library/Application Support/Beeper/EventStore',
'500,bridge-gui,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
'500,bridge-gui,~/Library/Caches/protonmail/bridge-v3',
'200,NRDUpdated,/private~/SplunkHistory',
'500,bridge,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
'500,Stream Deck,~/Library/Application Support/com.elgato.StreamDeck/Sentry',
'500,bridge,~/Library/Caches/protonmail/bridge-v3',
'500,Craft,~/Library/Containers/com.lukilabs.lukiapp/Data/Library/Application Support/com.lukilabs.lukiapp',
'500,buildkitd,~/.local/share/buildkit',
'500,Adobe Premiere Pro 2023,~/Library/Caches/Adobe/Premiere Pro/23.0/SentryIO-db',
'500,com.docker.backend,~/Library/Containers/com.docker.docker',
'500,photolibraryd,~/Library/Photos/Libraries/Syndication.photoslibrary/database',
'500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database',
@ -62,7 +82,9 @@ WHERE pof.path LIKE "%.lock"
AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,~/%'
AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,/private/var/folders/%'
AND NOT exception_key LIKE '500,lua-language-server,~/%'
AND NOT exception_key LIKE '0,prl_disp_service,/Users/%/Parallels/%/vm.lock'
AND NOT exception_key LIKE '500,ykman-gui,/private/var/folders/%/T'
AND NOT exception_key LIKE '500,golangci-lint,/private/var/folders/%/T'
AND NOT exception_key LIKE '0,prl_disp_service,/Users/%/Parallels/%.pvm'
AND NOT exception_key LIKE '500,iTermServer-%,~/Library/Application Support/iTerm2'
AND NOT exception_key LIKE '500,%,/private/var/folders/%/T/Sentry_StreamDeck'
AND NOT exception_key LIKE '500,gnome-software,/var/tmp/flatpak-cache-%'
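Review bot: The new `'0,prl_disp_service,/Users/%/Parallels/%/vm.lock'` pattern ends in a file name, whereas every other key in this list ends in a directory (the neighbouring `'0,prl_disp_service,/Users/%/Parallels/%.pvm'` included); if exception_key is built from the lock's directory rather than its full path, this pattern can never match, so please verify it against the CONCAT above the hunk. Widening `NOT LIKE "/run/user/1%/%.lock"` to `"/run/user/%/%.lock"` also drops root's `/run/user/0/` locks from scope, which the old `1%` prefix kept; a short comment on why all user runtime directories are excluded would record that decision. The `Premiere Pro/23.0/SentryIO-db` entry hard-codes a version directory and will need a new entry on every Premiere release, which is worth a note if a LIKE exception is not wanted.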


@ -107,16 +107,19 @@ WHERE
'/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
)
AND NOT exception_key IN (
'containermanagerd,262,com.docker.backend,Docker',
'sysextd,0,LogiTune,launchd',
'CAReportingService,0,LogiTune,launchd',
'biometrickitd,0,LogiTune,launchd',
'suhelperd,0,LogiTune,launchd',
'com.apple.AccountPolicyHelper,0,LogiTune,launchd',
'amfid,0,com.docker.backend,Docker',
'dprivacyd,0,com.docker.backend,Docker',
'biometrickitd,0,LogiTune,launchd',
'bioutil,0,callservicesd,launchd',
'CAReportingService,0,LogiTune,launchd',
'com.apple.AccountPolicyHelper,0,LogiTune,launchd',
'com.apple.geod,262,com.docker.backend,Docker',
'SCHelper,0,com.docker.backend,Docker'
'com.apple.WebKit.WebContent,200,zsh,Emacs-arm64-11',
'containermanagerd,262,com.docker.backend,Docker',
'dprivacyd,0,com.docker.backend,Docker',
'SCHelper,0,com.docker.backend,Docker',
'suhelperd,0,LogiTune,launchd',
'sysextd,0,LogiTune,launchd',
'system_profiler,0,callservicesd,launchd'
)
AND NOT (
pe.euid = 262 -- core media helper id


@ -15,6 +15,7 @@ SELECT
-- Parent
pe.parent AS p1_pid,
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
COALESCE(p1.start_time, pe1.time) AS p1_start,
COALESCE(p1.path, pe1.path) AS p1_path,
p1.cwd AS p1_cwd,
COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,


@ -26,8 +26,7 @@ SELECT
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
process_open_sockets pop
LEFT JOIN processes p0 ON pop.pid = p0.pid
processes p0
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
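Review bot: Dropping `process_open_sockets pop` from the FROM clause changes the population from processes holding an open socket to every row of `processes`, and any `pop.` column reference that survives below the hunk would no longer resolve; the SELECT list and WHERE clause lie outside this hunk, so please confirm none remains and that the wider scope (and result volume) is intended. A one-line comment above `FROM` stating why the socket restriction was removed would help, since the hunk gives no reason.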


@ -85,6 +85,7 @@ WHERE
'4b4be8c1bc7e3bc7ea1f02932a024466db5faf3eaad885cf31ac7383484b1b1c',
'6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
'e99b4e6dfbbefa19c9ec9c82bb0c3445a443702f960c2a05f882bb5577a59ef8',
'421899fb9bfa0252ce7921969339918a5bbacbc7b9cd500e03a88f9c4e33bae4',
'81bce2313cd00ffc42303fbf7c08e4d068fccc9c0076867903ef94616d795e12',
'8d740893c1f9163ddfd8c193d9a95caf15da3740b42f2739c4b107ad12661809',
'998ddcb7d1a7c2931c8546576873e47b399f23cef719227052f245c8240c6528',


@ -4,6 +4,7 @@
-- platform: posix
SELECT
file.path,
file.filename,
file.type,
file.size,
file.mtime,
@ -48,6 +49,5 @@ WHERE
AND NOT file.filename LIKE 'ulabs-%'
AND NOT hash.sha256 IN (
"c7d6bac8e942511e25973889ac38656d4d46f68044650d694721017fda23716e",
"bd5f4c01ebb5636b94584ee4ae42514b27d371859f7344f6aa5a37332ee714ba",
"bd5f4c01ebb5636b94584ee4ae42514b27d371859f7344f6aa5a37332ee714ba"
)