From 336a1fca4a38e6d2a2334924397034211dc247d6 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Mon, 8 Jan 2024 17:18:25 -0500 Subject: [PATCH 1/4] Add exceptions for Elastic Defend --- detection/c2/unexpected-https-linux.sql | 4 ++++ detection/evasion/empty_root_environ_linux.sql | 1 + detection/evasion/touched-executable-linux.sql | 1 + detection/evasion/unexpected-hidden-system-paths.sql | 1 + detection/execution/unexpected-executable-permissions.sql | 5 +++++ detection/exfil/yara-unexpected-go-crypt-exec-process.sql | 3 +++ detection/persistence/unexpected-active-systemd-units.sql | 2 ++ .../persistence/yara-suspicious-strings-process-linux.sql | 1 + 8 files changed, 18 insertions(+) diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql index 20107a4..acf2d0d 100644 --- a/detection/c2/unexpected-https-linux.sql +++ b/detection/c2/unexpected-https-linux.sql @@ -60,7 +60,9 @@ WHERE '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra', '0,apk,u,g,apk', '0,applydeltarpm,0u,0g,applydeltarpm', + '0,elastic-endpoint,0u,0g,elastic-endpoin', '0,bash,0u,0g,bash', + '0,filebeat,0u,0g,filebeat', '0,bash,0u,0g,mkinitcpio', '0,bash,0u,0g,sh', '0,chainctl,0u,0g,chainctl', @@ -68,6 +70,8 @@ WHERE '0,containerd,u,g,containerd', '0,dirmngr,0u,0g,dirmngr', '0,dockerd,0u,0g,dockerd', + '0,elastic-agent,0u,0g,elastic-agent', + '0,metricbeat,0u,0g,metricbeat', '0,flatpak-system-helper,0u,0g,flatpak-system-', '0,git-remote-http,0u,0g,git-remote-http', '0,go,0u,0g,go', diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql index 2a877ed..33649af 100644 --- a/detection/evasion/empty_root_environ_linux.sql +++ b/detection/evasion/empty_root_environ_linux.sql @@ -56,6 +56,7 @@ WHERE 'sshd', 'sudo', 'systemd', + 'elastic-agent', 'systemd-udevd', 'systemd-userdbd', 'systemd-userwor', 
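Review bot: The new keys `'0,filebeat,0u,0g,filebeat'`, `'0,metricbeat,0u,0g,metricbeat'`, `'0,elastic-agent,0u,0g,elastic-agent'` and `'0,elastic-endpoint,0u,0g,elastic-endpoin'` match on process name alone, so any root process that calls itself filebeat or metricbeat drops out of this C2 rule wherever it runs from, while the same series pins these binaries to `/opt/Elastic/Agent/data/elastic-%/components/%beat` in unexpected-uid0-daemon-linux.sql. If the process path is in scope in this query, a path-qualified `AND NOT (<name column> = 'filebeat' AND <path column> LIKE '/opt/Elastic/Agent/data/%')` exception would keep the list tight; if name-only is the deliberate format of this list, a `-- name-only keys: see uid0 rule for path-pinned variant` comment would record the trade-off. The additions also break the alphabetical order this list keeps (`elastic-endpoint` lands between `applydeltarpm` and `bash`, `filebeat` between the two `bash` entries, `elastic-agent`/`metricbeat` after `dockerd`); the same applies to `'elastic-agent'` after `'systemd'` in empty_root_environ_linux.sql and to `'/opt/Elastic/Endpoint/elastic-endpoint'` among the `/usr/bin` paths in yara-suspicious-strings-process-linux.sql. The enclosing WHERE clause starts and ends outside the hunk.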
diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql index e04be4c..047c4dc 100644 --- a/detection/evasion/touched-executable-linux.sql +++ b/detection/evasion/touched-executable-linux.sql @@ -32,6 +32,7 @@ WHERE AND p.path != '/' AND f.path NOT IN ( '/opt/google/endpoint-verification/bin/apihelper', + '/opt/Elastic/Endpoint/elastic-endpoint', '/usr/bin/melange' ) AND f.path NOT LIKE '/home/%' diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql index 49b75a2..f2da252 100644 --- a/detection/evasion/unexpected-hidden-system-paths.sql +++ b/detection/evasion/unexpected-hidden-system-paths.sql @@ -62,6 +62,7 @@ WHERE AND file.path NOT IN ( '/.VolumeIcon.icns', '/.autorelabel', + '/.equarantine/', '/.file', '/.lesshst', '/.mozilla/', diff --git a/detection/execution/unexpected-executable-permissions.sql b/detection/execution/unexpected-executable-permissions.sql index fb4405e..4ba68e0 100644 --- a/detection/execution/unexpected-executable-permissions.sql +++ b/detection/execution/unexpected-executable-permissions.sql @@ -50,6 +50,7 @@ WHERE '0544', '0555', '0711', + '0750', '0755', '0775', '0744', @@ -115,3 +116,7 @@ WHERE f.path LIKE '/Users/%/Library/Application Support/com.raycast.macos/NodeJS/runtime/%/bin/node' AND f.mode = '0754' ) + AND NOT ( + f.path LIKE '/opt/Elastic/Agent/data/elastic-agent%/elastic-agent' + AND f.mode = '0770' + ) \ No newline at end of file diff --git a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql index a75243e..ed384b1 100644 --- a/detection/exfil/yara-unexpected-go-crypt-exec-process.sql +++ b/detection/exfil/yara-unexpected-go-crypt-exec-process.sql @@ -95,6 +95,9 @@ WHERE 'BluejeansHelper', 'docker', 'lima-guestagent', + 'elastic-agent', + 'metricbeat', + 'filebeat', 'containerd-star', 'gopls', 'ollama', 
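Review bot: Adding `'0750'` to the general mode allowlist in unexpected-executable-permissions.sql widens the rule for every executable on the host, not only the Elastic components the commit title names; the 0770 case added in the `@@ -115` hunk of the same file is scoped with `f.path LIKE '/opt/Elastic/Agent/data/elastic-agent%/elastic-agent'`, and a matching `AND NOT (f.path LIKE '/opt/Elastic/Agent/data/elastic-%/components/%' AND f.mode = '0750')` would keep group-executable-only files elsewhere detectable. The beats appear to be the motivation, since the next commit records them at mode 0750 in unexpected-uid0-daemon-linux.sql, but that is inferred. If 0750 is genuinely common outside Elastic, a `-- 0750: <reason>` comment next to the entry would document the choice. The surrounding NOT IN list starts and ends outside the hunk.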
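Review bot: In the `@@ -115` hunk of unexpected-executable-permissions.sql, `f.path LIKE '/opt/Elastic/Agent/data/elastic-agent%/elastic-agent'` lets `%` span directory separators, so any 0770 file named elastic-agent at any depth below `/opt/Elastic/Agent/data/elastic-agent*` is excluded rather than only the versioned top-level binary; if `f.directory` is available in this query, constraining the directory to the single versioned level would narrow it. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which the next edit to this file will have to fix. The enclosing WHERE clause starts outside the hunk.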
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql index bc86050..66c2dc3 100644 --- a/detection/persistence/unexpected-active-systemd-units.sql +++ b/detection/persistence/unexpected-active-systemd-units.sql @@ -271,10 +271,12 @@ WHERE 'systemd-coredump.socket,Process Core Dump Socket,', 'systemd-cryptsetup@cryptdata.service,Cryptography Setup for cryptdata,', 'systemd-cryptsetup@cryptoswap.service,Cryptography Setup for cryptoswap,', + 'ElasticEndpoint.service,ElasticEndpoint,', 'systemd-cryptsetup@cryptswap.service,Cryptography Setup for cryptswap,', 'systemd-fsckd.socket,fsck to fsckd communication Socket,', 'systemd-fsck-root.service,File System Check on Root Device,', 'systemd-growfs@-.service,Grow File System on /,', + 'elastic-agent.service,Elastic Agent is a unified agent to observe, monitor and protect your system.,', 'systemd-homed-activate.service,Home Area Activation,', 'systemd-homed.service,Home Area Manager,', 'loadcpufreq.service,LSB: Load kernel modules needed to enable cpufreq scaling,', diff --git a/detection/persistence/yara-suspicious-strings-process-linux.sql b/detection/persistence/yara-suspicious-strings-process-linux.sql index c225d96..a3b4867 100644 --- a/detection/persistence/yara-suspicious-strings-process-linux.sql +++ b/detection/persistence/yara-suspicious-strings-process-linux.sql @@ -110,6 +110,7 @@ WHERE '/usr/bin/NetworkManager', '/usr/bin/nvidia-persistenced', '/usr/bin/nvim', + '/opt/Elastic/Endpoint/elastic-endpoint', '/usr/bin/pulseaudio', '/usr/bin/sshd', '/usr/bin/sudo', From 1304d6678307b582c179566795efe1a48057caa1 Mon Sep 17 00:00:00 2001 
From: Thomas Stromberg Date: Mon, 8 Jan 2024 17:55:30 -0500 Subject: [PATCH 2/4] Add more Elastic exceptions --- detection/c2/unexpected-https-macos.sql | 1 + detection/c2/unexpected-talker-events.sql | 1 + detection/evasion/hidden-executable.sql | 1 + detection/evasion/old-binaries-running.sql | 1 + .../parent-missing-from-disk-macos.sql | 1 + .../unexpected-execdir-events-macos.sql | 1 + detection/exfil/high_disk_bytes_read.sql | 1 + .../unexpected-webmail-downloads.sql | 1 + .../minimal-socket-client-macos.sql | 1 + .../unexpected-listening-port-macos.sql | 1 + .../unexpected-uid0-daemon-linux.sql | 98 ++++++++++--------- 11 files changed, 61 insertions(+), 47 deletions(-) diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql index 866e286..2935a9d 100644 --- a/detection/c2/unexpected-https-macos.sql +++ b/detection/c2/unexpected-https-macos.sql @@ -166,6 +166,7 @@ WHERE '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out', '500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam', '500,syncthing,syncthing,,syncthing', + '500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop', '500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform', '500,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos' ) diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql index e8be5d4..282061b 100644 --- a/detection/c2/unexpected-talker-events.sql +++ b/detection/c2/unexpected-talker-events.sql @@ -165,6 +165,7 @@ WHERE '500,0,53,launcher', '500,0,53,nessusd', '500,0,53,NetworkManager', + '500,99,32768,Slack', '500,0,53,slack', '500,0,53,spotify', '500,500,32768,G2MUpdate', diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql index 70ff722..6cf5661 100644 --- a/detection/evasion/hidden-executable.sql 
+++ b/detection/evasion/hidden-executable.sql @@ -59,6 +59,7 @@ WHERE AND NOT f.directory LIKE '%/.go/bin' AND NOT f.directory LIKE '%/.rustup/%' AND NOT f.directory LIKE '%/.terraform%' + AND NOT f.directory LIKE '%/.steampipe/db/%' AND NOT f.directory LIKE '%/.docker/cli-plugins' AND NOT f.directory LIKE '%/.cursor/%' AND NOT f.directory LIKE '%/.tflint.d/%' diff --git a/detection/evasion/old-binaries-running.sql b/detection/evasion/old-binaries-running.sql index 136cc4d..de0cfa5 100644 --- a/detection/evasion/old-binaries-running.sql +++ b/detection/evasion/old-binaries-running.sql @@ -46,6 +46,7 @@ WHERE '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService', '/Library/Printers/Brother/Utilities/BrStatusMonitor.app/Contents/MacOS/BrStatusMonitor', '/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver', + '/Applications/Vimari.app/Contents/PlugIns/Vimari Extension.appex/Contents/MacOS/Vimari Extension', '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver', '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl', '/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS/USBserver', diff --git a/detection/evasion/parent-missing-from-disk-macos.sql b/detection/evasion/parent-missing-from-disk-macos.sql index a4533d7..f82319d 100644 --- a/detection/evasion/parent-missing-from-disk-macos.sql +++ b/detection/evasion/parent-missing-from-disk-macos.sql @@ -73,6 +73,7 @@ WHERE AND pp.path NOT IN ( "", "/sbin/launchd", + '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper', "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)", "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper" ) 
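Review bot: In parent-missing-from-disk-macos.sql the added `'/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper'` duplicates the double-quoted entry that already closes the same `pp.path NOT IN (...)` list two lines below. If the double-quoted form was observed not to match (SQLite reads `"..."` as an identifier first and only falls back to a string literal), the fix is to convert the existing `""`, `"/sbin/launchd"` and both Code Helper entries to single quotes and drop the new line; otherwise the new line is dead and should be removed. The WHERE clause around the list continues outside the hunk.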
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql index 146ad07..ed2a81a 100644 --- a/detection/execution/unexpected-execdir-events-macos.sql +++ b/detection/execution/unexpected-execdir-events-macos.sql @@ -155,6 +155,7 @@ WHERE '/Volumes/Slack/Slack.app', '/opt/homebrew/Caskroom', '/opt/homebrew/Cellar', + '/Library/Elastic/Agent', '/opt/homebrew/Library', '/private/var/kolide-k2', '/usr/libexec/AssetCache', diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql index 8e8c240..23577be 100644 --- a/detection/exfil/high_disk_bytes_read.sql +++ b/detection/exfil/high_disk_bytes_read.sql @@ -63,6 +63,7 @@ WHERE 'baloo_file', 'baloo_file_extr', 'bash', + 'apko', 'bwrap', 'cargo', 'chrome', diff --git a/detection/initial_access/unexpected-webmail-downloads.sql b/detection/initial_access/unexpected-webmail-downloads.sql index ee5633b..af8add0 100644 --- a/detection/initial_access/unexpected-webmail-downloads.sql +++ b/detection/initial_access/unexpected-webmail-downloads.sql @@ -36,6 +36,7 @@ WHERE 'doc', 'docx', 'dwg', + 'rtf', 'eml', 'eps', 'gif', diff --git a/detection/persistence/minimal-socket-client-macos.sql b/detection/persistence/minimal-socket-client-macos.sql index 7bd52ac..b887157 100644 --- a/detection/persistence/minimal-socket-client-macos.sql +++ b/detection/persistence/minimal-socket-client-macos.sql @@ -62,6 +62,7 @@ WHERE AND exception_key NOT IN ( '500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden', '500,Final Cut Pro,/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro', + '500,Clipy,/Applications/Clipy.app/Contents/MacOS/Clipy', '500,Evernote,/Applications/Evernote.app/Contents/MacOS/Evernote', '500,Skitch,/Applications/Skitch.app/Contents/MacOS/Skitch', '500,Macdown,/Applications/MacDown.app/Contents/MacOS/MacDown', 
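Review bot: `'rtf'` in unexpected-webmail-downloads.sql is added with no comment; if this list is the set of extensions the rule does not report (which the neighbouring `gif`/`eps` entries suggest), RTF attachments saved from webmail stop being surfaced, and RTF, like the `doc`/`docx` entries already present, is a document format that has historically carried exploits, so a `-- document formats accepted for noise reasons; doc/docx/rtf are exploit carriers` comment above the list would make that acceptance visible. The entry is also out of the list's alphabetical order (between `dwg` and `eml`), as are `'apko'` after `'bash'` in high_disk_bytes_read.sql, `'/Library/Elastic/Agent'` between the homebrew paths in unexpected-execdir-events-macos.sql, and the Plex, Vimari and Brackets-node entries in the other hunks of this commit. The list starts and ends outside the hunk.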
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql index 3442132..e3e966f 100644 --- a/detection/persistence/unexpected-listening-port-macos.sql +++ b/detection/persistence/unexpected-listening-port-macos.sql @@ -137,6 +137,7 @@ WHERE '546,17,0,configd,Software Signing', '547,17,500,dhcp6d,Software Signing', '5900,6,0,launchd,Software Signing', + '8125,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)', '5900,6,0,screensharingd,Software Signing', '5990,6,500,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)', '6000,6,500,X11.bin,Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)', diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql index 1df8f99..0e645a4 100644 --- a/detection/persistence/unexpected-uid0-daemon-linux.sql +++ b/detection/persistence/unexpected-uid0-daemon-linux.sql 
@@ -74,18 +74,6 @@ WHERE AND p0.path != "" AND p0.start_time < (strftime('%s', 'now') - 1200) AND exception_key NOT IN ( - '(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755', - 'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755', - 'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755', - 'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755', - '.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555', - '/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755', - 'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755', - 'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755', - 'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755', - 'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555', - 'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755', - 'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755', 'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755', 'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755', 'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755', @@ -97,7 +85,6 @@ WHERE 'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555', 'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755', 'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755', - 'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755', 'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755', 'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755', 'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755', 
@@ -106,29 +93,29 @@ WHERE 'atd,/usr/sbin/atd,0,system.slice,atd.service,0755', 'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755', 'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755', - 'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755', + 'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755', 'blueman-mechanism.service,Bluetooth management mechanism,,200', + 'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755', 'bluetoothd,/usr/lib/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755', 'bluetoothd,/usr/libexec/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755', 'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755', - 'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-78.slice,0555', 'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755', - 'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755', 'bpfilter_umh,/bpfilter_umh,0,,,', 'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755', 'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555', - 'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755', - 'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755', 'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755', 'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755', - 'cron,/usr/sbin/cron,0,system.slice,cron.service,0755', + 'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755', + 'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755', 'crond,/usr/bin/crond,0,system.slice,cronie.service,0755', 'crond,/usr/sbin/crond,0,system.slice,crond.service,0755', + 'cron,/usr/sbin/cron,0,system.slice,cron.service,0755', 'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755', 'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700', 
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755', 'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755', 'dbus-launch,/usr/bin/dbus-launch,0,user.slice,user-1000.slice,0755', + 'dconf-service,/usr/libexec/dconf-service,0,user.slice,user-1000.slice,0755', 'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755', 'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555', 'dirmngr,/usr/bin/dirmngr,0,system.slice,archlinux-keyring-wkd-sync.service,0755', 
@@ -136,67 +123,74 @@ WHERE 'dnsmasq,/usr/bin/dnsmasq,0,system.slice,libvirtd.service,0755', 'dnsmasq,/usr/sbin/dnsmasq,0,system.slice,libvirtd.service,0755', 'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755', - 'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755', - 'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755', - 'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755', 'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555', 'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755', + 'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755', + 'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755', + 'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755', + 'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755', + 'elastic-endpoin,/opt/Elastic/Endpoint/elastic-endpoint,0,elasticendpoint,,0500', 'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755', - 'login,/usr/bin/login,0,user.slice,user-1000.slice,0755', + 'firewalld,/usr/bin/python3.12,0,system.slice,firewalld.service,0755', 'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755', 'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755', - 'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755', 'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755', + 'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755', 'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755', - 'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755', 'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755', 'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755', - 'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755', 
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755', - 'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755', - 'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755', - 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755', - 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755', + 'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755', + 'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755', 'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755', 'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755', - 'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755', + 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755', + 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755', + 'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755', + 'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755', 'geoclue.service,Location Lookup Service,geoclue,500', 'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755', 'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755', 'gpg-agent,/usr/bin/gpg-agent,0,user.slice,user-1000.slice,0755', 'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755', - 'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755', 'gvfsd-fuse,/usr/libexec/gvfsd-fuse,0,user.slice,user-1000.slice,0755', + 'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755', 'haproxy,/usr/sbin/haproxy,0,system.slice,haproxy.service,0755', - 'iio-sensor-prox,/usr/lib/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755', 'iio-sensor-prox,/usr/libexec/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755', + 'iio-sensor-prox,/usr/lib/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755', 'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755', 'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755', 
'launcher,/nix/store/__VERSION__/bin/launcher,0,system.slice,kolide-launcher.service,0555', + 'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755', 'launcher,/usr/local/kolide-k2/bin/launcher-updates/__VERSION__/launcher,0,system.slice,launcher.kolide-k2.service,0755', 'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755', 'lightdm,/nix/store/__VERSION__/bin/lightdm,0,system.slice,display-manager.service,0555', 'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-1000.slice,0555', + 'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-78.slice,0555', 'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755', 'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755', 'lightdm,/usr/bin/lightdm,0,user.slice,user-974.slice,0755', 'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755', + 'login,/usr/bin/login,0,user.slice,user-1000.slice,0755', 'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755', 'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755', + 'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755', 'multipathd,/usr/sbin/multipathd,0,system.slice,multipathd.service,0755', - 'nessus-service,/opt/nessus/sbin/nessus-service,0,system.slice,nessusd.service,0755', 'nessusd,/opt/nessus/sbin/nessusd,0,system.slice,nessusd.service,0755', + 'nessus-service,/opt/nessus/sbin/nessus-service,0,system.slice,nessusd.service,0755', 'networkd-dispat,/usr/bin/python3.10,0,system.slice,networkd-dispatcher.service,0755', + 'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755', + 'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755', 'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555', 'nm-dispatcher,/usr/lib/nm-dispatcher,0,system.slice,NetworkManager-dispatcher.service,0755', 
'nm-openvpn-serv,/usr/libexec/nm-openvpn-service,0,system.slice,NetworkManager.service,0755', 'nvidia-powerd,/usr/bin/nvidia-powerd,0,system.slice,nvidia-powerd.service,0755', 'orbit,/opt/orbit/bin/orbit/linux/stable/orbit,0,system.slice,orbit.service,0755', - 'osquery-extensi,/nix/store/__VERSION__/bin/osquery-extension.ext,0,system.slice,kolide-launcher.service,0555', 'osqueryd,/nix/store/__VERSION__/bin/osqueryd,0,system.slice,kolide-launcher.service,0555', 'osqueryd,/opt/orbit/bin/osqueryd/linux/stable/osqueryd,0,system.slice,orbit.service,0755', 'osqueryd,/usr/local/kolide-k2/bin/osqueryd,0,system.slice,launcher.kolide-k2.service,0755', 'osqueryd,/usr/local/kolide-k2/bin/osqueryd-updates/__VERSION__/osqueryd,0,system.slice,launcher.kolide-k2.service,0755', + 'osquery-extensi,/nix/store/__VERSION__/bin/osquery-extension.ext,0,system.slice,kolide-launcher.service,0555', 'osqueryi,/usr/bin/osqueryd,0,user.slice,user-1000.slice,0755', 'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755', 'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755', 
@@ -204,37 +198,38 @@ WHERE 'pcscd,/usr/sbin/pcscd,0,system.slice,pcscd.service,0755', 'perl,/nix/store/__VERSION__/bin/perl,0,system.slice,znapzend.service,0555', 'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755', - 'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755', 'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755', + 'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755', 'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700', 'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700', 'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755', 'runc,/usr/bin/runc,0,system.slice,docker.service,0755', 'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755', 'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755', - 'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755', 'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755', + 'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755', + '(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755', 'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755', 'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555', 'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755', 'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755', - 'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755', 'snapd,/usr/libexec/snapd/snapd,0,system.slice,snapd.service,0755', - 'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555', + 'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755', 'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555', 'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555', 
'sshd,/usr/bin/sshd,0,system.slice,sshd.service,0755', 'sshd,/usr/bin/sshd,0,user.slice,user-1000.slice,0755', - 'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755', 'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755', + 'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755', 'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755', + 'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755', + 'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555', 'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755', - 'su,/usr/bin/su,0,user.slice,user-1000.slice,4755', 'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111', 'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755', 'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755', + 'su,/usr/bin/su,0,user.slice,user-1000.slice,4755', 'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755', - 'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755', 'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555', 'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755', 'systemd-hostnam,/usr/lib/systemd/systemd-hostnamed,0,system.slice,systemd-hostnamed.service,0755', 
@@ -249,18 +244,22 @@ WHERE 'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755', 'systemd-userdbd,/usr/lib/systemd/systemd-userdbd,0,system.slice,systemd-userdbd.service,0755', 'systemd-userwor,/usr/lib/systemd/systemd-userwork,0,system.slice,systemd-userdbd.service,0755', + 'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755', 'tailscaled,/usr/bin/tailscaled,0,system.slice,tailscaled.service,0755', 'tailscaled,/usr/sbin/tailscaled,0,system.slice,tailscaled.service,0755', + '.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555', + 'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755', 'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755', 'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555', - 'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755', 'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755', + 'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755', 'unattended-upgr,/usr/bin/python3.10,0,system.slice,unattended-upgrades.service,0755', 'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755', 'unattended-upgr,/usr/bin/python__VERSION__,0,system.slice,unattended-upgrades.service,0755', - 'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755', 'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755', + 'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755', 'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755', + '/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755', 'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700', 'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755', 'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755', 
@@ -270,17 +269,22 @@ WHERE 'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755', 'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755', 'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755', + 'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555', + 'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755', + 'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755', 'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755', 'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555', 'zed,/usr/sbin/zed,0,system.slice,zfs-zed.service,0755', + 'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555', + 'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555', 'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-frequent.service,0555', 'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-hourly.service,0555', - 'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555', - 'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555', - 'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555' + 'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555' ) AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755' AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755' + AND NOT exception_key LIKE '%beat,/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,0750' + AND NOT exception_key LIKE 'elastic-agent,/opt/Elastic/Agent/data/elastic-agent-%/elastic-agent,0,system.slice,elastic-agent.service,0770' AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash') AND NOT p0.cgroup_path LIKE 
'/system.slice/docker-%' GROUP BY From c2c29a1a524e64cf747fc69360fca9b8be314053 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Mon, 8 Jan 2024 18:47:36 -0500 Subject: [PATCH 3/4] Optimize performance with Google Chrome image mounted --- detection/initial_access/sketchy-mounted-diskimage.sql | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/detection/initial_access/sketchy-mounted-diskimage.sql b/detection/initial_access/sketchy-mounted-diskimage.sql index 5703304..e4183a8 100644 --- a/detection/initial_access/sketchy-mounted-diskimage.sql +++ b/detection/initial_access/sketchy-mounted-diskimage.sql @@ -36,7 +36,7 @@ FROM WHERE file.path IN ( SELECT - file.path + DISTINCT file.path FROM block_devices JOIN mounts ON mounts.device = block_devices.name @@ -52,6 +52,11 @@ WHERE AND mounts.path LIKE "/Volumes/%" -- osquery will traverse symlinks, this prevents following symlinks to /Applications (poorly) AND file.path NOT LIKE "/Volumes/%/Applications/%" + AND file.path NOT LIKE "/Volumes/%/ /%" + AND NOT ( + file.type != "regular" + AND file.directory LIKE '%/Contents/Resources/' + ) ) AND ( -- Rule 0. App binaries that are hidden, like WnBJLaF/1302.app/Contents/MacOS/1302 (1302.app) From 875125fc9472fba6957805b856cb29eabac3079e Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Mon, 8 Jan 2024 19:07:57 -0500 Subject: [PATCH 4/4] Add exceptions for Elastic Defend & Rapid7 InsightIDR --- detection/c2/unexpected-https-macos.sql | 25 +++-- .../unexpected-dev-opener-macos.sql | 3 +- .../discovery/unexpected-pcap-user-macos.sql | 3 +- .../evasion/unexpected-var-run-macos.sql | 1 + ...ected-security-framework-program-macos.sql | 104 +++++++++--------- ...yara-recently-downloaded-go-crypt-exec.sql | 2 +- .../unexpected-launchd-program-arguments.sql | 2 + .../unexpected-launchd-program-macos.sql | 9 +- .../unexpected-uid0-daemon-macos.sql | 2 + 9 files changed, 84 insertions(+), 67 deletions(-) 
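Review bot: The new `AND NOT exception_key LIKE '%beat,/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,0750'` opens with a wildcard, so any root process whose name ends in `beat`, running from any path ending in `beat` under the components directory, is excluded; the other files in this series enumerate `filebeat` and `metricbeat` explicitly, and two literal patterns (`LIKE 'filebeat,/opt/Elastic/Agent/data/elastic-%/components/filebeat,...'` and the metricbeat twin) would be both consistent and tighter unless further beats are expected. A `-- wildcard covers the agent's version directory` comment would also explain why these two are LIKE clauses rather than NOT IN entries, since nothing in the file says so. The re-sorting of the NOT IN list above is otherwise a pure move; the hunk starts outside this line and the GROUP BY continues past it.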
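Review bot: `SELECT DISTINCT file.path` inside the `file.path IN (...)` subquery of sketchy-mounted-diskimage.sql is, as far as I can tell, a no-op for the planner, since `IN` is a membership test and SQLite typically materialises the subquery into a deduplicated ephemeral index anyway; if the change measurably helped, a `-- DISTINCT: keep, measured with EXPLAIN QUERY PLAN` comment with the observed figures would stop a later cleanup from reverting it, and if it did not, the `JOIN mounts` fan-out and the filters in the next hunk are the more likely cost. The subquery continues outside the hunk.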
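Review bot: `AND file.path NOT LIKE "/Volumes/%/ /%"` excludes every mounted image that contains a directory named with a single space, and nothing in the file says which image that is; the commit title points at Google Chrome's, so a comment such as `-- Google Chrome's disk image contains a " " resources directory` above the line, and scoping the pattern to that volume if its mount name is stable, would keep unrelated images with the same layout inspected. The same hunk mixes `"/Volumes/%/ /%"` and `'%/Contents/Resources/'` quoting; SQLite reads double quotes as identifiers first, so single quotes for string literals would be the safer consistent choice. The `-- Rule 0` block that follows starts here and continues outside the hunk.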
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 2935a9d..3616059 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -112,16 +112,20 @@ WHERE '0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup', '0,com.fortinet.forticlient.macos.vpn.nwextension,com.fortinet.forticlient.macos.vpn.nwextension,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),com.fortinet.forticlient.macos.vpn.nwextension', '0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension', + '0,elastic-agent,elastic-agent,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.elastic-agent', + '0,elastic-endpoint,elastic-endpoint,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.endpoint', + '0,filebeat,filebeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),filebeat', + '0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension', + '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),ir_agent', '0,kandji-daemon,kandji-daemon,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-daemon', '0,kandji-library-manager,kandji-library-manager,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-library-manager', '0,kandji-parameter-agent,kandji-parameter-agent,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-parameter-agent', '0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent', '0,logioptionsplus_installer,logioptionsplus_installer,Developer ID Application: Logitech Inc. (QED4VVPZWA),com.logi.optionsplus.installer', + '0,metricbeat,metricbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),metricbeat', '0,multipassd,multipassd,Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.multipassd', '0,nessusd,nessusd,Developer ID Application: Tenable, Inc. 
(4B8J598M7U),nessusd', '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy', - '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal', - '500,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer', '500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper', '500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper', '500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper', 
@@ -129,32 +133,33 @@ WHERE '500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode', '500,Elgato Capture Device Utility,Elgato Capture Device Utility,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.CaptureDeviceUtility', '500,Fleet,~/Library/Caches/JetBrains/Fleet', + '500,GitX,GitX,Developer ID Application: Farhan Ahmed (4RZN52RN5P),net.phere.GitX', + '500,Google Chrome Helper,Google Chrome Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper', '500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer', '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications', '500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater', '500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen', '500,OneDriveStandaloneUpdater,OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.OneDriveStandaloneUpdater', + '500,PSI Bridge Secure Browser Helper,PSI Bridge Secure Browser Helper,Developer ID Application: PSI Services LLC (73AT498HPV),com.psiexams.psi-bridge-secure-browser.helper', '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush', + '500,Plex,Plex,Developer ID Application: Plex Inc. 
(K4QJ56KR4A),tv.plex.desktop', '500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex', + '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal', '500,Reflect Helper,Reflect Helper,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop', '500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop', + '500,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer', + '500,Slack Helper,Slack Helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper', + '500,Slack,Slack,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap', '500,SteelSeriesEngine,SteelSeriesEngine,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesEngine', '500,SteelSeriesGG,SteelSeriesGG,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesGG', - '500,GitX,GitX,Developer ID Application: Farhan Ahmed (4RZN52RN5P),net.phere.GitX', '500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit', '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),TwitchStudioStreamDeck', '500,bash,bash,,bash', - '500,Google Chrome Helper,Google Chrome Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper', - '500,Slack Helper,Slack Helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper', - '500,Slack,Slack,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap', - '0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. 
(W5364U7YZB),io.tailscale.ipn.macsys.network-extension', '500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler', '500,cloud_sql_proxy,cloud_sql_proxy,,a.out', '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4', '500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go', - '500,PSI Bridge Secure Browser Helper,PSI Bridge Secure Browser Helper,Developer ID Application: PSI Services LLC (73AT498HPV),com.psiexams.psi-bridge-secure-browser.helper', '500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype', - '500,plugin_host-3.3,plugin_host-3.3,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4),plugin_host-3', '500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch', '500,melange,melange,,a.out', '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out', @@ -162,11 +167,11 @@ WHERE '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node', '500,old,old,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN),dev.warp.Warp-Stable', '500,op,op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C),com.1password.op', + '500,plugin_host-3.3,plugin_host-3.3,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4),plugin_host-3', '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch', '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out', '500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam', '500,syncthing,syncthing,,syncthing', - '500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop', '500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform', '500,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos' ) 
diff --git a/detection/credentials/unexpected-dev-opener-macos.sql b/detection/credentials/unexpected-dev-opener-macos.sql index 4cbb4ad..2a9302d 100644 --- a/detection/credentials/unexpected-dev-opener-macos.sql +++ b/detection/credentials/unexpected-dev-opener-macos.sql @@ -75,8 +75,9 @@ WHERE AND p0.path NOT LIKE '/usr/sbin/%' AND exception_key NOT IN ( '/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond', - '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd', + '/dev/auditpipe,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),ir_agent', '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),io.osquery.agent', + '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd', '/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred', '/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver', '/dev/auditsessions,authd,Software Signing,com.apple.authd', diff --git a/detection/discovery/unexpected-pcap-user-macos.sql b/detection/discovery/unexpected-pcap-user-macos.sql index ccb4638..e470733 100644 --- a/detection/discovery/unexpected-pcap-user-macos.sql +++ b/detection/discovery/unexpected-pcap-user-macos.sql @@ -66,7 +66,8 @@ WHERE 'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', 'Apple Mac OS Application Signing', 'Developer ID Application: Kolide Inc (YZ3EM74M78)', - 'Developer ID Application: Docker Inc (9BNSXJN65R)' + 'Developer ID Application: Docker Inc (9BNSXJN65R)', + 'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)' ) GROUP BY p0.pid diff --git a/detection/evasion/unexpected-var-run-macos.sql b/detection/evasion/unexpected-var-run-macos.sql index 14bbd64..88576d5 100644 --- a/detection/evasion/unexpected-var-run-macos.sql +++ b/detection/evasion/unexpected-var-run-macos.sql 
@@ -62,5 +62,6 @@ WHERE 'utmpx', 'wifi' ) + AND NOT file.filename LIKE '%.pid' GROUP BY file.path; diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql index 3d3a623..1471aab 100644 --- a/detection/execution/unexpected-security-framework-program-macos.sql +++ b/detection/execution/unexpected-security-framework-program-macos.sql 
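Review bot: The new `AND NOT file.filename LIKE '%.pid'` exempts any entry in the scanned /var/run tree purely by name suffix, so a payload, socket or directory dropped as `something.pid` is no longer reported by this evasion rule. A pid file is a short decimal string in a regular file, so tighten the exception to that shape, e.g. `AND NOT (file.filename LIKE '%.pid' AND file.type = 'regular' AND file.size < 32)` (assuming the `file` table's `type` and `size` columns are in scope here, as `filename` is), so that a large or non-regular `.pid` entry still surfaces. The WHERE clause this sits in starts above the hunk.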
@@ -78,125 +78,127 @@ WHERE ) AND pmm.path LIKE '%Security.framework%' AND exception_key NOT IN ( + '0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', + '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,nix,nix,', '0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '0,velociraptor,a.out,', + '500,.cargo-wrapped,.cargo-wrapped,', '500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)', '500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', - '500,bash,bash,', - '500,Evernote Helper (GPU),com.evernote.Evernote.helper.GPU,Apple Mac OS Application Signing', - '500,Speedtest,com.ookla.speedtest-macos,Apple Mac OS Application Signing', - '500,bash,com.apple.bash,Software Signing', - '500,nvim,nvim,', - '500,keyboxd,keyboxd,', '500,Bazecor Helper,,', - '500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing', - '500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing', '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing', '500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing', + '500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing', + '500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing', '500,BloomRPC Helper,,', - '500,bufls,a.out,', - '500,.cargo-wrapped,.cargo-wrapped,', - '500,chainctl,a.out,', '500,Chromium,Chromium,', + '500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing', + '500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing', + '500,Duckly Helper (Renderer),Electron Helper (Renderer),', + '500,Duckly Helper,Electron Helper,', + '500,Duckly,Electron,', + 
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)', + '500,Evernote Helper (GPU),com.evernote.Evernote.helper.GPU,Apple Mac OS Application Signing', + '500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing', + '500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing', + '500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing', + '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing', + '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)', + '500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing', + '500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing', + '500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing', + '500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing', + '500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing', + '500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing', + '500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing', + '500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing', + '500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing', + '500,PrinterProxy,com.apple.print.PrinterProxy,', + '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,', + '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + '500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + '500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + 
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing', + '500,Speedtest,com.ookla.speedtest-macos,Apple Mac OS Application Signing', + '500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)', + '500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing', + '500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing', + '500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing', + '500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing', + '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing', + '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', + '500,WinAppHelper,,', + '500,WinAppHelper,WinAppHelper,', + '500,bash,bash,', + '500,bash,com.apple.bash,Software Signing', + '500,bufls,a.out,', + '500,chainctl,a.out,', '500,clangd,clangd,', '500,cloud-sql-proxy,a.out,', - '500,cloud_sql_proxy,a.out,', '500,cloud-sql-proxy.darwin.arm64,a.out,', + '500,cloud_sql_proxy,a.out,', '500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,', - '500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing', '500,cosign,a.out,', '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,', '500,crane,a.out,', '500,debug.test,a.out,', '500,dive,a.out,', - '500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing', '500,dlv,a.out,', '500,docker,a.out,', - '500,Duckly,Electron,', - '500,Duckly Helper,Electron Helper,', - '500,Duckly Helper (Renderer),Electron Helper (Renderer),', - '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)', '500,epdfinfo,epdfinfo,', '500,esbuild,,', '500,esbuild,a.out,', - '500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing', - '500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application 
Signing', - '500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing', '500,fake,a.out,', - '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing', '500,git,git,', '500,gitsign,a.out,', '500,gitsign-credential-cache,a.out,', - '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)', '500,gke-gcloud-auth-plugin,a.out,', '500,go,a.out,', '500,gopls,a.out,', '500,gopls,gopls,', - '500,monday.com,com.monday.desktop,Apple Mac OS Application Signing', '500,gpg-agent,gpg-agent,', - '500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing', - '500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing', '500,hugo,a.out,', - '500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing', '500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)', '500,ipcserver.old,,', '500,k9s,a.out,', + '500,keyboxd,keyboxd,', '500,ko,,', '500,ko,a.out,', '500,kubectl,a.out,', '500,lua-language-server,lua-language-server,', - '500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing', '500,mattermost,a.out,', - '500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing', - '500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing', - '500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing', - '500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing', '500,melange,a.out,', '500,melange-run,a.out,', - '500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing', '500,monday.com Helper (GPU),com.monday.desktop.helper.GPU,Apple Mac OS Application Signing', '500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing', + '500,monday.com 
Helper,com.monday.desktop.helper,Apple Mac OS Application Signing', + '500,monday.com,com.monday.desktop,Apple Mac OS Application Signing', '500,monorail,a.out,', - '500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing', + '500,nvim,nvim,', '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '500,plugin-darwin-arm64,a.out,', - '500,PrinterProxy,com.apple.print.PrinterProxy,', '500,registry,a.out,', '500,registry-redirect,a.out,', - '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,', '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,', '500,scdaemon,scdaemon,', '500,sdaudioswitch,,', '500,sdaudioswitch,sdaudioswitch,', '500,sdzoomplugin,,', - '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing', - '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', - '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', - '500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', - '500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', '500,snyk-ls_darwin_arm64,a.out,', '500,ssh,ssh,', - '500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)', '500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)', '500,stern,a.out,', '500,syncthing,syncthing,', - '500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing', '500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator '500,tflint,a.out,', '500,tflint-ruleset-aws,a.out,', '500,tflint-ruleset-google,a.out,', '500,timestamp-server,a.out,', - '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing', - '500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing', - '500,Todoist Helper 
(GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing', - '500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing', - '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', '500,vim,,', - '500,vim,vim,', - '500,WinAppHelper,,', - '500,WinAppHelper,WinAppHelper,' + '500,vim,vim,' ) AND NOT ( exception_key LIKE '500,%,a.out,' diff --git a/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql b/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql index c222e13..e436bb8 100644 --- a/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql +++ b/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql @@ -42,4 +42,4 @@ WHERE }' AND yara.count > 0 AND file.path NOT LIKE '/Users/%/Downloads/chainctl%' - AND file.filename NOT IN ('grype', 'chainctl') + AND file.filename NOT IN ('grype', 'chainctl', 'elastic-agent') diff --git a/detection/persistence/unexpected-launchd-program-arguments.sql b/detection/persistence/unexpected-launchd-program-arguments.sql index f41e7cd..09feab9 100644 --- a/detection/persistence/unexpected-launchd-program-arguments.sql +++ b/detection/persistence/unexpected-launchd-program-arguments.sql @@ -62,6 +62,8 @@ WHERE 'Developer ID Application: Sanford, L.P. (N3S6676K3E)', -- DYMO 'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)', 'Developer ID Application: Tenable, Inc. (4B8J598M7U)', + 'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', + 'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)', 'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)', 'Software Signing', -- Apple 'yabai-cert' diff --git a/detection/persistence/unexpected-launchd-program-macos.sql b/detection/persistence/unexpected-launchd-program-macos.sql index 5924e1f..4c42c04 100644 --- a/detection/persistence/unexpected-launchd-program-macos.sql +++ b/detection/persistence/unexpected-launchd-program-macos.sql 
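Review bot: The only functional change in this hunk is the two `0,ir_agent,…` rows added at the top of the exception list; everything else is a re-sort, and mixing the two makes it hard to confirm no exception was silently dropped (as far as I can trace it, the removed and re-added rows do balance). The first new row, `'0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)'`, carries `bootstrap` in the slot where the other rows have a bundle identifier; if that is the agent's install-time identity it deserves a trailing comment such as `-- ir_agent during initial bootstrap`, in the style of the existing `-- Xcode iPhone emulator` annotation. Consider landing re-sorts as their own commit. The exception list continues above the hunk start.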
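Review bot: `file.filename NOT IN ('grype', 'chainctl', 'elastic-agent')` now exempts any recently downloaded file named `elastic-agent` from the Go crypt/exec YARA match purely by basename, and naming a dropper after an EDR agent costs an attacker nothing, so this is a direct evasion for an exfil-category rule. Anchor the exception to something less attacker-controlled, as the `chainctl` exception above already does with a path pattern: e.g. `AND NOT (file.filename = 'elastic-agent' AND file.path LIKE '%/elastic-agent-%/elastic-agent')` if the extracted tarball layout is the versioned directory it appears to be, or better, join the `signature` table and require the Elasticsearch Developer ID, as the macOS https rule in this same PR does.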
@@ -33,19 +33,22 @@ WHERE 'Developer ID Application: Adobe Inc. (JQ525L2MZD)', 'Developer ID Application: Canonical Group Limited (X4QN7LTP59)', 'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)', - 'Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)', 'Developer ID Application: Docker Inc (9BNSXJN65R)', - 'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)', - 'Developer ID Application: Ilya Parniuk (ACC5R6RH47)', + 'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)', 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)', 'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)', + 'Developer ID Application: Ilya Parniuk (ACC5R6RH47)', + 'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)', + 'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)', 'Developer ID Application: Kandji, Inc. (P3FGV63VK7)', 'Developer ID Application: Logitech Inc. (QED4VVPZWA)', 'Developer ID Application: Louis Pontoise (QXD7GW8FHY)', 'Developer ID Application: Microsoft Corporation (UBF8T346G9)', 'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)', 'Developer ID Application: Oracle America, Inc. (VB5E2TV963)', + 'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', 'Developer ID Application: Valve Corporation (MXGJJ98X76)', + 'Developer ID Application: Wireshark Foundation (7Z6EMTD2C6)', 'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)', 'Software Signing' ) diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql index 2886d5a..f60f744 100644 --- a/detection/persistence/unexpected-uid0-daemon-macos.sql +++ b/detection/persistence/unexpected-uid0-daemon-macos.sql 
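Review bot: `'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)'` is added twice in this hunk — once after Docker and again between Ilya Parniuk and Jonathan Bullard. The duplicate is harmless to the `IN (...)`, but the second copy also breaks the alphabetical order the rest of the list keeps and looks like a rebase leftover; drop it. The allowlist continues above the hunk start.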
@@ -306,6 +306,8 @@ WHERE -- Focus on longer-running programs 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)', 'Developer ID Application: Ecamm Network, LLC (5EJH68M642)', 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)', + 'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)', + 'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', 'Developer ID Application: Foxit Corporation (8GN47HTP75)', 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)', 'Developer ID Application: Google LLC (EQHXZ8M8AV)',
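Review bot: The two new authorities, Elasticsearch and Rapid7, are inserted between Fortinet and Foxit, breaking the alphabetical order the surrounding rows follow (Dropbox, Ecamm, Fortinet, Foxit, Fumihiko, Google); move Elasticsearch to just after Ecamm and Rapid7 to its place later in the list so future diffs stay reviewable. Exempting a whole signing authority from the uid-0 daemon check also covers every binary Elastic or Rapid7 signs, not just the agent daemons; that matches the file's existing convention, but a trailing comment naming the product (`-- Elastic Agent / Endpoint`, `-- Rapid7 InsightIDR`) would record why the row exists, as the `-- DYMO` annotation does elsewhere in this PR. The list continues above the hunk start.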