Merge to master

This commit is contained in:
Thomas Stromberg 2023-09-01 17:34:36 -04:00
commit 190e8adcfd
35 changed files with 492 additions and 414 deletions


@ -80,6 +80,8 @@ WHERE
'Meeting Center,8.8.8.8,53',
'signal-desktop,8.8.8.8,53',
'slack,8.8.8.8,53',
'EpicWebHelper,8.8.4.4,53',
'EpicWebHelper,8.8.8.8,53',
'Signal Helper (Renderer),8.8.8.8,53',
'plugin-container,8.8.8.8,53',
'WhatsApp,1.1.1.1,53',


@ -85,11 +85,13 @@ WHERE
)
-- Local DNS servers and custom clients go here
AND p.path NOT IN (
'/usr/lib/systemd/systemd-resolved',
'/usr/sbin/mDNSResponder',
'/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
'/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper',
'/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS/IPNExtension',
'/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking',
'/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper'
'/usr/bin/tailscaled',
'/usr/lib/systemd/systemd-resolved',
'/usr/sbin/mDNSResponder'
)
AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
-- Workaround for the GROUP_CONCAT subselect adding a blank ent


@ -57,6 +57,7 @@ WHERE
AND s.remote_address NOT LIKE 'fc00:%'
AND p.path != ''
AND NOT exception_key IN (
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'0,apk,u,g,apk',
'0,applydeltarpm,0u,0g,applydeltarpm',
'0,bash,0u,0g,bash',
@ -98,24 +99,34 @@ WHERE
'0,systemctl,0u,0g,systemctl',
'0,tailscaled,0u,0g,tailscaled',
'0,tailscaled,500u,500g,tailscaled',
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'0,velociraptor,0u,0g,velociraptor_cl',
'105,http,0u,0g,https',
'106,geoclue,0u,0g,geoclue',
'129,fwupdmgr,0u,0g,fwupdmgr',
'42,http,0u,0g,https',
'500,1password,0u,0g,1password',
'500,Brackets,0u,0g,Brackets',
'500,Discord,0u,0g,Discord',
'500,Discord,u,g,Discord',
'500,Keybase,0u,0g,Keybase',
'500,Logseq,u,g,Logseq',
'500,Melvor Idle,500u,500g,exe',
'500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
'500,WPILibInstaller,500u,500g,WPILibInstaller',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,___go_build_main_go,500u,500g,___go_build_mai',
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,act,0u,0g,act',
'500,apk,500u,500g,apk',
'500,apk,u,g,apk',
'500,apko,500u,500g,apko',
'500,apko,u,g,apko',
'500,apk,u,g,apk',
'500,aws,0u,0g,aws',
'500,aws,500u,500g,aws',
'500,bash,0u,0g,bash',
'500,beeper,u,g,beeper',
'500,bom,500u,500g,bom',
'500,bom-linux-amd64,500u,500g,bom-linux-amd64',
'500,Brackets,0u,0g,Brackets',
'500,brave,0u,0g,brave',
'500,buildkitd,500u,500g,buildkitd',
'500,buildkite-agent,500u,500g,buildkite-agent',
@ -127,6 +138,7 @@ WHERE
'500,chainctl,500u,500g,chainctl',
'500,chainctl,500u,500g,docker-credenti',
'500,chrome,0u,0g,chrome',
'500,chrome,u,g,chrome',
'500,cilium,500u,123g,cilium',
'500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'500,code,0u,0g,code',
@ -139,8 +151,6 @@ WHERE
'500,crane,0u,0g,crane',
'500,crane,500u,500g,crane',
'500,curl,0u,0g,curl',
'500,Discord,0u,0g,Discord',
'500,Discord,u,g,Discord',
'500,docker,0u,0g,docker',
'500,docker-buildx,0u,0g,docker-buildx',
'500,eksctl,0u,0g,eksctl',
@ -149,9 +159,9 @@ WHERE
'500,evolution-addressbook-factory,0u,0g,evolution-addre',
'500,evolution-calendar-factory,0u,0g,evolution-calen',
'500,evolution-source-registry,0u,0g,evolution-sourc',
'500,firefox,0u,0g,firefox',
'500,firefox,0u,0g,.firefox-wrappe',
'500,firefox,0u,0g,Socket Process',
'500,firefox,0u,0g,firefox',
'500,firefox-bin,u,g,firefox-bin',
'500,flameshot,0u,0g,flameshot',
'500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
@ -159,7 +169,6 @@ WHERE
'500,fulcio,500u,500g,fulcio',
'500,geoclue,0u,0g,geoclue',
'500,gh,0u,0g,gh',
'500,beeper,u,g,beeper',
'500,git,0u,0g,git',
'500,git-remote-http,0u,0g,git-remote-http',
'500,git-remote-http,u,g,git-remote-http',
@ -170,13 +179,11 @@ WHERE
'500,gjs-console,0u,0g,org.gnome.Maps',
'500,gnome-recipes,0u,0g,gnome-recipes',
'500,gnome-shell,0u,0g,gnome-shell',
'500,chrome,u,g,chrome',
'500,gnome-software,0u,0g,gnome-software',
'500,go,0u,0g,go',
'500,go,500u,500g,go',
'500,goa-daemon,0u,0g,goa-daemon',
'500,___go_build_main_go,500u,500g,___go_build_mai',
'500,go,u,g,go',
'500,goa-daemon,0u,0g,goa-daemon',
'500,grafana,u,g,grafana',
'500,grype,0u,0g,grype',
'500,grype,500u,500g,grype',
@ -196,7 +203,6 @@ WHERE
'500,k6,500u,500g,k6',
'500,kbfsfuse,0u,0g,kbfsfuse',
'500,keybase,0u,0g,keybase',
'500,Keybase,0u,0g,Keybase',
'500,ko,500u,500g,ko',
'500,ko,u,g,ko',
'500,kpromo,500u,500g,kpromo',
@ -206,26 +212,24 @@ WHERE
'500,lens,0u,0g,lens',
'500,less,0u,0g,less',
'500,limactl,0u,0g,limactl',
'500,Logseq,u,g,Logseq',
'500,mconvert,500u,500g,mconvert',
'500,mediawriter,u,g,mediawriter',
'500,melange,500u,500g,melange',
'500,melange,u,g,melange',
'500,Melvor Idle,500u,500g,exe',
'500,minikube,0u,0g,minikube',
'500,nautilus,0u,0g,nautilus',
'500,nerdctl,500u,500g,nerdctl',
'500,nix,0u,0g,nix',
'500,node,0u,0g,node',
'500,node,0u,0g,.node2nix-wrapp',
'500,node,0u,0g,node',
'500,node,0u,0g,npm install',
'500,node,u,g,node',
'500,obs,0u,0g,obs',
'500,obs,u,g,obs',
'500,obs-browser-page,0u,0g,obs-browser-pag',
'500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
'500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
'500,obsidian,u,g,obsidian',
'500,obs,u,g,obs',
'500,op,0u,500g,op',
'500,packer-plugin-proxmox_v1.1.2_x5.0_linux_amd64,500u,500g,packer-plugin-p',
'500,pacman,0u,0g,pacman',
@ -234,7 +238,9 @@ WHERE
'500,pingsender,0u,0g,pingsender',
'500,promoter,500u,500g,promoter',
'500,publish-release,500u,500g,publish-release',
'500,python.test,500u,500g,python.test',
'500,python3,0u,0g,python3',
'500,python3,500u,500g,python3',
'500,python3.10,0u,0g,aws',
'500,python3.10,0u,0g,python',
'500,python3.10,0u,0g,python3',
@ -243,8 +249,6 @@ WHERE
'500,python3.11,0u,0g,gnome-abrt',
'500,python3.11,0u,0g,protonvpn',
'500,python3.11,0u,0g,prowler',
'500,python3,500u,500g,python3',
'500,python.test,500u,500g,python.test',
'500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'500,reporter-ureport,0u,0g,reporter-urepor',
'500,rpi-imager,0u,0g,rpi-imager',
@ -275,16 +279,13 @@ WHERE
'500,thunderbird,0u,0g,thunderbird',
'500,thunderbird,u,g,thunderbird',
'500,tilt,500u,500g,tilt',
'500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
'500,todoist,0u,0g,todoist',
'500,trivy,0u,0g,trivy',
'500,trivy,500u,500g,trivy',
'500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'500,wget,0u,0g,wget',
'500,wine64-preloader,500u,500g,DaveTheDiver.ex',
'500,wine64-preloader,500u,500g,Root.exe',
'500,wolfictl,500u,500g,wolfictl',
'500,WPILibInstaller,500u,500g,WPILibInstaller',
'500,xmobar,0u,0g,xmobar',
'500,yay,0u,0g,yay',
'500,zdup,500u,500g,zdup',
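Review bot: The reordered `exception_key NOT IN (…)` list in this file now follows byte-wise (C-locale) order — `'500,Brackets,0u,0g,Brackets'` precedes `'500,abrt-action-generate-core-backtrace,…'` and `'500,___go_build_main_go,…'` sits between `'500,WebKitNetworkProcess,…'` and the lowercase names — but nothing in the file records that rule, and the `/dev` list reordered elsewhere in this commit appears to use a different, case-folding order. A one-line comment above the list, `-- keep sorted with LC_ALL=C sort`, would make the intended order mechanical and keep later additions such as the relocated `'500,apk,u,g,apk'` from landing twice. The list opens with `AND NOT exception_key IN (` in the first hunk and the enclosing WHERE clause begins outside it.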


@ -106,10 +106,11 @@ WHERE
)
AND NOT exception_key IN (
'0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
'0,com.fortinet.forticlient.macos.vpn.nwextension,com.fortinet.forticlient.macos.vpn.nwextension,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),com.fortinet.forticlient.macos.vpn.nwextension',
'0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'0,EdgeUpdater,EdgeUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.EdgeUpdater',
'0,Install,Install,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Install',
'0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
'0,com.fortinet.forticlient.macos.vpn.nwextension,com.fortinet.forticlient.macos.vpn.nwextension,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),com.fortinet.forticlient.macos.vpn.nwextension',
'0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'0,kandji-daemon,kandji-daemon,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-daemon',
'0,kandji-library-manager,kandji-library-manager,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-library-manager',
'0,kandji-parameter-agent,kandji-parameter-agent,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-parameter-agent',
@ -117,45 +118,45 @@ WHERE
'0,logioptionsplus_installer,logioptionsplus_installer,Developer ID Application: Logitech Inc. (QED4VVPZWA),com.logi.optionsplus.installer',
'0,multipassd,multipassd,Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.multipassd',
'0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U),nessusd',
'0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
'500,bash,bash,,bash',
'500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
'500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
'500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
'500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
'500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642),Ecamm Live Stream Deck Plugin',
'500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
'500,Elgato Capture Device Utility,Elgato Capture Device Utility,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.CaptureDeviceUtility',
'500,Fleet,~/Library/Caches/JetBrains/Fleet',
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
'500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
'500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
'500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer',
'500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
'500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
'500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
'500,OneDriveStandaloneUpdater,OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.OneDriveStandaloneUpdater',
'500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
'500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
'500,Reflect Helper,Reflect Helper,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
'500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
'500,SteelSeriesEngine,SteelSeriesEngine,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesEngine',
'500,SteelSeriesGG,SteelSeriesGG,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesGG',
'500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),TwitchStudioStreamDeck',
'500,bash,bash,,bash',
'500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
'500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
'500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
'500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
'500,melange,melange,,a.out',
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64',
'500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
'500,old,old,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN),dev.warp.Warp-Stable',
'500,OneDriveStandaloneUpdater,OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.OneDriveStandaloneUpdater',
'500,op,op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C),com.1password.op',
'500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
'500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
'500,Reflect Helper,Reflect Helper,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
'500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
'500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
'500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
'500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
'500,SteelSeriesEngine,SteelSeriesEngine,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesEngine',
'500,SteelSeriesGG,SteelSeriesGG,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesGG',
'500,syncthing,syncthing,,syncthing',
'500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform',
'500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),TwitchStudioStreamDeck',
'500,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos'
)
AND NOT exception_key LIKE '500,tor-%-darwin-brave-%,tor-%-darwin-brave-%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),tor-%-darwin-brave-%'
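Review bot: `'500,Fleet,~/Library/Caches/JetBrains/Fleet'` in the second hunk has three comma-separated fields while every other entry in the list has five (euid, name, name, signing authority, identifier), so unless exception_key is built differently than its neighbours suggest this value can never equal it and the exception is dead. It should either be completed to the five-field form (a constructed `'500,Fleet,Fleet,<authority>,<identifier>'` with the real values filled in) or dropped, and if it is a leftover from an older key format a comment should say so. The expression that builds exception_key is outside the hunk.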


@ -209,14 +209,16 @@ WHERE
'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
'Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',


@ -76,37 +76,38 @@ WHERE
AND exception_key NOT IN (
'/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond',
'/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
'/dev/auditsessions,authd,Software Signing,com.apple.authd',
'/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred',
'/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
'/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',
'/dev/auditsessions,authd,Software Signing,com.apple.authd',
'/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
'/dev/autofs,automountd,Software Signing,com.apple.automountd',
'/dev/bpf,airportd,Software Signing,com.apple.airport.airportd',
'/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd',
'/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
'/dev/console,launchd,Software Signing,com.apple.xpc.launchd',
'/dev/cu.BLTH,bluetoothd,Software Signing,com.apple.bluetoothd',
'/dev/console,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
'/dev/io8log,airportd,Software Signing,com.apple.airport.airportd',
'/dev/io8log,ControlCenter,Software Signing,com.apple.controlcenter',
'/dev/io8logmt,airportd,Software Signing,com.apple.airport.airportd',
'/dev/io8log,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
'/dev/io8log,symptomsd,Software Signing,com.apple.symptomsd',
'/dev/io8logtemp,airportd,Software Signing,com.apple.airport.airportd',
'/dev/io8logtemp,ControlCenter,Software Signing,com.apple.controlcenter',
'/dev/io8logtemp,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
'/dev/io8logtemp,symptomsd,Software Signing,com.apple.symptomsd',
'/dev/io8logtemp,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent',
'/dev/io8logtemp,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd',
'/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent',
'/dev/io8log,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd',
'/dev/io,airportd,Software Signing,com.apple.airport.airportd',
'/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd',
'/dev/console,launchd,Software Signing,com.apple.xpc.launchd',
'/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
'/dev/cu.BLTH,bluetoothd,Software Signing,com.apple.bluetoothd',
'/dev/io,ControlCenter,Software Signing,com.apple.controlcenter',
'/dev/io,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
'/dev/io,symptomsd,Software Signing,com.apple.symptomsd',
'/dev/io,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent',
'/dev/io,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd',
'/dev/io,airportd,Software Signing,com.apple.airport.airportd',
'/dev/io,symptomsd,Software Signing,com.apple.symptomsd',
'/dev/io8log,ControlCenter,Software Signing,com.apple.controlcenter',
'/dev/io8log,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
'/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent',
'/dev/io8log,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd',
'/dev/io8log,airportd,Software Signing,com.apple.airport.airportd',
'/dev/io8log,symptomsd,Software Signing,com.apple.symptomsd',
'/dev/io8logmt,airportd,Software Signing,com.apple.airport.airportd',
'/dev/io8logtemp,ControlCenter,Software Signing,com.apple.controlcenter',
'/dev/io8logtemp,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
'/dev/io8logtemp,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent',
'/dev/io8logtemp,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd',
'/dev/io8logtemp,airportd,Software Signing,com.apple.airport.airportd',
'/dev/io8logtemp,symptomsd,Software Signing,com.apple.symptomsd',
'/dev/kbfuse,kbfs,Developer ID Application: Keybase, Inc. (99229SGT5K),kbfs',
'/dev/kbfuse,keybase-redirector,Developer ID Application: Keybase, Inc. (99229SGT5K),keybase-redirector',
'/dev/klog,syslogd,Software Signing,com.apple.syslogd',
'/dev/macfuse,gcsfuse,,a.out',
'/dev/macfuse,rclone,,a.out',


@ -79,6 +79,7 @@ WHERE
'vim',
'find',
'nvim',
'terraform',
'code',
'updatedb',
'git',
@ -143,6 +144,7 @@ WHERE
OR dir LIKE '/private/tmp/%/.git'
OR dir LIKE '/tmp/.mount_%'
OR dir LIKE '/tmp/%/.git'
OR dir LIKE '~/%/.tests/%'
OR dir LIKE '/tmp/%/.github/workflows'
OR dir LIKE '~/%/.terragrunt-cache/%'
OR dir LIKE '%/.build'
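Review bot: The new `OR dir LIKE '~/%/.tests/%'` excludes every hidden `.tests` directory at any depth under the home directory, and unlike the neighbouring `.terragrunt-cache` and `.mount_` patterns the name alone does not say which tool creates it, so a later reader cannot judge whether the exception is still needed. A provenance comment on the line, `OR dir LIKE '~/%/.tests/%' -- created by <tool name>`, and narrowing the leading `~/%/` to the tool's actual parent directory if that is fixed, would keep the exclusion reviewable. The surrounding WHERE clause starts and ends outside both hunks.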


@ -48,9 +48,22 @@ WHERE
'~/Library/Application Support/1Password',
'~/Library/Application Support/Adobe',
'~/Library/Application Support/Beeper',
'~/Library/Application Support/CleanMyMac X',
'~/Library/Application Support/BetterTouchTool',
'~/Library/Application Support/CleanMyMac X Menu',
'~/Library/Application Support/CleanMyMac X',
'~/Library/Application Support/Code',
'~/Library/Application Support/Docker Desktop',
'~/Library/Application Support/DropboxElectron',
'~/Library/Application Support/GitHub Desktop',
'~/Library/Application Support/Jabra Direct',
'~/Library/Application Support/Keybase',
'~/Library/Application Support/Lens',
'~/Library/Application Support/Loom',
'~/Library/Application Support/Presenting',
'~/Library/Application Support/Slack',
'~/Library/Application Support/ZaloApp',
'~/Library/Application Support/ZaloData',
'~/Library/Application Support/ZaloPC',
'~/Library/Application Support/com.apple.spotlight',
'~/Library/Application Support/com.bohemiancoding.sketch3',
'~/Library/Application Support/com.intelliscapesolutions.caffeine',
@ -58,19 +71,7 @@ WHERE
'~/Library/Application Support/com.psiexams.psi-bridge-secure-browser',
'~/Library/Application Support/com.tinyapp.TablePlus',
'~/Library/Application Support/discord',
'~/Library/Application Support/Docker Desktop',
'~/Library/Application Support/BetterTouchTool',
'~/Library/Application Support/DropboxElectron',
'~/Library/Application Support/GitHub Desktop',
'~/Library/Application Support/Jabra Direct',
'~/Library/Application Support/Keybase',
'~/Library/Application Support/Lens',
'~/Library/Application Support/lghub',
'~/Library/Application Support/Loom',
'~/Library/Application Support/Presenting',
'~/Library/Application Support/Slack',
'~/Library/Application Support/ZaloApp',
'~/Library/Application Support/ZaloPC'
'~/Library/Application Support/lghub'
)
AND NOT homepath IN (
'~/Library/Application Support/.Shadowland5.5',
@ -84,11 +85,7 @@ WHERE
file.mode = "0666"
AND size > 1200
AND size < 4000
AND REGEX_MATCH (
file.filename,
"^(\.[0-9A-Z]{32})$",
0
) != ""
AND REGEX_MATCH (file.filename, "^(\.[0-9A-Z]{32})$", 0) != ""
)
GROUP BY
file.path
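Review bot: The collapsed `REGEX_MATCH (file.filename, "^(\.[0-9A-Z]{32})$", 0) != ""` in the last hunk keeps both string literals in double quotes, which in SQL delimit identifiers; SQLite (osquery's engine) only accepts them as strings through a legacy fallback that can be compiled out (`SQLITE_DQS=0`), and `file.mode = "0666"` two lines above has the same problem. Since this commit already converts double-quoted literals to single quotes in another file, the same normalisation belongs here: `file.mode = '0666'` and `AND REGEX_MATCH (file.filename, '^(\.[0-9A-Z]{32})$', 0) != ''`. Single-quoted SQLite literals do not process backslash escapes, so the `\.` in the pattern is unaffected by the switch. The subselect these predicates belong to starts outside the hunk.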


@ -46,6 +46,7 @@ WHERE
'~/Library/Group Containers/.SiriTodayViewExtension/Library',
'~/Library/Group Containers/.SiriTodayViewExtension',
'~/Library/Saved Searches/.DockTags',
'~/Library/Preferences/.wrangler/config',
'~/Library/HomeKit/.core-cloudkit_SUPPORT/_EXTERNAL_DATA',
'~/Library/HomeKit/.core-cloudkit-shared_SUPPORT/_EXTERNAL_DATA',
'~/Library/Caches/.sigstore/gitsign',


@ -48,27 +48,35 @@ WHERE
-- Ignore files that ahve already been removed
AND file.filename NOT NULL
AND exception_key NOT IN (
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
',,/Applications/Google%20Chrome.app/,',
',,/Applications/IntelliJ%20IDEA.app/,',
',,/Applications/ProtonMail%20Bridge.app/,',
',,/Applications/Visual%20Studio%20Code.app/,',
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
',,/usr/local/sbin/iodined,501',
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
',org.python.python,/opt/homebrew/Cellar/python@3.11/3.11.2_1/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501',
'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
@ -76,21 +84,14 @@ WHERE
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
',org.python.python,/opt/homebrew/Cellar/python@3.11/3.11.2_1/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501',
'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
'Software Signing,com.apple.nc,/usr/bin/nc,0',
'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
',,/usr/local/sbin/iodined,501'
'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
'Software Signing,com.apple.nc,/usr/bin/nc,0',
'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0'
)
AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'
AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python@%/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501'
@ -100,6 +101,7 @@ WHERE
AND NOT exception_key LIKE ',a.out,/Users/%/GolandProjects/documentation-code-examples/debuggingTutorial/myApp,501'
AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501'
AND NOT exception_key LIKE ',java,/opt/homebrew/Cellar/openjdk/%/libexec/openjdk.jdk/Contents/Home/bin/java,501'
AND NOT exception_key LIKE ',python3.%,/nix/store/%-python3-3%/bin/python3.%,0'
AND NOT (
signature.identifier LIKE 'cargo-%'
AND ae.path LIKE '/Users/%/.rustup/%'
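Review bot: `'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/'` is a single bare path in a list whose other entries have four fields (authority, identifier, path, uid), so it can never equal exception_key; the first hunk appears to move it into sorted position rather than drop it, and the four-field `'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/…,0'` entry already covers that binary, so the bare line should be deleted. `'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501'` pins one user's home directory and one Cypress version, so it only ever matches on that machine; the file already handles such paths with LIKE (e.g. `AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'`), and this entry should become `AND NOT exception_key LIKE 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/%/Library/Caches/Cypress/%/Cypress.app/,501'`. The comment at the top of the first hunk, `-- Ignore files that ahve already been removed`, should read `-- Ignore files that have already been removed`. The expression that builds exception_key and the enclosing WHERE are outside the hunks.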


@ -150,25 +150,26 @@ WHERE
'/etc/zfs/zpool.d'
)
AND file.path NOT IN (
'/etc/nftables.conf',
'/etc/sv/ssh/run',
'/etc/sv/ssh/finish',
'/etc/libpaper.d/texlive-base',
'/etc/vpl/vars.sh',
'/etc/rmt',
'/etc/grub2.cfg',
'/etc/pki/tls/certs/renew-dummy-cert',
'/etc/pki/tls/certs/make-dummy-cert',
'/etc/shutdown.sh',
'/etc/pwrstatd.conf',
'/etc/hibernate.sh',
'/etc/cloud/clean.d/99-installer',
'/etc/grub2-efi.cfg',
'/etc/grub2.cfg',
'/etc/hibernate.sh',
'/etc/libpaper.d/texlive-base',
'/etc/nftables.conf',
'/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json',
'/etc/paths.d/100-rvictl',
'/etc/pki/tls/certs/make-dummy-cert',
'/etc/pki/tls/certs/renew-dummy-cert',
'/etc/profile',
'/etc/sudoers.d/lima',
'/etc/pwrstatd.conf',
'/etc/qemu-ifdown',
'/etc/qemu-ifup',
'/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json'
'/etc/rmt',
'/etc/shutdown.sh',
'/etc/sudoers.d/lima',
'/etc/sv/ssh/finish',
'/etc/sv/ssh/run',
'/etc/vpl/vars.sh'
)
-- Nix (on macOS) -- actually a symbolic link
AND file.path NOT LIKE '/etc/profiles/per-user/%/bin/%'


@ -68,6 +68,7 @@ WHERE
'/etc/selinux/.config_backup',
'/etc/skel/.mozilla/',
'/etc/.#sudoers',
'/tmp/.searcher.tmp/',
'/.file',
'/.lesshst',
'/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
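Review bot: `'/tmp/.searcher.tmp/'` is added to the hidden-path exception list with no indication of which program creates it, and a hidden directory under the world-writable `/tmp` is the kind of artefact this rule exists to surface, so the exception is hard to re-validate later. A trailing comment naming the owner, `'/tmp/.searcher.tmp/', -- created by <program name>`, would keep the entry reviewable. The list and its enclosing WHERE continue outside the hunk.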


@ -21,7 +21,8 @@ WHERE
AND name = '__kernel__'
)
AND exception_key NOT IN (
'/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>'
'/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>',
'/Library/StagedExtensions/Library/Filesystems/kbfuse.fs/Contents/Extensions/13/kbfuse.kext,com.github.kbfuse.filesystems.kbfuse,2113.21,<1 3 4 5 7>'
)
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_NTFS.kext,com.paragon-software.filesystems.ntfs,%'
AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/12/macfuse.kext,io.macfuse.filesystems.macfuse,%'
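Review bot: The new kbfuse entry on the second list line pins the exact version `2113.21`, while the sibling macfuse and ufsd exceptions two lines below use `NOT LIKE` with a `%` wildcard on the version field, so the next kbfuse update will alert again where a macfuse update would not. If that is deliberate, which is reasonable for a third-party filesystem kext, a one-line comment such as `-- kbfuse pinned to an exact version on purpose; re-review on update` would stop a later maintainer from "fixing" it into a wildcard. The enclosing WHERE clause begins outside the hunk.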


@ -8,7 +8,6 @@
--
-- tags: persistent process state
-- platform: linux
SELECT
-- Child
p0.pid AS p0_pid,
@ -49,6 +48,30 @@ WHERE
AND extension NOT IN (
'1',
'2',
'3',
'4',
'5',
'10',
'11',
'12',
'13',
'14',
'15',
'16',
'17',
'18',
'19',
'20',
'21',
'22',
'23',
'24',
'25',
'26',
'27',
'28',
'29',
'30',
'bin',
'basic',
'real',
@ -56,4 +79,4 @@ WHERE
'ext'
)
AND NOT basename LIKE 'python3.%'
AND NOT basename LIKE 'python2.%'
AND NOT basename LIKE 'python2.%'
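Review bot: The numeric `extension` exceptions added in the middle hunk enumerate `'3'`, `'4'`, `'5'` and `'10'` through `'30'` but skip `'6'` through `'9'`, which looks accidental rather than a deliberate gap. Either fill the gap or, if any all-digit extension is meant to be ignored, replace the enumeration with one predicate such as `AND NOT extension GLOB '[0-9]*'` (osquery's SQLite supports `GLOB`) so the intent lives in one place and does not stop at 30. The first hunk's header reports one removed line that does not survive in the rendered view, so its effect cannot be reviewed here, and the last hunk only changes the trailing newline. The enclosing WHERE clause starts before these hunks.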


@ -127,6 +127,7 @@ WHERE
'~/.fzf/bin',
'~/.venv/bin',
'~/.fig/bin',
'~/.zsh_snap/zsh-snap',
'~/.zed/gopls',
'~/.config/kn',
'~/.asdf/shims',


@ -32,19 +32,18 @@ WHERE
'alsactl.pid',
'apcupsd.pid',
'apport.lock',
'dnf-metadata.lock',
'atd.pid',
'unattended-upgrades.pid',
"auditd.pid",
"crond.pid",
'auditd.pid',
'cron.reboot',
'crond.pid',
'crond.reboot',
"cron.reboot",
"docker.pid",
'dnf-metadata.lock',
'docker.pid',
'firefox-restart-required',
'gdm3.pid',
'gssproxy.pid',
'haproxy.pid',
"lightdm.pid",
'lightdm.pid',
'mcelog.pid',
'motd',
'nvidia-powerd.pid',
@ -57,10 +56,12 @@ WHERE
'sshd.pid',
'u-d-c-nvidia-drm-was-loaded',
'u-d-c-nvidia-was-loaded',
'ufw.lock',
'unattended-upgrades.lock',
'unattended-upgrades.pid',
'unattended-upgrades.progress',
"utmp",
"xtables.lock",
'utmp',
'xtables.lock',
'zed.pid',
'zed.state',
'zfs_fs_name',


@ -27,24 +27,26 @@ WHERE
file.directory = "/var/run"
AND file.type = "regular"
AND file.filename NOT IN (
'.autoBackup',
'FirstBootAfterUpdate',
'FirstBootCleanupHandled',
'appfwd.pid',
'auditd.pid',
'.autoBackup',
'automount.initialized',
'bootpd.pid',
'com.apple.DumpPanic.finishedPMUFaultHandling',
'com.apple.DumpPanic.finishedThisBoot',
'com.apple.WindowServer.didRunThisBoot',
'com.apple.logind.didRunThisBoot',
'com.apple.loginwindow.didRunThisBoot',
'com.apple.mdmclient.daemon.didRunThisBoot',
'com.apple.mobileassetd-MobileAssetBrain',
'com.apple.parentalcontrols.webfilterctl.mutex',
'com.apple.softwareupdate.availableupdatesupdated',
'com.apple.WindowServer.didRunThisBoot',
'diskarbitrationd.pid',
'FirstBootAfterUpdate',
'FirstBootCleanupHandled',
'fctc.s',
'hdiejectd.pid',
'.fctcompsupdate',
'installd.commit.pid',
'kdc.pid',
'prl_disp_service.pid',
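Review bot: The context lines at the top of this hunk still compare with double-quoted literals (`file.directory = "/var/run"` and `file.type = "regular"`), whereas the previous file section in this commit converts exactly that form to single quotes; in SQLite a double-quoted token is an identifier first and is treated as a string only through a legacy compatibility fallback (depending on how osquery's SQLite is built), so `file.directory = '/var/run' AND file.type = 'regular'` is the consistent and portable form. Among the re-sorted filenames, `'fctc.s'` and `'.fctcompsupdate'` occur only once and so may be the two additions the header counts; neither says what creates it, and a `-- <owning software>` comment on each would help. The enclosing WHERE clause continues outside the hunk.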


@ -204,5 +204,6 @@ WHERE
AND NOT exception_key IN (
'dd,500,zsh,login',
'git,500,zsh,goland',
'sh,0,Ecamm Live,launchd',
'cat,500,zsh,login'
)
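Review bot: `'sh,0,Ecamm Live,launchd'` exempts a root (uid 0) shell whose parent is identified only by process name, so any binary that calls itself `Ecamm Live` and is launched by launchd as root gets the same pass; the same key is also added in the shell-exception list in a later file section on this page. If the key columns allow it, matching the parent on its signing authority or full path rather than its name would keep the exception tied to the real product, and a comment such as `-- Ecamm Live: <why it spawns a root shell>` should explain why a third-party app runs a privileged `sh` at all. The enclosing WHERE clause starts before this hunk.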


@ -129,6 +129,8 @@ WHERE
OR f.path LIKE '%go-build%'
OR f.path LIKE '~/%/src/%.test'
OR f.path LIKE '~/%/pkg/%.test'
OR f.path LIKE '~/%/gopls'
OR f.path LIKE '~/go/%/bin'
OR f.path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install'
OR f.path LIKE '/private/tmp/go-%'
OR f.path LIKE '/private/tmp/nix-build-%'
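Review bot: The two new patterns `'~/%/gopls'` and `'~/go/%/bin'` are far broader than their neighbours: the first exempts any file named `gopls` anywhere under a home directory, and the second any path ending in `/bin` anywhere under `~/go`, which makes both easy to borrow for an unrelated binary. Elsewhere in this commit the gopls exception is pinned to a full path (`'~/.zed/gopls'`), so the same precision is achievable here, e.g. `OR f.path = '~/go/bin/gopls'` plus the specific location that triggered the alert, once confirmed. The surrounding OR chain continues outside the hunk.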


@ -100,6 +100,7 @@ WHERE
'~/bin',
'~/.cargo',
'~/melange',
'~/chainctl',
'~/chainguard',
'~/dev',
'~/code',
@ -133,37 +134,22 @@ WHERE
'~/.vs-kubernetes'
)
AND top3_dir NOT IN (
'~/.docker/cli-plugins',
'~/.docker/cli-plugins/docker-sbom',
'/Library/Apple/System',
'/Library/Application Support/Adobe',
'~/Library/Application Support/BraveSoftware',
'/Library/Application Support/Canon_Inc_IC',
'~/Library/Application Support/CleanMyMac X',
'/Library/Application Support/com.canonical.multipass',
'~/Library/Application Support/com.elgato.StreamDeck',
'~/Library/Application Support/com.grammarly.ProjectLlama',
'/Library/Application Support/EcammLive',
'~/Library/Application Support/Foxit Software',
'/Library/Application Support/GPGTools',
'~/Library/Application Support/JetBrains',
'~/Library/Application Support/LogMeInInc',
'/Library/Application Support/org.pqrs',
'~/Library/Application Support/minecraft',
'~/Library/Application Support/zoom.us',
'/Library/Application Support/Blackmagic Design',
'~/Library/Caches/com.knollsoft.Rectangle',
'~/Library/Caches/com.mimestream.Mimestream',
'~/Library/Caches/Cypress',
'~/Library/Caches/JetBrains',
'/Library/Printers/Canon',
'~/Library/Caches/snyk',
'/Library/Application Support/Canon_Inc_IC',
'/Library/Application Support/EcammLive',
'/Library/Application Support/Fortinet',
'/Library/Application Support/GPGTools',
'/Library/Application Support/com.canonical.multipass',
'/Library/Application Support/org.pqrs',
'/Library/Developer/CommandLineTools',
'~/Library/Developer/Xcode',
'/Library/Google/GoogleSoftwareUpdate',
'~/Library/Google/GoogleSoftwareUpdate',
'/Library/Java/JavaVirtualMachines',
'/Library/Plug-Ins/FxPlug',
'/Library/Printers/Canon',
'/Volumes/Google Chrome/Google Chrome.app',
'/Volumes/Slack/Slack.app',
'/opt/homebrew/Caskroom',
'/opt/homebrew/Cellar',
'/opt/homebrew/Library',
@ -172,28 +158,32 @@ WHERE
'/usr/libexec/rosetta',
'/usr/local/Cellar',
'/usr/local/kolide-k2',
'/Volumes/Google Chrome/Google Chrome.app',
'/Volumes/Slack/Slack.app',
'~/.wdm/drivers/chromedriver'
'~/.docker/cli-plugins',
'~/.docker/cli-plugins/docker-sbom',
'~/.wdm/drivers/chromedriver',
'~/Library/Application Support/BraveSoftware',
'~/Library/Application Support/CleanMyMac X',
'~/Library/Application Support/Foxit Software',
'~/Library/Application Support/JetBrains',
'~/Library/Application Support/LogMeInInc',
'~/Library/Application Support/com.elgato.StreamDeck',
'~/Library/Application Support/com.grammarly.ProjectLlama',
'~/Library/Application Support/minecraft',
'~/Library/Application Support/zoom.us',
'~/Library/Caches/Cypress',
'~/Library/Caches/JetBrains',
'~/Library/Caches/com.knollsoft.Rectangle',
'~/Library/Caches/com.mimestream.Mimestream',
'~/Library/Caches/snyk',
'~/Library/Developer/Xcode',
'~/Library/Google/GoogleSoftwareUpdate',
'~/Library/Services/UE4EditorServices.app'
)
AND dir NOT IN (
'/bin',
'~/bin',
'~/.cache/gitstatus',
'~/code/bin',
'/opt/custom-cli-tools',
'~/.docker/cli-plugins',
'~/Downloads/google-cloud-sdk/bin',
'~/Downloads/protoc/bin',
'~/go/bin',
'~/Library/Application Support/Alfred/Assistant',
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
'~/Library/Application Support/dev.warp.Warp-Stable',
'/Library/Application Support/Fortinet/FortiClient/bin',
'/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
'/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
'/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
'~/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper (GPU).app/Contents/MacOS',
'~/Library/Application Support/snyk-ls',
'/Library/Application Support/X-Rite/Frameworks/XRiteDevice.framework/Versions/B/Resources/XRD Software Update.app/Contents/MacOS',
'/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources',
'/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
@ -217,23 +207,25 @@ WHERE
'/Library/Printers/EPSON/InkjetPrinter2/Filter/commandtoescp.app/Contents/MacOS',
'/Library/PrivilegedHelperTools',
'/Library/TeX/texbin',
'~/.local/bin',
'~/.magefile',
'~/melange',
'/Volumes/Grammarly/Grammarly Installer.app/Contents/MacOS',
'/bin',
'/node_modules/.bin',
'/opt/X11/bin',
'/opt/X11/libexec',
'/opt/custom-cli-tools',
'/opt/homebrew/bin',
'/opt/osquery/lib/osquery.app/Contents/MacOS',
'/opt/usr/bin',
'/opt/X11/bin',
'/opt/X11/libexec',
'~/projects/go/bin',
'/run/current-system/sw/bin',
'/tmp/bin',
'/sbin',
'/tmp/bin',
'/usr/bin',
'/usr/lib',
'/usr/lib/bluetooth',
'/usr/lib/cups/notifier',
'/usr/lib/fwupd',
'/usr/lib/ibus',
'/usr/lib/system',
'/usr/libexec',
'/usr/libexec/ApplicationFirewall',
'/usr/libexec/AssetCache',
@ -241,14 +233,26 @@ WHERE
'/usr/libexec/firmwarecheckers',
'/usr/libexec/firmwarecheckers/eficheck',
'/usr/libexec/rosetta',
'/usr/lib/fwupd',
'/usr/lib/ibus',
'/usr/lib/system',
'/usr/local/MacGPG2/bin',
'/usr/local/aws-cli',
'/usr/local/bin',
'/usr/local/MacGPG2/bin',
'/usr/sbin',
'/Volumes/Grammarly/Grammarly Installer.app/Contents/MacOS'
'~/.cache/gitstatus',
'~/.docker/cli-plugins',
'~/.local/bin',
'~/.magefile',
'~/Downloads/google-cloud-sdk/bin',
'~/Downloads/protoc/bin',
'~/Library/Application Support/Alfred/Assistant',
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
'~/Library/Application Support/dev.warp.Warp-Stable',
'~/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper (GPU).app/Contents/MacOS',
'~/Library/Application Support/snyk-ls',
'~/bin',
'~/code/bin',
'~/go/bin',
'~/melange',
'~/projects/go/bin'
) -- Locally built executables
AND NOT (
s.identifier = 'a.out'
@ -298,7 +302,6 @@ WHERE
'Apple iPhone OS Application Signing',
'Apple Mac OS Application Signing',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: LG Electronics (5SKT5H4CPQ)',
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Cisco (DE8Y96K9QP)',
@ -306,18 +309,20 @@ WHERE
'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y)',
'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: LG Electronics (5SKT5H4CPQ)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Mojang AB (HR992ZEAE6)',
'Developer ID Application: Ned Deily (DJ3H93M7VJ)',
-- ^-- Python
'Developer ID Application: Node.js Foundation (HX7739G8FX)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
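Review bot: `'~/Library/Services/UE4EditorServices.app'` at the end of the `top3_dir` list and, if it is the addition in the first hunk, `'~/chainctl'` exempt entire user-writable directories, so any executable dropped into them passes this rule regardless of who signed it; the same UE4 path is added again in the next file section on this page. This commit also adds `'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y)'` to the authority list, so the UE4 helper is presumably already covered by its signer and the directory entry could be dropped, while `chainctl` would be safer as a full-path exception on the binary itself once its install path is confirmed. The rendered view drops the +/- markers, so additions versus re-sorted moves are inferred from single occurrence here; a short `-- <why>` comment beside each genuinely new directory would make that distinction explicit next time.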


@ -139,6 +139,7 @@ WHERE
'/Library/Application Support/EcammLive',
'~/Library/Caches/com.mimestream.Mimestream/',
'~/Library/Caches/com.sempliva.Tiles/',
'~/Library/Services/UE4EditorServices.app/',
'~/Library/Caches/JetBrains/',
'~/Library/Caches/Cypress/',
'~/Library/Caches/org.gpgtools.updater/',
@ -177,6 +178,7 @@ WHERE
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y)',
'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',


@ -110,6 +110,10 @@ WHERE
p1_authority = 'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM)'
AND p0_cmd = 'osascript -ss'
)
OR (
p1_authority = 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)'
AND p0_cmd = 'osascript'
)
)
)
-- The following apply to all uids


@ -82,23 +82,57 @@ WHERE
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,velociraptor,a.out,',
'500,.cargo-wrapped,.cargo-wrapped,',
'500,bash,bash,',
'500,bash,com.apple.bash,Software Signing',
'500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,Bazecor Helper,,',
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
'500,BloomRPC Helper,,',
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
'500,Duckly Helper,Electron Helper,',
'500,Duckly,Electron,',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,',
'500,bash,bash,',
'500,bash,com.apple.bash,Software Signing',
'500,bufls,a.out,',
'500,timestamp-server,a.out,',
'500,docker,a.out,',
'500,chainctl,a.out,',
'500,cloud_sql_proxy,a.out,',
'500,cloud-sql-proxy,a.out,',
'500,cloud-sql-proxy.darwin.arm64,a.out,',
'500,cloud_sql_proxy,a.out,',
'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
'500,cosign,a.out,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,crane,a.out,',
@ -108,27 +142,18 @@ WHERE
'500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
'500,dlv,a.out,',
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
'500,Duckly Helper,Electron Helper,',
'500,Duckly,Electron,',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,epdfinfo,epdfinfo,',
'500,esbuild,,',
'500,esbuild,a.out,',
'500,fake,a.out,',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,git,git,',
'500,gitsign-credential-cache,a.out,',
'500,gitsign,a.out,',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,gitsign-credential-cache,a.out,',
'500,go,a.out,',
'500,gopls,a.out,',
'500,gopls,gopls,',
'500,gpg-agent,gpg-agent,',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
'500,hugo,a.out,',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,ipcserver.old,,',
'500,k9s,a.out,',
@ -136,53 +161,31 @@ WHERE
'500,ko,a.out,',
'500,kubectl,a.out,',
'500,lua-language-server,lua-language-server,',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,mattermost,a.out,',
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'500,melange,a.out,',
'500,melange-run,a.out,',
'500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
'500,monorail,a.out,',
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
'500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'500,plugin-darwin-arm64,a.out,',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,registry-redirect,a.out,',
'500,registry,a.out,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,registry-redirect,a.out,',
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
'500,scdaemon,scdaemon,',
'500,sdaudioswitch,,',
'500,sdaudioswitch,sdaudioswitch,',
'500,sdzoomplugin,,',
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,snyk-ls_darwin_arm64,a.out,',
'500,ssh,ssh,',
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,stern,a.out,',
'500,syncthing,syncthing,',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
'500,tflint,a.out,',
'500,tflint-ruleset-aws,a.out,',
'500,tflint-ruleset-google,a.out,',
'500,tflint,a.out,',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,vim,,',
'500,vim,vim,',
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,'
'500,vim,vim,'
)
AND NOT (
exception_key LIKE '500,%,a.out,'
@ -194,7 +197,7 @@ WHERE
)
AND NOT (
exception_key LIKE '500,python3.%,%,'
AND p0.path LIKE '/opt/homebrew/%/bin/python'
AND p0.path LIKE '/opt/%/bin/python%'
)
AND NOT (
exception_Key LIKE '500,%,a.out,'
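Review bot: The last hunk widens the Python exception from `p0.path LIKE '/opt/homebrew/%/bin/python'` to `p0.path LIKE '/opt/%/bin/python%'`, which now matches any `/opt/<anything>/bin/python<anything>`, including a binary a local user places at a path like `/opt/x/bin/python-helper` on systems where `/opt` subtrees are user-writable (Homebrew's own prefix is), while the paired `exception_key LIKE '500,python3.%,%,'` only constrains the process name. If the goal is to also cover other prefixes, naming them explicitly, e.g. `p0.path LIKE '/opt/homebrew/%/bin/python3%' OR p0.path LIKE '/opt/local/bin/python3%'`, or at least ending the pattern at `python3%`, keeps it from becoming a generic `/opt` pass. The enclosing WHERE clause extends beyond both ends of this section, and as far as the rendered view allows to tell the large first hunk is a re-sort with moved keys rather than new ones.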


@ -66,6 +66,7 @@ WHERE
AND signature.identifier != 'net.snowflake.snowsql'
AND signature.authority NOT IN (
'Developer ID Application: Allen Bai (97DN42T837)',
'Developer ID Application: BlueStack Systems, Inc. (QX5T8D6EDU)',
'Developer ID Application: Galvanix (5BRAQAFB8B)'
)
) -- Rule 2. App binaries that have mixed-caps names such as LYwjtu0sc3XqkNVbQe_gM4YiRpmgUpRIew or yWnBJLaF (AdobeFlashPlayer_567.app)


@ -49,17 +49,17 @@ WHERE
'balsamiq.com',
'bluestacks.com',
'brave.com',
'c-wss.com',
'canon.co.uk',
'cdn.mozilla.net',
'charlesproxy.com',
'cloudfront.net',
'cron.com',
'csclub.uwaterloo.ca',
'c-wss.com',
'descript.com',
'digidesign.com',
'discordapp.net',
'discord.com',
'discordapp.net',
'dl.sourceforge.net',
'docker.com',
'dogado.de',
@ -90,10 +90,11 @@ WHERE
'mozilla.org',
'mutedeck.com',
'mysql.com',
'notion.so',
'notion-static.com',
'notion.so',
'ocf.berkeley.edu',
'oobesaas.adobe.com',
'openra.net',
'oracle.com',
'osuosl.org',
'pqrs.org',
@ -121,8 +122,8 @@ WHERE
'webex.com',
'whatsapp.com',
'xtom.com',
'zoomgov.com',
'zoom.us',
'zoomgov.com',
'zsa.io'
)
-- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here


@ -245,22 +245,25 @@ WHERE
'bash,0,auditd,launchd',
'bash,0,etcd,containerd-shim-runc-v2',
'bash,0,kube-apiserver,containerd-shim-runc-v2',
'bash,0,mutter-x11-frames,gnome-shell',
'bash,0,perl5.30,system_installd',
'bash,0,pia-daemon,launchd',
'bash,0,udevadm,udevadm',
'bash,500,.man-wrapped,zsh',
'bash,500,Foxit PDF Reader,launchd',
'bash,500,Hyprland,gdm-wayland-session',
'bash,500,Private Internet Access,launchd',
'bash,500,accounts-daemon,systemd',
'bash,500,busybox,bwrap',
'bash,500,com.docker.dev-envs,com.docker.backend',
'bash,500,docker-builder,bash',
'bash,500,Foxit PDF Reader,launchd',
'bash,500,gnome-session-binary,systemd',
'bash,500,gpg-agent,launchd',
'bash,500,Hyprland,gdm-wayland-session',
'bash,500,lazygit,nvim',
'bash,500,.man-wrapped,zsh',
'bash,500,Private Internet Access,launchd',
'bash,500,script,bash',
'bash,500,steam,bash',
'bash,500,xdg-desktop-portal,systemd',
'bash,500,xdg-permission-store,systemd',
'dash,0,anacron,systemd',
'dash,0,dpkg,apt',
'dash,0,dpkg,python3.10',
@ -268,15 +271,13 @@ WHERE
'dash,0,kube-proxy,containerd-shim-runc-v2',
'dash,0,run-parts,dash',
'dash,0,snapd,systemd',
'sh,0,Ecamm Live,launchd',
'sh,0,auditd,launchd',
'sh,500,cloud_sql_proxy,zsh',
'sh,500,docs,zsh',
'sh,500,Google Drive,launchd',
'sh,500,LogiTune,launchd',
'bash,0,mutter-x11-frames,gnome-shell',
'bash,500,xdg-permission-store,systemd',
'bash,500,accounts-daemon,systemd',
'sh,500,Meeting Center,launchd',
'sh,500,cloud_sql_proxy,zsh',
'sh,500,docs,zsh',
'sh,500,snyk-macos,snyk',
'sh,500,ssh,mosh-client',
'sh,500,updater,Foxit PDF Reader',


@ -71,51 +71,53 @@ WHERE
AND basename NOT IN (
'.',
'..',
'.CFUserTextEncoding',
'.DS_Store',
'.TemporaryItems',
'.Trashes',
'.VolumeIcon.icns',
'._.TemporaryItems',
'._.Trashes',
'._.apdisk',
'._AUTORUN.INF',
'._Id.txt',
'.actrc',
'.angular-config.json',
'._.apdisk',
'.apdisk',
'._AUTORUN.INF',
'.background',
'.background.png',
'.background.tiff',
'.bash_history',
'.bashrc',
'.CFUserTextEncoding',
'.dbshell',
'.disk_label',
'.disk_label_2x',
'.DS_Store',
'.file',
'.file-revisions-by-id',
'.flyrc',
'.gitconfig',
'._Id.txt',
'.iotest',
'.keystone_install',
'.lesshst',
'LogiPresentation Installer.app',
'.metadata_never_index_unless_rootfs',
'.mysql_history',
'.pdfbox.cache',
'pve-installer.squashfs',
'Seagate Dashboard Installer.exe',
'.shortcut-targets-by-id',
'._.TemporaryItems',
'.TemporaryItems',
'._.Trashes',
'.Trashes',
'UFRII_LT_LIPS_LX_Installer.pkg',
'.vol',
'.VolumeIcon.icns',
'.zsh_history'
'.zsh_history',
'KBFS_NOT_RUNNING',
'LogiPresentation Installer.app',
'Seagate Dashboard Installer.exe',
'UFRII_LT_LIPS_LX_Installer.pkg',
'pve-installer.squashfs'
)
AND authority NOT IN (
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: BlueStack Systems, Inc. (QX5T8D6EDU)',
'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)'
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)'
) -- Unsigned programs here
AND trimpath NOT IN (
'/Volumes/Google Chrome/.keystone_install',


@ -40,12 +40,17 @@ WHERE
)
AND (
exception_key IN (
'abrtd.service,ABRT Automated Bug Reporting Tool,',
'abrtd.service,ABRT Daemon,',
'-.slice,Root Slice,',
'ModemManager.service,Modem Manager,root',
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,',
'NetworkManager-wait-online.service,Network Manager Wait Online,',
'NetworkManager.service,Network Manager,',
'abrt-journal-core.service,ABRT coredumpctl message creator,',
'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,',
'abrt-oops.service,ABRT kernel log watcher,',
'abrt-xorg.service,ABRT Xorg log watcher,',
'abrtd.service,ABRT Automated Bug Reporting Tool,',
'abrtd.service,ABRT Daemon,',
'accounts-daemon.service,Accounts Service,',
'acpid.path,ACPI Events Check,',
'acpid.service,ACPI Daemon,',
@ -62,22 +67,22 @@ WHERE
'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),',
'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),',
'apport.service,LSB: automatic crash report generation,',
'apt-daily-upgrade.timer,Daily apt upgrade and clean activities,',
'apt-daily.service,Daily apt download activities,',
'apt-daily.timer,Daily apt download activities,',
'apt-daily-upgrade.timer,Daily apt upgrade and clean activities,',
'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,',
'archlinux-keyring-wkd-sync.timer,Refresh existing PGP keys of archlinux-keyring regularly,',
'atd.service,Deferred execution scheduler,',
'auditd.service,Security Auditing Service,',
'audit.service,Kernel Auditing,',
'auditd.service,Security Auditing Service,',
'avahi-daemon.service,Avahi mDNS/DNS-SD Stack,',
'avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,',
'binfmt-support.service,Enable support for additional executable binary formats,',
'blk-availability.service,Availability of block devices,',
'bluetooth.service,Bluetooth service,',
'bolt.service,Thunderbolt system service,',
'chronyd.service,NTP client/server,',
'chrony.service,chrony, an NTP client/server',
'chronyd.service,NTP client/server,',
'cloud-config.service,Apply the settings specified in cloud-config,',
'cloud-final.service,Execute cloud user/final scripts,',
'cloud-init-hotplugd.socket,cloud-init hotplug hook socket,',
@ -88,9 +93,9 @@ WHERE
'com.system76.Scheduler.service,Automatically configure CPU scheduler for responsiveness on AC,',
'console-setup.service,Set console font and keymap,',
'containerd.service,containerd container runtime,',
'cron.service,Regular background program processing daemon,',
'crond.service,Command Scheduler,',
'cronie.service,Periodic Command Scheduler,',
'cron.service,Regular background program processing daemon,',
'cups-browsed.service,Make remote CUPS printers available locally,',
'cups.path,CUPS Scheduler,',
'cups.service,CUPS Scheduler,',
@ -113,8 +118,8 @@ WHERE
'dracut-shutdown.service,Restore /run/initramfs on shutdown,',
'e2scrub_all.timer,Periodic ext4 Online Metadata Check for All Filesystems,',
'finalrd.service,Create final runtime dir for shutdown pivot root,',
'firewalld.service,firewalld - dynamic firewall daemon,',
'firewall.service,Firewall,',
'firewalld.service,firewalld - dynamic firewall daemon,',
'flatpak-system-helper.service,flatpak system helper,',
'fprintd.service,Fingerprint Authentication Daemon,',
'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,',
@ -150,8 +155,8 @@ WHERE
'lima-guestagent.service,lima-guestagent,',
'livesys-late.service,SYSV: Late init script for live image.,',
'livesys.service,LSB: Init script for live image.,',
'lm_sensors.service,Hardware Monitoring Sensors,',
'lm-sensors.service,Initialize hardware monitoring sensors,',
'lm_sensors.service,Hardware Monitoring Sensors,',
'lm_sensors.service,Initialize hardware monitoring sensors,',
'logrotate-checkconf.service,Logrotate configuration check,',
'logrotate.timer,Daily rotation of log files,',
@ -164,7 +169,6 @@ WHERE
'man-db.timer,Daily man-db regeneration,',
'mcelog.service,Machine Check Exception Logging Daemon,',
'mlocate-updatedb.timer,Updates mlocate database every day,',
'ModemManager.service,Modem Manager,root',
'modprobe@efi_pstore.service,Load Kernel Module efi_pstore,',
'modprobe@pstore_blk.service,Load Kernel Module pstore_blk,',
'modprobe@pstore_zone.service,Load Kernel Module pstore_zone,',
@ -176,19 +180,16 @@ WHERE
'multipathd.socket,multipathd control socket,',
'nessusd.service,The Nessus Vulnerability Scanner,',
'netcf-transaction.service,Rollback uncommitted netcf network config change transactions,',
'network-local-commands.service,Extra networking commands.,',
'network-setup.service,Networking Setup,',
'networkd-dispatcher.service,Dispatcher daemon for systemd-networkd,',
'networking.service,Raise network interfaces,',
'network-local-commands.service,Extra networking commands.,',
'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,',
'NetworkManager.service,Network Manager,',
'NetworkManager-wait-online.service,Network Manager Wait Online,',
'network-setup.service,Networking Setup,',
'nginx.service,Nginx Web Server,nginx',
'nix-daemon.service,Nix Daemon,',
'nix-daemon.socket,Nix Daemon Socket,',
'nix-gc.timer,nix-gc.timer,',
'nscd.service,Name Service Cache Daemon,nscd',
'nscd.service,Name Service Cache Daemon (nsncd),nscd',
'nscd.service,Name Service Cache Daemon,nscd',
'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,',
'nvidia-persistenced.service,NVIDIA Persistence Daemon,',
'nvidia-powerd.service,nvidia-powerd service,',
@ -202,8 +203,8 @@ WHERE
'phpsessionclean.timer,Clean PHP session files every 30 mins,',
'plocate-updatedb.service,Update the plocate database,',
'plocate-updatedb.timer,Update the plocate database daily,',
'plymouth-quit.service,Terminate Plymouth Boot Screen,',
'plymouth-quit-wait.service,Hold until boot process finishes up,',
'plymouth-quit.service,Terminate Plymouth Boot Screen,',
'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,',
'plymouth-start.service,Show Plymouth Boot Screen,',
'polkit.service,Authorization Manager,',
@ -231,27 +232,27 @@ WHERE
'setvtrgb.service,Set console scheme,',
'shadow.service,Verify integrity of password and group files,',
'shadow.timer,Daily verification of password and group files,',
'-.slice,Root Slice,',
'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,',
'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,',
'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,',
'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,',
'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,',
'snapd.seeded.service,Wait until snapd is fully seeded,',
'snapd.service,Snap Daemon,',
'snapd.socket,Socket activation for snappy daemon,',
'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,',
'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,',
'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,',
'ssh.service,OpenBSD Secure Shell server,',
'sshd.service,OpenSSH Daemon,',
'sshd.service,OpenSSH server daemon,',
'sshd.service,SSH Daemon,',
'ssh.service,OpenBSD Secure Shell server,',
'sssd-kcm.service,SSSD Kerberos Cache Manager,',
'sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,',
'supergfxd.service,SUPERGFX,',
'switcheroo-control.service,Switcheroo Control Proxy service,',
'syslog.socket,Syslog Socket,',
'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,',
'sysstat.service,Resets System Activity Logs,root',
'sysstat-summary.timer,Generate summary of yesterday''s process accounting,',
'sysstat.service,Resets System Activity Logs,root',
'system.slice,System Slice,',
'systemd-ask-password-console.path,Dispatch Password Requests to Console Directory Watch,',
'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,',
'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,',
@ -262,8 +263,8 @@ WHERE
'systemd-cryptsetup@cryptdata.service,Cryptography Setup for cryptdata,',
'systemd-cryptsetup@cryptoswap.service,Cryptography Setup for cryptoswap,',
'systemd-cryptsetup@cryptswap.service,Cryptography Setup for cryptswap,',
'systemd-fsckd.socket,fsck to fsckd communication Socket,',
'systemd-fsck-root.service,File System Check on Root Device,',
'systemd-fsckd.socket,fsck to fsckd communication Socket,',
'systemd-growfs@-.service,Grow File System on /,',
'systemd-homed-activate.service,Home Area Activation,',
'systemd-homed.service,Home Area Manager,',
@ -271,24 +272,24 @@ WHERE
'systemd-hwdb-update.service,Rebuild Hardware Database,',
'systemd-initctl.socket,initctl Compatibility Named Pipe,',
'systemd-journal-catalog-update.service,Rebuild Journal Catalog,',
'systemd-journal-flush.service,Flush Journal to Persistent Storage,',
'systemd-journald-audit.socket,Journal Audit Socket,',
'systemd-journald-dev-log.socket,Journal Socket (/dev/log),',
'systemd-journald.service,Journal Service,',
'systemd-journald.socket,Journal Socket,',
'systemd-journal-flush.service,Flush Journal to Persistent Storage,',
'systemd-localed.service,Locale Service,',
'systemd-logind.service,User Login Management,',
'systemd-machined.service,Virtual Machine and Container Registration Service,',
'systemd-modules-load.service,Load Kernel Modules,',
'systemd-network-generator.service,Generate network units from Kernel command line,',
'systemd-networkd-wait-online.service,Wait for Network to be Configured,',
'systemd-networkd.service,Network Configuration,systemd-network',
'systemd-networkd.socket,Network Service Netlink Socket,',
'systemd-networkd-wait-online.service,Wait for Network to be Configured,',
'systemd-network-generator.service,Generate network units from Kernel command line,',
'systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom',
'systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,',
'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,',
'systemd-pcrphase.service,TPM2 PCR Barrier (User),',
'systemd-pcrphase-sysinit.service,TPM2 PCR Barrier (Initialization),',
'systemd-pcrphase.service,TPM2 PCR Barrier (User),',
'systemd-random-seed.service,Load/Save OS Random Seed,',
'systemd-random-seed.service,Load/Save Random Seed,',
'systemd-remount-fs.service,Remount Root and Kernel File Systems,',
@ -302,20 +303,19 @@ WHERE
'systemd-tmpfiles-clean.timer,Daily Cleanup of Temporary Directories,',
'systemd-tmpfiles-setup-dev.service,Create Static Device Nodes in /dev,',
'systemd-tmpfiles-setup.service,Create Volatile Files and Directories,',
'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,',
'systemd-udev-trigger.service,Coldplug All udev Devices,',
'systemd-udevd-control.socket,udev Control Socket,',
'systemd-udevd-kernel.socket,udev Kernel Socket,',
'systemd-udevd.service,Rule-based Manager for Device Events and Files,',
'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,',
'systemd-udev-trigger.service,Coldplug All udev Devices,',
'systemd-update-done.service,Update is Completed,',
'systemd-update-utmp.service,Record System Boot/Shutdown in UTMP,',
'systemd-update-utmp.service,Update UTMP about System Boot/Shutdown,',
'systemd-user-sessions.service,Permit User Sessions,',
'systemd-userdbd.service,User Database Manager,',
'systemd-userdbd.socket,User Database Manager Socket,',
'systemd-user-sessions.service,Permit User Sessions,',
'systemd-vconsole-setup.service,Setup Virtual Console,',
'systemd-vconsole-setup.service,Virtual Console Setup,',
'system.slice,System Slice,',
'tailscaled.service,Tailscale node agent,',
'thermald.service,Thermal Daemon Service,',
'tlp.service,TLP system startup/shutdown,',
@ -325,9 +325,9 @@ WHERE
'ufw.service,Uncomplicated firewall,',
'unattended-upgrades.service,Unattended Upgrades Shutdown,',
'unbound-anchor.timer,daily update of the root trust anchor for DNSSEC,',
'updatedb.timer,Daily locate database update,',
'update-notifier-download.timer,Download data for packages that failed at package install time,',
'update-notifier-motd.timer,Check to see whether there is a new version of Ubuntu available,',
'updatedb.timer,Daily locate database update,',
'upower.service,Daemon for power management,',
'uresourced.service,User resource assignment daemon,',
'usbmuxd.service,Socket daemon for the usbmux protocol used by Apple devices,',
@ -374,6 +374,7 @@ WHERE
)
OR exception_key LIKE 'machine-qemu%.scope,Virtual Machine qemu%,'
OR exception_key LIKE 'zfs-snapshot-%.timer,zfs-snapshot-%.timer,'
OR exception_key LIKE 'systemd-cryptsetup@dm_crypt%.service,Cryptography Setup for dm_crypt-%,'
OR exception_key LIKE 'zfs-snapshot-%.service,zfs-snapshot-%.service,'
OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0'
OR exception_key LIKE 'run-media-%.mount,run-media-%.mount,'


@ -50,6 +50,7 @@ WHERE
OR directory LIKE '/dev/%'
)
AND path_expr NOT IN (
'/dev/HID-SENSOR-e..auto',
'/dev/acpi_thermal_rel',
'/dev/autofs',
'/dev/block/',
@ -66,8 +67,8 @@ WHERE
'/dev/console',
'/dev/core',
'/dev/cpu/',
'/dev/cpu_dma_latency',
'/dev/cpu/microcode',
'/dev/cpu_dma_latency',
'/dev/cros_ec',
'/dev/cuse',
'/dev/disk/',
@ -95,7 +96,6 @@ WHERE
'/dev/fuse',
'/dev/gpiochip',
'/dev/hidraw',
'/dev/HID-SENSOR-e..auto',
'/dev/hpet',
'/dev/hugepages/',
'/dev/hugepages/libvirt',
@ -141,10 +141,10 @@ WHERE
'/dev/nvidia',
'/dev/nvidia-caps/',
'/dev/nvidia-caps/nvidia-cap',
'/dev/nvidiactl',
'/dev/nvidia-modeset',
'/dev/nvidia-uvm',
'/dev/nvidia-uvm-tools',
'/dev/nvidiactl',
'/dev/nvme',
'/dev/nvmen',
'/dev/nvmenp',
@ -195,9 +195,10 @@ WHERE
'/dev/tpmrm',
'/dev/tty',
'/dev/ttyACM',
'/dev/ttyprintk',
'/dev/ttyS',
'/dev/ttyUSB',
'/dev/ttyprintk',
'/dev/ubuntu-vg/',
'/dev/udmabuf',
'/dev/uhid',
'/dev/uinput',
@ -218,13 +219,14 @@ WHERE
'/dev/vfio/',
'/dev/vfio/vfio',
'/dev/vg/',
'/dev/vga_arbiter',
'/dev/vg/root',
'/dev/vg/swap',
'/dev/vga_arbiter',
'/dev/vgubuntu/',
'/dev/vgubuntu/root',
'/dev/vgubuntu/swap_',
'/dev/vhci',
'/dev/disk/by-dname',
'/dev/vhost-net',
'/dev/vhost-vsock',
'/dev/video',
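Review bot: `'/dev/disk/by-dname'` at L1661 is inserted between `/dev/vhci` and `/dev/vhost-net`, out of the sorted order that the rest of this commit establishes for the `path_expr NOT IN` list (for example `/dev/vga_arbiter` moving from L1653 to L1656 and `/dev/nvidiactl` from L1629 to L1633). It belongs beside the other `/dev/disk/` entry at L1616, where a later maintainer looking for disk-related exceptions will expect it. Sorted exception lists are also the only practical way to spot an accidental duplicate in a list this long. The enclosing `WHERE` clause and the definition of `path_expr` start above the first hunk.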


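--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -8,39 +8,43 @@
 --
 -- tags: persistent filesystem state seldom
 -- platform: posix
-SELECT *,
-CONCAT(
-MIN(file.uid, 500),
-",",
-file.gid,
-",",
-file.path,
-",",
-file.type,
-',',
-mode
-) AS exception_key
-FROM file
-WHERE (
-path LIKE "/tmp/%.lock"
-OR path LIKE "/var/run/%.lock"
-OR path LIKE "/var/tmp/%.lock"
-OR path LIKE "/dev/shm/%.lock"
-OR path LIKE "/dev/mqueue/%.lock"
-OR path LIKE "/tmp/.%.lock"
-OR path LIKE "/var/run/.%.lock"
-OR path LIKE "/var/tmp/.%.lock"
-OR path LIKE "/dev/shm/.%.lock"
-OR path LIKE "/dev/mqueue/.%.lock"
-)
-AND exception_key NOT IN (
-'0,0,/var/run/unattended-upgrades.lock,regular,0640',
-'500,0,/tmp/mysql.sock.lock,regular,0600',
-'500,0,/tmp/mysqlx.sock.lock,regular,0600',
-'0,0,/var/run/xtables.lock,regular,0600',
-'0,0,/var/run/dnf-metadata.lock,regular,0644',
-'0,0,/var/run/apport.lock,regular,0600',
-'74,0,/tmp/mysql.sock.lock,regular,0600',
-'74,0,/tmp/mysqlx.sock.lock,regular,0600',
-'500,1001,/tmp/nwg-dock.lock,regular,0600'
-)
+SELECT
+*,
+CONCAT (
+MIN(file.uid, 500),
+",",
+file.gid,
+",",
+file.path,
+",",
+file.type,
+',',
+mode
+) AS exception_key
+FROM
+file
+WHERE
+(
+path LIKE "/tmp/%.lock"
+OR path LIKE "/var/run/%.lock"
+OR path LIKE "/var/tmp/%.lock"
+OR path LIKE "/dev/shm/%.lock"
+OR path LIKE "/dev/mqueue/%.lock"
+OR path LIKE "/tmp/.%.lock"
+OR path LIKE "/var/run/.%.lock"
+OR path LIKE "/var/tmp/.%.lock"
+OR path LIKE "/dev/shm/.%.lock"
+OR path LIKE "/dev/mqueue/.%.lock"
+)
+AND exception_key NOT IN (
+'0,0,/var/run/unattended-upgrades.lock,regular,0640',
+'500,0,/tmp/mysql.sock.lock,regular,0600',
+'500,0,/tmp/mysqlx.sock.lock,regular,0600',
+'0,0,/var/run/xtables.lock,regular,0600',
+'0,0,/var/run/dnf-metadata.lock,regular,0644',
+'0,0,/var/run/ufw.lock,regular,0644',
+'0,0,/var/run/apport.lock,regular,0600',
+'74,0,/tmp/mysql.sock.lock,regular,0600',
+'74,0,/tmp/mysqlx.sock.lock,regular,0600',
+'500,1001,/tmp/nwg-dock.lock,regular,0600'
+)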
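Review bot: The reformatted statement keeps double-quoted string literals (`","` at L1712, L1714 and L1716, and every `path LIKE "/tmp/%.lock"`-style pattern at L1725–L1734) while the same `CONCAT` already uses the single-quoted `','` at L1718. In SQLite, which osquery runs on, a double-quoted token is resolved as an identifier first and only falls back to a string literal, and that fallback can be disabled at build time, so a literal that happens to match a column name silently changes meaning; single quotes, `','` and `path LIKE '/tmp/%.lock'`, are the unambiguous form and a one-for-one mechanical swap across those lines. The `CONCAT (` at L1710 also carries a space before the parenthesis that the `MIN(` call on the next line does not. The added `'0,0,/var/run/ufw.lock,regular,0644'` exception at L1742 looks fine as far as the key format visible in the `CONCAT` shows.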


@ -39,22 +39,23 @@ WHERE
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Foxit Corporation (8GN47HTP75)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Krisp Technologies, Inc. (U5R26XM5Z2)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'Developer ID Application: Paragon Software GmbH (LSJ6YVK468)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: PFU LIMITED (XW4U7W2E9L)', -- Fujitsu
'Developer ID Application: Paragon Software GmbH (LSJ6YVK468)',
'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
'Developer ID Application: Proton Technologies AG (6UN54H93QT)',
'Developer ID Application: Sanford, L.P. (N3S6676K3E)', -- DYMO
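Review bot: The allowlist is keyed on the full authority string, and after this reorder two entries share one team ID under different names (`'Developer ID Application: Google LLC (EQHXZ8M8AV)'` at L1756 and `'Developer ID Application: Google, Inc. (EQHXZ8M8AV)'` at L1757) while Kolide appears under two different team IDs (`X98UFR7HA3` at L1764, `YZ3EM74M78` at L1763). The file already annotates non-obvious names inline (`-- Fujitsu` at L1774, `-- DYMO` at L1778), so a trailing comment on each of those pairs, for example `-- same team ID, older signing name` if that is the reason, would tell the next reviewer these are intentional rather than stale duplicates. `'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)'` at L1760 is also left between JetBrains and Keybase, out of the order the rest of this hunk restores. The enclosing `WHERE` starts above the hunk.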


@ -33,8 +33,9 @@ WHERE
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Louis Pontoise (QXD7GW8FHY)',
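Review bot: `'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)'` is added at L1788 to this signing-authority allowlist, and this same commit adds FortiClient binaries to the macOS long-running process list (`/Library/Application Support/Fortinet/FortiClient/bin/fcconfig` and `fctservctl`, plus the `com.fortinet.forticlient.macos.PrivilegedHelper` helper), but the sibling authority list in the previous file section (L1752–L1778) has no Fortinet entry between Foxit and Fumihiko. If the two lists are meant to cover the same vendor set, the omission there is presumably an oversight; if they are intentionally different, a short comment on this line saying what this query allows the signer for would prevent someone copying it across. The enclosing `WHERE` starts above the hunk.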


@ -70,19 +70,20 @@ WHERE
AND pe.cmdline != ''
AND pe.time > (strftime('%s', 'now') -300)
AND NOT exception_key IN (
'systemctl,0,apt-helper,',
'systemctl,0,,containerd-shim-runc-v2',
'systemctl,0,kubeadm,containerd-shim-runc-v2',
'systemctl,0,apt-helper,',
'systemctl,0,bash,pacman',
'systemctl,0,dash,logrotate',
'systemctl,0,kubeadm,containerd-shim-runc-v2',
'systemctl,0,pacman,pacman',
'systemctl,500,zsh,tmux',
'systemctl,0,pacman,sudo',
'systemctl,0,snapd,systemd',
'systemctl,0,tailscaled,',
'systemctl,127,snap,systemd',
'systemctl,500,bash,gnome-terminal-server',
'systemctl,500,snap,systemd',
'systemctl,500,systemd,'
'systemctl,500,systemd,',
'systemctl,500,zsh,tmux'
)
AND NOT p0_cmd IN (
'/bin/systemctl is-enabled -q whoopsie.path',
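Review bot: The new exception `'systemctl,0,tailscaled,'` at L1811 has an empty trailing field, like `'systemctl,0,apt-helper,'` at L1803, and nothing in the hunk says what an empty field matches — the `exception_key` definition is above the hunk, so a reader can only guess it is a missing ancestor name. Since this entry permits a root-run `systemctl` spawned by a network daemon, a trailing comment naming the legitimate action it covers (for example `-- tailscaled unit management` if that is what was observed) would make the exception auditable the way the `p0_cmd` list at L1820 is. The commit also fixes the missing comma after `'systemctl,500,systemd,'` (L1815 → L1816), which is good, because adjacent string literals inside `IN (...)` are not valid SQL.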


@ -74,6 +74,15 @@ WHERE
AND p0.path != ""
AND p0.start_time < (strftime('%s', 'now') - 1200)
AND exception_key NOT IN (
'(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
@ -93,8 +102,8 @@ WHERE
'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
'blueman-mechanism.service,Bluetooth management mechanism,,200',
'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
'blueman-mechanism.service,Bluetooth management mechanism,,200',
'bluetoothd,/usr/lib/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
'bluetoothd,/usr/libexec/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
@ -102,13 +111,13 @@ WHERE
'bpfilter_umh,/bpfilter_umh,0,,,',
'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
'cupsd,/usr/bin/cupsd,0,system.slice,cups.service,0700',
'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
@ -121,38 +130,38 @@ WHERE
'dnsmasq,/usr/bin/dnsmasq,0,system.slice,libvirtd.service,0755',
'dnsmasq,/usr/sbin/dnsmasq,0,system.slice,libvirtd.service,0755',
'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755',
'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755',
'fusermount,/usr/bin/fusermount,1000,user.slice,user-1000.slice,4755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
'gdm,/usr/sbin/gdm,0,system.slice,gdm.service,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
'geoclue.service,Location Lookup Service,geoclue,500',
'gnome-keyring-d,/usr/bin/gnome-keyring-daemon,0,user.slice,user-1000.slice,0755',
'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755',
'gpg-agent,/usr/bin/gpg-agent,0,user.slice,user-1000.slice,0755',
'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755',
'gvfsd-fuse,/usr/libexec/gvfsd-fuse,0,user.slice,user-1000.slice,0755',
'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755',
'gvfsd-fuse,/usr/libexec/gvfsd-fuse,0,user.slice,user-1000.slice,0755',
'haproxy,/usr/sbin/haproxy,0,system.slice,haproxy.service,0755',
'iio-sensor-prox,/usr/libexec/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
'iio-sensor-prox,/usr/lib/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
'iio-sensor-prox,/usr/libexec/iio-sensor-proxy,0,system.slice,iio-sensor-proxy.service,0755',
'irqbalance,/usr/sbin/irqbalance,0,system.slice,irqbalance.service,0755',
'iwd,/usr/lib/iwd/iwd,0,system.slice,iwd.service,0755',
'launcher,/nix/store/__VERSION__/bin/launcher,0,system.slice,kolide-launcher.service,0555',
@ -166,23 +175,20 @@ WHERE
'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755',
'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
'multipathd,/usr/sbin/multipathd,0,system.slice,multipathd.service,0755',
'nessusd,/opt/nessus/sbin/nessusd,0,system.slice,nessusd.service,0755',
'nessus-service,/opt/nessus/sbin/nessus-service,0,system.slice,nessusd.service,0755',
'nessusd,/opt/nessus/sbin/nessusd,0,system.slice,nessusd.service,0755',
'networkd-dispat,/usr/bin/python3.10,0,system.slice,networkd-dispatcher.service,0755',
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
'nm-dispatcher,/usr/lib/nm-dispatcher,0,system.slice,NetworkManager-dispatcher.service,0755',
'nm-openvpn-serv,/usr/libexec/nm-openvpn-service,0,system.slice,NetworkManager.service,0755',
'nvidia-powerd,/usr/bin/nvidia-powerd,0,system.slice,nvidia-powerd.service,0755',
'orbit,/opt/orbit/bin/orbit/linux/stable/orbit,0,system.slice,orbit.service,0755',
'osquery-extensi,/nix/store/__VERSION__/bin/osquery-extension.ext,0,system.slice,kolide-launcher.service,0555',
'osqueryd,/nix/store/__VERSION__/bin/osqueryd,0,system.slice,kolide-launcher.service,0555',
'osqueryd,/opt/orbit/bin/osqueryd/linux/stable/osqueryd,0,system.slice,orbit.service,0755',
'osqueryd,/usr/local/kolide-k2/bin/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osqueryd,/usr/local/kolide-k2/bin/osqueryd-updates/__VERSION__/osqueryd,0,system.slice,launcher.kolide-k2.service,0755',
'osquery-extensi,/nix/store/__VERSION__/bin/osquery-extension.ext,0,system.slice,kolide-launcher.service,0555',
'osqueryi,/usr/bin/osqueryd,0,user.slice,user-1000.slice,0755',
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
@ -190,37 +196,37 @@ WHERE
'pcscd,/usr/sbin/pcscd,0,system.slice,pcscd.service,0755',
'perl,/nix/store/__VERSION__/bin/perl,0,system.slice,znapzend.service,0555',
'polkitd,/usr/libexec/polkitd,0,system.slice,polkit.service,0755',
'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
'power-profiles-,/usr/lib/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
'power-profiles-,/usr/libexec/power-profiles-daemon,0,system.slice,power-profiles-daemon.service,0755',
'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
'rsyslogd,/usr/sbin/rsyslogd,0,system.slice,rsyslog.service,0755',
'runc,/usr/bin/runc,0,system.slice,docker.service,0755',
'scdaemon,/usr/libexec/scdaemon,0,system.slice,packagekit.service,0755',
'scdaemon,/usr/libexec/scdaemon,0,user.slice,user-1000.slice,0755',
'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
'(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
'sh,/nix/store/__VERSION__/bin/bash,0,system.slice,znapzend.service,0555',
'smartd,/usr/sbin/smartd,0,system.slice,smartd.service,0755',
'snapd,/snap/snapd/__VERSION__/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/libexec/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/lib/snapd/snapd,0,system.slice,snapd.service,0755',
'snapd,/usr/libexec/snapd/snapd,0,system.slice,snapd.service,0755',
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
'sshd,/nix/store/__VERSION__/bin/sshd,0,system.slice,sshd.service,0555',
'sshd,/nix/store/__VERSION__/bin/sshd,0,user.slice,user-1000.slice,0555',
'sshd,/usr/bin/sshd,0,system.slice,sshd.service,0755',
'sshd,/usr/bin/sshd,0,user.slice,user-1000.slice,0755',
'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755',
'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
'systemd-hostnam,/usr/lib/systemd/systemd-hostnamed,0,system.slice,systemd-hostnamed.service,0755',
@ -235,20 +241,18 @@ WHERE
'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
'systemd-userdbd,/usr/lib/systemd/systemd-userdbd,0,system.slice,systemd-userdbd.service,0755',
'systemd-userwor,/usr/lib/systemd/systemd-userwork,0,system.slice,systemd-userdbd.service,0755',
'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
'tailscaled,/usr/bin/tailscaled,0,system.slice,tailscaled.service,0755',
'tailscaled,/usr/sbin/tailscaled,0,system.slice,tailscaled.service,0755',
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'unattended-upgr,/usr/bin/python3.10,0,system.slice,unattended-upgrades.service,0755',
'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755',
'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
'unattended-upgr,/usr/bin/python__VERSION__,0,system.slice,unattended-upgrades.service,0755',
'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
@ -258,17 +262,14 @@ WHERE
'xdg-desktop-por,/usr/libexec/xdg-desktop-portal-gtk,0,user.slice,user-1000.slice,0755',
'xdg-document-po,/usr/libexec/xdg-document-portal,0,user.slice,user-1000.slice,0755',
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
'zed,/usr/sbin/zed,0,system.slice,zfs-zed.service,0755',
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555',
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-frequent.service,0555',
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-hourly.service,0555',
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555'
'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555',
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555'
)
AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
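Review bot: The new entry `'unattended-upgr,/usr/bin/python__VERSION__,0,system.slice,unattended-upgrades.service,0755'` at L2005 sits next to the literal `python3.10` and `python3.9` entries at L2002 and L2003, which are kept as context; if the `__VERSION__` substitution applied to `exception_key` (defined above the first hunk) already rewrites those paths, the two literal entries are now dead and should be dropped, and if it does not, the new entry is the one that never matches. The same pairing is visible for firewalld at L1879 (`python3.10`) and L1880 (`python__VERSION__`), so whichever way it resolves, both pairs should be treated the same. The reorder of existing entries (`(sd-pam)`, `X`/`Xorg`, `.tailscaled-wra`, `/usr/bin/monito` moving to L1828–L1836) is otherwise a straight sort.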


@ -63,10 +63,11 @@ WHERE -- Focus on longer-running programs
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service.app/Contents/MacOS/prl_disp_service',
'/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd',
'/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
'/bin/bash',
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect',
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/XPCServices/XProtectPluginService.xpc/Contents/MacOS/XProtectPluginService',
'/Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer',
'/Library/Application Support/Fortinet/FortiClient/bin/fcconfig',
'/Library/Application Support/Fortinet/FortiClient/bin/fctservctl',
'/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/MacOS/at.obdev.littlesnitch.daemon',
'/Library/Application Support/Paragon Software/com.paragon-software.extfsd',
'/Library/Application Support/Paragon Software/com.paragon-software.ntfsd',
@ -76,33 +77,30 @@ WHERE -- Focus on longer-running programs
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmware-usbarbitrator',
'/Library/Application Support/X-Rite/Frameworks/XRiteDevice.framework/Versions/B/Resources/xrdd',
'/Library/Audio/Plug-Ins/HAL/SolsticeDesktopSpeakers.driver/Contents/XPCServices/RelayXpc.xpc/Contents/MacOS/RelayXpc',
'/Library/Nessus/run/sbin/nessusd',
'/Library/Nessus/run/sbin/nessus-service',
'/Library/Nessus/run/sbin/nessusd',
'/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2',
'/Library/PrivilegedHelperTools/com.docker.vmnetd',
'/Library/PrivilegedHelperTools/com.fortinet.forticlient.macos.PrivilegedHelper',
'/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent',
'/Library/PrivilegedHelperTools/keybase.Helper',
'/Library/SystemExtensions/0FDB5206-860F-465C-B4D3-D6A0F43F4302/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
'/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension',
'/Library/SystemExtensions/4D1BF33A-9817-45D7-A242-8C39810C7F11/com.redcanary.agent.securityextension.systemextension/Contents/MacOS/com.redcanary.agent.securityextension',
'/Library/SystemExtensions/CC9A335C-A6D0-4C87-B902-45EBDF4BFD85/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
'/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd',
'/opt/socket_vmnet/bin/socket_vmnet',
'/sbin/launchd',
'/System/Library/CoreServices/CrashReporterSupportHelper',
'/System/Library/CoreServices/ReportCrash',
'/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd',
'/System/Library/CoreServices/SubmitDiagInfo',
'/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd',
'/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper',
'/System/Library/CoreServices/CrashReporterSupportHelper',
'/System/Library/CoreServices/iconservicesagent',
'/System/Library/CoreServices/launchservicesd',
'/System/Library/CoreServices/logind',
'/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow',
'/System/Library/CoreServices/osanalyticshelper',
'/System/Library/CoreServices/powerd.bundle/powerd',
'/System/Library/CoreServices/ReportCrash',
'/System/Library/CoreServices/sharedfilelistd',
'/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd',
'/System/Library/CoreServices/SubmitDiagInfo',
'/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader',
'/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/XPCServices/com.apple.ifdbundle.xpc/Contents/MacOS/com.apple.ifdbundle',
'/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/HIServices.framework/Versions/A/XPCServices/com.apple.hiservices-xpcservice.xpc/Contents/MacOS/com.apple.hiservices-xpcservice',
@ -131,12 +129,12 @@ WHERE -- Focus on longer-running programs
'/System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd',
'/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper',
'/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent',
'/System/Library/PrivateFrameworks/AppSSO.framework/Support/AppSSODaemon',
'/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Versions/A/XPCServices/com.apple.AppStoreDaemon.StorePrivilegedTaskService.xpc/Contents/MacOS/com.apple.AppStoreDaemon.StorePrivilegedTaskService',
'/System/Library/PrivateFrameworks/AppleCredentialManager.framework/AppleCredentialManagerDaemon',
'/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANECompilerService.xpc/Contents/MacOS/ANECompilerService',
'/System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANEStorageMaintainer.xpc/Contents/MacOS/ANEStorageMaintainer',
'/System/Library/PrivateFrameworks/ApplePushService.framework/apsd',
'/System/Library/PrivateFrameworks/AppSSO.framework/Support/AppSSODaemon',
'/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Versions/A/XPCServices/com.apple.AppStoreDaemon.StorePrivilegedTaskService.xpc/Contents/MacOS/com.apple.AppStoreDaemon.StorePrivilegedTaskService',
'/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService',
'/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/Versions/A/XPCServices/AssetCacheTetheratorService.xpc/Contents/MacOS/AssetCacheTetheratorService',
'/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd',
@ -175,25 +173,36 @@ WHERE -- Focus on longer-running programs
'/System/Library/PrivateFrameworks/WirelessDiagnostics.framework/Support/awdd',
'/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XProtectBehaviorService.xpc/Contents/MacOS/XProtectBehaviorService',
'/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService',
'/bin/bash',
'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
'/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd',
'/opt/socket_vmnet/bin/socket_vmnet',
'/sbin/launchd',
'/usr/bin/login',
'/usr/bin/sudo',
'/usr/bin/sysdiagnose',
'/usr/libexec/ASPCarryLog',
'/usr/libexec/AirPlayXPCHelper',
'/usr/libexec/ApplicationFirewall/socketfilterfw',
'/usr/libexec/IOMFB_bics_daemon',
'/usr/libexec/InternetSharing',
'/usr/libexec/PerfPowerServices',
'/usr/libexec/PowerUIAgent',
'/usr/libexec/TouchBarServer',
'/usr/libexec/UserEventAgent',
'/usr/libexec/airportd',
'/usr/libexec/amfid',
'/usr/libexec/aned',
'/usr/libexec/apfsd',
'/usr/libexec/applessdstatistics',
'/usr/libexec/ApplicationFirewall/socketfilterfw',
'/usr/libexec/ASPCarryLog',
'/usr/libexec/autofsd',
'/usr/libexec/automountd',
'/usr/libexec/batteryintelligenced',
'/usr/libexec/biokitaggdd',
'/usr/libexec/biometrickitd',
'/usr/libexec/bootinstalld',
'/usr/libexec/colorsyncd',
'/usr/libexec/colorsync.displayservices',
'/usr/libexec/colorsyncd',
'/usr/libexec/configd',
'/usr/libexec/containermanagerd',
'/usr/libexec/corebrightnessd',
@ -208,8 +217,6 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/endpointsecurityd',
'/usr/libexec/findmydeviced',
'/usr/libexec/firmwarecheckers/ethcheck/ethcheck',
'/usr/libexec/InternetSharing',
'/usr/libexec/IOMFB_bics_daemon',
'/usr/libexec/ioupsd',
'/usr/libexec/kernelmanagerd',
'/usr/libexec/keybagd',
@ -227,10 +234,8 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/nesessionmanager',
'/usr/libexec/online-authd',
'/usr/libexec/opendirectoryd',
'/usr/libexec/PerfPowerServices',
'/usr/libexec/periodic-wrapper',
'/usr/libexec/powerdatad',
'/usr/libexec/PowerUIAgent',
'/usr/libexec/remoted',
'/usr/libexec/rtcreportingd',
'/usr/libexec/runningboardd',
@ -247,12 +252,10 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/taskgated',
'/usr/libexec/thermald',
'/usr/libexec/thermalmonitord',
'/usr/libexec/TouchBarServer',
'/usr/libexec/trustdFileHelper',
'/usr/libexec/tzd',
'/usr/libexec/tzlinkd',
'/usr/libexec/usbd',
'/usr/libexec/UserEventAgent',
'/usr/libexec/usermanagerd',
'/usr/libexec/warmd',
'/usr/libexec/watchdogd',
@ -261,16 +264,17 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/wifivelocityd',
'/usr/local/kolide-k2/bin/osquery-extension.ext',
'/usr/local/sbin/velociraptor',
'/usr/sbin/BTLEServer',
'/usr/sbin/BlueTool',
'/usr/sbin/KernelEventAgent',
'/usr/sbin/WirelessRadioManagerd',
'/usr/sbin/aslmanager',
'/usr/sbin/audioclocksyncd',
'/usr/sbin/auditd',
'/usr/sbin/BlueTool',
'/usr/sbin/bluetoothd',
'/usr/sbin/BTLEServer',
'/usr/sbin/cfprefsd',
'/usr/sbin/distnoted',
'/usr/sbin/filecoordinationd',
'/usr/sbin/KernelEventAgent',
'/usr/sbin/mDNSResponderHelper',
'/usr/sbin/notifyd',
'/usr/sbin/securityd',
@ -278,8 +282,7 @@ WHERE -- Focus on longer-running programs
'/usr/sbin/sshd',
'/usr/sbin/syslogd',
'/usr/sbin/systemsoundserverd',
'/usr/sbin/systemstats',
'/usr/sbin/WirelessRadioManagerd'
'/usr/sbin/systemstats'
)
AND NOT path LIKE '/nix/store/%-nix-%/bin/nix'
AND NOT path LIKE '/opt/homebrew/Cellar/htop/%/bin/htop'
@ -294,30 +297,31 @@ WHERE -- Focus on longer-running programs
)
AND NOT s.authority IN (
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)',
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
'Developer ID Application: Foxit Corporation (8GN47HTP75)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
'Software Signing'