Remove more false positives, add more detail to sensitive file access

fd/unexpected-dev-opener-linux.sql

@@ -143,6 +143,7 @@ WHERE pof.path LIKE "/dev/%"
     "/dev/video,firefox",
     "/dev/video,obs",
     "/dev/video,pipewire",
+    "/dev/video,zoom",
     "/dev/video,obs-ffmpeg-mux",
     "/dev/video,vlc",
     "/dev/video,wireplumber",

fd/unexpected-sensitive-file-access-linux.sql

@@ -7,9 +7,15 @@ SELECT pof.pid,
     pof.fd,
     pof.path,
     f.uid AS file_uid,
+    p.cwd AS cwd,
+    p.euid,
     p.uid AS process_uid,
     p.name AS program_name,
     p.cmdline AS cmdline,
+    pp.name AS parent_name,
+    pp.cwd AS parent_cwd,
+    pp.path AS parent_path,
+    hp.sha256 AS parent_sha256,
     pf.filename AS program_base,
     hash.sha256,
     REPLACE(f.directory, u.directory, "~") AS dir,
@@ -34,10 +40,12 @@ SELECT pof.pid,
     ) AS exception_key
 FROM process_open_files pof
     LEFT JOIN processes p ON pof.pid = p.pid
+    LEFT JOIN processes pp ON p.parent = pp.pid
     LEFT JOIN file f ON pof.path = f.path
     LEFT JOIN file pf ON p.path = pf.path
     LEFT JOIN users u ON p.uid = u.uid
-    LEFT JOIN hash ON hash.path = p.path
+    LEFT JOIN hash ON p.path = hash.path
+    LEFT JOIN hash hp ON pp.path = hp.path
 WHERE f.uid != ""
     AND pf.filename != ""
     AND (
@@ -51,10 +59,12 @@ WHERE f.uid != ""
         OR pof.path LIKE "/home/%/.bash_history"
         OR pof.path LIKE "/home/%/.cache/mozilla/firefox%"
         OR pof.path LIKE "/home/%/.config/mozilla/firefox%"
+        OR pof.path LIKE "/home/%/.aws%"
     )
     AND NOT (
         file_uid == process_uid
         AND exception_key IN (
+            "aws,aws,~/.aws",
             "chrome_crashpad_handler,chrome_crashpad,",
             "chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome",
             "chrome,chrome,~/.config/google-chrome",

firewall/unexpected-alf-exceptions-macos.sql

@@ -100,6 +100,7 @@ WHERE -- NOTE:We intentionally want to preserve missing files
       OR file.directory LIKE "/Users/%/node_modules/.bin/%"
       OR file.directory LIKE "/Users/%/git/%"
       OR file.directory LIKE "/Users/%/%-cli"
+      OR file.directory LIKE "/private/var/folders/%/T/go-build%/exe"
     )
   )
 GROUP BY exception_key

net/unexpected-dns-traffic-events.sql

@@ -60,13 +60,13 @@ WHERE
   -- Exceptions that specifically talk to one server
   AND exception_key NOT IN (
     "coredns,0.0.0.0,53",
-    "nessusd,50.16.123.71,53",
-    "nessusd,52.44.207.89,53",
     "syncthing,46.162.192.181,53"
   )
+  AND p.name != "nessusd"
   -- Local DNS servers and custom clients go here
   AND p.path NOT IN (
     "/usr/lib/systemd/systemd-resolved",
+    "/Library/Nessus/run/sbin/nessusd",
     "/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper",
     "/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper"
   )

net/unexpected-talkers-linux.sql

@@ -251,6 +251,7 @@ WHERE protocol > 0
     "80,6,500,firefox",
     "80,6,500,slack",
     "80,6,500,spotify",
+    "67,17,0,NetworkManager",
     "80,6,500,steam",
     "80,6,0,gdk-pixbuf-quer",
     "80,6,500,steamwebhelper",

process/hidden-cwd.sql

@@ -33,9 +33,16 @@ FROM processes p
   LEFT JOIN processes pp ON p.parent = pp.pid
   LEFT JOIN users u ON p.uid = u.uid
   LEFT JOIN hash ON p.path = hash.path
-WHERE p.cwd LIKE "%/.%"
-  AND NOT exception_key IN ("bash,~/go/src", "mysqld,~/.local/share")
-  OR program_name IN ("bindfs")
-  OR dir LIKE "~/go/src/%"
-  OR dir LIKE "~/src/%"
-  OR dir LIKE "~/%/.github%"
+WHERE dir LIKE "%/.%"
+  AND NOT (
+    exception_key IN (
+      "bash,~/go/src",
+      "mysqld,~/.local/share",
+      "Electron,~/.vscode/extensions",
+      "vim,~/go/src",
+    )
+    OR p.name IN ("bindfs")
+    OR dir LIKE "~/go/src/%"
+    OR dir LIKE "~/src/%"
+    OR dir LIKE "~/%/.github%"
+  )

process/recently-created-executables.sql

@@ -35,7 +35,6 @@ WHERE p.start_time > 0
     "/Applications/Grammarly Desktop.app/Contents/MacOS",
     "/Applications/Opal.app/Contents/Library/LaunchServices",
     "/Applications/Opal.app/Contents/MacOS",
-    "/usr/local/kolide-k2/bin",
     "/Applications/Opal.app/Contents/XPCServices/OpalCameraDeviceService.xpc/Contents/MacOS",
     "/Applications/Signal.app/Contents/Frameworks/Signal Helper (GPU).app/Contents/MacOS",
     "/Applications/Signal.app/Contents/Frameworks/Signal Helper (Renderer).app/Contents/MacOS",
@@ -51,7 +50,6 @@ WHERE p.start_time > 0
     "/Applications/Spotify.app/Contents/MacOS",
     "/Applications/Stream Deck.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS",
     "/Applications/Stream Deck.app/Contents/MacOS",
-    "/Library/Developer/CommandLineTools/usr/bin",
     "/Applications/Tailscale.app/Contents/MacOS",
     "/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS",
     "/Applications/Todoist.app/Contents/Frameworks/Todoist Helper (GPU).app/Contents/MacOS",
@@ -60,32 +58,41 @@ WHERE p.start_time > 0
     "/Applications/Todoist.app/Contents/MacOS",
     "/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS",
     "/Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources",
+    "/Library/Application Support/Adobe/AdobeGCClient",
     "/Library/CoreMediaIO/Plug-Ins/DAL/OpalVirtualCamera.plugin/Contents/Resources",
+    "/Library/Developer/CommandLineTools/usr/bin",
     "/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS",
     "/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS",
     "/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS",
     "/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS",
     "/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS",
     "/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS",
-    "/Users/wolf/Library/Caches/company.thebrowser.Browser/org.sparkle-project.Sparkle/Launcher/FzhOGA60Z/Updater.app/Contents/MacOS"
+    "/usr/local/kolide-k2/bin"
   )
+
+  -- Typically daemons or long-running desktop apps
   AND NOT p.path IN (
     "",
     "/Library/DropboxHelperTools/Dropbox_u501/dbkextd",
     "/Library/PrivilegedHelperTools/com.adobe.acc.installer.v2",
+    "/Library/PrivilegedHelperTools/com.docker.vmnetd",
     "/opt/google/chrome/chrome",
     "/usr/bin/containerd",
     "/usr/bin/dockerd",
     "/usr/bin/obs",
-    "/Library/PrivilegedHelperTools/com.docker.vmnetd",
+    "/usr/bin/udevadm",
     "/usr/lib/at-spi-bus-launcher",
     "/usr/lib/at-spi2-registryd",
     "/usr/lib/fwupd/fwupd",
     "/usr/lib/slack/chrome_crashpad_handler",
     "/usr/lib/slack/slack",
+    "/usr/lib/systemd/systemd-journald",
+    "/usr/lib/systemd/systemd-oomd",
+    "/usr/lib/systemd/systemd-resolved",
+    "/usr/lib/systemd/systemd-timesyncd",
     "/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page",
-    "/usr/libexec/fwupd/fwupd",
     "/usr/lib/xf86-video-intel-backlight-helper",
+    "/usr/libexec/fwupd/fwupd",
     "/usr/libexec/sssd/sssd_kcm",
     "/usr/sbin/cupsd",
     "/usr/sbin/tailscaled"

process/reverse-shell-socket.sql

@@ -1,31 +1,26 @@
 -- An alternate way to discover reverse shells, inspired by the osxattack pack
 SELECT DISTINCT
-  (processes.pid),
-  processes.parent,
-  processes.name,
-  processes.path,
-  processes.cmdline,
-  processes.cwd,
-  processes.root,
-  processes.uid,
-  processes.gid,
-  processes.start_time,
-  process_open_sockets.remote_address,
-  process_open_sockets.remote_port,
-  (
-    SELECT
-      cmdline
-    FROM
-      processes AS parent_cmdline
-    WHERE
-      pid = processes.parent
-  ) AS parent_cmdline
-FROM
-  processes
-  JOIN process_open_sockets USING (pid)
-  LEFT OUTER JOIN process_open_files ON processes.pid = process_open_files.pid
+  (p.pid),
+  p.parent,
+  p.name,
+  p.path,
+  p.cmdline,
+  p.cwd,
+  p.root,
+  p.uid,
+  p.gid,
+  p.start_time,
+  pos.remote_address,
+  pos.remote_port,
+  pp.cmdline,
+  pp.path
+  FROM process_open_files pof
+  JOIN process_open_sockets pos USING (pid)
+  LEFT JOIN processes p ON pof.pid = p.pid
+  LEFT JOIN processes pp ON p.parent = pp.pid
+  LEFT OUTER JOIN process_open_files ON p.pid = process_open_files.pid
 WHERE
-  name IN ('sh', 'bash', 'perl', 'python')
-  AND process_open_files.pid IS NULL
-  AND process_open_sockets.remote_port > 0
-  AND NOT (path="/usr/bin/bash" AND parent_cmdline LIKE "pacman -S%")
+  p.name IN ('sh', 'bash', 'perl', 'python')
+  AND pof.pid IS NULL
+  AND pos.remote_port > 0
+  AND NOT (p.path="/usr/bin/bash" AND pp.cmdline LIKE "pacman -S%")

process/touched-executable-macos.sql

@@ -3,11 +3,13 @@ SELECT p.path,
   p.name,
   p.cmdline,
   p.euid,
+  DATETIME(p.start_time, "unixepoch") AS started,
   DATETIME(f.ctime, "unixepoch") AS changed,
   DATETIME(f.btime, "unixepoch") AS birthed,
   DATETIME(f.mtime, "unixepoch") AS modified,
   DATETIME(f.atime, "unixepoch") AS accessed,
   (f.btime - f.ctime) / 86400 AS btime_ctime_days_diff,
+  (p.start_time - f.atime) / 86400 AS start_atime_days_diff,
   pp.path AS parent_path,
   pp.cmdline AS parent_cmd,
   pp.cwd AS parent_cwd,
@@ -21,20 +23,33 @@ FROM processes p
   LEFT JOIN signature ON p.path = signature.path
 WHERE f.btime == f.mtime
   AND (
-    -- The program was touched to look newer
-    btime_ctime_days_diff > 0 -- The program was touched to look older
-    OR btime_ctime_days_diff < -90
+    btime_ctime_days_diff > 0 -- change time is older than birth time
+    OR btime_ctime_days_diff < -120 -- change time is older than birth time
+    OR start_atime_days_diff > 90 -- access time is older than start time
+    OR start_atime_days_diff < -10 -- access time is newer than start time
   )
+
+  -- Vendors that create software packages that look like a touched file.
+  -- Typically they have a ctime way earlier than btime (>90 days)
   AND NOT signature.authority IN (
-    "Developer ID Application: Logitech Inc. (QED4VVPZWA)",
+    "Apple Mac OS Application Signing",
+    "Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)",
+    "Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)",
     "Developer ID Application: Bryan Jones (49EYHPJ4Q3)",
-    "Developer ID Application: RescueTime, Inc (FSY4RB8H39)",
-    "Developer ID Application: Michael Jones (YD6LEYT6WZ)",
-    "Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)",
+    "Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)",
     "Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)",
     "Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)",
-    "Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)",
-    "Apple Mac OS Application Signing"
+    "Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)",
+    "Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)",
+    "Developer ID Application: Galvanix (5BRAQAFB8B)",
+    "Developer ID Application: Google LLC (EQHXZ8M8AV)",
+    "Developer ID Application: Docker Inc (9BNSXJN65R)",
+    "Developer ID Application: Logitech Inc. (QED4VVPZWA)",
+    "Developer ID Application: Michael Jones (YD6LEYT6WZ)",
+    "Developer ID Application: RescueTime, Inc (FSY4RB8H39)",
+    "Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)",
+    "Developer ID Application: Yubico Limited (LQA3CS5MM7)",
+    "Software Signing"
   )
   AND NOT (
     btime_ctime_days_diff < -90
@@ -48,7 +63,9 @@ WHERE f.btime == f.mtime
         "/Applications/Canon Utilities/Inkjet Extended Survey Program/Inkjet Extended Survey Program.app/Contents/MacOS/ESPController.app/Contents/Library/LoginItems/CanonIJExtendedSurveyLaunchAgent.app/Contents/MacOS/CanonIJExtendedSurveyLaunchAgent"
       )
       OR p.path LIKE "/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%"
-      OR p.path LIKE "/opt/homebrew/Cellar/bash/%/bin/bash"
+      OR p.path LIKE "/Applications/%.app/Contents/MacOS/%"
+      OR p.path LIKE "/opt/homebrew/Cellar/bash/%/bin/%"
+      OR p.path LIKE "/nix/store/%"
     )
   )
 GROUP by p.pid

process/unexpected-env-values.sql

@@ -31,7 +31,7 @@ WHERE
     AND NOT pe.value LIKE 'libmozsandbox.so%'
   )
   OR (
-    key = 'DYLD_INSERT_LIBRARIES' -- sort of obsolete, but may affect SIP abusers
+    key = 'DYLD_INSERT_LIBRARIES' -- actively exploited on programs which disable library security
   )
   OR (
     key = 'DYLD_FRAMEWORK_PATH' -- sort of obsolete, but may affect SIP abusers

process/unexpected-uid0-daemon-linux.sql

@@ -16,8 +16,7 @@ FROM processes p
     LEFT JOIN hash ON p.path = hash.path
     LEFT JOIN processes pp ON p.parent = pp.pid
 WHERE p.uid = 0
-    AND (strftime('%s', 'now') - p.start_time) > 120
-    -- use osquery as the reference mount namespace
+    AND (strftime('%s', 'now') - p.start_time) > 120 -- use osquery as the reference mount namespace
     AND mnt_namespace IN (
         SELECT DISTINCT (mnt_namespace)
         FROM process_namespaces
@@ -25,60 +24,62 @@ WHERE p.uid = 0
         WHERE processes.name IN ("osqueryi", "osqueryd")
     )
     AND p.path NOT IN (
-        "", -- Not a file-based process
-        "/usr/lib/systemd/systemd",
-        "/usr/sbin/tailscaled",
-        "/usr/bin/dockerd",
-        "/usr/libexec/flatpak-system-helper",
-        "/usr/bin/containerd",
-        "/usr/sbin/anacron",
+        "",
+        -- Not a file-based process
         "/sbin/apcupsd",
-        "/usr/bin/apcupsd",
-        "/usr/bin/sshd",
-        "/usr/bin/gpg-agent",
-        "/usr/libexec/scdaemon",
-        "/usr/libexec/docker/docker-proxy",
-        "/usr/bin/containerd-shim-runc-v2",
-        "/usr/sbin/pcscd",
-        "/usr/lib/systemd/systemd-journald",
-        "/usr/libexec/accounts-daemon",
-        "/usr/lib/systemd/systemd-homed",
-        "/usr/lib/systemd/systemd-machined",
-        "/usr/libexec/udisks2/udisksd",
-        "/usr/sbin/alsactl",
-        "/usr/sbin/abrtd",
+        "/snap/snapd/17029/usr/lib/snapd/snapd",
         "/usr/bin/abrt-dump-journal-core",
         "/usr/bin/abrt-dump-journal-oops",
         "/usr/bin/abrt-dump-journal-xorg",
-        "/usr/sbin/cupsd",
-        "/usr/sbin/gssproxy",
-        "/usr/sbin/wpa_supplicant",
-        "/usr/sbin/abrt-dbus",
-        "/usr/sbin/gdm",
-        "/usr/libexec/packagekitd",
-        "/usr/libexec/gdm-session-worker",
-        "/usr/bin/docker-proxy",
-        "/usr/bin/journalctl",
-        "/usr/lib/udisks2/udisksd",
+        "/usr/bin/anacron",
+        "/usr/bin/apcupsd",
+        "/usr/bin/containerd-shim-runc-v2",
+        "/usr/bin/containerd",
         "/usr/bin/crond",
+        "/usr/bin/docker-proxy",
+        "/usr/bin/dockerd",
+        "/usr/bin/gdm",
+        "/usr/bin/gpg-agent",
+        "/usr/bin/journalctl",
         "/usr/bin/lightdm",
-        "/usr/lib/Xorg",
         "/usr/bin/osqueryd",
+        "/usr/bin/sshd",
+        "/usr/bin/tailscaled",
         "/usr/bin/wpa_supplicant",
-        "/usr/sbin/cups-browsed",
-        "/usr/sbin/acpid",
-        "/usr/sbin/cron",
+        "/usr/lib/gdm-session-worker",
+        "/usr/lib/software-properties/software-properties-dbus",
+        "/usr/lib/systemd/systemd-homed",
+        "/usr/lib/systemd/systemd-journald",
+        "/usr/lib/systemd/systemd-machined",
+        "/usr/lib/systemd/systemd",
+        "/usr/lib/udisks2/udisksd",
+        "/usr/lib/Xorg",
+        "/usr/libexec/accounts-daemon",
+        "/usr/libexec/docker/docker-proxy",
+        "/usr/libexec/flatpak-system-helper",
+        "/usr/libexec/gdm-session-worker",
+        "/usr/libexec/packagekitd",
         "/usr/libexec/polkitd",
-        "/usr/sbin/zed",
-        "/usr/sbin/gdm3",
+        "/usr/libexec/scdaemon",
         "/usr/libexec/snapd/snapd",
         "/usr/libexec/sssd/sssd_kcm",
-        "/usr/bin/tailscaled",
-        "/usr/lib/gdm-session-worker",
-        "/usr/bin/gdm",
-        "/snap/snapd/17029/usr/lib/snapd/snapd"
-    )
-    -- Because I don't want to whitelist all of Python3
+        "/usr/libexec/udisks2/udisksd",
+        "/usr/sbin/abrt-dbus",
+        "/usr/sbin/abrtd",
+        "/usr/sbin/acpid",
+        "/usr/sbin/alsactl",
+        "/usr/sbin/anacron",
+        "/usr/sbin/cron",
+        "/usr/sbin/cups-browsed",
+        "/usr/sbin/cupsd",
+        "/usr/sbin/gdm",
+        "/usr/sbin/gdm3",
+        "/usr/sbin/gssproxy",
+        "/usr/sbin/pcscd",
+        "/usr/sbin/tailscaled",
+        "/usr/sbin/wpa_supplicant",
+        "/usr/sbin/zed"
+    ) -- Because I don't want to whitelist all of Python3
     AND p.cmdline NOT IN (
         "/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid",
         "/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal",

process_events/exotic-command-events.sql

@@ -43,6 +43,7 @@ WHERE
       'rsh',
       'incbit',
       'insmod',
+      'osascript',
       'kmod',
       'lushput',
       'mkfifo',

process_events/unexpected-osascript-calls.sql

@@ -1,5 +1,5 @@
 -- Detect unusual calls to osascript
--- Designed for execution every 15 seconds (where the parent may still be around)
+-- Designed for execution every 60 seconds (where the parent may still be around)
 SELECT p.pid,
   p.path,
   TRIM(p.cmdline) AS cmd,
@@ -20,4 +20,4 @@ FROM uptime,
   LEFT JOIN hash ON p.path = hash.path
   LEFT JOIN hash AS phash ON pp.path = hash.path
 WHERE p.path = "/usr/bin/osascript"
-  AND p.time > (strftime('%s', 'now') -1800)
+  AND p.time > (strftime('%s', 'now') -60)

startup/unexpected-active-systemd-units.sql

@@ -272,6 +272,7 @@ WHERE
         "systemd-network-generator.service,Generate network units from Kernel command line,,600",
         "systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom,1600",
         "systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,,600",
+        "systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom,1700",
         "systemd-random-seed.service,Load/Save Random Seed,,1100",
         "systemd-random-seed.service,Load/Save Random Seed,,1200",
         "systemd-remount-fs.service,Remount Root and Kernel File Systems,,700",