macos talkers: add grype, chainctl

2025-02-15 08:57:20 +00:00 · 2022-10-21 11:26:50 -04:00 · 2022-10-21 11:26:50 -04:00 · 2538e7f7ce
commit 2538e7f7ce
parent a31108984f
1 changed files with 23 additions and 18 deletions
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -5,8 +5,7 @@
 --
 -- tags: transient state net often
 -- platform: macos
-SELECT
-  protocol,
+SELECT protocol,
  s.local_port,
  s.remote_port,
  s.remote_address,
@ -32,14 +31,12 @@ SELECT
    ',',
    signature.authority
  ) AS exception_key
-FROM
-  process_open_sockets s
+FROM process_open_sockets s
  LEFT JOIN processes p ON s.pid = p.pid
  LEFT JOIN processes pp ON pp.pid = p.parent
  LEFT JOIN hash ON p.path = hash.path
  LEFT JOIN signature ON p.path = signature.path
-WHERE
-  protocol > 0
+WHERE protocol > 0
  AND s.remote_port > 0
  AND s.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
  AND s.remote_address NOT LIKE 'fe80:%'
@ -125,7 +122,6 @@ WHERE
  AND NOT exception_key IN (
    '22,6,500,Cyberduck,ch.sudo.cyberduck,Developer ID Application: David Kocher (G69SCX94XU)',
    '22,6,500,ssh,,',
-    '443,6,500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
    '22,6,500,ssh,com.apple.openssh,Software Signing',
    '22,6,500,ssh,ssh,',
    '22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
@ -133,7 +129,6 @@ WHERE
    '30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    '32768,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
    '3307,6,500,cloud_sql_proxy,a.out,',
-    '443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
    '43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
    '443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    '443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
@ -146,13 +141,12 @@ WHERE
    '443,6,0,nix,nix,',
    '443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    '443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
-    '443,6,500,provisio,,',
    '443,6,500,,,',
    '443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    '443,6,500,bash,bash,',
    '443,6,500,chainctl,,',
    '443,6,500,chainctl,a.out,',
-    '443,6,500,java,net.java.openjdk.java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
+    '443,6,500,chainctl,chainctl,',
    '443,6,500,chainctl_Darwin_arm64,a.out,',
    '443,6,500,civo,a.out,',
    '443,6,500,cloud_sql_proxy,a.out,',
@ -162,35 +156,39 @@ WHERE
    '443,6,500,cosign,a.out,',
    '443,6,500,cosign,cosign,',
    '443,6,500,crane,,',
-    '443,6,500,GitHub.UI,GitHub,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    '443,6,500,crane,a.out,',
+    '443,6,500,crane,crane,',
    '443,6,500,ctclient,a.out,',
-    '53,17,500,trivy,,',
    '443,6,500,curl,com.apple.curl,Software Signing',
+    '443,6,500,darkfiles,a.out,',
    '443,6,500,docker-credential-gcr,a.out,',
    '443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    '443,6,500,emacs-28.2,emacs-28.2,',
    '443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
    '443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
+    '443,6,500,FlyDelta,com.delta.iphone.ver1,Apple iPhone OS Application Signing',
    '443,6,500,gh,a.out,',
-    '443,6,500,git-remote-http,,',
    '443,6,500,gh,gh,',
    '443,6,500,git,com.apple.git,Software Signing',
    '443,6,500,git,git,',
+    '443,6,500,GitHub.UI,GitHub,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
+    '443,6,500,GitKraken Boards,com.axosoft.glo,Apple iPhone OS Application Signing',
    '443,6,500,git-remote-http,,',
    '443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing',
+    '443,6,500,git-remote-http,git-remote-http-555549448cff17dcad50330caee64c85205e6a99,',
    '443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,',
    '443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,',
    '443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,',
    '443,6,500,gitsign,,',
-    '443,6,500,FlyDelta,com.delta.iphone.ver1,Apple iPhone OS Application Signing',
    '443,6,500,gitsign,a.out,',
    '443,6,500,gitsign,gitsign,',
    '443,6,500,go,a.out,',
    '443,6,500,go,org.golang.go,Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    '443,6,500,grype,grype,',
+    '443,6,500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
    '443,6,500,helm,a.out,',
    '443,6,500,istioctl,a.out,',
-    '443,6,500,darkfiles,a.out,',
+    '443,6,500,java,net.java.openjdk.java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
    '443,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    '443,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
    '443,6,500,ko,a.out,',
@ -206,6 +204,7 @@ WHERE
    '443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)',
    '443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    '443,6,500,prober,a.out,',
+    '443,6,500,provisio,,',
    '443,6,500,pulumi-resource-gcp,a.out,',
    '443,6,500,pulumi-resource-github,a.out,',
    '443,6,500,python2.7,python2.7,',
@ -222,6 +221,7 @@ WHERE
    '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
    '443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
    '443,6,500,step,step,',
+    '443,6,500,sublime_text,com.sublimetext.4,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
    '443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
    '443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
    '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
@ -230,6 +230,7 @@ WHERE
    '443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
    '443,6,500,zsh,com.apple.zsh,Software Signing',
    '53,17,500,docker-credential-gcr,a.out,',
+    '53,17,500,trivy,,',
    '6000,6,500,ssh,,',
    '6000,6,500,ssh,com.apple.openssh,Software Signing',
    '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
@ -238,6 +239,7 @@ WHERE
    '80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
    '80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
    '80,6,500,webhook.test,a.out,'
+
  ) -- nix-shell infects children with open connections
  AND NOT (
    parent_cmd LIKE '%/tmp/nix-shell%'
@ -248,10 +250,14 @@ WHERE
    (
      remote_address LIKE '151.101.%'
      OR remote_address LIKE '140.82.%'
+      OR remote_address LIKE '199.232.%'
    )
    AND remote_port = 443
    AND protocol = 6
-    AND parent_path LIKE '/nix/%/bash'
+    AND (
+      pp.path LIKE '/nix/store/%'
+      OR p.path LIKE '/nix/store/%'
+    )
  ) -- More complicated patterns go here
  AND NOT (
    p.name = 'syncthing'
@ -326,5 +332,4 @@ WHERE
    remote_port IN (53, 443)
    AND p.path LIKE '/private/var/folders/%/T/GoLand/%'
  )
-GROUP BY
-  s.pid
+GROUP BY s.pid