mirror of
https://github.com/chainguard-dev/osquery-defense-kit
synced 2024-12-25 15:22:05 +00:00
fpr: Revolt, Bearly, user executables, melange
This commit is contained in:
parent
82cd9bc7ff
commit
485f69a61c
@ -132,6 +132,7 @@ WHERE
|
||||
'500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
|
||||
'500,6,5091,ZoomPhone,ZoomPhone,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.ZoomPhone',
|
||||
'500,6,5222,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
|
||||
'500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge',
|
||||
'500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
|
||||
'500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
|
||||
'500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
|
||||
|
@ -47,6 +47,7 @@ WHERE
|
||||
AND NOT f.directory LIKE '%/.bin'
|
||||
AND NOT f.directory LIKE '%/.bin-unwrapped'
|
||||
AND NOT f.directory LIKE '%/.cargo/bin'
|
||||
AND NOT f.directory LIKE '%/.fig/bin'
|
||||
AND NOT f.directory LIKE '%/.config/nvm/%/bin'
|
||||
AND NOT f.directory LIKE '%/.provisio/bin/%'
|
||||
AND NOT f.directory LIKE '%/.local/%'
|
||||
|
@ -48,6 +48,8 @@ WHERE
|
||||
'~/Library/Application Support/1Password',
|
||||
'~/Library/Application Support/Adobe',
|
||||
'~/Library/Application Support/Beeper',
|
||||
'~/Library/Application Support/CleanMyMac X',
|
||||
'~/Library/Application Support/CleanMyMac X Menu',
|
||||
'~/Library/Application Support/Code',
|
||||
'~/Library/Application Support/com.apple.spotlight',
|
||||
'~/Library/Application Support/com.bohemiancoding.sketch3',
|
||||
@ -60,7 +62,6 @@ WHERE
|
||||
'~/Library/Application Support/DropboxElectron',
|
||||
'~/Library/Application Support/GitHub Desktop',
|
||||
'~/Library/Application Support/Jabra Direct',
|
||||
'~/Library/Application Support/CleanMyMac X Menu',
|
||||
'~/Library/Application Support/Keybase',
|
||||
'~/Library/Application Support/Lens',
|
||||
'~/Library/Application Support/lghub',
|
||||
|
@ -36,7 +36,7 @@ WHERE
|
||||
)
|
||||
AND f.path NOT LIKE '/home/%'
|
||||
AND f.path NOT LIKE '/snap/%'
|
||||
AND f.path NOT LIKE '/tmp/go-build%/exe/%'
|
||||
AND f.path NOT LIKE '/tmp/%go-build%/exe/%'
|
||||
AND f.path NOT LIKE '/usr/local/bin/%'
|
||||
AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
|
||||
AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
|
||||
|
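Review bot: The new pattern `AND f.path NOT LIKE '/tmp/%go-build%/exe/%'` is far wider than the `'/tmp/go-build%/exe/%'` it replaces, because SQLite's `%` also matches `/`, so the exclusion now covers any depth and any prefix before `go-build` inside a world-writable directory. If the intent is to cover a nested temp layout such as `/tmp/<dir>/go-build…`, keeping the original anchored pattern and adding the nested form with a comment naming that layout would document the carve-out without making it unanchored, e.g. `-- go run/test build dirs, directly under /tmp or one level down` above the two lines. The enclosing WHERE clause starts and ends outside the hunk.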
@ -49,8 +49,10 @@ WHERE
|
||||
AND file.filename NOT NULL
|
||||
AND exception_key NOT IN (
|
||||
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
|
||||
',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
|
||||
'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
|
||||
'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
|
||||
'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
|
||||
'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
|
||||
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
|
||||
',,/Applications/Google%20Chrome.app/,',
|
||||
@ -58,6 +60,7 @@ WHERE
|
||||
',,/Applications/ProtonMail%20Bridge.app/,',
|
||||
',,/Applications/Visual%20Studio%20Code.app/,',
|
||||
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
|
||||
'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501',
|
||||
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
|
||||
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
|
||||
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
|
||||
@ -66,7 +69,6 @@ WHERE
|
||||
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
|
||||
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
|
||||
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
|
||||
'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
|
||||
'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
|
||||
'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
|
||||
'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
|
||||
@ -75,7 +77,6 @@ WHERE
|
||||
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
|
||||
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
|
||||
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
|
||||
',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
|
||||
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
|
||||
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
|
||||
',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
|
||||
@ -116,6 +117,10 @@ WHERE
|
||||
signature.identifier = 'syncthing'
|
||||
AND ae.path LIKE '/nix/store/%-syncthing-%/bin/syncthing'
|
||||
)
|
||||
AND NOT (
|
||||
signature.identifier = 'nix'
|
||||
AND ae.path LIKE '/nix/store/%-nix-%/bin/nix'
|
||||
)
|
||||
AND NOT (
|
||||
ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
|
||||
)
|
||||
@ -135,6 +140,10 @@ WHERE
|
||||
OR file.directory LIKE '/Users/%/bin'
|
||||
OR file.directory LIKE '/Users/%/code/%'
|
||||
OR file.directory LIKE '/Users/%/src/%'
|
||||
OR file.directory LIKE '/Users/%/gh/%'
|
||||
OR file.directory LIKE '/Users/%/debug/%'
|
||||
OR file.directory LIKE '/Users/%/target/%'
|
||||
OR file.directory LIKE '/Users/%/tmp/%'
|
||||
OR file.directory LIKE '/Users/%/sigstore/%'
|
||||
OR file.directory LIKE '/Users/%/node_modules/.bin/%'
|
||||
OR file.directory LIKE '/Users/%/git/%'
|
||||
|
@ -49,7 +49,9 @@ WHERE
|
||||
AND extension NOT IN (
|
||||
'1',
|
||||
'2',
|
||||
'basic',
|
||||
'real',
|
||||
'AppImage',
|
||||
'ext'
|
||||
)
|
||||
AND NOT basename LIKE 'python3.%'
|
||||
|
@ -92,7 +92,10 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
|
||||
'goreleaser'
|
||||
)
|
||||
)
|
||||
) -- Nix
|
||||
)
|
||||
-- Melange
|
||||
AND NOT file.directory LIKE '/tmp/melange-guest-%'
|
||||
-- Nix
|
||||
AND NOT (
|
||||
file.directory LIKE '/tmp/tmp%'
|
||||
AND gid = 0
|
||||
|
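Review bot: `AND NOT file.directory LIKE '/tmp/melange-guest-%'` excludes every executable under a name-only prefix in world-writable `/tmp`, whereas the adjacent Nix exception pairs its `'/tmp/tmp%'` pattern with `AND gid = 0`. Any process able to create a matching `/tmp/melange-guest-*` directory would inherit the exclusion, so a comparable owner or gid constraint, or a comment such as `-- melange guest dirs are created by the build user; ownership check not possible here`, would keep the two exceptions consistent and record the accepted risk. The Nix block and the rest of the WHERE clause continue past the end of the hunk.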
@ -80,23 +80,24 @@ WHERE
|
||||
-- Prevent weird recursion
|
||||
AND NOT path LIKE '%/../%'
|
||||
AND NOT path LIKE '%/./%' -- Exclude very temporary files
|
||||
AND NOT directory LIKE '/Users/%/Library/Mobile Documents/com~apple~shoebox/%'
|
||||
AND NOT directory LIKE '/Users/%/Library/Containers/%'
|
||||
AND NOT directory LIKE '/Users/%/.Trash/'
|
||||
AND NOT directory LIKE '/Users/%/.go/bin/'
|
||||
AND NOT directory LIKE '/Users/%/.bin/'
|
||||
AND NOT directory LIKE '/Users/%/.local/bin/'
|
||||
AND NOT directory LIKE '/Users/%/.cargo/bin/'
|
||||
AND NOT directory LIKE '/Users/%/.vim/backup/'
|
||||
AND NOT directory LIKE '/Users/%/.go/bin/'
|
||||
AND NOT directory LIKE '/Users/%/Library/Application Support/AutoFirma/certutil/'
|
||||
AND NOT directory LIKE '/Users/%/Library/Caches/chainctl/'
|
||||
AND NOT directory LIKE '/Users/%/Library/Containers/%'
|
||||
AND NOT directory LIKE '/Users/%/Library/Daemon Containers/%'
|
||||
AND NOT directory LIKE '/Users/%/Library/Mobile Documents/com~apple~shoebox/%'
|
||||
AND NOT directory LIKE '/Users/%/.local/bin/'
|
||||
AND NOT directory LIKE '/Users/%/.minikube/bin/'
|
||||
AND NOT directory LIKE '/Users/Shared/LGHUB/depots/%'
|
||||
AND NOT directory LIKE '/Users/Shared/LogiOptionsPlus/depots/%'
|
||||
AND NOT directory LIKE '/Users/%/Library/Application Support/AutoFirma/certutil'
|
||||
AND NOT directory LIKE '/Users/%/Library/Caches/chainctl'
|
||||
AND NOT directory LIKE '/Users/%/.Trash/%'
|
||||
AND NOT directory LIKE '/Users/%/.vim/backup/'
|
||||
AND NOT directory IN (
|
||||
'/Users/Shared/LogiOptionsPlus/cache',
|
||||
'/Users/Shared/logitune',
|
||||
'/Users/Shared/Red Giant/Uninstall'
|
||||
'/Users/Shared/LogiOptionsPlus/cache/',
|
||||
'/Users/Shared/logitune/',
|
||||
'/Users/Shared/Red Giant/Uninstall/'
|
||||
)
|
||||
AND NOT (strftime('%s', 'now') - ctime) < 60 -- Only executable files
|
||||
)
|
||||
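Review bot: The new side appears to treat trailing slashes inconsistently: the `LIKE` exclusions for `'/Users/%/Library/Application Support/AutoFirma/certutil'` and `'/Users/%/Library/Caches/chainctl'` drop the trailing `/` that the replaced lines had, while the `directory IN (...)` entries gain one (`'/Users/Shared/LogiOptionsPlus/cache/'`, `'/Users/Shared/logitune/'`, `'/Users/Shared/Red Giant/Uninstall/'`). Since the `directory` column has one canonical form, one of these two groups can never match; checking a sample row and normalising both groups to that form would avoid a silent dead exclusion. Separately, `'/Users/%/.Trash/%'` widens the former exact-directory `'/Users/%/.Trash/'` exclusion to every nested path under the Trash, which is a coverage reduction worth a one-line comment stating that it is intentional. The sides are inferred from print order and the hunk's 23→24 line counts; the WHERE clause extends beyond the hunk.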
@ -113,6 +114,39 @@ WHERE
|
||||
magic.data IS NOT NULL
|
||||
AND magic.data LIKE "0420 Alliant virtual executable%"
|
||||
)
|
||||
AND NOT homedir LIKE '~/%/bin'
|
||||
AND NOT homedir LIKE '~/%/shims'
|
||||
AND NOT homedir LIKE '~/%/plugins'
|
||||
AND NOT homedir IN (
|
||||
'~/.bin',
|
||||
'~/.fzf',
|
||||
'~/.fzf/bin',
|
||||
'~/.venv/bin',
|
||||
'~/.fig/bin',
|
||||
'~/.zed/gopls',
|
||||
'~/.config/kn',
|
||||
'~/.asdf/shims',
|
||||
'~/.amplify/bin',
|
||||
'~/.emacs.d/backups',
|
||||
'~/.rbenv/shims',
|
||||
'~/.config/nvim.bak',
|
||||
'~/.bazel/bin',
|
||||
'~/.pulumi-dev/bin',
|
||||
'~/.gvm/bin',
|
||||
'~/.emacs.d.bak/bin',
|
||||
'~/.docker/cli-plugins',
|
||||
'~/.zsh_snap/zsh-autocomplete',
|
||||
'~/.cache/gitstatus',
|
||||
'~/.wrangler/bin',
|
||||
'~/.provisio',
|
||||
'~/.pyenv/shims',
|
||||
'~/Library/ApplicationSupport/iTerm2',
|
||||
'~/.kn/plugins',
|
||||
'~/.kuberlr/darwin-amd64',
|
||||
'/Users/Shared/logitune',
|
||||
'~/.oh-my-zsh/tools',
|
||||
'~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS'
|
||||
)
|
||||
AND NOT top2_homedir IN (
|
||||
'~/Library/Application Support',
|
||||
'/Users/Shared/LGHUB/cache',
|
||||
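Review bot: `AND NOT homedir LIKE '~/%/bin'`, `'~/%/shims'` and `'~/%/plugins'` exempt any home sub-path ending in those segments at any depth, since `%` matches `/`; for a query whose purpose is unexpected user executables that is a broad carve-out, and it makes many of the enumerated entries in the following `homedir IN` list (`'~/.fzf/bin'`, `'~/.asdf/shims'`, `'~/.kn/plugins'`, …) redundant, which suggests either dropping the three wildcard lines or documenting why both are kept. The entry `'~/Library/ApplicationSupport/iTerm2'` is missing the space that `'~/Library/Application Support'` carries at the end of the hunk; unless `homedir` strips spaces, it never matches and should read `'~/Library/Application Support/iTerm2'`. The surrounding WHERE clause and GROUP BY lie outside the hunk.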
@ -132,10 +166,5 @@ WHERE
|
||||
'~/.magefile',
|
||||
'~/.nvm'
|
||||
)
|
||||
AND NOT homedir IN (
|
||||
'~/.bin',
|
||||
'~/.fzf',
|
||||
'~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS'
|
||||
)
|
||||
GROUP BY
|
||||
f.path
|
||||
|
@ -223,6 +223,7 @@ WHERE
|
||||
'/opt/X11/libexec',
|
||||
'~/projects/go/bin',
|
||||
'/run/current-system/sw/bin',
|
||||
'/tmp/bin',
|
||||
'/sbin',
|
||||
'/usr/bin',
|
||||
'/usr/lib',
|
||||
@ -270,6 +271,7 @@ WHERE
|
||||
AND dir NOT LIKE '/opt/%/bin'
|
||||
AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
|
||||
AND dir NOT LIKE '/private/tmp/go-build%/exe'
|
||||
AND dir NOT LIKE '%/go/bin'
|
||||
AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
|
||||
AND dir NOT LIKE '/private/tmp/nix-build-%'
|
||||
AND dir NOT LIKE '/private/var/folders/%/T/cargo-install%'
|
||||
|
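Review bot: `AND dir NOT LIKE '%/go/bin'` is the only pattern in this hunk without a leading path anchor, so it exempts every directory ending in `/go/bin` anywhere on the filesystem, including world-writable locations; the header's 6→7 count shows one added line and this out-of-order entry looks like it, though the sides are not printed. Anchoring it to the home-directory form the file already uses elsewhere, e.g. `AND dir NOT LIKE '/Users/%/go/bin'`, would keep the exclusion limited to user GOPATH installs. The enclosing WHERE clause begins and ends outside the hunk.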
@ -107,6 +107,7 @@ WHERE
|
||||
)
|
||||
AND NOT exception_key IN (
|
||||
'system_profiler,500,Google Drive,launchd',
|
||||
'system_profiler,500,bash,launchd',
|
||||
'system_profiler,0,launcher,launchd'
|
||||
)
|
||||
AND NOT p0_cmd LIKE '/usr/libexec/security_authtrampoline /Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer auth%'
|
||||
|
@ -128,6 +128,7 @@ WHERE
|
||||
'presenting.app',
|
||||
'adoptium.net',
|
||||
'balsamiq.com',
|
||||
'bearly.ai',
|
||||
'brave.com',
|
||||
'cron.com',
|
||||
'discord.com',
|
||||
|
@ -59,16 +59,17 @@ WHERE
|
||||
)
|
||||
AND pmm.path LIKE "%.dylib"
|
||||
AND exception_key NOT IN (
|
||||
'500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
|
||||
'500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden',
|
||||
'500,J8RPQ294UB.com.skitch.SkitchHelper,/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
|
||||
'500,Revolt,/Applications/Revolt.app/Contents/MacOS/Revolt',
|
||||
'500,Revolt Helper,/Applications/Revolt.app/Contents/Frameworks/Revolt Helper.app/Contents/MacOS/Revolt Helper',
|
||||
'500,Revolt Helper (GPU),/Applications/Revolt.app/Contents/Frameworks/Revolt Helper (GPU).app/Contents/MacOS/Revolt Helper (GPU)',
|
||||
'500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
|
||||
'500,Slack Helper (GPU),/Applications/Slack.app/Contents/Frameworks/Slack Helper (GPU).app/Contents/MacOS/Slack Helper (GPU)',
|
||||
'500,Slack Helper (Renderer),/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS/Slack Helper (Renderer)',
|
||||
'500,Snagit 2020,/Applications/Snagit 2020.app/Contents/MacOS/Snagit 2020',
|
||||
'500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden',
|
||||
'500,Revolt Helper (GPU),/Applications/Revolt.app/Contents/Frameworks/Revolt Helper (GPU).app/Contents/MacOS/Revolt Helper (GPU)',
|
||||
'500,Revolt,/Applications/Revolt.app/Contents/MacOS/Revolt',
|
||||
'500,Steam Helper,/Users/kaniini/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper',
|
||||
'500,SnagitHelper2020,/Applications/Snagit 2020.app/Contents/Library/LoginItems/SnagitHelper2020.app/Contents/MacOS/SnagitHelper2020',
|
||||
'500,Steam Helper,/Users/kaniini/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper',
|
||||
'500,Todoist,/Applications/Todoist.app/Contents/MacOS/Todoist',
|
||||
'500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper (GPU).app/Contents/MacOS/WhatsApp Helper (GPU)'
|
||||
)
|
||||
|