diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql index fed7fc1..e72457f 100644 --- a/detection/c2/unexpected-dns-traffic-events.sql +++ b/detection/c2/unexpected-dns-traffic-events.sql @@ -108,7 +108,9 @@ WHERE 'com.apple.WebKit.Networking', 'com.docker.backend', 'go', + 'wolfictl', 'gvproxy', + 'incusd', 'IPNExtension', 'Jabra Direct Helper', 'limactl', diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql index edc9ab3..f10d09a 100644 --- a/detection/c2/unexpected-https-linux.sql +++ b/detection/c2/unexpected-https-linux.sql @@ -57,16 +57,12 @@ WHERE AND s.remote_address NOT LIKE 'fc00:%' AND p.path != '' AND NOT exception_key IN ( - '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra', '0,agentbeat,0u,0g,agentbeat', '0,apk,u,g,apk', '0,applydeltarpm,0u,0g,applydeltarpm', '0,bash,0u,0g,bash', '0,bash,0u,0g,mkinitcpio', '0,bash,0u,0g,sh', - '500,syft,500u,500g,syft', - '500,krunner,0u,0g,krunner', - '500,k9s,0u,0g,k9s', '0,canonical-livepatchd,0u,0g,canonical-livep', '0,chainctl,0u,0g,chainctl', '0,cmake,u,g,cmake', @@ -77,6 +73,7 @@ WHERE '0,elastic-agent,u,g,elastic-agent', '0,elastic-endpoint,0u,0g,elastic-endpoin', '0,filebeat,0u,0g,filebeat', + '0,flatpak,0u,0g,flatpak', '0,flatpak-system-helper,0u,0g,flatpak-system-', '0,git-remote-http,0u,0g,git-remote-http', '0,go,0u,0g,go', @@ -88,6 +85,7 @@ WHERE '0,launcher,500u,500g,launcher', '0,ldconfig,0u,0g,ldconfig', '0,make,0u,0g,make', + '0,melange,500u,500g,melange', '0,metricbeat,0u,0g,metricbeat', '0,nessusd,0u,0g,nessusd', '0,nix,0u,0g,nix', 
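Review bot: The new `'0,melange,500u,500g,melange'` entry excepts a process running as euid 0 (first field) whose binary, if the `500u,500g` fields are the file's owner uid/gid as the surrounding `0u,0g` entries suggest, is owned by an unprivileged user; root executing a user-writable binary is the shape a local privilege abuse takes, so the line deserves a comment naming the legitimate workflow (`-- melange: root build from a user checkout`, wording to be confirmed against the host where it was observed). `'0,flatpak,0u,0g,flatpak'` in the same hunk and `'wolfictl'`/`'incusd'` in the DNS-traffic hunk are name-only matches, consistent with the rest of those lists. The enclosing WHERE clauses start and end outside these hunks.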
@@ -99,10 +97,12 @@ WHERE '0,pacman,0u,0g,pacman', '0,rapid7_endpoint_broker,0u,0g,rapid7_endpoint', '0,rpi-imager,0u,0g,rpi-imager', + '0,skopeo,0u,0g,skopeo', '0,snapd,0u,0g,snapd', '0,systemctl,0u,0g,systemctl', '0,tailscaled,0u,0g,tailscaled', '0,tailscaled,500u,500g,tailscaled', + '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra', '0,velociraptor,0u,0g,velociraptor_cl', '0,yay,0u,0g,yay', '105,http,0u,0g,https', @@ -113,24 +113,13 @@ WHERE '129,fwupdmgr,0u,0g,fwupdmgr', '42,http,0u,0g,https', '500,1password,0u,0g,1password', - '500,Brackets,0u,0g,Brackets', - '500,Discord,0u,0g,Discord', - '500,Discord,u,g,Discord', - '500,Docker Desktop,0u,0g,Docker Desktop', - '500,Keybase,0u,0g,Keybase', - '500,Logseq,u,g,Logseq', - '500,Melvor Idle,500u,500g,exe', - '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan', - '500,WPILibInstaller,500u,500g,WPILibInstaller', - '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', - '500,___go_build_main_go,500u,500g,___go_build_mai', '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen', '500,accountwizard,u,g,accountwizard', '500,act,0u,0g,act', '500,apk,500u,500g,apk', - '500,apk,u,g,apk', '500,apko,500u,500g,apko', '500,apko,u,g,apko', + '500,apk,u,g,apk', '500,armcord,u,g,armcord', '500,aws,0u,0g,aws', '500,aws,500u,500g,aws', @@ -139,6 +128,7 @@ WHERE '500,bitwarden,u,g,bitwarden', '500,bom,500u,500g,bom', '500,bom-linux-amd64,500u,500g,bom-linux-amd64', + '500,Brackets,0u,0g,Brackets', '500,brave,0u,0g,brave', '500,buildkitd,500u,500g,buildkitd', '500,buildkite-agent,500u,500g,buildkite-agent', 
@@ -151,15 +141,17 @@ WHERE '500,chainctl,500u,500g,chainctl', '500,chainctl,500u,500g,docker-credenti', '500,chrome,0u,0g,chrome', - '500,chrome,u,g,chrome', '500,chrome_crashpad_handler,0u,0g,chrome_crashpad', + '500,chrome,u,g,chrome', '500,cilium,500u,123g,cilium', '500,cloud_sql_proxy,0u,0g,cloud_sql_proxy', + '500,cockatrice,u,g,cockatrice', '500,code,0u,0g,code', '500,code,500u,500g,code', - '500,code,u,g,code', '500,code-oss,u,g,code-oss', + '500,code,u,g,code', '500,com.docker.backend,0u,0g,com.docker.back', + '500,com.docker.build,0u,0g,com.docker.buil', '500,com.docker.extensions,0u,0g,com.docker.exte', '500,containerd,u,g,containerd', '500,copilot-agent-linux,500u,500g,copilot-agent-l', @@ -170,8 +162,11 @@ WHERE '500,crane,500u,500g,crane', '500,curl,0u,0g,curl', '500,deno,500u,500g,deno', + '500,Discord,0u,0g,Discord', + '500,Discord,u,g,Discord', '500,docker,0u,0g,docker', '500,docker-buildx,0u,0g,docker-buildx', + '500,Docker Desktop,0u,0g,Docker Desktop', '500,drkonqi,0u,0g,drkonqi', '500,eksctl,0u,0g,eksctl', '500,eksctl,500u,500g,eksctl', @@ -180,9 +175,9 @@ WHERE '500,evolution-calendar-factory,0u,0g,evolution-calen', '500,evolution-source-registry,0u,0g,evolution-sourc', '500,extension-manager,0u,0g,extension-manag', + '500,firefox,0u,0g,firefox', '500,firefox,0u,0g,.firefox-wrappe', '500,firefox,0u,0g,Socket Process', - '500,firefox,0u,0g,firefox', '500,firefox-bin,500u,500g,firefox-bin', '500,firefox-bin,u,g,firefox-bin', '500,flameshot,0u,0g,flameshot', 
@@ -201,17 +196,18 @@ WHERE '500,gitsign,0u,0g,gitsign', '500,gitsign,500u,0g,gitsign', '500,gitsign,500u,500g,gitsign', - '500,gitsign,u,g,gitsign', '500,gitsign-credential-cache,500u,500g,gitsign-credent', + '500,gitsign,u,g,gitsign', '500,gjs-console,0u,0g,org.gnome.Maps', '500,gnome-recipes,0u,0g,gnome-recipes', '500,gnome-shell,0u,0g,gnome-shell', '500,gnome-software,0u,0g,gnome-software', '500,go,0u,0g,go', '500,go,500u,500g,go', - '500,go,u,g,go', '500,goa-daemon,0u,0g,goa-daemon', + '500,___go_build_main_go,500u,500g,___go_build_mai', '500,gobuster,500u,500g,gobuster', + '500,go,u,g,go', '500,grafana,u,g,grafana', '500,grype,0u,0g,grype', '500,grype,500u,500g,grype', 
@@ -229,42 +225,49 @@ WHERE '500,jcef_helper,500u,500g,jcef_helper', '500,jetbrains-toolbox,u,g,jetbrains-toolb', '500,k6,500u,500g,k6', + '500,k9s,0u,0g,k9s', '500,kbfsfuse,0u,0g,kbfsfuse', '500,keybase,0u,0g,keybase', + '500,Keybase,0u,0g,Keybase', '500,kioslave5,0u,0g,kioslave5', '500,ko,500u,500g,ko', '500,ko,u,g,ko', '500,kpromo,500u,500g,kpromo', '500,krel,500u,500g,krel', + '500,krunner,0u,0g,krunner', '500,kubectl,0u,0g,kubectl', '500,kubectl,500u,500g,kubectl', '500,lens,0u,0g,lens', '500,less,0u,0g,less', '500,license-detector,500u,500g,license-detecto', '500,limactl,0u,0g,limactl', + '500,limactl,500u,500g,limactl', + '500,Logseq,u,g,Logseq', '500,losslesscut,500u,500g,losslesscut', '500,mconvert,500u,500g,mconvert', '500,mediawriter,u,g,mediawriter', '500,melange,500u,500g,melange', '500,melange,u,g,melange', + '500,Melvor Idle,500u,500g,exe', '500,minikube,0u,0g,minikube', + '500,msedge,0u,0g,msedge', '500,nami,500u,500g,nami', '500,nautilus,0u,0g,nautilus', '500,nerdctl,500u,500g,nerdctl', '500,nix,0u,0g,nix', - '500,node,0u,0g,.node2nix-wrapp', '500,node,0u,0g,node', + '500,node,0u,0g,.node2nix-wrapp', '500,node,0u,0g,npm install', '500,node,500u,500g,npm run start', '500,node,u,g,node', '500,nuclei,500u,500g,nuclei', '500,obs,0u,0g,obs', - '500,obs,u,g,obs', '500,obs-browser-page,0u,0g,obs-browser-pag', '500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux', '500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux', '500,obsidian,0u,0g,obsidian', '500,obsidian,u,g,obsidian', + '500,obs,u,g,obs', '500,op,0u,500g,op', '500,packer-plugin-proxmox_v1.1.2_x5.0_linux_amd64,500u,500g,packer-plugin-p', '500,pacman,0u,0g,pacman', 
@@ -272,12 +275,11 @@ WHERE '500,php8.1,0u,0g,php', '500,pingsender,0u,0g,pingsender', '500,plasma-discover,0u,0g,plasma-discover', + '500,plasmashell,0u,0g,plasmashell', '500,podman,0u,0g,podman', '500,promoter,500u,500g,promoter', '500,publish-release,500u,500g,publish-release', - '500,python.test,500u,500g,python.test', '500,python3,0u,0g,python3', - '500,python3,500u,500g,python3', '500,python3.10,0u,0g,aws', '500,python3.10,0u,0g,python', '500,python3.10,0u,0g,python3', @@ -288,6 +290,8 @@ WHERE '500,python3.11,0u,0g,prowler', '500,python3.11,u,g,pip', '500,python3.12,0u,0g,dnf', + '500,python3,500u,500g,python3', + '500,python.test,500u,500g,python.test', '500,qemu-system-x86_64,0u,0g,qemu-system-x86', '500,reporter-ureport,0u,0g,reporter-urepor', '500,rpi-imager,0u,0g,rpi-imager', 
@@ -302,40 +306,43 @@ WHERE '500,slirp4netns,500u,500g,slirp4netns', '500,snap-store,0u,0g,snap-store', '500,snyk,500u,500g,snyk', - '500,plasmashell,0u,0g,plasmashell', '500,spotify,0u,0g,spotify', '500,spotify,500u,500g,spotify', '500,spotify,u,g,spotify', - '500,limactl,500u,500g,limactl', - '500,tidal-hifi,u,g,tidal-hifi', + '500,ssh,0u,0g,ssh', '500,steam,500u,100g,steam', - '0,skopeo,0u,0g,skopeo', '500,steam,500u,500g,steam', '500,steamwebhelper,500u,100g,steamwebhelper', '500,steamwebhelper,500u,500g,steamwebhelper', '500,step,500u,500g,step', '500,step-cli,0u,0g,step', '500,stern,500u,500g,stern', + '500,syft,500u,500g,syft', '500,syncthing,0u,0g,syncthing', '500,syncthing,u,g,syncthing', '500,synergy,0u,0g,synergy', '500,teams,0u,0g,teams', + '500,telegram-desktop,u,g,telegram-deskto', '500,terraform,0u,0g,terraform', '500,terraform,500u,500g,terraform', '500,terraform-ls,500u,500g,terraform-ls', '500,thunderbird,0u,0g,thunderbird', - '500,thunderbird,u,g,thunderbird', '500,thunderbird-bin,u,g,thunderbird-bin', + '500,thunderbird,u,g,thunderbird', + '500,tidal-hifi,u,g,tidal-hifi', '500,tilt,500u,500g,tilt', + '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan', '500,todoist,0u,0g,todoist', '500,trivy,0u,0g,trivy', '500,trivy,500u,500g,trivy', '500,ubuntu-report,0u,0g,ubuntu-report', + '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', '500,wget,0u,0g,wget', - '500,ssh,0u,0g,ssh', '500,wine64-preloader,500u,500g,DaveTheDiver.ex', '500,wine64-preloader,500u,500g,Root.exe', '500,wolfictl,500u,500g,wolfictl', + '500,WPILibInstaller,500u,500g,WPILibInstaller', + '500,writerside,500u,500g,writerside', '500,xmobar,0u,0g,xmobar', '500,yay,0u,0g,yay', '500,zdup,500u,500g,zdup', 
@@ -352,6 +359,7 @@ WHERE AND NOT exception_key LIKE '500,python3%,u,g,pip' AND NOT exception_key LIKE '500,python3.%,0u,0g,pip' AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi' + AND NOT exception_key LIKE '500,terraform_%,500u,500g,terraform' AND NOT ( exception_key LIKE '500,python3%,0u,0g,python%' AND ( diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql index c178d64..630a240 100644 --- a/detection/c2/unexpected-https-macos.sql +++ b/detection/c2/unexpected-https-macos.sql @@ -181,6 +181,7 @@ WHERE '500,istioctl,istioctl,500u,20g', '500,istioctl,istioctl,,a.out', '500,java,java,0u,0g', + '500,streamer,streamer,Developer ID Application: Autodesk (XXKJ396S2Y),streamer', '500,log-streaming,log-streaming,500u,80g', '500,.man-wrapped,.man-wrapped,0u,500g', '500,nami,nami,0u,0g', @@ -198,6 +199,7 @@ WHERE '500,taplo,taplo,500u,20g', '500,vexi,vexi,500u,20g', '500,vim,vim,0u,500g', + '500,twistcli,twistcli,500u,20g', '500,wolfibump,wolfibump,500u,20g', '500,wolfictl,wolfictl,0u,0g', '500,wolfictl,wolfictl,500u,20g' @@ -212,6 +214,7 @@ WHERE 'Developer ID Application: Canonical Group Limited (X4QN7LTP59)', 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', 'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)', + 'Developer ID Application: Docker Inc (9BNSXJN65R)', 'Developer ID Application: TechSmith Corporation (7TQL462TU8)', 'Developer ID Application: Ecamm Network, LLC (5EJH68M642)', 'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)', @@ -269,6 +272,7 @@ WHERE OR p0_cwd LIKE "/Users/%/src/%" OR p0_cmd LIKE '%bin/chaingpt %' OR p0_cmd LIKE '%fetch_commits%' + OR p0_cmd LIKE '%ipykernel_launcher %' OR p0_cmd LIKE '%/Python update_plugins.py' OR p0_cmd LIKE '%/pydevd.py' ) 
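Review bot: In `AND NOT exception_key LIKE '500,terraform_%,500u,500g,terraform'` the `_` is a single-character LIKE wildcard, so the pattern also matches names such as `terraform-…` or `terraformX`, not only a literal underscore; if a versioned name like `terraform_1.x` is meant, write `AND NOT exception_key LIKE '500,terraform\_%,500u,500g,terraform' ESCAPE '\'` (SQLite, which osquery uses, supports ESCAPE). The same unescaped `_` appears in `OR p0_cmd LIKE '%ipykernel_launcher %'` in the macOS hunk on this line, which is additionally a bare substring match over the whole command line. The surrounding `AND NOT (` group continues outside the hunk.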
diff --git a/detection/c2/unexpected-libcurl-user-linux.sql b/detection/c2/unexpected-root-libcurl-proc-linux.sql
similarity index 100%
rename from detection/c2/unexpected-libcurl-user-linux.sql
rename to detection/c2/unexpected-root-libcurl-proc-linux.sql
diff --git a/detection/c2/unexpected-libcurl-user-macos.sql b/detection/c2/unexpected-root-libcurl-proc-macos.sql
similarity index 91%
rename from detection/c2/unexpected-libcurl-user-macos.sql
rename to detection/c2/unexpected-root-libcurl-proc-macos.sql
index c07f2a2..b43c0f4 100644
--- a/detection/c2/unexpected-libcurl-user-macos.sql
+++ b/detection/c2/unexpected-root-libcurl-proc-macos.sql
@@ -42,6 +42,12 @@ FROM
 WHERE
 p0.euid = 0
 AND pmm.path LIKE '%libcurl%'
- AND p0.name NOT IN ('nix-daemon', 'nix')
+ AND p0.name NOT IN (
+ 'nix-daemon',
+ 'nix',
+ 'velociraptor',
+ 'osqueryd',
+ 'socket_vmnet'
+ )
 GROUP BY
 p0.pid
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 8368cf7..a997d5b 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -89,6 +89,7 @@ WHERE
 '49152,6,500,ContinuityCaptureAgent,Software Signing',
 '67,17,0,NetworkManager,0u,0g,NetworkManager',
 '8000,6,500,brave,0u,0g,brave',
+ '587,6,500,perl,0u,0g,git-send-email',
 '8000,6,500,chrome,0u,0g,chrome',
 '8000,6,500,firefox,0u,0g,firefox',
 '80,6,0,grep,0u,0g,grep',
@@ -104,6 +105,7 @@ WHERE
 '80,6,0,python3.10,0u,0g,dnf-automatic',
 '80,6,0,python3.10,0u,0g,yum',
 '80,6,0,python3.11,0u,0g,dnf',
+ '80,6,500,http,0u,0g,http',
 '80,6,0,python3.11,0u,0g,dnf-automatic',
 '80,6,0,python3.11,0u,0g,yum',
 '80,6,0,python3.12,0u,0g,dnf',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 4d5d53b..62d42f3 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
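Review bot: The extended `p0.name NOT IN (...)` excludes root processes that load libcurl purely by process name, so any euid-0 binary that calls itself `osqueryd`, `velociraptor` or `socket_vmnet` is silenced along with the real agents; since `p0` is already joined, keying the exception on `p0.path` (`AND p0.path NOT IN ('<path-to-osqueryd>', ...)`, with paths confirmed on a reference host) or on a signing identity, if the FROM clause outside the hunk provides one, would be a tighter check. A comment stating why these three agents legitimately link libcurl as root would also help the next reader. The FROM clause lies outside the hunk.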
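Review bot: `'587,6,500,perl,0u,0g,git-send-email'` and `'80,6,500,http,0u,0g,http'` are inserted between `8000,...` and `80,6,0,python3.11,...` entries, breaking the port-then-name ordering the rest of the list follows and making duplicates hard to spot; move them next to the other `587,` and `80,6,500,` keys. The first also excepts any perl invocation whose script basename is `git-send-email` on the SMTP submission port, which is as broad as the name-only pattern used elsewhere in the file, so a short comment (`-- git send-email is a perl script`) would record the intent. The WHERE clause continues outside the hunk.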
@@ -1,4 +1,4 @@ --- Unexpected programs communicating over HTTPS (state-based) +-- Unexpected programs communicating over non-HTTPS protocols (state-based) -- -- references: -- * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol) @@ -142,6 +142,7 @@ WHERE '500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Apple Mac OS Application Signing,com.microsoft.rdc.macos', '500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.rdc.macos', '500,6,4070,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client', + '500,17,68,com.docker.backend,com.docker.backend,500u,80g', '500,6,4317,flyctl,flyctl,,a.out', '500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper', '500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge', @@ -196,6 +197,7 @@ WHERE '500,6,80,thunderbird,thunderbird,Defveloper ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird', '500,6,80,TIDAL Helper,TIDAL Helper,Developer ID Application: TIDAL Music AS (GK2243L7KB),com.tidal.desktop.helper', '500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2', + '500,6,8282,GeForceNOW,GeForceNOW,Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.gfnpc.mall', '500,6,80,Wavebox Helper,Wavebox Helper,Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper', '500,6,80,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),WhatsApp', '500,6,9123,Elgato Control Center,Elgato Control Center,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.corsair.ControlCenter', 
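Review bot: `'500,17,68,com.docker.backend,com.docker.backend,500u,80g'` is placed between the `4070` and `4317` entries and `'500,6,8282,GeForceNOW,...'` between the `80` entries, so neither follows the port ordering of the surrounding keys; move them into sequence. The docker entry's trailing `500u,80g` occupies the positions that hold the signing authority and identifier in every other key, which reads as an unsigned-binary match keyed only on ownership; if that is intended, say so in a comment (`-- com.docker.backend: unsigned helper, DHCP client traffic`, wording to be confirmed). Unrelated to the additions but visible in the hunk context, `Defveloper ID Application: Mozilla Corporation` can never equal a real authority string, so that thunderbird exception is dead. The WHERE clause continues outside the hunk.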
@@ -253,10 +255,13 @@ WHERE AND id_exception_key IN ( 'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac', 'Apple Mac OS Application Signing,com.ookla.speedtest-macos', + 'Apple Mac OS Application Signing,com.buildtoconnect.screenrecorder', + 'Developer ID Application: AMZN Mobile LLC (94KV3E626L),lima__bin__limactl', 'Apple Mac OS Application Signing,net.whatsapp.WhatsApp.ServiceExtension', 'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension', 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer', 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.lightroomCC', + 'Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.nvcontainer', 'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader', 'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension', 'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper', 
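Review bot: `'Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.nvcontainer'` is added to the `id_exception_key IN (...)` list here and again in the `@@ -269` hunk on the next line, so the list now carries a duplicate; keep one copy. Both the NVIDIA line and `'Developer ID Application: AMZN Mobile LLC (94KV3E626L),lima__bin__limactl'` are inserted out of the alphabetical-by-authority order the list otherwise keeps, which is how the duplicate slipped in. Since these keys appear to exempt a signer+identifier regardless of port (the surrounding condition is outside the hunk), a comment on why limactl carries an Amazon team identifier would be worth recording. The WHERE clause continues outside the hunk.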
@@ -269,12 +274,14 @@ WHERE
 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
 'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
+ 'Developer ID Application: NVIDIA Corporation (6KR3T733EC),com.nvidia.nvcontainer',
 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
 'Developer ID Application: GUILHERME RAMBO (8C7439RJLG),codes.rambo.AirBuddy.MobileDevicesService',
 'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop',
+ 'Developer ID Application: SURFSHARK LTD (YHUG37CKN8),com.surfshark.vpnclient.macos.direct',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
index 498b003..c789d7b 100644
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@@ -48,7 +48,7 @@ FROM
 WHERE
 -- On my Linux machine, creating a gzip archive clocks in at 6780210
 bytes_written_rate > 4000000
- AND age > 180
+ AND age > 200
 AND p0.pid > 2
 AND p0.parent != 2
 AND p0.path NOT IN (
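Review bot: `AND age > 200` raises the threshold without recording why, while the adjacent comment documents only the `bytes_written_rate` figure; add a comment stating what unit `age` is in and which case pushed it past 180, e.g. `-- age in seconds; <workload> needs ~<n>s before its write rate settles` with the placeholders filled in from the observation. Without it the next person tuning this query cannot tell whether 200 is a measurement or a guess. The WHERE clause continues outside the hunk.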
@@ -82,12 +82,14 @@ WHERE
 '/usr/lib/flatpak-system-helper',
 '/usr/lib/snapd/snapd',
 '/usr/lib/systemd/systemd',
+ '/app/libexec/mediawriter/helper',
 '/usr/lib/systemd/systemd-journald',
 '/usr/lib64/thunderbird/thunderbird',
 '/usr/libexec/coreduetd',
 '/usr/libexec/flatpak-system-helper',
 '/usr/libexec/logd_helper',
 '/usr/libexec/packagekitd',
+ '/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/Current/AppleMobileDeviceHelper.app/Contents/Resources/AppleMobileBackup',
 '/usr/libexec/rosetta/oahd',
 '/usr/libexec/secd',
 '/usr/libexec/sharingd',
@@ -132,8 +134,13 @@ WHERE
 'baloo_file_extr',
 'bincapz',
 'bwrap',
+ 'nami',
+ 'topgrade',
+ 'vi',
+ 'vim',
 'cargo',
 'chrome',
+ 'wimlib-imagex',
 'code',
 'com.apple.MobileSoftwareUpdate.UpdateBrainService',
 'com.apple.NRD.UpdateBrainService',
diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
index 4181dbe..f859e44 100644
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -131,6 +131,7 @@ WHERE
 '/dev/input,systemd',
 '/dev/input,systemd-logind',
 '/dev/input,thermald',
+ '/dev/shm,msedge',
 '/dev/input,upowerd',
 '/dev/input,Xorg',
 '/dev/net,tailscaled',
@@ -245,7 +246,7 @@ WHERE
 AND path_exception NOT LIKE '/dev/shm/pym-%python3%'
 -- celery
 AND path_exception NOT LIKE '/dev/shm/pymp-%,python3.%'
- AND dir_exception NOT LIKE '/dev/shm/byobu-%/status.tmux,'
+ AND dir_exception NOT LIKE '/dev/shm/byobu-%/%.tmux%'
 AND NOT (
 pof.path = "/dev/uinput"
 AND p0.name LIKE "solaar%"
diff --git a/detection/credentials/unexpected-dev-opener-macos.sql b/detection/credentials/unexpected-dev-opener-macos.sql
index a8c7416..0391ab9 100644
--- a/detection/credentials/unexpected-dev-opener-macos.sql
+++ b/detection/credentials/unexpected-dev-opener-macos.sql
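Review bot: Adding bare `'vi'`, `'vim'`, `'nami'`, `'topgrade'` and `'wimlib-imagex'` to the process-name exception of the high-disk-write query means any executable that simply names itself `vi` or `vim` can write at the alerting rate unnoticed, and editors are an unusual source of sustained multi-MB/s writes; consider pairing these with a `p0.path` condition, or at least a comment naming the workload that triggered them (`-- vim: swap/undo writes on very large files`, if that is what was seen). The new names are also out of the list's alphabetical order (`nami` before `cargo`, `wimlib-imagex` before `code`), as are `/app/libexec/mediawriter/helper` and the `AppleMobileBackup` path in the previous hunk, and `'/dev/shm,msedge'` in the dev-opener hunk on this line sits among the `/dev/input` entries. The enclosing WHERE clauses continue outside the hunks.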
@@ -101,6 +101,7 @@ WHERE '/dev/io,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd', '/dev/io,airportd,Software Signing,com.apple.airport.airportd', '/dev/io,symptomsd,Software Signing,com.apple.symptomsd', + '/dev/console,Arc,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.Browser', '/dev/io8log,ControlCenter,Software Signing,com.apple.controlcenter', '/dev/io8log,PerfPowerServices,Software Signing,com.apple.PerfPowerServices', '/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent', diff --git a/detection/discovery/unexpected-netutil-calls-linux.sql b/detection/discovery/unexpected-netutil-calls-linux.sql index 25693f2..850477e 100644 --- a/detection/discovery/unexpected-netutil-calls-linux.sql +++ b/detection/discovery/unexpected-netutil-calls-linux.sql @@ -88,6 +88,8 @@ WHERE 'login', 'roxterm', 'tmux', + 'screen', + 'gnome-terminal-server', 'newgrp', 'tmux:server', 'wezterm-gui', diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql index 03e13fb..b20174e 100644 --- a/detection/evasion/hidden-cwd.sql +++ b/detection/evasion/hidden-cwd.sql @@ -164,6 +164,7 @@ WHERE OR dir LIKE '%/.git/%' OR dir LIKE '%/.gradle' OR dir LIKE '%/.github/%' + OR dir LIKE '%/node_modules/.bin' OR dir LIKE '%/.cache/melange%' OR dir LIKE '%/.github' OR dir LIKE '%/.venv' diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql index 7b76f14..56b5a50 100644 --- a/detection/evasion/hidden-executable.sql +++ b/detection/evasion/hidden-executable.sql 
@@ -64,11 +64,12 @@ WHERE AND NOT f.directory LIKE '%/.goenv/%/bin' AND NOT f.directory LIKE '%/.goenv/%/pkg/%' AND NOT f.directory LIKE '%/.gradle/jdks/%' - AND NOT f.directory LIKE '/home/%/.pyenv/versions/%/bin' + AND NOT f.directory LIKE '%/.pyenv/versions/%/bin' AND NOT f.directory LIKE '%/.local/%' AND NOT f.directory LIKE '%/node_modules/.bin/%' AND NOT f.directory LIKE '%/.nvm/versions/%/bin' AND NOT f.directory LIKE '%/.pnpm/%' + AND NOT f.directory LIKE '%/.cache/selenium/chromedriver/%' AND NOT f.directory LIKE '%/.provisio/bin/%' AND NOT f.directory LIKE '%/.rustup/%' AND NOT f.directory LIKE '%/.rbenv/%' diff --git a/detection/evasion/hidden-home-library-dir.sql b/detection/evasion/hidden-home-library-dir.sql index 6c11a56..478630b 100644 --- a/detection/evasion/hidden-home-library-dir.sql +++ b/detection/evasion/hidden-home-library-dir.sql @@ -45,6 +45,7 @@ WHERE '~/Library/Finance/.finance_dropbox_SUPPORT/_EXTERNAL_DATA', '~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA', '~/Library/GroupContainersAlias/.SiriTodayViewExtension', + '~/Library/Caches/.adobe/c2pa_cache', '~/Library/GroupContainersAlias/.SiriTodayViewExtension/Library', '~/Library/Group Containers/.SiriTodayViewExtension', '~/Library/Group Containers/.SiriTodayViewExtension/Library', diff --git a/detection/evasion/missing-from-disk-macos.sql b/detection/evasion/missing-from-disk-macos.sql index ad75b7e..ee2d04a 100644 --- a/detection/evasion/missing-from-disk-macos.sql +++ b/detection/evasion/missing-from-disk-macos.sql 
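Review bot: Relaxing `'/home/%/.pyenv/versions/%/bin'` to `'%/.pyenv/versions/%/bin'` makes the hidden-executable exception match a `.pyenv/versions/*/bin` directory under any root, including `/tmp` or `/var/tmp`, where a dropped binary in a look-alike path would now be silenced; if the goal is to cover other home roots, enumerate them (`/home/%`, `/Users/%`, `/var/home/%`) rather than using a bare leading `%`. The new `'%/.cache/selenium/chromedriver/%'` line has the same unanchored shape and exempts a user-writable cache directory. In the next hunk, `'~/Library/Caches/.adobe/c2pa_cache'` is inserted between the `GroupContainersAlias` lines, out of the list's order. The WHERE clause continues outside the hunk.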
@@ -57,17 +57,18 @@ WHERE '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Renderer).app/Contents/MacOS/Code Helper (Renderer)' ) OR cmd LIKE '/opt/homebrew/Cellar/%' - OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old' OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%' - OR p.path LIKE '/private/var/kolide-k2/k2device.kolide.com/updates/%' - OR p.path LIKE '/Users/%/homebrew/Cellar/%' - OR p.path LIKE '/usr/local/Cellar/%/bin/%' + OR p.path LIKE '/opt/homebrew/Cellar/%/libexec/%' OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%' - OR p.path LIKE '/Users/%/node_modules/.pnpm/%' + OR p.path LIKE '/private/var/kolide-k2/k2device.kolide.com/updates/%' OR p.path LIKE '/Users/%/go/bin/%' + OR p.path LIKE '/Users/%/homebrew/Cellar/%' OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%' - OR p.path LIKE '/Users/%/.terraform/providers/%/terraform-provider-%' + OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old' OR p.path LIKE '/Users/%/.local/share/nvim/mason/packages/%' + OR p.path LIKE '/Users/%/node_modules/.pnpm/%' + OR p.path LIKE '/Users/%/.terraform/providers/%/terraform-provider-%' + OR p.path LIKE '/usr/local/Cellar/%/bin/%' OR cmd LIKE '/opt/homebrew/opt/%' OR cmd LIKE '/private/var/folders/%/Visual Studio Code.app/Contents/%' OR cmd LIKE '/Users/%/homebrew/opt/mysql/bin/%' -- Sometimes cmd is empty also :( diff --git a/detection/evasion/old-binaries-running.sql b/detection/evasion/old-binaries-running.sql index 90e1528..ae0e115 100644 --- a/detection/evasion/old-binaries-running.sql +++ b/detection/evasion/old-binaries-running.sql 
@@ -46,6 +46,7 @@ WHERE '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService', '/Library/Printers/Brother/Utilities/BrStatusMonitor.app/Contents/MacOS/BrStatusMonitor', '/Library/Application Support/Razer/RzUpdater.app/Contents/MacOS/RzUpdater', + '/Library/Application Support/LogiFacecam.bundle/Contents/MacOS/LogiFacecamService', '/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver', '/Library/Printers/Brother/Filter/rastertobrother2300.bundle/Contents/MacOS/rastertobrother2300', '/Applications/Vimari.app/Contents/PlugIns/Vimari Extension.appex/Contents/MacOS/Vimari Extension', @@ -82,6 +83,7 @@ WHERE 'dlv' ) AND f.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/%/d/Skitch.app/Contents/MacOS/Skitch' + AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/podman-%' AND p.cgroup_path NOT LIKE '/system.slice/docker-%' AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%' GROUP BY diff --git a/detection/evasion/parent-missing-from-disk-linux.sql b/detection/evasion/parent-missing-from-disk-linux.sql index 8451959..bb76f24 100644 --- a/detection/evasion/parent-missing-from-disk-linux.sql +++ b/detection/evasion/parent-missing-from-disk-linux.sql @@ -61,9 +61,12 @@ WHERE '/usr/bin/kitty', '/usr/lib/electron22/electron', '/usr/bin/osqueryd', + '/usr/bin/ninja', + '/usr/bin/cmake', '/usr/libexec/gvfsd', '/usr/bin/sudo', '/usr/bin/tmux', + '/usr/bin/python3', '/usr/bin/yay', '/usr/libexec/gdm-wayland-session', '/usr/libexec/gdm-x-session', @@ -80,6 +83,7 @@ WHERE 'bash', 'dnf', 'electron', + 'gnome-terminal', 'fish', 'gnome-shell', 'kubelet', diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql index 10830db..13f98e7 100644 --- a/detection/evasion/unexpected-alf-exceptions-macos.sql 
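Review bot: Adding `'/usr/bin/python3'` to this path list exempts, if the list holds parent paths as the file name suggests, every process whose python3 parent has since vanished from disk, which is a much wider class than the other entries (ninja, cmake, tmux) and resembles the pattern of a deleted script spawning children; if the motivating case is an interpreter replaced by a package upgrade, a comment saying so (`-- python3 replaced by a package upgrade while a long-running script kept executing`, wording to confirm) lets a later reviewer re-evaluate it. `'/usr/bin/ninja'`, `'/usr/bin/cmake'`, `'/usr/bin/python3'` and `'gnome-terminal'` are also inserted out of the order of their lists. The WHERE clause continues outside the hunks.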
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql 
@@ -71,16 +71,17 @@ WHERE -- Filter out stock exceptions to decrease overhead 'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501', 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0', 'Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.,/Applications/Multipass.app/,0', + 'Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipassGui,/Applications/Multipass.app/,0', 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0', 'Developer ID Application: Crul, Inc. (5PTD6R25S6),com.electron.crul,/Applications/crul.app/,501', 'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501', + 'Developer ID Application: Digital Ignition LLC (5DPYRBHEAR),org.m0k.transmission,/Applications/Transmission.app/,501', 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker,/Applications/Docker.app/,501', 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501', 'Developer ID Application: Evernote Corporation (Q79WDW8YH9),com.evernote.Evernote,/Applications/Evernote.app/,501', 'Developer ID Application: folivora.AI GmbH (DAFVSXZ82P),com.hegenberg.BetterTouchTool,/Applications/BetterTouchTool.app/,501', 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501', 'Developer ID Application: JetBrains s.r.o. 
(2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501', - 'Developer ID Application: Shanghai Lunkuo Technology Co., Ltd (T3UBR9Y3B2),com.bambulab.bambu-studio,/Applications/BambuStudio.app/,501', 'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501', 'Developer ID Application: Martijn Smit (GX645XXEAX),com.mutedeck.mac,/Applications/MuteDeck/MuteDeck.app/,501', 'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501', @@ -89,6 +90,7 @@ WHERE -- Filter out stock exceptions to decrease overhead 'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/,0', 'Developer ID Application: Raycast Technologies Inc (SY64MV22J9),com.raycast.macos,/Applications/Raycast.app/,501', 'Developer ID Application: RescueTime, Inc (FSY4RB8H39),c]om.rescuetime.RescueTime,/Applications/RescueTime.app/,0', + 'Developer ID Application: Shanghai Lunkuo Technology Co., Ltd (T3UBR9Y3B2),com.bambulab.bambu-studio,/Applications/BambuStudio.app/,501', 'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501', 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501', 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0', 
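Review bot: The bambu-studio entry is moved into alphabetical position, but it now sits beside `'Developer ID Application: RescueTime, Inc (FSY4RB8H39),c]om.rescuetime.RescueTime,...'`, where the stray `]` means that exception can never match a real identifier and silently does nothing; since this commit is already tidying the list, change it to `com.rescuetime.RescueTime` in the same pass. The hunk context also shows the team identifier `(QGD2ZPXZZG)` listed under both `Loom, Inc` and `Opentest, Inc.` with the same bundle, which deserves a comment if both authority strings have really been observed. The IN list continues outside the hunk.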
@@ -109,6 +111,7 @@ WHERE -- Filter out stock exceptions to decrease overhead 'Software Signing,com.apple.python3,/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0', 'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0', 'Software Signing,com.apple.rapportd,/usr/libexec/rapportd,0', + 'Software Signing,com.apple.RemoteDesktopAgent,/System/Library/CoreServices/RemoteManagement/ARDAgent.app/,0', 'Software Signing,com.apple.rpc,/usr/sbin/rpc.lockd,0', 'Software Signing,com.apple.Terminal,/System/Applications/Utilities/Terminal.app/,0', 'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0', diff --git a/detection/evasion/unexpected-etc-executables.sql b/detection/evasion/unexpected-etc-executables.sql index e6faca1..10882c4 100644 --- a/detection/evasion/unexpected-etc-executables.sql +++ b/detection/evasion/unexpected-etc-executables.sql @@ -131,6 +131,7 @@ WHERE '/etc/security', '/etc/skel', '/etc/smartmontools', + '/etc/smartmontools/run.d', '/etc/ssl/certs', '/etc/ssl/misc', '/etc/ssl/trust-source', @@ -153,19 +154,19 @@ WHERE '/etc/zfs/zpool.d' ) AND file.path NOT IN ( + '/etc/auto.net', '/etc/cloud/clean.d/99-installer', '/etc/cloud/clean.d/99-installer-use-networkmanager', '/etc/grub2.cfg', '/etc/grub2-efi.cfg', '/etc/hibernate.sh', - '/etc/pcp/pmie/rc', - '/etc/sddm/wayland-session', '/etc/libpaper.d/texlive-base', '/etc/modulefiles/vpl', '/etc/nftables.conf', '/etc/opt/chrome/native-messaging-hosts/com.google.endpoint_verification.api_helper.json', '/etc/paths.d/100-rvictl', '/etc/pcp/pmcd/rc.local', + '/etc/pcp/pmie/rc', '/etc/pcp/pmlogger/rc', '/etc/pcp/pmproxy/rc', '/etc/pki/tls/certs/make-dummy-cert', 
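Review bot: `'Software Signing,com.apple.RemoteDesktopAgent,/System/Library/CoreServices/RemoteManagement/ARDAgent.app/,0'` adds the Apple Remote Desktop agent to the stock firewall exceptions; if that entry only appears in the firewall list once Remote Management is enabled, excepting it unconditionally means the query no longer surfaces that remote-access service being switched on. If that trade-off is acceptable, a comment keeps it visible (`-- ARDAgent: expected on hosts where Remote Management is enabled`, wording to confirm); otherwise leave the entry out. The IN list continues outside the hunk.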
@@ -177,6 +178,8 @@ WHERE '/etc/qemu-ifdown', '/etc/qemu-ifup', '/etc/rmt', + '/etc/sddm/wayland-session', + '/etc/sddm/Xsession', '/etc/sddm/Xsetup', '/etc/sddm/Xstop', '/etc/shutdown.sh', diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql index a4ff07c..007d155 100644 --- a/detection/evasion/unexpected-hidden-system-paths.sql +++ b/detection/evasion/unexpected-hidden-system-paths.sql @@ -1,4 +1,4 @@ --- Find unexpected hidden directories in operating-system foldersbin/ +-- Find unexpected hidden directories in operating-system folders -- -- references: -- * https://themittenmac.com/what-does-apt-activity-look-like-on-macos/ @@ -169,6 +169,7 @@ WHERE '/var/root/.provisio', '/var/root/.Trash/', '/var/root/.viminfo', + '/var/root/.ssh/', '/var/root/.zsh_history', '/var/run/.heim_org.h5l.kcm-socket', '/var/run/.sim_diagnosticd_socket', @@ -177,8 +178,10 @@ WHERE '/var/setup/.TemporaryItems', '/var/setup/.TemporaryItems/', '/var/tmp/.ses', + '/tmp/.ses', '/var/tmp/.ses.bak', '/.vol/', + '/tmp/.git/', '/.VolumeIcon.icns' ) AND file.directory NOT IN ( @@ -189,6 +192,7 @@ WHERE AND file.path NOT LIKE '/%bin/bootstrapping/.default_components' AND file.path NOT LIKE '/tmp/.#%' AND file.path NOT LIKE '/lib/jvm/.java-%.jinfo' + AND file.path NOT LIKE '%/lib/.lib%.hmac' AND file.path NOT LIKE '/tmp/.lark_cache_%' AND file.path NOT LIKE '/tmp/.cdx.json%' AND file.path NOT LIKE '/var/roothome/.xauth%' @@ -199,6 +203,7 @@ WHERE AND file.path NOT LIKE '/tmp/.xfsm-ICE-%' AND file.path NOT LIKE '/tmp/.com.google.Chrome.%' AND file.path NOT LIKE '/tmp/.org.chromium.Chromium%' + AND file.path NOT LIKe '/tmp/.com.microsoft.Edge.%' AND file.path NOT LIKE '/var/run/.vfs_rsrc_streams_%/' AND file.path NOT LIKE '/tmp/.X1%-lock' AND file.path NOT LIKE '/usr/local/%/.keepme' @@ -213,6 +218,8 @@ WHERE type = 'regular' AND ( filename LIKE '%.swp' + OR filename LIKE '%.swo' + OR filename LIKE '%.swn' OR size < 2 ) ) 
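Review bot: `'/var/root/.ssh/'` is added to the hidden-path exception list, yet root's `.ssh` directory on macOS is a primary persistence location (authorized_keys, keys, config); unless conditions outside the hunk still report the files beneath it, this exempts exactly the path the detection most needs to watch, so either drop the entry or narrow it to the specific expected file with a comment explaining its origin. Smaller points in the same file: `AND file.path NOT LIKe '/tmp/.com.microsoft.Edge.%'` works because SQLite keywords are case-insensitive but should read `LIKE` like its neighbours; `'/tmp/.ses'` and `'/tmp/.git/'` are inserted among the `/var/` entries out of order; and `'%/lib/.lib%.hmac'` is unanchored at the front, so it matches under any `lib/` directory rather than the system library paths presumably intended. The WHERE clause continues outside the hunks.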
@@ -261,3 +268,11 @@ WHERE
 AND uid = 501
 AND gid = 0
 )
+ -- RX100
+ AND NOT (
+ file.path LIKE '/var/db/.%'
+ AND file.gid = 0
+ AND file.uid = 0
+ AND file.size = 28
+ AND file.mode = '0666'
+ )
diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql
index 07cedf3..ee7cfd6 100644
--- a/detection/evasion/unexpected-process-extension-linux.sql
+++ b/detection/evasion/unexpected-process-extension-linux.sql
@@ -73,6 +73,7 @@ WHERE
 '29',
 '30',
 'backend',
+ 'emacs',
 'build',
 'bin',
 'nox',
@@ -85,3 +86,4 @@ WHERE
 AND NOT basename LIKE 'python2.%'
 AND NOT basename LIKE 'terraform-provider%'
 AND NOT basename LIKE 'ld-%.so'
+ AND NOT basename LIKE 'unison-%'
diff --git a/detection/evasion/unexpected-user-executables-macos.sql b/detection/evasion/unexpected-user-executables-macos.sql
index 3262636..22e29bb 100644
--- a/detection/evasion/unexpected-user-executables-macos.sql
+++ b/detection/evasion/unexpected-user-executables-macos.sql
@@ -205,6 +205,8 @@ WHERE
 )
 AND NOT homepath IN (
 '~/.config/nvm/nvm.sh',
+ '~/.config/i3',
+ '~/.config/polybar',
 '~/Library/Assistant/SiriAnalytics.db',
 '~/Library/Calendars/Calendar.sqlitedb',
 '~/Library/Calendars/Calendar.sqlitedb-wal',
@@ -214,7 +216,7 @@ WHERE
 '~/Library/Group Containers/group.com.docker/unleash-repo-schema-v1-Docker Desktop.json',
 '~/Library/HTTPStorages/com.apple.AddressBookSourceSync',
 '~/Library/HTTPStorages/com.apple.AddressBookSourceSync/httpstorages.sqlite-shm',
- ' ~/Library/Keychains/login.keychain-db',
+ '~/Library/Keychains/login.keychain-db',
 '~/Library/Logs/zoom.us/upload_history.txt',
 '~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'
 )
diff --git a/detection/evasion/unexpected-user-shared-entries.sql b/detection/evasion/unexpected-user-shared-entries.sql
index 93e06ec..119486c 100644
--- a/detection/evasion/unexpected-user-shared-entries.sql
+++ b/detection/evasion/unexpected-user-shared-entries.sql
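Review bot: The `-- RX100` comment above the new exception block in the `@@ -261,3 +268,11 @@` hunk does not say what RX100 is or why root-owned, world-writable (`0666`) 28-byte dotfiles under `/var/db/` are expected from it, so a later maintainer cannot tell whether the exception is still warranted. Expand it to something like `-- RX100 (<device or driver>, TODO confirm) writes 28-byte 0666 dotfiles under /var/db`. The size/uid/gid/mode key is tight enough that the exception itself looks reasonable.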
@@ -55,6 +55,7 @@ WHERE
 '/Users/Shared/CleanMyMac X/.licence',
 '/Users/Shared/LogiTuneInstallerStarted.txt',
 '/Users/Shared/.NSVolumeHeap',
+ '/Users/Shared/.4oaLkgIGnA',
 '/Users/Shared/.SeedEnrollment.plist'
 )
 OR top3_dir IN (
@@ -68,12 +69,14 @@ WHERE
 '/Users/Shared/CleanMyMac X Menu',
 '/Users/Shared/LGHUB',
 '/Users/Shared/logi',
- ' /Users/Shared/Maxon',
+ '/Users/Shared/Pixologic',
+ '/Users/Shared/Maxon',
 '/Users/Shared/AdobeInstalledCodecsTier2',
 '/Users/Shared/LogioptionsPlus',
 '/Users/Shared/LogiOptionsPlus',
 '/Users/Shared/.logishrd',
 '/Users/Shared/logitune',
+ '/Users/Shared/ZBrushData2024',
 '/Users/Shared/macenhance',
 '/Users/Shared/Parallels',
 '/Users/Shared/PPN',
diff --git a/detection/evasion/unexpected-var-executables-linux.sql b/detection/evasion/unexpected-var-executables-linux.sql
index 1c9d2a2..b9d1a88 100644
--- a/detection/evasion/unexpected-var-executables-linux.sql
+++ b/detection/evasion/unexpected-var-executables-linux.sql
@@ -39,6 +39,8 @@ WHERE
 AND file.path NOT LIKE '%/./%'
 AND file.path NOT LIKE '/var/tmp/images/%'
 AND file.path NOT LIKE '/var/tmp/packages/%'
+ AND file.path NOT LIKE '/var/tmp/buildah-cache-1000/var/cache/rpm-ostree/%'
+ AND file.directory NOT LIKE '/var/tmp/buildah%/run'
 AND (
 file.mode LIKE '%7%'
 OR file.mode LIKE '%5%'
diff --git a/detection/evasion/unexpected-var-run-linux.sql b/detection/evasion/unexpected-var-run-linux.sql
index cfc7409..ff98638 100644
--- a/detection/evasion/unexpected-var-run-linux.sql
+++ b/detection/evasion/unexpected-var-run-linux.sql
@@ -34,6 +34,7 @@ WHERE
 'apcupsd.pid',
 'apport.lock',
 'atd.pid',
+ 'atopacctd.pid',
 'auditd.pid',
 'com.rapid7.cnchub.pid',
 'com.rapid7.component_insight_agent.pid',
@@ -61,6 +62,7 @@ WHERE
 'nvidia_runtimepm_enabled',
 'nvidia_runtimepm_supported',
 'ostree-booted',
+ 'pacct_source',
 'pulseaudio-enable-autospawn',
 'reboot-required',
 'reboot-required.pkgs',
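Review bot: `'/Users/Shared/.4oaLkgIGnA'` in the `@@ -55,6 +55,7 @@` hunk is an opaque, random-looking hidden filename exempted with no indication of what creates it, which is precisely the shape of artifact this query exists to surface. Add a comment naming the software that produces it (e.g. `-- .4oaLkgIGnA: written by <app> (TODO confirm)`), or, if the name is generated per install so the literal will not generalize, prefer an attribute-based key (owner, size) over the name. The surrounding `IN (` list starts outside the hunk.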
diff --git a/detection/evasion/unexpected-var-run-macos.sql b/detection/evasion/unexpected-var-run-macos.sql
index bf5f82e..93cf7ea 100644
--- a/detection/evasion/unexpected-var-run-macos.sql
+++ b/detection/evasion/unexpected-var-run-macos.sql
@@ -34,6 +34,7 @@ WHERE
 'FirstBootAfterUpdate',
 'FirstBootCleanupHandled',
 'appfwd.pid',
+ 'MobileAssetStartupActivation.doneThisBoot',
 'auditd.pid',
 'automount.initialized',
 'bootpd.pid',
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
index 432ce34..0f865f7 100644
--- a/detection/evasion/unusual-process-name-macos.sql
+++ b/detection/evasion/unusual-process-name-macos.sql
@@ -114,6 +114,7 @@ WHERE
 AND NOT pname LIKE '%-macos-arm64'
 AND NOT pname LIKE 'debug.test%'
 AND NOT pname LIKE '__%go_build%'
+ AND NOt pname LIKE '___1Test%'
 AND NOT pname LIKE 'BetterTouchToolAppleScriptRunner%'
 AND NOT s.authority IN (
 "Software Signing",
diff --git a/detection/execution/exotic-commands-linux.sql b/detection/execution/exotic-commands-linux.sql
index 425d214..137cd39 100644
--- a/detection/execution/exotic-commands-linux.sql
+++ b/detection/execution/exotic-commands-linux.sql
@@ -125,6 +125,7 @@ WHERE
 'java',
 'containerd-shim',
 'code',
+ 'goland',
 'emacs',
 'vim',
 'vim.nox'
diff --git a/detection/execution/recently-created-executables-long-lived-linux.sql b/detection/execution/recently-created-executables-long-lived-linux.sql
index 981edeb..9b6f0cc 100644
--- a/detection/execution/recently-created-executables-long-lived-linux.sql
+++ b/detection/execution/recently-created-executables-long-lived-linux.sql
@@ -45,7 +45,7 @@ WHERE
 p0.start_time > 0
 AND f.ctime > 0
 AND p0.start_time > (strftime('%s', 'now') - 43200)
- AND (p0.start_time - MAX(f.ctime, f.btime)) < 900
+ AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200
 AND p0.start_time >= MAX(f.ctime, f.ctime)
 AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
 -- These are binaries that are known to get updated and subsequently executed
@@ -132,6 +132,7 @@ WHERE
 )
 AND NOT p0.path LIKE '/home/%/bin/%'
 AND NOT p0.path LIKE '/home/%/git/%'
+ AND NOT p0.path LIKE '/home/%/upstream/%'
 AND NOT p0.path LIKE '/home/%/.local/share/JetBrains/Toolbox/apps/%'
 AND NOT p0.path LIKE '/home/%/.local/share/nvim/mason/packages/%'
 AND NOT p0.path LIKE '/home/%/.cache/JetBrains/%/GoLand/___%'
@@ -158,6 +159,7 @@ WHERE
 AND NOT p0.path LIKE '%/.vscode/extensions/%'
 AND NOT p0.path LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
 AND NOT p0.path LIKE '%/.local/share/spotify-launcher/install/usr/%'
+ AND NOT p0.path LIKE '/var/opt/Elastic/Agent/data/elastic-agent-%/components/%'
 AND NOT (
 p0.name IN ('osqtool-x86_64', 'osqtool-arm64')
 AND p0.cmdline LIKE './%'
diff --git a/detection/execution/recently-created-executables-long-lived-macos.sql b/detection/execution/recently-created-executables-long-lived-macos.sql
index cfe778b..4b4bd25 100644
--- a/detection/execution/recently-created-executables-long-lived-macos.sql
+++ b/detection/execution/recently-created-executables-long-lived-macos.sql
@@ -78,7 +78,7 @@ WHERE
 AND NOT path LIKE '/usr/local/kolide-k2/bin/%'
 AND NOT path LIKE '%/cloud_sql_proxy'
 )
- AND (p0.start_time - MAX(f.ctime, f.btime)) < 600
+ AND (p0.start_time - MAX(f.ctime, f.btime)) < 1200
 AND f.ctime > 0
 AND NOT (
 p0.euid > 499
@@ -118,6 +118,7 @@ WHERE
 '~/gohome/bin',
 '~/code/bin',
 '~/go/bin',
+ '/usr/local/aws-cli',
 '~/melange',
 '~/repos/bincapz/out',
 '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
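Review bot: The new `< 1200` threshold in the `@@ -45,7 +45,7 @@` hunk (and the matching `< 1200` in the macOS `@@ -78,7 +78,7 @@` hunk) is a bare magic number on the line that is this detection's main tuning knob, with nothing recording the unit or why 900/600 were raised; a comment such as `-- seconds between file creation and first launch (20 min); TODO: note why this was widened` would keep the two files in sync on purpose rather than by coincidence. While on this line, the adjacent context line `AND p0.start_time >= MAX(f.ctime, f.ctime)` compares ctime with itself and probably meant to mirror the new line's `MAX(f.ctime, f.btime)`; worth confirming. The enclosing WHERE clause starts before the hunk.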
@@ -138,6 +139,7 @@ WHERE
 OR dir LIKE '~/%/go/bin'
 OR dir LIKE '~/Downloads/%.app/Contents/MacOS'
 OR dir LIKE '~/dev/%'
+ OR dir LIKE '~/git/%'
 OR f.path LIKE '%go-build%'
 OR homepath LIKE '~/%/src/%.test'
 OR homepath LIKE '~/%/pkg/%.test'
@@ -165,6 +167,7 @@ WHERE
 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
 'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
 'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
+ 'Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
 'Developer ID Application: Cisco (DE8Y96K9QP)',
 'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
@@ -190,7 +193,9 @@ WHERE
 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
 'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
 'Developer ID Application: Wesley FURLONG (P4A6FU9KZ3)',
+ 'Developer ID Application: Autodesk (XXKJ396S2Y)',
 'Developer ID Application: Michael Jones (YD6LEYT6WZ)',
+ 'Developer ID Application: VMware, Inc. (EG7KH642X6)',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 'Developer ID Application: Mojang AB (HR992ZEAE6)',
 'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)',
diff --git a/detection/execution/sketchy-fetcher-events.sql b/detection/execution/sketchy-fetcher-events.sql
index 1292676..dbf7dfa 100644
--- a/detection/execution/sketchy-fetcher-events.sql
+++ b/detection/execution/sketchy-fetcher-events.sql
@@ -182,6 +182,7 @@ WHERE
 'releases.hashicorp.com',
 'github.com',
 'cdn.zoom.us',
+ 'repo1.maven.org',
 'dl.enforce.dev'
 )
 -- Ignore local addresses (Docker development)
@@ -193,3 +194,4 @@ WHERE
 )
 )
 AND NOT p1_cmd LIKE '/usr/bin/bash /usr/bin/makepkg %'
+ AND NOT url in ('https://aur.archlinux.org')
diff --git a/detection/execution/tiny-executable-events.sql b/detection/execution/tiny-executable-events.sql
index a5ea974..f4e050d 100644
--- a/detection/execution/tiny-executable-events.sql
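Review bot: `AND NOT url in ('https://aur.archlinux.org')` in the `@@ -193,3 +194,4 @@` hunk only suppresses an exact match of the bare origin, so a fetch of any page or tarball under that host (anything with a path component) will still fire unless `url` is already normalized to the origin, which nothing in the hunk shows. If the whole host is intended, `AND NOT url LIKE 'https://aur.archlinux.org/%'` is the form the rest of this file uses; either way, use uppercase `IN`/`LIKE` to match the surrounding keywords, and a single-value `IN` reads better as `=`. The enclosing WHERE clause starts outside the hunk.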
+++ b/detection/execution/tiny-executable-events.sql
@@ -45,6 +45,7 @@ WHERE
 '/sbin/ldconfig',
 '/usr/sbin/ldconfig',
 '/usr/bin/c_rehash',
+ '/home/smoser/bin/firefox',
 '/usr/sbin/update-ca-certificates'
 )
 AND NOT (
@@ -59,3 +60,8 @@ WHERE
 p.path = "/"
 AND file.size < 8192
 )
+ AND NOT cmdline IN (
+ 'bpftool --version',
+ 'bpftool --help',
+ 'bpftool -V'
+ )
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index 5cffd30..b038439 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -78,7 +78,10 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 'curl,500,Slack,launchd',
 'curl,500,Stats,bash',
 'curl,500,zsh,login',
+ 'curl,500,zsh,zellij',
 'curl,500,zsh,sh',
+ 'curl,500,zsh,mc',
+ 'curl,0,bash,kandji-library-manager',
 'wget,500,env,env',
 'wget,500,sh,bwrap',
 'wget,500,zsh,bash'
diff --git a/detection/execution/unexpected-gatekeeper-approvals-macos.sql b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
index a5d45c9..a575523 100644
--- a/detection/execution/unexpected-gatekeeper-approvals-macos.sql
+++ b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
@@ -39,6 +39,8 @@ WHERE
 AND gap.path NOT LIKE '/usr/local/bin/%'
 AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'
 AND gap.path NOT LIKE '/Users/%/Downloads/U_STIGViewer%/STIGViewer'
+ AND gap.path NOT LIKE '/Users/%/Downloads/grpcurl_%'
+ AND gap.path NOT LIKE '/Users/%/Downloads/%_arm64%/%'
 AND signature.authority != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'
 GROUP BY
 gap.requirement
diff --git a/detection/execution/unexpected-packet-sniffer.sql b/detection/execution/unexpected-packet-sniffer.sql
index a63d0a0..9ed8eeb 100644
--- a/detection/execution/unexpected-packet-sniffer.sql
+++ b/detection/execution/unexpected-packet-sniffer.sql
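Review bot: `'/home/smoser/bin/firefox'` in the `@@ -45,6 +45,7 @@` hunk hard-codes one user's home directory into a shared ruleset, and a user-writable `~/bin` is not a trust anchor for a tiny-executable check: any small file placed at that path is exempted regardless of content. The other entries in this list are system paths; if this wrapper must be exempted, use a narrower key the file already supports (the cmdline-based block added in the `@@ -59,3 +60,8 @@` hunk is one option) and add a comment saying what the wrapper is and why it is tiny. The surrounding `IN (` list starts outside the hunk.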
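Review bot: `AND gap.path NOT LIKE '/Users/%/Downloads/%_arm64%/%'` in the `@@ -39,6 +39,8 @@` hunk exempts every Gatekeeper approval for anything inside a Downloads subdirectory whose name contains `_arm64`, a suffix common to arbitrary third-party release archives, which removes a large slice of this detection's coverage; note also that `_` is a LIKE single-character wildcard, so the pattern is effectively `%arm64%`. Narrow it to the specific tool it was added for, in the style of the adjacent `grpcurl_%` and `openresty%` entries, and add a comment naming it. The enclosing WHERE clause starts outside the hunk.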
@@ -44,6 +44,7 @@ WHERE
 'NetworkManager',
 'dhclient',
 'packetbeat',
+ 'tailscaled',
 'dhcpcd',
 'tcpdump'
 )
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index aaeb890..a6bb9a1 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -152,6 +152,7 @@ WHERE
 '500,ko,,',
 '500,ko,a.out,',
 '500,kubectl,a.out,',
+ '500,Keeper Password Manager,com.callpod.keepermac.lite,Apple Mac OS Application Signing',
 '500,lua-language-server,lua-language-server,',
 '500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
 '500,mattermost,a.out,',
@@ -212,6 +213,7 @@ WHERE
 '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing',
 '500,vim,,',
+ '500,chromedriver,chromedriver,',
 '500,vim,vim,',
 '500,WinAppHelper,,',
 '500,WinAppHelper,WinAppHelper,'
@@ -256,5 +258,6 @@ WHERE
 AND NOT exception_key LIKE '500,rzls,apphost-%,'
 AND NOT exception_key LIKE '500,sg-nvim-agent,sg_nvim_agent-%,'
 AND NOT exception_key LIKE '500,taplo-full-darwin-%,taplo-%,'
+ AND NOT exception_key LIKE '500,just,just-%,'
 GROUP BY
 p0.pid
diff --git a/detection/execution/unexpected-sysutils-macos.sql b/detection/execution/unexpected-sysutils-macos.sql
index 8c08db6..b1a2f56 100644
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
@@ -101,6 +101,8 @@ WHERE
 'sysctl -i sysctl.proc_translated',
 'sysctl -n hw.optional.arm64',
 'sw_vers -productName',
+ '/usr/bin/security authorizationdb read system.login.screensaver',
+ 'security authorizationdb read system.login.screensaver',
 'unzip -h',
 'sysctl -n sysctl.proc_translated',
 '/usr/sbin/system_profiler SPUSBDataType',
@@ -111,10 +113,13 @@ WHERE
 )
 AND NOT exception_key IN (
 'ditto,500,ruby,zsh',
+ 'system_profiler,500,bash,DDPM',
 'ioreg,500,bash,Alfred Preferences',
 'ioreg,500,com.docker.backend,launchd',
 'system_profiler,0,launcher,launchd',
 'system_profiler,500,bash,launchd',
+ 'ioreg,500,com.docker.backend,com.docker.backend',
+ 'security_authtrampoline,500,Raycast,launchd',
 'system_profiler,500,bash,logioptionsplus_agent',
 'system_profiler,500,Google Drive,launchd',
 'system_profiler,500,steam_osx,launchd',
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 8b8504f..f6971fe 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -84,7 +84,10 @@ WHERE
 'emacs',
 'steam_osx',
 'factorio',
+ 'Google Chrome',
 'firefox',
+ 'meta',
+ 'ollama',
 'fish',
 'fleet_backend',
 'fsdaemon',
@@ -108,9 +111,12 @@ WHERE
 'nautilus',
 'nessusd',
 'nix',
+ 'Fedora Media Writer',
+ 'updatedb',
 'nix-daemon',
 'nvim',
 'ollama',
+ 'Autodesk Identity Manager',
 'ollama-runer',
 'osqueryd',
 'osqueryi',
@@ -121,6 +127,7 @@ WHERE
 'rpi-imager',
 'rpm-ostree',
 'rsync',
+ 'Microsoft Update Assistant',
 'sh',
 'simdiskimaged',
 'slack',
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index 6b24fd6..cf7d613 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
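Review bot: `'ollama'` added in the `@@ -84,7 +84,10 @@` hunk is already in this list, visible as a context line in the `@@ -108,9 +111,12 @@` hunk just below (`'nvim', 'ollama', ...`), so the new entry is a duplicate and should be dropped. In the same hunk `'meta'` is a very generic process name that does not identify which product is being exempted from the high-read check; a comment such as `-- 'meta': <product> (TODO confirm)` or a more specific name would keep the exemption reviewable. The enclosing `IN (` list starts outside the hunk.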
@@ -42,26 +42,35 @@ WHERE
 'alfredapp.com',
 'amazon.com',
 'android.com',
+ 'ankiweb.net',
 'apple.com',
 'arc.net',
 'asana.com',
+ 'astutegraphics.com',
+ 'backblazeb2.com',
 'balena.io',
 'balsamiq.com',
 'bblmw.com',
 'bluestacks.com',
+ 'boxcdn.net',
 'box.com',
 'brave.com',
+ 'byfly.by',
 'canon.co.uk',
 'cdn.mozilla.net',
 'charlesproxy.com',
+ 'chatgpt.com',
 'cloudfront.net',
 'cron.com',
 'csclub.uwaterloo.ca',
+ 'curseforge.com',
 'c-wss.com',
 'descript.com',
+ 'desktop.evernote.com',
 'digidesign.com',
 'discordapp.net',
 'discord.com',
+ 'dl.meitu.com',
 'dl.sourceforge.net',
 'docker.com',
 'dogado.de',
@@ -70,26 +79,35 @@ WHERE
 'eclipse.org',
 'emeet.com',
 'epson.com',
+ 'eventideaudio.com',
 'fcix.net',
+ 'figma.com',
+ 'foundry.com',
 'gaomon.net',
 'getutm.app',
 'gimp.org',
 'github.io',
 'githubusercontent.com',
 'google.ca',
+ 'google.com',
 'grammarly.com',
+ 'imazing.com',
 'integodownload.com',
 'irccloud.com',
 'jetbrains.com',
- 'live.com',
 'kagi.com',
 'libreoffice.org',
+ 'live.com',
 'logitech.com',
 'loom.com',
 'macbartender.com',
+ 'macroplant.com',
+ 'maxon.net',
 'microsoft.com',
 'minecraft.net',
 'mirrorservice.org',
+ 'mm.cfix.net',
+ 'mm.fcix.net',
 'mojang.com',
 'mozilla.org',
 'mutedeck.com',
@@ -97,18 +115,27 @@ WHERE
 'notion.so',
 'notion-static.com',
 'ocf.berkeley.edu',
+ 'odvdev.at'
+ 'office.com',
 'oobesaas.adobe.com',
 'openra.net',
 'oracle.com',
 'osuosl.org',
+ 'overwolf.com',
+ 'pathofexile.com',
 'perforce.com',
+ 'poecdn.com',
 'pqrs.org',
+ 'proxmox.com',
 'prusa3d.com',
+ 'raspberrypi.com',
+ 'redhat.com',
 'remarkable.com',
 'rewind.ai',
 's3.amazonaws.com',
 'securew2.com',
 'signal.org',
+ 'siliconmotion.com',
 'skype.com',
 'slack.com',
 'slack-edge.com',
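Review bot: `'mm.cfix.net'` in the `@@ -70,26 +79,35 @@` hunk looks like a typo for `'mm.fcix.net'`, which is added on the very next line and matches the existing `'fcix.net'` mirror entry; if the misspelled host is not real the entry is dead and should be removed. `'google.com'` in the same hunk is far broader than the existing `'google.ca'` entry and covers any Google-hosted download, including user-shared content; if that breadth is intended, a comment saying so would help the next reviewer. The enclosing `IN (` list starts outside the hunk.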
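Review bot: `'odvdev.at'` in the `@@ -97,18 +115,27 @@` hunk has no trailing comma, so the list now reads `'odvdev.at' 'office.com',`; SQLite does not join adjacent string literals, so this will almost certainly fail to parse and take the whole query out of service. The host also looks like a misspelling of `'obdev.at'`, which the second list in this file already uses. Change the line to `'obdev.at',` (or `'odvdev.at',` if that host really exists) and confirm the file still loads. The enclosing `IN (` list starts outside the hunk.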
@@ -118,18 +145,22 @@ WHERE
 'tableplus.com',
 'teams.cdn.office.net',
 'techsmith.com',
+ 'tweaknews.eu',
 'ubuntu.com',
+ 'ultimaker.com',
 'umd.edu',
 'usa.canon.com',
 'uubyte.com',
 'vc.logitech.com',
 'vimcal.com',
 'virtualbox.org',
+ 'viture.dev',
 'vmware.com',
 'warp.dev',
 'webex.com',
 'whatsapp.com',
 'xtom.com',
+ 'xx.fbcdn.net',
 'yubico.com',
 'zoo.dev',
 'zoomgov.com',
@@ -141,10 +172,13 @@ WHERE
 'adoptium.net',
 'arc.net',
 'asana.com',
+ 'awscli.amazonaws.com',
 'balsamiq.com',
 'bearly.ai',
+ 'blyt.net',
 'brave.com',
 'calibre-ebook.com',
+ 'chatgpt.com',
 'cron.com',
 'discord.com',
 'dl.discordapp.net',
@@ -153,40 +187,56 @@ WHERE
 'dygma.com',
 'emacsformacosx.com',
 'epson.com',
+ 'evernote.com',
+ 'fbcdn.net',
 'figma.com',
 'flipperzero.one',
 'getkap.co',
 'github.com',
 'go.dev',
+ 'imazing.com',
 'kittycad.io',
 'krisp.ai',
- 'evernote.com',
+ 'macroplant.com',
 'mail.google.com',
 'manual.canon',
+ 'manytricks.com',
+ 'maxon.net',
 'mimestream.com',
 'mnvoip.mm.fcix.net',
 'mutedeck.com',
 'obdev.at',
- 'awscli.amazonaws.com',
 'obsidian.md',
- 'universal-blue.discourse.group',
 'obsproject.com',
 'opalcamera.com',
+ 'persistent.oaistatic.com',
 'posit.co',
 'presenting.app',
 'proton.me',
 'rancherdesktop.io',
 'rectangleapp.com',
+ 's3.amazonaws.com',
+ 'scribehow.com',
+ 'shottr.cc',
+ 'sipapp.fra1.digitaloceanspaces.com',
+ 'sipapp.io',
+ 'sourceforge.net',
+ 'sourcegraph.com',
 'stclairsoft.s3.amazonaws.com',
 'store.steampowered.com',
+ 'superkey.app',
 'tableplus.com',
 'textexpander.com',
+ 'transmissionbt.com',
 'ubuntu.com',
+ 'ultimaker.com',
+ 'universal-blue.discourse.group',
 'warp-releases.storage.googleapis.com',
 'wavebox.io',
 'www.google.com',
 'www.messenger.com',
 'zed.dev',
+ 'zoo.dev',
 'zoom.us'
 )
 -- Yes, these are meant to be fairly broad.
@@ -206,13 +256,6 @@ WHERE
 AND host NOT LIKE 'software%'
 AND host NOT LIKE 'www.google.%'
 AND host NOT LIKE '%release%.storage.googleapis.com'
- AND NOT (
- host LIKE '%.fbcdn.net'
- AND (
- file.filename LIKE 'Messenger.%.dmg'
- OR file.filename LIKE '%WhatsApp.dmg'
- )
- )
 AND ea.value NOT LIKE 'https://storage.googleapis.com/copilot-mac-releases/%'
 GROUP BY
 ea.value
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 62b1c3b..a93c3ec 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -82,6 +82,7 @@ WHERE
 'build-script-build',
 'chainctl',
 'chezmoi',
+ 'BambuStudio',
 'clang-11',
 'code',
 'Code Helper (Renderer)',
@@ -266,6 +267,7 @@ WHERE
 'bash,0,udevadm,udevadm',
 'bash,500,accounts-daemon,systemd',
 'bash,500,busybox,bwrap',
+ 'bash,500,bwrap,bwrap',
 'bash,500,com.docker.dev-envs,com.docker.backend',
 'bash,500,docker-builder,bash',
 'bash,500,Foxit PDF Reader,launchd',
@@ -278,13 +280,13 @@ WHERE
 'bash,500,plasmashell,systemd',
 'bash,500,Private Internet Access,launchd',
 'bash,500,ruby,zsh',
+ 'bash,500,screen,screen',
 'bash,500,script,bash',
 'bash,500,steam,bash',
 'bash,500,xdg-desktop-portal,systemd',
 'bash,500,xdg-permission-store,systemd',
 'dash,0,anacron,systemd',
 'dash,0,dpkg,apt',
- 'bash,500,bwrap,bwrap',
 'dash,0,dpkg,python3.10',
 'dash,0,kindnetd,containerd-shim-runc-v2',
 'dash,0,kube-proxy,containerd-shim-runc-v2',
@@ -297,6 +299,7 @@ WHERE
 'sh,0,expect,kandji-daemon',
 'sh,500,cloud_sql_proxy,zsh',
 'sh,500,docs,zsh',
+ 'bash,500,gdb,perl',
 'sh,500,Google Drive,launchd',
 'sh,500,LogiTune,launchd',
 'sh,500,Meeting Center,launchd',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 0edd1ff..80ec480 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
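Review bot: Removing the `host LIKE '%.fbcdn.net'` block in the `@@ -206,13 +256,6 @@` hunk, together with the blanket `'fbcdn.net'` and `'xx.fbcdn.net'` entries added to the allow lists earlier in this file, drops the filename scoping (`Messenger.%.dmg`, `%WhatsApp.dmg`) that previously limited the exception to two known installers. fbcdn.net serves user-uploaded content as well as Meta's own installers, so any disk image fetched from that CDN is now exempt from this initial-access check. If the filename clause was removed because the installer names changed, keep the host out of the broad lists and re-add a narrower filename-scoped exception with a comment recording the current names.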
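Review bot: `'bash,500,gdb,perl'` in the `@@ -297,6 +299,7 @@` hunk is placed inside the `sh,...` group while the other `bash,...` keys live earlier in the list (the `@@ -278,13 +280,13 @@` hunk moves `'bash,500,bwrap,bwrap'` out of the `dash,` group for exactly this reason), and `'BambuStudio'` in the `@@ -82,6 +82,7 @@` hunk breaks the alphabetical order of its list. Move both entries to their sorted positions so duplicate keys stay easy to spot on review. Each of these `IN (` lists starts and ends outside its hunk.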
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -68,6 +68,7 @@ WHERE
 'Code - Insiders Helper',
 'Code - Insiders Helper (Renderer)',
 'collect2',
+ 'com.docker.back',
 'configure',
 'conmon',
 'containerd-shim',
@@ -88,6 +89,7 @@ WHERE
 'FinderSyncExtension',
 'fish',
 'flock',
+ 'gopls',
 'gdm-wayland-ses',
 'gephi',
 'git',
@@ -109,6 +111,7 @@ WHERE
 'inittool2',
 'java',
 'jetbrains_client',
+ 'just',
 'kitty',
 'ko',
 'konsole',
@@ -212,6 +215,7 @@ WHERE
 '/usr/sbin/networksetup',
 '/usr/bin/apt-get',
 '/usr/bin/bash',
+ '/usr/bin/perl',
 '/usr/bin/bwrap',
 '/usr/bin/crond',
 '/usr/bin/dash',
@@ -235,6 +239,7 @@ WHERE
 '/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
 '/bin/sh -c system_profiler SPDisplaysDataType | grep "Chipset Model"',
 '/usr/bin/python3 /usr/bin/terminator',
+ 'sh -c echo zoomMute:disabled,zoomVideo:disabled,zoomStatus:closed,zoomShare:disabled,zoomRecord:disabled',
 '/bin/sh -c sysctl hw.model kern.osrelease',
 '/bin/sh /etc/security/audit_warn soft /var/audit',
 'sh -c hugo-installer --version otherDependencies.hugo --extended --destination node_modules/.bin/hugo',
diff --git a/detection/persistence/listening-from-unusual-location.sql b/detection/persistence/listening-from-unusual-location.sql
index 7490110..9db14c5 100644
--- a/detection/persistence/listening-from-unusual-location.sql
+++ b/detection/persistence/listening-from-unusual-location.sql
@@ -75,17 +75,18 @@ WHERE
 p0.name IN (
 'caddy',
 'controller',
- 'docker-proxy',
- 'hugo',
- 'gopls',
- 'limactl',
- 'nuclei',
- 'qemu-system-aarch64',
- 'qemu-system-x86',
 'crane',
+ 'docker-proxy',
+ 'gopls',
+ 'hugo',
 'kubectl',
+ 'limactl',
 'nginx-ingress-c',
 'node',
+ 'nuclei',
+ 'ollama',
+ 'qemu-system-aarch64',
+ 'qemu-system-x86',
 'rootlessport',
 'webhook'
 )
@@ -108,6 +109,8 @@ WHERE
 AND NOT exception_key IN (
 '16620,6,500,psi-bastion',
 '32768,6,500,java',
+ '32768,6,500,Chromium',
+ '32768,6,500,Code Helper (Plugin)',
 '24024,17,500,MTGA',
 '1,1,500,ping'
 )
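Review bot: `'/usr/bin/perl'` in the `@@ -212,6 +215,7 @@` hunk exempts every shell spawned by any Perl program, because the parent path is the interpreter rather than the script that drives it; that is a far broader carve-out than the neighbouring entries, which are mostly single-purpose daemons. The file already has a cmdline-keyed list (see the `@@ -235,6 +239,7 @@` hunk) where the specific Perl-driven command could be listed instead, with a comment naming the tool that needs it. The enclosing `IN (` list starts outside the hunk.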
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 55f56d6..d40de67 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -72,6 +72,9 @@ WHERE
 'archlinux-keyring-wkd-sync.service,Refresh existing keys of archlinux-keyring,',
 'archlinux-keyring-wkd-sync.timer,Refresh existing PGP keys of archlinux-keyring regularly,',
 'atd.service,Deferred execution scheduler,',
+ 'atopacct.service,Atop process accounting daemon,',
+ 'atop-rotate.timer,Daily atop restart,',
+ 'atop.service,Atop advanced performance monitor,',
 'auditd.service,Security Auditing Service,',
 'auditd.service,Security Audit Logging Service,',
 'audit.service,Kernel Auditing,',
@@ -80,6 +83,7 @@ WHERE
 'avahi-daemon.socket,Avahi mDNS/DNS-SD Stack Activation Socket,',
 'backup-rpmdb.timer,Backup of RPM database,',
 'backup-sysconfig.timer,Backup of /etc/sysconfig,',
+ 'bazzite-hardware-setup.service,Configure Bazzite for current hardware,',
 'binfmt-support.service,Enable support for additional executable binary formats,',
 'blk-availability.service,Availability of block devices,',
 'bluetooth.service,Bluetooth service,',
@@ -88,6 +92,7 @@ WHERE
 'brew-update.service,Auto update brew for mutable brew installs,1000',
 'brew-update.timer,Timer for brew update for mutable brew,',
 'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
+ 'btrfs-dedup@var-home.timer,Weekly Btrfs deduplication on /var/home,',
 'ca-certificates.path,Watch for changes in CA certificates,',
 'check-battery.timer,Check if mainboard battery is Ok,',
 'chronyd.service,NTP client/server,',
@@ -146,6 +151,7 @@ WHERE
 'fwupd.service,Firmware update daemon,',
 'gdm.service,GNOME Display Manager,',
 'geoclue.service,Location Lookup Service,geoclue',
+ 'geoipupdate.timer,Weekly GeoIP update,',
 'gitsign.service,Keyless Git signing with Sigstore!,',
 'gnome-remote-desktop.service,GNOME Remote Desktop,gnome-remote-desktop',
 'gssproxy.service,GSSAPI Proxy Daemon,',
@@ -160,6 +166,7 @@ WHERE
 'incus.socket,Incus - Daemon (unix socket),',
 'incus-startup.service,Incus - Startup check,',
 'incus-user.socket,Incus - Daemon (user unix socket),',
+ 'input-remapper.service,Service to inject keycodes without the GUI application,',
 'ir_agent.service,Rapid7 Insight Agent,root',
 'irqbalance.service,irqbalance daemon,',
 'iscsid.socket,Open-iSCSI iscsid Socket,',
@@ -260,6 +267,8 @@ WHERE
 'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,',
 'plymouth-start.service,Show Plymouth Boot Screen,',
 'pmcd.service,Performance Metrics Collector Daemon,',
+ 'podman-auto-update.timer,Podman auto-update timer,',
+ 'podman-restart.service,Podman Start All Containers With Restart Policy Set To Always,',
 'podman.socket,Podman API Socket,',
 'polkit.service,Authorization Manager,',
 'polkit.service,Authorization Manager,polkitd',
@@ -300,13 +309,17 @@ WHERE
 'shadow.timer,Daily verification of password and group files,',
 '-.slice,Root Slice,',
 'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,',
+ 'smartmontools.service,Self Monitoring and Reporting Technology (SMART) Daemon,',
 'snap.canonical-livepatch.canonical-livepatchd.service,Service for snap application canonical-livepatch.canonical-livepatchd,',
+ 'snap.cups.cups-browsed.service,Service for snap application cups.cups-browsed,',
+ 'snap.cups.cupsd.service,Service for snap application cups.cupsd,',
 'snapd.apparmor.service,Load AppArmor profiles managed internally by snapd,',
 'snapd.seeded.service,Wait until snapd is fully seeded,',
 'snapd.service,Snap Daemon,',
 'snapd.socket,Socket activation for snappy daemon,',
 'snap.lxd.daemon.unix.socket,Socket unix for snap application lxd.daemon,',
 'snap.lxd.user-daemon.unix.socket,Socket unix for snap application lxd.user-daemon,',
+ 'snap.multipass.multipassd.service,Service for snap application multipass.multipassd,',
 'snap.yubioath-desktop.pcscd.service,Service for snap application yubioath-desktop.pcscd,',
 'sshd.service,OpenSSH Daemon,',
 'sshd.service,OpenSSH server daemon,',
@@ -501,6 +514,7 @@ WHERE
 OR exception_key LIKE 'systemd-cryptsetup@%.service,Cryptography Setup for %,'
 OR exception_key LIKE 'zfs-snapshot-%.service,zfs-snapshot-%.service,'
 OR exception_key LIKE 'zfs-snapshot-%.timer,zfs-snapshot-%.timer,'
+ OR exception_key LIKE 'snap-aws\x2dcli-%.mount,Mount unit for aws-cli, revision %'
 OR id LIKE ''
 OR id LIKE 'dev-disk-by%.swap'
 OR id LIKE 'dev-mapper-%.swap'
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 5531f32..2048e99 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -243,6 +243,7 @@ WHERE
 'true,,Microsoft Single Sign On,ppnbnpeolgkicgegkbkbjmhlideopiji',
 'true,Moustachauve,Cookie-Editor,hlkenndednhfkekhgcdicdfddnkalmdm',
 'true,,MQTTLens,hemojaaeigabkbcookmlgmdigohjobjm',
+ 'true,,NordVPN - VPN proxy for privacy and security,fjoaledfpmneenckfbpdfhkmimnjocfa',
 'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka',
 'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm',
 'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk',
@@ -318,7 +319,9 @@ WHERE
 'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh',
 'true,,Tag Assistant Legacy (by Google),kejbdjndbnbjgmefkgdddjlbokphdefk',
 'true,,Tampermonkey BETA,gcalenpjmijncebpfijmoaglllgpjagf',
+ 'true,,Tampermonkey,dhdgffkkebhmkfjojejmpbldmpobfkfo',
 'true,Team Octotree,Octotree - GitHub code tree,bkhaagjahfmjljalopjnoealnfndnagc',
+ 'true,,Text Blaze: Templates and Snippets,idgadaccgipmpannjkmfddolnnhmeklj',
 'true,,TextExpander: Keyboard Shortcuts & Templates,mmfhhfjhpadoefoaahomoakamjcfcoil',
 'true,,The Marvellous Suspender,noogafoofpebimajpfpamcfhoaifemoa',
 'true,,The Org for LinkedIn,gnkbmaifcbniminbmbmiabamggncacag',
@@ -358,6 +361,7 @@ WHERE
 'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
 'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
 'true,Yuri Konotopov ,GNOME Shell integration,gphhapmejobijbbhgpjhcjognlahblep',
+ 'true,Zinlab ,Better History,egehpkpgpgooebopjihjmnpejnjafefi',
 'true,,Zoom,hmbjbjdpkobdjplfobhljndfdfdipjhg',
 'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
 'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle',
diff --git a/detection/persistence/unexpected-cron-entries.sql b/detection/persistence/unexpected-cron-entries.sql
index eeab42f..ad8b744 100644
--- a/detection/persistence/unexpected-cron-entries.sql
+++ b/detection/persistence/unexpected-cron-entries.sql
@@ -26,3 +26,5 @@ WHERE
 AND command NOT LIKE 'docker run amouat/jocko%'
 AND command NOT LIKE 'gsutil %'
 AND command NOT LIKE 'root command -v debian-sa1%'
+ AND command NOT LIKE 'root test -x /usr/bin/geoipupdate % && /usr/bin/geoipupdate'
+ AND command NOT LIKe 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'
diff --git a/detection/persistence/unexpected-device-linux.sql b/detection/persistence/unexpected-device-linux.sql
new file mode 100644
index 0000000..36fd7b7
--- /dev/null
+++ b/detection/persistence/unexpected-device-linux.sql
@@ -0,0 +1,270 @@
+-- Finds unexpected device names, sometimes used for communication to a rootkit
+--
+-- references:
+-- * https://attack.mitre.org/techniques/T1014/ (Rootkit)
+--
+-- Confirmed to catch revenge-rtkit
+--
+-- false positives:
+-- * custom kernel modules
+--
+-- tags: persistent filesystem state
+-- platform: linux
+SELECT -- Remove numerals from device names
+ -- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH
+ DISTINCT REPLACE(
+ REPLACE(
+ REPLACE(
+ REPLACE(
+ REPLACE(
+ REPLACE(
+ REPLACE(
+ REPLACE(REPLACE(REPLACE(path, "0", ""), "1", ""), "2", ""),
+ "3",
+ ""
+ ),
+ "4",
+ ""
+ ),
+ "5",
+ ""
+ ),
+ "6",
+ ""
+ ),
+ "7",
+ ""
+ ),
+ "8",
+ ""
+ ),
+ "9",
+ ""
+ ) AS path_expr,
+ file.*
+FROM
+ file
+WHERE
+ (
+ path LIKE '/dev/%'
+ OR directory LIKE '/dev/%'
+ )
+ AND path_expr NOT IN (
+ '/dev/HID-SENSOR-e..auto',
+ '/dev/acpi_thermal_rel',
+ '/dev/autofs',
+ '/dev/block/',
+ '/dev/disk/by-loop-ref',
+ '/dev/disk/by-loop-inode',
+ '/dev/block/:',
+ '/dev/bsg/',
+ '/dev/bsg/:::',
+ '/dev/btrfs-control',
+ '/dev/bus/',
+ '/dev/bus/usb',
+ '/dev/cdrom',
+ '/dev/cec',
+ '/dev/char/',
+ '/dev/char/:',
+ '/dev/console',
+ '/dev/core',
+ '/dev/cpu/',
+ '/dev/cpu/microcode',
+ '/dev/cpu_dma_latency',
+ '/dev/cros_ec',
+ '/dev/cuse',
+ '/dev/disk/',
+ '/dev/disk/by-diskseq',
+ '/dev/disk/by-dname',
+ '/dev/disk/by-id',
+ '/dev/disk/by-label',
+ '/dev/disk/by-partlabel',
+ '/dev/disk/by-partuuid',
+ '/dev/disk/by-path',
+ '/dev/disk/by-uuid',
+ '/dev/dm-',
+ '/dev/dma_heap/',
+ '/dev/dma_heap/system',
+ '/dev/dmmidi',
+ '/dev/dri/',
+ '/dev/dri/by-path',
+ '/dev/dri/card',
+ '/dev/dri/renderD',
+ '/dev/drm_dp_aux',
+ '/dev/dvd',
+ '/dev/ecryptfs',
+ '/dev/fb',
+ '/dev/fd/',
+ '/dev/full',
+ '/dev/fuse',
+ '/dev/gpiochip',
+ '/dev/hidraw',
+ '/dev/hpet',
+ '/dev/hugepages/',
+ '/dev/hugepages/libvirt',
+ '/dev/hvc',
+ '/dev/hwrng',
+ '/dev/ic-',
+ '/dev/iio:device',
+ '/dev/initctl',
+ '/dev/input/',
+ '/dev/input/by-id',
+ '/dev/input/by-path',
+ '/dev/input/event',
+ '/dev/input/js',
+ '/dev/input/mice',
+ '/dev/input/mouse',
+ '/dev/kfd',
+ '/dev/kmsg',
+ '/dev/kvm',
+ '/dev/libmtp--',
+ '/dev/libmtp--.',
+ '/dev/log',
+ '/dev/loop',
+ '/dev/loop-control',
+ '/dev/lp',
+ '/dev/mapper/',
+ '/dev/mapper/control',
+ '/dev/mcelog',
+ '/dev/md',
+ '/dev/md/',
+ '/dev/md/ssdraid',
+ '/dev/md/ssraid',
+ '/dev/media',
+ '/dev/mei',
+ '/dev/mem',
+ '/dev/midi',
+ '/dev/mmcblk',
+ '/dev/mqueue/',
+ '/dev/mtd',
+ '/dev/mtd/',
+ '/dev/mtd/by-name',
+ '/dev/mtdro',
+ '/dev/net/',
+ '/dev/net/tun',
+ '/dev/ngn',
+ '/dev/null',
+ '/dev/nvidia',
+ '/dev/nvidia-caps/',
+ '/dev/nvidia-caps/nvidia-cap',
+ '/dev/nvidia-modeset',
+ '/dev/nvidia-uvm',
+ '/dev/nvidia-uvm-tools',
+ '/dev/nvidiactl',
+ '/dev/nvme',
+ '/dev/nvme-fabrics',
+ '/dev/nvmen',
+ '/dev/nvmenp',
+ '/dev/nvram',
+ '/dev/port',
+ '/dev/ppp',
+ '/dev/pps',
+ '/dev/psaux',
+ '/dev/ptmx',
+ '/dev/ptp',
+ '/dev/pts/',
+ '/dev/pts/ptmx',
+ '/dev/random',
+ '/dev/rfkill',
+ '/dev/rpool/',
+ '/dev/rpool/keystore',
+ '/dev/rtc',
+ '/dev/sda',
+ '/dev/sdb',
+ '/dev/serial/',
+ '/dev/serial/by-id',
+ '/dev/serial/by-path',
+ '/dev/sg',
+ '/dev/sgx_provision',
+ '/dev/sgx_vepc',
+ '/dev/shm/',
+ '/dev/shm/lttng-ust-wait--',
+ '/dev/shm/i-log-',
+ '/dev/shm/jack_db-',
+ '/dev/shm/libpod_lock',
+ '/dev/shm/libpod_rootless_lock_',
+ '/dev/shm/pulse-shm-',
+ '/dev/snapshot',
+ '/dev/snd/',
+ '/dev/snd/by-id',
+ '/dev/snd/by-path',
+ '/dev/snd/controlC',
+ '/dev/snd/hwCD',
+ '/dev/snd/midiCD',
+ '/dev/snd/pcmCDc',
+ '/dev/snd/pcmCDp',
+ '/dev/snd/seq',
+ '/dev/snd/timer',
+ '/dev/sr',
+ '/dev/stderr',
+ '/dev/stdin',
+ '/dev/stdout',
+ '/dev/tpm',
+ '/dev/tpmrm',
+ '/dev/tty',
+ '/dev/ttyACM',
+ '/dev/ttyAMA',
+ '/dev/ttyS',
+ '/dev/ttyUSB',
+ '/dev/ttyprintk',
+ '/dev/ubuntu-vg/',
+ '/dev/udmabuf',
+ '/dev/uhid',
+ '/dev/uinput',
+ '/dev/urandom',
+ '/dev/usb/',
+ '/dev/usb/hiddev',
+ '/dev/usbmon',
+ '/dev/userfaultfd',
+ '/dev/userio',
+ '/dev/vboxdrv',
+ '/dev/vboxdrvu',
+ '/dev/vboxnetctl',
+ '/dev/vboxusb/',
+ '/dev/vcs',
+ '/dev/vcsa',
+ '/dev/vcsu',
+ '/dev/vda',
+ '/dev/vfio/',
+ '/dev/vfio/vfio',
+ '/dev/vg/',
+ '/dev/vg/root',
+ '/dev/vg/swap',
+ '/dev/vga_arbiter',
+ '/dev/vgubuntu/',
+ '/dev/vgubuntu/incus-default',
+ '/dev/vgubuntu/root',
+ '/dev/vgubuntu/swap',
+ '/dev/vgubuntu/swap_',
+ '/dev/vhci',
+ '/dev/vhost-net',
+ '/dev/vhost-vsock',
+ '/dev/video',
+ '/dev/vl/',
+ '/dev/vl/by-id',
+ '/dev/vl/by-path',
+ '/dev/vlloopback',
+ '/dev/vportp',
+ '/dev/vsock',
+ '/dev/watchdog',
+ '/dev/wmi/',
+ '/dev/wmi/dell-smbios',
+ '/dev/wwanat',
+ '/dev/wwanmbim',
+ '/dev/zd',
+ '/dev/zero',
+ '/dev/zfs',
+ '/dev/zram',
+ '/dev/zvol/',
+ '/dev/zvol/rpool'
+ )
+ AND NOT path LIKE '/dev/mapper/%'
+ AND NOT path LIKE '/dev/shm/byobu-%'
+ AND NOT path LIKE '/dev/shm/sem.rpc%'
+ AND NOT path LIKE '/dev/mqueue/us.zoom.aom.%'
+ AND NOT path LIKE '/dev/shm/aomshm.%'
+ AND NOT path LIKE '/dev/shm/sem.mp-%'
+ AND NOT path LIKE '/dev/shm/u%-Shm_%'
+ AND NOT path LIKE '/dev/shm/.com.google.Chrome.%'
+ AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
+ AND NOT path LIKE '/dev/%-vg/%-lv'
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index fed859e..ff8e05f 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -93,6 +93,7 @@ WHERE
 '2380,6,500,etcd',
 '24800,6,500,synergy-core',
 '24802,6,500,synergy-service',
+ '255,255,0,atop',
 '255,255,500,mtr-packet',
 '27036,6,500,steam',
 '27500,6,500,passimd',
@@ -149,6 +150,7 @@ WHERE
 '631,17,115,cups-browsed',
 '631,17,116,cups-browsed',
 '631,17,121,cups-browsed',
+ '631,17,132,cups-browsed',
 '631,17,133,cups-browsed',
 '6379,6,500,redis-server',
 '6443,6,0,kube-apiserver',
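Review bot: The digit-stripping `REPLACE` chain in the SELECT list quotes its string arguments with double quotes (`"0"`, `""`), which standard SQL reads as identifiers and which only work here because SQLite falls back to a string literal when no column of that name exists; the rest of the new file uses single quotes. Writing each pair with single quotes, e.g. `REPLACE(REPLACE(REPLACE(path, '0', ''), '1', ''), '2', ''),`, removes that dependency and matches the `NOT IN` list below. The header should also record the consequence of the normalization, since every digit is folded before the comparison: a line near the SELECT such as `-- Digits are stripped before matching, so a name that differs from an allowlisted entry only by digits is excluded too` tells the reader what the list cannot catch. Separately, `'/dev/mapper/control'` in the `NOT IN` list is already covered by `AND NOT path LIKE '/dev/mapper/%'` at the end and can be dropped.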
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 6ddd16f..2f34f57 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -54,6 +54,7 @@ WHERE
 AND NOT exception_key IN (
 '10011,6,0,launchd,Software Signing',
 '10011,6,0,webfilterproxyd,Software Signing',
+ '49152,6,500,Capture One,Developer ID Application: Capture One A/S (5WTDB5F65L)',
 '1024,6,0,systemmigrationd,Software Signing',
 '10250,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
 '111,17,1,rpcbind,Software Signing',
@@ -125,6 +126,7 @@ WHERE
 '49152,6,500,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8)',
 '49152,6,500,EcammLiveRemoteXPCServer,Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
 '49152,6,500,GarageBand,Apple Mac OS Application Signing',
+ '49152,6,500,HP Smart,Apple Mac OS Application Signing',
 '49152,6,500,git-daemon,',
 '49152,6,500,idea,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
 '49152,6,500,IPNExtension,Apple Mac OS Application Signing',
@@ -137,6 +139,7 @@ WHERE
 '49152,6,500,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K)',
 '49152,6,500,Music,Software Signing',
 '49152,6,500,node,',
+ '49152,6,500,HP Smart,Apple Mac OS Application Signing',
 '49152,6,500,qemu-system-aarch64,',
 '49152,6,500,rapportd,Software Signing',
 '49152,6,500,Resolve,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
diff --git a/detection/persistence/unexpected-systemctl-calls-linux.sql b/detection/persistence/unexpected-systemctl-calls-linux.sql
index a861692..f7c1eb7 100644
--- a/detection/persistence/unexpected-systemctl-calls-linux.sql
+++ b/detection/persistence/unexpected-systemctl-calls-linux.sql
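Review bot: `'49152,6,500,HP Smart,Apple Mac OS Application Signing'` is added twice, once in the `@@ -125` hunk and again in the `@@ -137` hunk, so one of the two lines is redundant and should be dropped (the list reads as alphabetical by program name, which places it after `GarageBand`). The Capture One entry in the `@@ -54` hunk is likewise inserted between the `10011` and `1024` keys rather than alongside the other `49152` entries; keeping the sort order is what makes duplicates like this one visible at review time. The `NOT exception_key IN (` list continues outside these hunks.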
@@ -3,7 +3,7 @@
 -- refs:
 -- * https://attack.mitre.org/techniques/T1543/002/ (Create or Modify System Process: Systemd Service)
 --
--- tags: transient process state often
+-- tags: transient process events extra
 -- platform: linux
 -- interval: 300
 SELECT -- Child
@@ -77,6 +77,7 @@ WHERE
 'systemctl,0,kubeadm,containerd-shim-runc-v2',
 'systemctl,0,pacman,pacman',
 'systemctl,0,pacman,sudo',
+ 'systemctl,500,snap,update-notifier',
 'systemctl,0,snapd,systemd',
 'systemctl,0,tailscaled,',
 'systemctl,500,strace,bash',
@@ -95,6 +96,8 @@ WHERE
 '/bin/systemctl -q is-enabled whoopsie.path',
 '/bin/systemctl --quiet is-enabled whoopsie.path',
 '/bin/systemctl stop --no-block nvidia-persistenced',
+ '/usr/bin/systemctl is-system-running',
+ 'systemctl is-system-running',
 '/sbin/runlevel',
 'systemctl is-active systemd-resolved.service',
 'systemctl is-enabled power-profiles-daemon.service',
@@ -116,7 +119,8 @@ WHERE
 'systemctl --system daemon-reexec',
 'systemctl --user import-environment DISPLAY XAUTHORITY',
 '/usr/bin/systemctl try-reload-or-restart dbus',
- '/usr/bin/systemctl --user is-active slack'
+ '/usr/bin/systemctl --user is-active slack',
+ 'systemctl --user is-active slack'
 ) -- apt-helper form
 AND NOT p0_cmd LIKE '%systemctl is-active -q %.service'
 AND NOT p0_cmd LIKE '%systemctl show --property=%'
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index ce5a8b5..b6492f6 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -83,8 +83,11 @@ WHERE
 'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
 'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
 'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
+ 'atop,/usr/bin/atop,0,system.slice,atop.service,0755',
+ 'input-remapper-,/usr/bin/python3.12,0,system.slice,input-remapper.service,0755',
 'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
 'Xorg,/usr/lib/xorg/Xorg,0,system.slice,sddm.service,0755',
+ 'multipassd,/snap/multipass/__VERSION__/bin/multipassd,0,system.slice,snap.multipass.multipassd.service,0755',
 'abrt-dump-journ,/usr/bin/abrt-dump-journal-core,0,system.slice,abrt-journal-core.service,0755',
 'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
 'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
@@ -93,6 +96,7 @@ WHERE
 'accounts-daemon,/usr/lib/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
 'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
 'acpid,/usr/sbin/acpid,0,system.slice,acpid.service,0755',
+ 'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755',
 'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
 'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755',
 'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
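Review bot: `'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755'` is inserted here in the `@@ -93` hunk and again in the `@@ -104` hunk of the same file, so one copy is redundant. The new `atop` and `input-remapper-` keys are also placed between the `Xorg` entries and `run-cups-browse` between `acpid` and `agetty`, while the surrounding list is alphabetical by its first field; keeping that order is what makes a duplicate like this one visible at review time. Two of the new keys exempt a bare interpreter (`/usr/bin/python3.12`, `/usr/bin/dash`) running as uid 0, which is only as narrow as the service-name field of the key, so a short comment naming the package that ships each unit would help the next reader judge whether the exception is still wanted. The IN list these hunks extend begins outside the visible hunks.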
@@ -104,7 +108,9 @@ WHERE
 'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
 'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
 'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
+ 'atopacctd,/usr/sbin/atopacctd,0,system.slice,atopacct.service,0755',
 'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
+ 'run-cups-browse,/usr/bin/dash,0,system.slice,snap.cups.cups-browsed.service,0755',
 'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
 'blueman-mechanism.service,Bluetooth management mechanism,,200',
 'bluetoothd,/usr/lib/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
@@ -308,6 +314,8 @@ WHERE
 'unattended-upgr,/usr/bin/python3.12,0,system.slice,unattended-upgrades.service,0755',
 'unattended-upgr,/usr/bin/python3.9,0,system.slice,unattended-upgrades.service,0755',
 'unattended-upgr,/usr/bin/python__VERSION__,0,system.slice,unattended-upgrades.service,0755',
+ 'flock,/usr/bin/flock,0,system.slice,system-btrfs\x2ddedup.slice,0755',
+ 'sleep,/usr/bin/sleep,0,system.slice,system-btrfs\x2ddedup.slice,0755',
 'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
 'upowerd,/usr/libexec/upowerd,0,system.slice,upower.service,0755',
 'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index 42a1c5b..610b53e 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
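Review bot: The two `system-btrfs\x2ddedup.slice` keys in the `@@ -308` hunk carry a backslash sequence inside a single-quoted SQL string; SQLite does not interpret backslash escapes, so the four characters `\x2d` are compared literally, which is presumably intended because systemd writes a `-` inside a unit name in exactly that escaped form. Without a comment the next reader is likely to "fix" it to a plain hyphen and silently break the match, so add above the first of the two lines: `-- systemd escapes '-' within unit names as \x2d; SQLite keeps the backslash literal, so this matches the escaped slice name as reported`. Whether the column in this query reports the escaped or the unescaped form is not visible in the hunk and should be confirmed on a host that has the slice. The IN list these hunks extend begins outside the visible hunks.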
@@ -62,6 +62,7 @@ WHERE -- Focus on longer-running programs
 '/Applications/Opal.app/Contents/Library/LaunchServices/com.opalcamera.cameraExtensionShim',
 '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service.app/Contents/MacOS/prl_disp_service',
 '/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd',
+ '/Applications/WiFiman Desktop.app/Contents/service/wifiman-desktopd',
 '/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
 '/bin/bash',
 '/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect',
@@ -317,6 +318,7 @@ WHERE -- Focus on longer-running programs
 'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
 'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
 'Developer ID Application: Foxit Corporation (8GN47HTP75)',
+ 'Developer ID Application: SURFSHARK LTD (YHUG37CKN8)',
 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
 'Developer ID Application: Google LLC (EQHXZ8M8AV)',
 'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
diff --git a/detection/privesc/unexpected-setxid-process.sql b/detection/privesc/unexpected-setxid-process.sql
index 707fde8..308ae00 100644
--- a/detection/privesc/unexpected-setxid-process.sql
+++ b/detection/privesc/unexpected-setxid-process.sql
@@ -39,6 +39,7 @@ WHERE
 '/usr/bin/crontab',
 '/usr/bin/fusermount',
 '/usr/bin/fusermount3',
+ '/usr/bin/schroot',
 '/usr/bin/keybase-redirector',
 '/usr/bin/login',
 '/usr/bin/mount',
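Review bot: `'Developer ID Application: SURFSHARK LTD (YHUG37CKN8)'` is inserted between the Foxit and Fumihiko entries of a list that is otherwise alphabetical by signing authority, and the WiFiman path in the `@@ -62` hunk and `'/usr/bin/schroot'` in the setxid hunk below are placed before `VMware Fusion` and `keybase-redirector` in the same way. Putting each new entry in sort order keeps these exception lists greppable and makes accidental duplicates visible at review time. The lists in all three hunks begin and end outside the visible hunks.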