fpr: psi, arduino, bitdefender, keybase, cody, etc

Thomas Stromberg 2024-01-22 10:36:01 -05:00
parent 54fc45e787
commit 5d31e8da5f
22 changed files with 104 additions and 67 deletions


@ -79,6 +79,7 @@ WHERE
'ZaloCall,8.8.8.8,53',
'Telegram,8.8.8.8,53',
'com.docker.vpnkit,8.8.8.8,53',
'WebexHelper,8.8.8.8,53',
'Meeting Center,8.8.8.8,53',
'nuclei,1.0.0.1,53',
'limactl,8.8.8.8,53',


@ -107,78 +107,24 @@ WHERE
)
AND NOT exception_key IN (
'0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
'0,EdgeUpdater,EdgeUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.EdgeUpdater',
'0,Install,Install,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Install',
'0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
'0,com.fortinet.forticlient.macos.vpn.nwextension,com.fortinet.forticlient.macos.vpn.nwextension,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),com.fortinet.forticlient.macos.vpn.nwextension',
'0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'0,elastic-agent,elastic-agent,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.elastic-agent',
'0,elastic-endpoint,elastic-endpoint,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.endpoint',
'0,filebeat,filebeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),filebeat',
'0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),ir_agent',
'0,kandji-daemon,kandji-daemon,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-daemon',
'0,kandji-library-manager,kandji-library-manager,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-library-manager',
'0,kandji-parameter-agent,kandji-parameter-agent,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-parameter-agent',
'0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
'0,logioptionsplus_installer,logioptionsplus_installer,Developer ID Application: Logitech Inc. (QED4VVPZWA),com.logi.optionsplus.installer',
'0,metricbeat,metricbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),metricbeat',
'0,multipassd,multipassd,Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.multipassd',
'0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U),nessusd',
'500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
'500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
'500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642),Ecamm Live Stream Deck Plugin',
'500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
'500,Elgato Capture Device Utility,Elgato Capture Device Utility,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.CaptureDeviceUtility',
'500,Fleet,~/Library/Caches/JetBrains/Fleet',
'500,GitX,GitX,Developer ID Application: Farhan Ahmed (4RZN52RN5P),net.phere.GitX',
'500,Google Chrome Helper,Google Chrome Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
'500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer',
'500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
'500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
'500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
'500,OneDriveStandaloneUpdater,OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.OneDriveStandaloneUpdater',
'500,PSI Bridge Secure Browser Helper,PSI Bridge Secure Browser Helper,Developer ID Application: PSI Services LLC (73AT498HPV),com.psiexams.psi-bridge-secure-browser.helper',
'500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
'500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop',
'500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
'500,ZwiftAppSilicon,ZwiftAppSilicon,Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon',
'500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
'500,Reflect Helper,Reflect Helper,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
'500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
'500,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
'500,Slack Helper,Slack Helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
'500,Slack,Slack,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap',
'500,SteelSeriesEngine,SteelSeriesEngine,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesEngine',
'500,SteelSeriesGG,SteelSeriesGG,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesGG',
'500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),TwitchStudioStreamDeck',
'500,bash,bash,,bash',
'500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),bootstrap',
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
'500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
'500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
'500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
'0,com.bitdefender.cst.net.dci.dci-network-extension,com.bitdefender.cst.net.dci.dci-network-extension,Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
'500,melange,melange,,a.out',
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64',
'500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
'500,old,old,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN),dev.warp.Warp-Stable',
'500,op,op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C),com.1password.op',
'500,plugin_host-3.3,plugin_host-3.3,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4),plugin_host-3',
'500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
'500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
'500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
'500,syncthing,syncthing,,syncthing',
'500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform',
'500,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos'
'500,syncthing,syncthing,,syncthing'
)
AND NOT exception_key LIKE '500,tor-%-darwin-brave-%,tor-%-darwin-brave-%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),tor-%-darwin-brave-%'
AND NOT alt_exception_key IN (
'0,velociraptor,velociraptor,0u,0g',
'0,velociraptor,velociraptor,0u,80g',
@ -219,6 +165,41 @@ WHERE
'500,vim,vim,0u,500g',
'500,wolfictl,wolfictl,500u,20g'
)
AND NOT s.authority IN (
'Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: AgileBits Inc. (2BUA8C4S2C)',
'Developer ID Application: Bitdefender SRL (GUNFMW623Y)',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: Farhan Ahmed (4RZN52RN5P)',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Michael Schreiber (G966ML7VBG)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: PSI Services LLC (73AT498HPV)',
'Developer ID Application: Panic, Inc. (VE8FC488U5)',
'Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'Developer ID Application: Reflect App, LLC (789ULN5MZB)',
'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'Developer ID Application: Spotify (2FNC3A47ZF)',
'Developer ID Application: SteelSeries (6WGL6CHFH2)',
'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'Developer ID Application: Tailscale Inc. (W5364U7YZB)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'Developer ID Application: Valve Corporation (MXGJJ98X76)',
'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
'Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
)
AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
AND NOT alt_exception_key LIKE '500,plugin_host-%,plugin_host-%,500u,20g'
AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
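Review bot: The `us.zoom.xos` entry has no trailing comma before the second `'500,syncthing,syncthing,,syncthing'` entry that follows it, and that entry duplicates the one a few lines earlier; if both lines survive on the new side the IN list is either a syntax error or, on an engine that concatenates adjacent literals, one malformed key, so drop the duplicate or end the zoom line with `,`. The new `AND NOT s.authority IN (...)` block replaces per-binary exception keys with wholesale trust in 33 Developer IDs, so every binary those identities sign is now exempt regardless of name or identifier; that trade-off deserves a comment above the list, e.g. `-- Any binary signed by these Developer IDs is exempt from this rule; review alongside the exception_key list`. If `s` comes from an outer join, a NULL authority makes `NOT s.authority IN (...)` evaluate to NULL and the row is silently dropped, so `AND NOT COALESCE(s.authority, '') IN (` keeps unsigned or unresolved binaries in scope. The enclosing WHERE clause starts before this hunk.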


@ -233,19 +233,37 @@ WHERE
'500,500,443,grype',
'500,500,443,istioctl',
'500,500,443,ksfetch',
'500,0,80,slack',
'500,500,443,kubectl',
'500,500,443,minikube',
'500,500,443,node',
'500,500,443,wolfibump',
'500,500,443,old',
'500,500,443,sublime_text',
'500,500,32768,DropboxMacUpdate',
'500,500,53,Google Chrome Helper',
'500,500,443,syft',
'500,500,443,webexmtaV2',
'500,500,20480,Google Chrome Helper',
'500,99,32768,Slack Helper',
'500,99,13568,Slack Helper',
'500,500,443,wolfictl',
'500,500,53,Code Helper',
'500,0,80,ir_agent',
'500,500,3307,cloud_sql_proxy',
'500,0,443,com.adguard.mac.adguard.network-extension',
'500,0,32768,com.adguard.mac.adguard.network-extension',
'500,500,53,Meeting Center',
'500,500,53,gitsign',
'500,0,443,BDCoreIssues',
'500,0,32768,Authy',
'500,0,443,BDLDaemon',
'500,0,443,Python',
'500,0,443,filebeat',
'500,500,80,Code Helper (Plugin)',
'500,500,80,Code Helper',
'500,500,80,Google Chrome Helper',
'500,0,443,rapid7_endpoint_broker',
'500,500,80,GoogleUpdater',
'500,500,80,cloud_sql_proxy',
'500,500,80,copilot-agent-macos-arm64',
@ -256,14 +274,18 @@ WHERE
'500,99,443,Slack'
)
AND NOT exception_key LIKE '500,500,443,terraform%'
AND NOT exception_key LIKE '500,500,80,terraform%'
AND NOT exception_key LIKE '500,0,%,syncthing'
AND NOT exception_key LIKE '500,0,%,chrome'
AND NOT exception_key LIKE '500,500,443,___%_%'
AND NOT exception_key LIKE '500,500,%,chrome'
AND NOT exception_key LIKE '500,500,%,Google Chrome Helper'
AND NOT exception_key LIKE '500,500,443,kubectl.%'
AND NOT p0_path LIKE '/Users/%/code/%'
AND NOT p0_path LIKE '/Users/%/go/%'
AND NOT p0_path LIKE '/Users/%/src/%'
AND NOT p0_path LIKE '/Users/%/Library/Caches/JetBrains/GoLand%'
AND NOT p0_path LIKE '/Users/%/dev/%'
AND NOT p0_path LIKE '/System/%'
AND NOT p0_path LIKE '/private/var/folders/%/T/AppTranslocation/%/%.app/Contents/MacOS/%'
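Review bot: `AND NOT exception_key LIKE '500,500,443,___%_%'` exempts every key with that prefix whose trailing name is four or more characters, because `_` is a single-character wildcard in LIKE rather than a literal underscore; that makes the neighbouring `'500,500,443,grype'`-style entries redundant and blinds the rule for that uid/port combination. If the intent is names with a literal `___` prefix, like the `___Test%.test` pattern used elsewhere in this commit, write `AND NOT exception_key LIKE '500,500,443,\_\_\_%' ESCAPE '\'`. The line may predate this commit, but it sits inside the changed hunk and is worth fixing with it. The enclosing WHERE clause starts before this hunk.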


@ -131,6 +131,7 @@ WHERE
'500,6,22,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
'500,6,8080,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
'500,6,22,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
'500,6,4317,flyctl,flyctl,,a.out',
'500,6,2869,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'500,6,32000,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
'500,6,32400,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
@ -241,6 +242,8 @@ WHERE
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
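Review bot: `'500,6,4317,flyctl,flyctl,,a.out'`, which appears to be the line added in the first hunk, has an empty authority and the generic `a.out` identifier, so the exception rests on a process name alone, which any unsigned binary can present; where the tool has a stable install path, pin it with a path predicate instead of, or in addition to, the name. The Bitdefender and Google One lines in the second hunk are inserted between the Microsoft entries, breaking the authority ordering the rest of that list follows; the same ordering slip appears in the Elasticsearch, nvim, kandji-library-manager/BDLDaemon, arduino-cli and Bitdefender insertions further down this commit, and keeping those lists sorted makes duplicates easy to spot in review. The enclosing WHERE clause and both lists start outside the hunks.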


@ -198,4 +198,5 @@ WHERE
AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
AND p0.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'
AND NOT p0.cmdline LIKE '%/lib/gcloud.py components update'
AND NOT p0.cmdline LIKE '%/gsutil %rsync%'
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'


@ -83,7 +83,9 @@ WHERE
'/dev/auditsessions,authd,Software Signing,com.apple.authd',
'/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
'/dev/autofs,automountd,Software Signing,com.apple.automountd',
'/dev/bpf,BDLDaemon,Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.epsecurity.BDLDaemonApp',
'/dev/bpf,airportd,Software Signing,com.apple.airport.airportd',
'/dev/bpf,core,Developer ID Application: TPZ Solucoes Digitais Ltda (X37R283V2T),com.topaz.warsaw.core',
'/dev/console,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
'/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd',
'/dev/console,launchd,Software Signing,com.apple.xpc.launchd',
@ -114,7 +116,7 @@ WHERE
'/dev/macfuse,gcsfuse,,a.out',
'/dev/macfuse,rclone,,a.out',
'/dev/oslog,logd,Software Signing,com.apple.logd',
'/dev/bpf,BDLDaemon,Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.epsecurity.BDLDaemonApp',
'/dev/shm,python3',
'/dev/tty.usbmodem21430,Bazecor Helper (Renderer),,',
'/dev/xcpm,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
'/dev/xcpm,systemstats,Software Signing,com.apple.systemstats',


@ -104,8 +104,10 @@ WHERE
'dirhelper,/private/var/folders',
'Electron,~/.vscode/extensions',
'fish,~/.local/share',
'clangd,/private/var/folders',
'rustc,/home/build/.cargo',
'fish,~/.Trash',
'arduino-language-server,/private/var/folders',
'Arduino IDE Helper,/private/var/folders',
'git,~/.local/share',
'fileproviderd,~/Library/Mobile Documents',


@ -65,7 +65,9 @@ WHERE
AND NOT f.directory LIKE '%/.tflint.d/%'
AND NOT f.directory LIKE '%/.vs-kubernetes/%'
AND NOT f.directory LIKE '%/.vscode/extensions/%'
AND NOT f.directory LIKE '/Users/%/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
AND NOT f.directory LIKE '%/.vscode-insiders/extensions/%'
AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
AND NOT f.path LIKE '/home/%/.config/bluejeans-v2/BluejeansHelper'
AND NOT f.path LIKE '/nix/store/%/%-wrapped'
AND NOT (
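Review bot: `AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'` starts with `%`, so it matches that suffix under any prefix rather than only the real install location, unlike the `.dotnet` exception just above it, which is anchored at `/Users/%/Library/...`; anchoring it as `LIKE '/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'` keeps the exception to the path it is meant for. If the app can also be installed per user, add a second anchored pattern under `/Users/%/Applications/` rather than widening this one. The enclosing WHERE clause continues outside the hunk.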


@ -51,6 +51,7 @@ WHERE
',,/Applications/Google%20Chrome.app/,',
',,/Applications/IntelliJ%20IDEA.app/,',
',,/Applications/ProtonMail%20Bridge.app/,',
',,/usr/local/sbin/iodined,501',
',,/Applications/Visual%20Studio%20Code.app/,',
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
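Review bot: `',,/usr/local/sbin/iodined,501'` exempts a DNS-tunnelling daemon by path alone, with both signer fields empty, so a reader cannot tell whether this is a deliberate fixture on the author's hosts or a gap in the rule; a comment above the entry stating why it is expected, e.g. `-- iodined: <reason it is expected on these hosts>`, would make the exception reviewable. The line is also inserted between the ProtonMail and Visual Studio Code entries, breaking the list's ordering. The enclosing list and WHERE clause start outside the hunk.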


@ -67,6 +67,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
OR file.path LIKE '/tmp/GoLand/___Test%.test'
OR file.path LIKE '%/git/%'
OR file.path LIKE '%/github/%'
OR file.path LIKE '%/elastic-agent-%'
OR file.path LIKE '%/go.%.sum'
OR file.path LIKE "%/%/gradlew"
OR file.path LIKE '%/guile-%/guile-%'
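Review bot: `OR file.path LIKE "%/%/gradlew"` uses double quotes for a string literal while every neighbouring pattern uses single quotes; SQLite, which osquery appears to use here, only treats a double-quoted token as a string when it fails to resolve as an identifier, a legacy behaviour that can be compiled out, so the pattern should be `OR file.path LIKE '%/%/gradlew'`. The same applies to `"%.com.flexibits.fantastical2.mac.helper"` and `"Software Signing"` in the pname hunk and to `"169.254.169.254"` and `"/usr/local/qualys/cloud-agent/bin/qualys-scan-util"` in the metadata-address hunk further down. These lines may predate the commit, but they sit inside the changed hunks. The enclosing WHERE clause starts before this hunk.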


@ -163,26 +163,27 @@ WHERE
'~/.zsh_snap/zsh-snap'
)
AND NOT top2_homedir IN (
'/Users/Shared/LGHUB/cache',
'/Users/Shared/LogiOptionsPlus/cache',
'/Users/Shared/Red Giant/Uninstall',
'~/.antigen',
'~/.fzf/test',
'~/.iterm2',
'~/.magefile',
'~/.nvm',
'~/.revox/updates',
'~/.terraform.d',
'~/.terraform.versions',
'~/Library/Application Support',
'~/Library/Caches',
'~/Library/helm',
'~/Library/pnpm',
'~/Library/Printers',
'~/Library/Python',
'~/Library/QuickLook',
'~/Library/Screen Savers',
'~/Library/Services',
'~/Library/Thunderbird',
'~/.fzf/test',
'~/.revox/updates',
'~/.magefile',
'~/.nvm',
'~/.terraform.d',
'~/.terraform.versions',
'/Users/Shared/LGHUB/cache',
'/Users/Shared/LogiOptionsPlus/cache',
'/Users/Shared/Red Giant/Uninstall'
'~/Library/helm',
'~/Library/pnpm'
)
AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'


@ -101,6 +101,7 @@ WHERE
)
AND NOT pname LIKE '.%-wrapped'
AND NOT pname LIKE 'cody-engine-%'
AND NOT pname LIKE '__%go_build_%'
-- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
AND NOT s.authority = "Software Signing"


@ -198,6 +198,7 @@ WHERE
AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'
AND NOT p0_cmd LIKE 'rm -f /tmp/insttmp_%'
AND NOT p0_cmd LIKE '%nc localhost%'
AND NOT p0_cmd LIKE '%nc -vz localhost%'
AND NOT p0_cmd LIKE '/bin/cp %history%sessions/%'
AND NOT p0_cmd LIKE '%ssh %/lima/%'
AND NOT p0_cmd LIKE 'touch -r /tmp/KSInstallAction.%'
@ -206,6 +207,7 @@ WHERE
AND NOT p0_name IN ('cc1', 'compile', 'yara')
AND NOT exception_key IN (
'dd,500,zsh,login',
'bash,500,idea,launchd',
'yara,500,bash,fish',
'ssh,500,limactl.ventura,launchd',
'git,500,zsh,login',
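Review bot: `AND NOT p0_cmd LIKE '%nc -vz localhost%'`, like the existing `'%nc localhost%'` above it, has no boundary before `nc`, so any command whose token ends in `nc` followed by ` localhost` also matches (`rsync localhost`, for example); anchoring on a separator, `'% nc -vz localhost%'` or `'%/nc -vz localhost%'`, keeps the exception to netcat invocations. The enclosing WHERE clause and the exception_key list continue outside the hunks.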


@ -160,3 +160,5 @@ WHERE
addr = "169.254.169.254"
AND p2.path = "/usr/local/qualys/cloud-agent/bin/qualys-scan-util"
)
-- Elastic Agent
AND NOT p0.path LIKE '/Library/Elastic/Agent/%'
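Review bot: `AND NOT p0.path LIKE '/Library/Elastic/Agent/%'` exempts every process under that directory from the metadata-address check by path alone; if the signature table is joined in this query, pairing the path with the signer, `AND NOT (p0.path LIKE '/Library/Elastic/Agent/%' AND s.authority = 'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)')`, keeps an unsigned file placed there from inheriting the exception. The `-- Elastic Agent` comment would be more useful as `-- Elastic Agent: <why it reaches the metadata address>` so the exception can be re-evaluated later. The enclosing WHERE clause starts before this hunk.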


@ -159,6 +159,7 @@ WHERE
'/opt/Elastic/Endpoint',
'/Library/Elastic/Agent',
'/opt/homebrew/Library',
'/private/tmp/golangci-lint',
'/private/var/kolide-k2',
'/usr/libexec/AssetCache',
'/usr/libexec/rosetta',
@ -308,6 +309,7 @@ WHERE
AND dir NOT LIKE '~/%repo%' -- When running code as root
AND dir NOT LIKE '~/%sigstore%'
AND dir NOT LIKE '%/.terraform/providers/%'
AND dir NOT LIKE '~/Library/Arduino%/packages/%'
AND dir NOT LIKE '/Volumes/com.getdropbox.dropbox-%' -- These signers can run from wherever the hell they want.
AND s.identifier != 'org.sparkle-project.Sparkle.Autoupdate'
AND s.authority NOT IN (
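Review bot: `'/private/tmp/golangci-lint'` adds a directory under world-writable `/private/tmp` to a list whose other visible entries (`/opt/Elastic/Endpoint`, `/usr/libexec/rosetta`) are root-owned install locations, so anything any local user drops at that path inherits the exception; if only one tool creates it, pairing the directory with the expected process name or signer would be narrower than the bare directory match. In the second hunk, `dir NOT LIKE '~/Library/Arduino%/packages/%'` accepts any directory whose name starts with `Arduino`; if only one versioned directory is in use, naming it keeps the exception tight. The enclosing WHERE clause starts outside the hunks.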


@ -80,6 +80,7 @@ WHERE
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',


@ -80,6 +80,7 @@ WHERE
AND exception_key NOT IN (
'0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,nix,nix,',
'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
@ -145,6 +146,7 @@ WHERE
'500,cosign,a.out,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,crane,a.out,',
'500,nvim,,',
'500,debug.test,a.out,',
'500,dive,a.out,',
'500,dlv,a.out,',
@ -218,6 +220,7 @@ WHERE
AND p0.path LIKE '/Users/%/go/bin/%'
)
AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,'
AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,'
AND NOT exception_key LIKE '500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,'
AND NOT exception_key LIKE '500,___Test%.test,a.out,'
AND NOT exception_key LIKE '500,zellij,zellij%,'
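Review bot: `'500,nvim,,'` exempts uid-500 processes named nvim with an empty identifier and empty authority, so the key rests on the process name alone, which any unsigned binary can satisfy; pin it with a path predicate, as the `p0.path LIKE '/Users/%/go/bin/%'` clause above already does for Go binaries. `AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,'` puts `%` in the identifier field as well, so any identifier is accepted for that name; if the Cody binary is unsigned, an empty field there is the more honest value. The enclosing WHERE clause and the exception_key list start outside the hunks.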


@ -117,6 +117,7 @@ WHERE
'spotify',
'steam',
'systemd',
'kandji-library-manager',
'terraform',
'terraform-ls',
'terraform-provider-apko',
@ -130,6 +131,7 @@ WHERE
'ZwiftAppSilicon',
'ykman-gui',
'yum',
'BDLDaemon',
'zsh'
)
AND NOT p0.path IN (


@ -75,6 +75,10 @@ WHERE
AND p0.path NOT LIKE '%rootlesskit%'
AND p0.path NOT LIKE '/opt/homebrew/%'
AND p0.path NOT LIKE '/private/var/folders/%/T/go-build%'
AND p0.path NOT IN (
'/Applications/Keybase.app/Contents/SharedSupport/bin/updater',
'/Applications/Keybase.app/Contents/SharedSupport/bin/kbfs'
)
AND p0.name NOT IN (
'buildkit',
'buildkitd',


@ -59,6 +59,7 @@ WHERE
'bash',
'buildkit-runc',
'build-script-build',
'arduino-cli',
'chezmoi',
'clang-11',
'code',


@ -94,4 +94,5 @@ WHERE
'/Applications/Keybase.app/Contents/SharedSupport/bin',
'/opt/docker-desktop/bin'
)
AND NOT exception_key IN ('16620,6,500,psi-bastion')
AND NOT p0.path LIKE '/nix/store/%'
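Review bot: `AND NOT exception_key IN ('16620,6,500,psi-bastion')` introduces a key whose fields are not explained anywhere in the hunk; a one-line comment naming them, e.g. `-- psi-bastion: <port>,<protocol>,<uid>,<name> (confirm against the exception_key definition)`, would make the exception reviewable, and a single-value list reads more directly as `AND NOT exception_key = '16620,6,500,psi-bastion'`. The enclosing WHERE clause starts outside the hunk.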


@ -301,6 +301,7 @@ WHERE -- Focus on longer-running programs
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
'Developer ID Application: Bitdefender SRL (GUNFMW623Y)',
'Developer ID Application: Mullvad VPN AB (CKG9MXH72F)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',