From 92f2ce8f95b78f2e95d39ec44d4ae5c832463495 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Fri, 13 Jan 2023 12:33:19 -0500 Subject: [PATCH] new detector: unexpected security framework program --- ...ected-security-framework-program-macos.sql | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 detection/execution/unexpected-security-framework-program-macos.sql diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql new file mode 100644 index 0000000..5ed7595 --- /dev/null +++ b/detection/execution/unexpected-security-framework-program-macos.sql @@ -0,0 +1,65 @@ +-- Find programs that use the Security Framework on macOS - popular among malware authors +-- +-- platform: posix +-- tags: persistent state process +SELECT + pmm.pid, + pmm.path AS lib_path, + p.path, + p.name, + p.cmdline, + p.cwd, + p.euid, + p.parent, + pp.path AS parent_path, + pp.name AS parent_name, + pp.cmdline AS parent_cmdline, + pp.cwd AS parent_cwd, + pp.euid AS parent_euid, + hash.sha256 AS child_sha256, + phash.sha256 AS parent_sha256, + CONCAT ( + MIN(p.euid, 500), + ',', + p.name, + ',', + s.identifier, + ',', + s.authority + ) AS exception_key +FROM + processes p + LEFT JOIN process_memory_map pmm ON p.pid = pmm.pid + LEFT JOIN processes pp ON p.parent = pp.pid + LEFT JOIN hash ON p.path = hash.path + LEFT JOIN hash AS phash ON pp.path = phash.path + LEFT JOIN signature s ON p.path = s.path +WHERE + lib_path LIKE '%Security.framework%' + AND p.path NOT LIKE '/opt/homebrew/Cellar/%' + AND exception_key NOT IN ( + '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', + '500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing', + '500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing', + '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing', + '500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing', + '500,esbuild,a.out,', + '500,fake,a.out,', + '500,gitsign-credential-cache,a.out,', + '500,gopls,a.out,', + '500,lua-language-server,lua-language-server,', + '500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing', + '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,', + '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing', + '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + '500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + '500,terraform-provider-google-beta_v4.48.0_x5,a.out,', + '500,terraform-provider-google_v4.48.0_x5,a.out,', + '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing', + '500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing', + '500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing', + '500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing' + ) +GROUP BY + pmm.pid \ No newline at end of file