fpr: June 28 - final rule tuning

Thomas Stromberg 2024-06-28 10:08:04 -04:00
parent eecc2a3ed0
commit 6fe74680a0
18 changed files with 146 additions and 100 deletions


@ -94,6 +94,7 @@ WHERE
'/usr/sbin/mDNSResponder'
)
AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
AND p.path NOT LIKE '%/podman/gvproxy'
-- Workaround for the GROUP_CONCAT subselect adding a blank ent
-- Workaround for the GROUP_CONCAT subselect adding a blank ent
GROUP BY
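Review bot: The exception `AND p.path NOT LIKE '%/podman/gvproxy'` is anchored only on its last two path components, so a binary at that relative path under any directory, a user-writable one included, drops out of this rule; if that line is the addition (the rendered view does not say which of the seven lines is), anchor it to the install prefix you actually expect, e.g. `AND p.path NOT LIKE '/opt/%/podman/gvproxy'` — a constructed example, substitute the real prefix. The two consecutive `-- Workaround for the GROUP_CONCAT subselect adding a blank ent` comments are an exact duplicate; one can go. The WHERE clause starts before the hunk and the GROUP BY list continues after it.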


@ -109,6 +109,7 @@ WHERE
'0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'0,velociraptor,0u,0g,velociraptor_cl',
'0,yay,0u,0g,yay',
'500,python3.11,u,g,pip',
'105,http,0u,0g,https',
'106,geoclue,0u,0g,geoclue',
'115,geoclue,0u,0g,geoclue',
@ -116,6 +117,7 @@ WHERE
'128,fwupdmgr,0u,0g,fwupdmgr',
'129,fwupdmgr,0u,0g,fwupdmgr',
'42,http,0u,0g,https',
'500,podman,0u,0g,podman',
'500,1password,0u,0g,1password',
'500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
'500,act,0u,0g,act',
@ -330,6 +332,7 @@ WHERE
AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
AND NOT exception_key LIKE '500,python3.%,0u,0g,pip'
AND NOT exception_key LIKE '500,python3%,u,g,pip'
AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi'
AND NOT (
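Review bot: The literal `'500,python3.11,u,g,pip'` in the exception_key list and the pattern `AND NOT exception_key LIKE '500,python3%,u,g,pip'` overlap: the LIKE already matches the python3.11 key, so the IN entry is dead and one of the two should go. The new LIKE is also looser than the neighbouring `'500,python3.%,0u,0g,pip'` — without the dot, `python3%` matches any process name that merely starts with `python3`; `'500,python3.%,u,g,pip'` keeps the versioned-interpreter shape the existing pattern relies on. Which lines are the additions is inferred from the hunk counts, and the WHERE clause continues outside the hunk.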


@ -142,17 +142,9 @@ WHERE
)
AND NOT alt_exception_key IN (
'0,velociraptor,velociraptor,0u,0g',
'500,java,java,0u,0g',
'500,pulumi-resource-github,pulumi-resource-github,500u,20g',
'0,velociraptor,velociraptor,0u,80g',
'500,taplo,taplo,500u,20g',
'500,nodegizmo,nodegizmo,500u,20g',
'500,docker-scout,docker-scout,500u,20g',
'500,apko,apko,0u,0g',
'500,apko,apko,500u,20g',
'500,wolfibump,wolfibump,500u,20g',
'500,wolfictl,wolfictl,0u,0g',
'500,istioctl,istioctl,500u,20g',
'500,aws,aws,0u,0g',
'500,cargo,cargo,500u,80g',
'500,chainctl,chainctl,0u,0g',
@ -161,28 +153,38 @@ WHERE
'500,cilium,cilium,500u,123g',
'500,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
'500,cosign,cosign,0u,500g',
'500,snyk-macos-arm64,snyk-macos-arm64,500u,20g',
'500,cosign,cosign,500u,20g',
'500,cosign,cosign,500u,80g',
'500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',
'500,cpu,cpu,500u,20g',
'500,crane,crane,0u,500g',
'500,crane,crane,500u,80g',
'500,docker-scout,docker-scout,500u,20g',
'500,gh-dash,gh-dash,500u,20g',
'500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',
'500,git,git,0u,500g',
'500,taplo-full-darwin-aarch64,taplo-full-darwin-aarch64,500u,20g',
'500,git-remote-http,git-remote-http,500u,20g',
'500,git-remote-http,git-remote-http,500u,80g',
'500,istioctl,istioctl,,a.out',
'500,gitsign,gitsign,500u,20g',
'500,go,go,500u,80g',
'500,vexi,vexi,500u,20g',
'500,hugo,hugo,500u,20g',
'500,istioctl,istioctl,500u,20g',
'500,istioctl,istioctl,,a.out',
'500,java,java,0u,0g',
'500,.man-wrapped,.man-wrapped,0u,500g',
'500,nodegizmo,nodegizmo,500u,20g',
'500,pprof,pprof,500u,80g',
'500,pulumi-resource-gcp,pulumi-resource-gcp,500u,20g',
'500,pulumi-resource-github,pulumi-resource-github,500u,20g',
'500,sdaudioswitch,sdaudioswitch,500u,20g',
'500,sdzoomplugin,sdzoomplugin,500u,20g',
'500,session-manager-plugin,session-manager-plugin,0u,0g',
'500,snyk-macos-arm64,snyk-macos-arm64,500u,20g',
'500,taplo-full-darwin-aarch64,taplo-full-darwin-aarch64,500u,20g',
'500,taplo,taplo,500u,20g',
'500,vexi,vexi,500u,20g',
'500,vim,vim,0u,500g',
'500,wolfibump,wolfibump,500u,20g',
'500,wolfictl,wolfictl,0u,0g',
'500,wolfictl,wolfictl,500u,20g'
)
AND NOT s.authority IN (


@ -84,6 +84,7 @@ WHERE
AND exception_key = '32768,6,%,sshd,0u,0g,sshd'
)
AND NOT exception_key IN (
'123,17,500,chronyd,0u,0g,chronyd',
'4070,6,500,spotify,u,g,spotify',
'8000,6,500,brave,0u,0g,brave',
'8000,6,500,chrome,0u,0g,chrome',
@ -93,6 +94,7 @@ WHERE
'80,6,0,kmod,0u,0g,depmod',
'80,6,0,kubelet,u,g,kubelet',
'80,6,0,ldconfig,0u,0g,ldconfig',
'80,6,0,NetworkManager,0u,0g,NetworkManager',
'80,6,0,packagekitd,0u,0g,packagekitd',
'80,6,0,pacman,0u,0g,pacman',
'80,6,0,pdftex,0u,0g,pdftex',
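Review bot: `'123,17,500,chronyd,0u,0g,chronyd'` lets a uid-500 process named chronyd reach UDP 123 on the strength of its name alone, whereas every other system daemon in this list (`'80,6,0,NetworkManager,0u,0g,NetworkManager'`, kmod, ldconfig) is keyed with uid 0; if a user-level chronyd is genuinely expected on some host, pair the entry with a path check rather than the bare name, since a process name is chosen by whoever launched it. The same name-only shape appears in the new `openrazer-daemo` /dev/input exception, the `p0.name = "ssh"` listening-port exception, and the `'25565,6,500,java,'` entry later in this commit. Whether the chronyd and NetworkManager lines are the additions is inferred from the hunk counts; the WHERE clause continues outside the hunk.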


@ -91,6 +91,7 @@ WHERE
AND pof.path NOT IN (
'/dev/dri/card0',
'/dev/dri/card1',
'/dev/dri/card2',
'/dev/dri/renderD128',
'/dev/dri/renderD129',
'/dev/fuse',
@ -126,6 +127,7 @@ WHERE
'/dev/input,acpid',
'/dev/input,gnome-shell',
'/dev/input,Hyprland',
'/dev/input,kwin_wayland',
'/dev/input,systemd',
'/dev/input,systemd-logind',
'/dev/input,thermald',
@ -174,13 +176,13 @@ WHERE
'/dev/hidraw,chrome',
'/dev/hvc,agetty',
'/dev/hwrng,rngd',
'/dev/input/event,Xorg',
'/dev/input/event,thermald',
'/dev/input/event,touchegg',
'/dev/kmsg,_k3s-inner',
'/dev/input/event,Xorg',
'/dev/kmsg,bpfilter_umh',
'/dev/kmsg,dmesg',
'/dev/kmsg,k3s',
'/dev/kmsg,_k3s-inner',
'/dev/kmsg,kubelet',
'/dev/kmsg,systemd',
'/dev/kmsg,systemd-coredump',
@ -190,10 +192,10 @@ WHERE
'/dev/mapper/control,gpartedbin',
'/dev/mapper/control,multipathd',
'/dev/mcelog,mcelog',
'/dev/media,pipewire',
'/dev/media,wireplumber',
'/dev/media0,pipewire',
'/dev/media0,wireplumber',
'/dev/media,pipewire',
'/dev/media,wireplumber',
'/dev/net/tun,openvpn',
'/dev/net/tun,qemu-system-x86_64',
'/dev/net/tun,slirp4netns',
@ -201,17 +203,18 @@ WHERE
'/dev/sda,ntfs-3g',
'/dev/shm/envoy_shared_memory_1,envoy',
'/dev/tpmrm,launcher',
'/dev/tty,Xorg',
'/dev/tty,agetty',
'/dev/tty,gdm-wayland-session',
'/dev/tty,gdm-x-session',
'/dev/tty,systemd-logind',
'/dev/tty,Xorg',
'/dev/uhid,bluetoothd',
'/dev/uinput,bluetoothd',
'/dev/usb/hiddev,apcupsd',
'/dev/usb/hiddev,upowerd',
'/dev/vhost-net,qemu-system-x86_64',
'/dev/vhost-vsock,qemu-system-x86_64',
'/dev/video0,chrome',
'/dev/video,brave',
'/dev/video,cheese',
'/dev/video,chrome',
@ -229,7 +232,6 @@ WHERE
'/dev/video,wireplumber',
'/dev/video,zoom',
'/dev/video,zoom.real',
'/dev/video0,chrome',
'/dev/wwan0mbim,mbim-proxy',
'/dev/zfs,',
'/dev/zfs,zed',
@ -248,6 +250,10 @@ WHERE
AND p0.name LIKE "solaar%"
AND p0.path LIKE '/usr/bin/python%'
)
AND NOT (
pof.path LIKE "/dev/input/event%"
AND p0.name = "openrazer-daemo"
)
AND NOT (
pof.path LIKE '/dev/bus/usb/%'
AND p0.name IN (
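Review bot: The new `openrazer-daemo` block uses double-quoted literals (`"/dev/input/event%"`, `"openrazer-daemo"`) while the rest of the hunk quotes strings with single quotes; SQLite treats a double-quoted token as a string only after it fails to resolve as an identifier, and builds that disable that fallback reject the query, so `'/dev/input/event%'` and `'openrazer-daemo'` are the safer spelling (the solaar block above and the `p0.name = "ssh"` exception later in this commit have the same issue). The block also grants every `/dev/input/event*` device to any process carrying what looks like a kernel-truncated 15-character name; the adjacent solaar exception constrains `p0.path` as well, and an equivalent `AND p0.path LIKE '<install path of the daemon>'` line (placeholder — take the path from the real package) would bring the two in line. The enclosing WHERE continues past the hunk.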


@ -54,6 +54,7 @@ WHERE
AND NOT f.directory LIKE '%/.config/nvm/%/bin'
AND NOT f.directory LIKE '%/.cursor/%'
AND NOT f.directory LIKE '%/.deno/bin'
AND NOT f.directory LIKE '%/.devpod/contexts/%'
AND NOT f.directory LIKE '%/.linuxbrew/Cellar/%/bin'
AND NOT f.directory LIKE '%/.docker/cli-plugins'
AND NOT f.directory LIKE '%/.fig/bin'


@ -29,26 +29,25 @@ WHERE
AND file.filename NOT IN ('.', '..')
AND exception_key NOT IN (
'/etc/ld.so.conf,0644,117,dad04a370e488aa85fb0a813a5c83cf6fd981ce01883fc59685447b092de84b5',
'/etc/ld.so.conf,0644,154,785c6c3614a27ae6115a27c1ca55bbf333654780997c4ba7e181172b021d1bf3',
'/etc/ld.so.conf,0644,28,239c865e4c0746a01f82b03d38d620853bab2a2ba8e81d6f5606c503e0ea379f',
'/etc/ld.so.conf,0644,34,d4b198c463418b493208485def26a6f4c57279467b9dfa491b70433cedb602e8',
'/etc/ld.so.conf.d/homebrew.conf,0644,33,f4972e79fa4966d9976487a5b5d4152c4cd7020b236b173ad1f2a3d2fa86f74a',
'/etc/ld.so.conf,0644,154,785c6c3614a27ae6115a27c1ca55bbf333654780997c4ba7e181172b021d1bf3',
'/etc/ld.so.conf.d/000_cuda.conf,0644,41,a9327cff9435220eac872cffedc7f6144d915bdcb70d985304c72f4c3cb9a7d3',
'/etc/ld.so.conf.d/989_cuda-11.conf,0644,44,915b1ed4caa95cf65a62a74d8255c5ef80ef864cc2767933c85e240a78957167',
'/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3',
'/etc/ld.so.conf.d/bind-export-x86_64.conf,0644,26,efeec53def06657c947f064463d5ebdb68f7c6f9e40cc2e72fc11c263484942e',
'/etc/ld.so.conf.d/cuda.conf,0644,66,a65f7d96e2447eb40b1be9586b90eb0bd776a8938c93d21f9606d2880b548b28',
'/etc/ld.so.conf.d/dyninst-x86_64.conf,0644,19,a4c740c1f59176d816ba18d429ba823317d3db416accf6d79a9cb0ac845d9d50',
'/etc/ld.so.conf.d/fakechroot-x86_64-linux-gnu.conf,0644,37,b31d4e51d547996eaad550223d078701016504cdf6571abd2b37ece9db3caac7',
'/etc/ld.so.conf.d/fakeroot.conf,0644,21,564c4c4d369d005702d825d34edc5e5568cb1ab6ee1b19fa03d0d672fb8b3aee',
'/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf,0644,38,af7edc777dd224bade078ba540538444db69856533c02e18a7f9fbbdd23bd181',
'/etc/ld.so.conf.d/gds-11-8.conf,0644,46,2b48cb0abd03ff1d8926eca02a71540f4ee00ebccad5515e4d28a542dae8438a',
'/etc/ld.so.conf.d/homebrew.conf,0644,33,f4972e79fa4966d9976487a5b5d4152c4cd7020b236b173ad1f2a3d2fa86f74a',
'/etc/ld.so.conf.d/i386-linux-gnu.conf,0644,168,023231b8d6d21a7f4b1a59b875576604395041c814c0fd640d4a1d3d29455e6a',
'/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime.conf,0644,48,c0c6efda46a86b0d0cbc620b910cec4ba455d09a2bc7a39adf45ce113093366d',
'/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476',
'/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime-libs.conf,0644,44,9f123b367c8afdcd116047d24f91339a95724d6f6cd189967696d2eb8eda63b4',
'/etc/ld.so.conf.d/intel-oneapi-compiler-shared-opencl-cpu.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476',
'/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime.conf,0644,157,0b4a1c81fcab2d345f99e0187f29cf28f085ae67bf42c86d7b509c06b345186e',
'/etc/ld.so.conf.d/fakechroot-x86_64-linux-gnu.conf,0644,37,b31d4e51d547996eaad550223d078701016504cdf6571abd2b37ece9db3caac7',
'/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476',
'/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime-libs.conf,0644,65,0e9c472578fe009314f02ab64613fc41114f4d07cfd3a805191a5b755d780a43',
'/etc/ld.so.conf.d/intel-oneapi-openmp.conf,0644,155,160358af96f4a1a92e624fa84a1776d45c1a2c4695c8b96070374f6d66bf6061',
@ -61,6 +60,8 @@ WHERE
'/etc/ld.so.conf.d/libiscsi-x86_64.conf,0644,17,fa3839c3cb893d3a589a020a0a9a010de1332b8385ee8139660e2da8bcc932a3',
'/etc/ld.so.conf.d/llvm13-x86_64.conf,0644,22,4da62e9ec76b030c527e2ea87ccfab1baeff7d0f9092f980231e49961bb97de0',
'/etc/ld.so.conf.d/llvm15-x86_64.conf,0644,22,30e995961d9e382d287469acce7e168d15811356bf20971fc17bb582a8d62afa',
'/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3',
'/etc/ld.so.conf.d/llvm17-x86_64.conf,0644,22,3aceee0a4efb8cc2b0f981035cdbb6f28be48634f72f9b6fb98c1e282d32347c',
'/etc/ld.so.conf.d/mariadb-x86_64.conf,0644,17,598466b4954bc66c6f45f1f119211b0698d4a549f6c01b5d9a933a2511b82626',
'/etc/ld.so.conf.d/mingw64-hostlib.conf,0644,29,df1b65371bead6dddc703346f56dde023e22d52d9f071a3b646beaaec75a53c9',
'/etc/ld.so.conf.d/nessus.conf,0644,16,5a9dc65a4a0daa50ce9dd70ff3973fcceef9660cc3fdf5bb0beec8e0b6c57708',


@ -43,12 +43,14 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
AND (
file.path LIKE '%/go-build%'
OR file.directory LIKE '/tmp/%/out'
OR file.path IN ('/tmp/mkinitramfs', '/tmp/mission')
OR file.path LIKE '%/bin/%'
OR file.path LIKE "%/bin/bash"
OR file.path LIKE "%/bin/busybox"
OR file.path LIKE '%/checkout/%'
OR file.path LIKE '%/ci/%'
OR file.path LIKE '%/Rakefile'
OR file.path LIKE '%/configure'
OR file.path LIKE '%/debug/%'
OR file.path LIKE '/tmp/ko%/out'
OR file.path LIKE '%/dist/%'
OR file.path LIKE '%/flow/%.npmzS_cacachezStmpzSgit-clone%'
OR file.path LIKE '%/git/%'
@ -56,27 +58,27 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
OR file.path LIKE '%/go.%.sum'
OR file.path LIKE "%/%/gradlew"
OR file.path LIKE '%/guile-%/guile-%'
OR file.path LIKE '%/melange-guest-%'
OR file.path LIKE '%integration_test%'
OR file.path LIKE '%/ko/%'
OR file.path LIKE '%/kots/%'
OR file.path LIKE "%/lib/%.so"
OR file.path LIKE '/tmp/GoLand/___go_build_%_go'
OR file.path LIKE "%/lib/%.so.%"
OR file.path LIKE '%/configure'
OR file.path LIKE '%integration_test%'
OR file.path LIKE '%test_script'
OR file.path LIKE "%/melange%"
OR file.path LIKE "%/bin/busybox"
OR file.path LIKE "%/bin/bash"
OR file.path LIKE "/tmp/lima/%"
OR file.path LIKE '%/melange-guest-%'
OR file.path LIKE '%/pdf-tools/%'
OR file.path LIKE '%/Rakefile'
OR file.path LIKE '%-release%/%'
OR file.path LIKE '%/site-packages/markupsafe/_speedups.cpython-%'
OR file.path LIKE '%/src/%'
OR file.path LIKE '%/target/%'
OR file.path LIKE '%/terraformer/%'
OR file.path LIKE '%test_script'
OR file.path LIKE '%/tmp/epdf%'
OR file.path LIKE '/tmp/GoLand/___go_build_%_go'
OR file.path LIKE '/tmp/ko%/out'
OR file.path LIKE "/tmp/lima/%"
OR file.path LIKE '/tmp/lima/%/out/%'
OR file.path LIKE '/tmp/wolfi%'
)
)
AND NOT (
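Review bot: On the new side `OR file.path LIKE '%/bin/%'` subsumes `"%/bin/bash"` and `"%/bin/busybox"`, and `"/tmp/lima/%"` subsumes `'/tmp/lima/%/out/%'`, so two pairs of patterns are dead; `'%/bin/%'` in particular matches any path with a `bin` component anywhere, which is broad for a predicate whose comment says it is meant to whittle the file list down before joining. Either drop the narrower duplicates or, if the narrower ones express the intent, drop `'%/bin/%'`. The hunk also mixes single- and double-quoted string literals; single quotes are the portable form. The surrounding WHERE starts and ends outside the hunk.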


@ -22,6 +22,7 @@ SELECT
f.size,
hash.sha256,
REPLACE(f.directory, u.directory, '~') AS homedir,
REPLACE(f.path, u.directory, '~') AS homepath,
RTRIM(
COALESCE(
REGEX_MATCH (
@ -199,6 +200,13 @@ WHERE
'~/Library/helm',
'~/Library/pnpm'
)
AND NOT homepath IN (
'~/Library/Assistant/SiriAnalytics.db',
'~/Library/Calendars/Calendar.sqlitedb-wal',
'~/Library/Finance/finance_cloud.db',
'~/Library/Finance/finance_cloud.db-wal',
'~/Library/HTTPStorages/com.apple.AddressBookSourceSync'
)
AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
AND NOT f.path LIKE '/Users/%/Library/Fonts/%.ttf'
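Review bot: `REPLACE(f.path, u.directory, '~') AS homepath` rewrites every occurrence of the home directory string, not only a leading one, and if `u.directory` is ever empty or NULL the result is the unchanged path or NULL respectively — in the NULL case `AND NOT homepath IN (...)` evaluates to UNKNOWN and the row silently drops out of the results. A prefix-anchored form avoids both: `CASE WHEN f.path LIKE u.directory || '/%' THEN '~' || SUBSTR(f.path, LENGTH(u.directory) + 1) ELSE f.path END AS homepath`. The homedir column on the line above has the same shape, so this is inherited rather than introduced, but the new exception list is the first place the path variant is filtered on. Both the SELECT list and the WHERE clause continue outside the hunk.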


@ -48,6 +48,7 @@ WHERE
'/Users/Shared/.betamigrated',
'/Users/Shared/.com.intego.reporting.plist',
'/Users/Shared/.DS_Store',
'/Users/Shared/Plugin Loading.log',
'/Users/Shared/.ks.intego_metrics_2.plist',
'/Users/Shared/.localized',
'/Users/Shared/.userfonts.cachedb',
@ -67,6 +68,7 @@ WHERE
'/Users/Shared/CleanMyMac X Menu',
'/Users/Shared/LGHUB',
'/Users/Shared/logi',
'/Users/Shared/AdobeInstalledCodecsTier2',
'/Users/Shared/LogioptionsPlus',
'/Users/Shared/LogiOptionsPlus',
'/Users/Shared/.logishrd',
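Review bot: The two entries that appear to be the additions, `'/Users/Shared/Plugin Loading.log'` and `'/Users/Shared/AdobeInstalledCodecsTier2'`, are inserted out of order in a list that is otherwise roughly alphabetical, and the same happens with `'Microsoft.VisualStudio.Reliability.Monitor'`, `'terraform'` and `'25565,6,500,java,'` elsewhere in this commit, while several other lists were sorted in the same change; keeping these sorted makes near-duplicates (this list already carries both `LogioptionsPlus` and `LogiOptionsPlus`) easy to spot. Also worth recording: `/Users/Shared` is writable by every local user, so a bare-path exception here means anything dropped under that exact name is ignored — a one-line `-- exact-path exceptions; /Users/Shared is writable by all local users` above the list would document the trade-off. The WHERE clause continues outside the hunk.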


@ -41,8 +41,10 @@ WHERE -- This time should match the interval
AND NOT pe.value LIKE '/opt/homebrew/Cellar/r/4.%/lib/R/lib/libR.dylib'
AND NOT pe.value LIKE '%/libsamply_mac_preload.dylib'
AND NOT pe.value LIKE '%/Steam/Steam.AppBundle/Steam/Contents/MacOS/steamloader.dylib:%/Steam/Steam.AppBundle/Steam/Contents/MacOS/gameoverlayrenderer.dylib'
AND NOT pe.value LIKE '%//libtrace.dylib'
)
OR (
key = 'DYLD_FRAMEWORK_PATH' -- sort of obsolete, but may affect SIP abusers
AND NOT pe.value LIKE '%/IDLE.app/%'
AND NOT pe.value = '/System/Library/Frameworks'
)
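Review bot: `AND NOT pe.value LIKE '%//libtrace.dylib'` exempts a value on the strength of its basename and a doubled slash, so in what is presumably the DYLD_INSERT_LIBRARIES group any library named libtrace.dylib reachable through a `//` path is ignored by a rule whose purpose is to notice injected dylibs; anchor it to the directory the legitimate copy lives in, as the Steam and homebrew R lines above do, e.g. `AND NOT pe.value LIKE '<expected tool directory>//libtrace.dylib'` (placeholder — use the real location). If the doubled slash is deliberate because the emitting tool writes it that way, a short comment saying so would stop the next reader from "fixing" it. The OR group this line sits in starts before the hunk.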


@ -37,6 +37,7 @@ WHERE
AND gap.path NOT LIKE '/Users/%/rekor-cli'
AND gap.path NOT LIKE '/Users/%/trivy'
AND gap.path NOT LIKE '/usr/local/bin/%'
AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'
AND signature.authority != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'
GROUP BY
gap.requirement
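Review bot: `AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'` carves an exception for something that lives in a download folder: `%` also matches `/`, so `openresty%/bundle/install` covers any directory depth between those components, and the `openresty` prefix accepts any name that starts that way. If this is one developer's build tree, an exact path plus a comment saying what it is would keep the exception honest. Separately, `signature.authority != '...'` on the next line turns UNKNOWN when authority is NULL, so if unsigned binaries carry a NULL authority they drop out of the rule entirely; `COALESCE(signature.authority, '') != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'` keeps them, though that line is context rather than new. The WHERE clause starts before the hunk.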


@ -80,137 +80,139 @@ WHERE
AND exception_key NOT IN (
'0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,nix,nix,',
'500,dfu-discovery,a.out,',
'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'0,velociraptor,a.out,',
'500,.cargo-wrapped,.cargo-wrapped,',
'500,serial-discovery,a.out,',
'500,AeroSpace,bobko.aerospace,aerospace-codesign-certificate',
'500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,Bazecor Helper,,',
'500,python,,',
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
'500,BloomRPC Helper,,',
'500,monorail,,',
'500,Chromium,Chromium,',
'500,clangd,,',
'500,GoLinks Extension,com.golinks.golinks-app.safari-app-extension,Apple Mac OS Application Signing',
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
'500,Duckly Helper,Electron Helper,',
'500,Duckly,Electron,',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,Evernote Helper (GPU),com.evernote.Evernote.helper.GPU,Apple Mac OS Application Signing',
'500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
'500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,Speedtest,com.ookla.speedtest-macos,Apple Mac OS Application Signing',
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,J8RPQ294UB.com.skitch.SkitchHelper,J8RPQ294UB.com.skitch.SkitchHelper,Apple Mac OS Application Signing',
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,',
'500,bash,bash,',
'500,bash,com.apple.bash,Software Signing',
'500,Bazecor Helper,,',
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,BloomRPC Helper,,',
'500,bufls,a.out,',
'500,.cargo-wrapped,.cargo-wrapped,',
'500,chainctl,a.out,',
'500,Chromium,Chromium,',
'500,clangd,,',
'500,clangd,clangd,',
'500,cloud-sql-proxy,a.out,',
'500,cloud-sql-proxy.darwin.arm64,a.out,',
'500,cloud_sql_proxy,a.out,',
'500,cloud-sql-proxy.darwin.arm64,a.out,',
'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
'500,cosign,a.out,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,crane,a.out,',
'500,nvim,,',
'500,J8RPQ294UB.com.skitch.SkitchHelper,J8RPQ294UB.com.skitch.SkitchHelper,Developer ID Application: Skitch Inc (J8RPQ294UB)',
'500,AeroSpace,bobko.aerospace,aerospace-codesign-certificate',
'500,debug.test,a.out,',
'500,dfu-discovery,a.out,',
'500,dive,a.out,',
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
'500,dlv,a.out,',
'500,docker,a.out,',
'500,Duckly,Electron,',
'500,Duckly Helper,Electron Helper,',
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,epdfinfo,epdfinfo,',
'500,esbuild,,',
'500,esbuild,a.out,',
'500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
'500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'500,Evernote Helper (GPU),com.evernote.Evernote.helper.GPU,Apple Mac OS Application Signing',
'500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
'500,fake,a.out,',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,git,git,',
'500,gitsign,a.out,',
'500,gitsign-credential-cache,a.out,',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,gke-gcloud-auth-plugin,a.out,',
'500,go,a.out,',
'500,GoLinks Extension,com.golinks.golinks-app.safari-app-extension,Apple Mac OS Application Signing',
'500,gopls,a.out,',
'500,gopls,gopls,',
'500,gpg-agent,gpg-agent,',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
'500,hugo,a.out,',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,ipcserver.old,,',
'500,J8RPQ294UB.com.skitch.SkitchHelper,J8RPQ294UB.com.skitch.SkitchHelper,Apple Mac OS Application Signing',
'500,J8RPQ294UB.com.skitch.SkitchHelper,J8RPQ294UB.com.skitch.SkitchHelper,Developer ID Application: Skitch Inc (J8RPQ294UB)',
'500,k9s,a.out,',
'500,keyboxd,keyboxd,',
'500,ko,,',
'500,ko,a.out,',
'500,kubectl,a.out,',
'500,lua-language-server,lua-language-server,',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,mattermost,a.out,',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,melange,a.out,',
'500,melange-run,a.out,',
'500,monday.com,com.monday.desktop,Apple Mac OS Application Signing',
'500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
'500,monday.com Helper (GPU),com.monday.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
'500,monday.com,com.monday.desktop,Apple Mac OS Application Signing',
'500,monorail,,',
'500,monorail,a.out,',
'500,nvim,,',
'500,nvim,nvim,',
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
'500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'500,plugin-darwin-arm64,a.out,',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,python,,',
'500,registry,a.out,',
'500,registry-redirect,a.out,',
'500,ruff,,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
'500,scdaemon,scdaemon,',
'500,sdaudioswitch,,',
'500,sdaudioswitch,sdaudioswitch,',
'500,sdmicmute,,',
'500,sdmicmute,sdmicmute,',
'500,sdzoomplugin,,',
'500,serial-discovery,a.out,',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,snyk-ls_darwin_arm64,a.out,',
'500,Speedtest,com.ookla.speedtest-macos,Apple Mac OS Application Signing',
'500,ssh,ssh,',
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,stern,a.out,',
'500,syncthing,syncthing,',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
'500,tflint,a.out,',
'500,tflint-ruleset-aws,a.out,',
'500,tflint-ruleset-google,a.out,',
'500,timestamp-server,a.out,',
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,vim,,',
'500,ruff,,',
'500,vim,vim,'
'500,vim,vim,',
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,'
)
AND NOT (
exception_key LIKE '500,%,a.out,'


@ -59,14 +59,16 @@ WHERE
}'
AND yara.count > 0
AND p0.name NOT IN (
'old',
'Cody',
'deno',
'stable',
'DevPod',
'fig-darwin-universal',
'figma_agent',
'nvim',
'old',
'sg-nvim-agent',
'Cody',
'fig-darwin-universal',
'wezterm-gui'
'stable',
'wezterm-gui',
'zed'
)
AND p0.name NOT LIKE 'cody-engine-%'


@ -189,7 +189,9 @@ WHERE
'xargs',
'xcrun',
'xfce4-terminal',
'xinit',
'Xorg',
'xterm',
'yay',
'yum',
'zed',


@ -65,6 +65,7 @@ WHERE
'clang-11',
'code',
'Code Helper (Renderer)',
'Microsoft.VisualStudio.Reliability.Monitor',
'Code - Insiders Helper',
'Code - Insiders Helper (Renderer)',
'collect2',
@ -88,6 +89,7 @@ WHERE
'LogiMgrDaemon',
'gephi',
'git',
'terraform',
'git-remote-http',
'git-remote-https',
'gnome-session-b',


@ -77,6 +77,7 @@ WHERE
'controller',
'docker-proxy',
'hugo',
'gopls',
'limactl',
'qemu-system-aarch64',
'crane',
@ -89,6 +90,11 @@ WHERE
AND lp.port > 1024
and lp.protocol = 6
)
AND NOT (
p0.name = "ssh"
AND homecwd LIKE '/tmp/%'
AND lp.address IN ("127.0.0.1", "::1")
)
-- Overly broad, but prevents a lot of false positives
AND NOT homepath LIKE "~/.%"
AND NOT homecwd LIKE "~/.%"


@ -146,6 +146,7 @@ WHERE
'49152,6,65,mDNSResponder,Software Signing',
'5000,6,500,ControlCenter,Software Signing',
'5001,6,500,crane,',
'25565,6,500,java,',
'5001,6,500,gvproxy,',
'5060,6,500,CommCenter,Software Signing',
'53,17,500,dnsmasq,',