diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql index b6d67c3..a3a3aec 100644 --- a/detection/c2/unexpected-dns-traffic-events.sql +++ b/detection/c2/unexpected-dns-traffic-events.sql @@ -73,7 +73,6 @@ WHERE '185.125.190.31', -- Canonical '185.125.190.77' -- Canonical ) - -- Exceptions that specifically talk to one server AND exception_key NOT IN ( 'adguard_dns,1.0.0.1,53', @@ -84,6 +83,7 @@ WHERE 'ChatGPT,8.8.8.8,53', 'com.docker.backend,8.8.8.8,53', 'com.docker.vpnkit,8.8.8.8,53', + 'Creative Cloud Content Manager.node,8.8.4.4,53', 'coredns,0.0.0.0,53', 'coredns,8.8.8.8,53', 'distnoted,8.8.8.8,53', diff --git a/detection/c2/unexpected-root-libcurl-proc-linux.sql b/detection/c2/unexpected-root-libcurl-proc-linux.sql index 1333e44..6aa6dcd 100644 --- a/detection/c2/unexpected-root-libcurl-proc-linux.sql +++ b/detection/c2/unexpected-root-libcurl-proc-linux.sql @@ -77,6 +77,7 @@ WHERE 'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755', 'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755', 'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755', + 'implicitclass,/usr/lib/cups/backend/implicitclass,0,system.slice,cups.service,0744', 'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755', 'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755', 'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555', diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql index bb72303..72abb8d 100644 --- a/detection/c2/unexpected-talkers-linux.sql +++ b/detection/c2/unexpected-talkers-linux.sql @@ -8,7 +8,8 @@ -- -- tags: transient state net rapid -- platform: linux -SELECT s.remote_address, +SELECT + s.remote_address, s.remote_port, s.local_port, s.local_address, 
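Review bot: The removed line `-- Exceptions that specifically talk to one server` was the only comment explaining what the `exception_key NOT IN (` list in unexpected-dns-traffic-events.sql matches on, and nothing in the hunk replaces it, so the list's meaning now has to be reverse-engineered from the key format. Unless the comment was relocated somewhere outside the hunk, keep it directly above `AND exception_key NOT IN (`. The enclosing WHERE clause starts and ends outside the hunk.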
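Review bot: The new `'implicitclass,/usr/lib/cups/backend/implicitclass,0,system.slice,cups.service,0744'` entry in unexpected-root-libcurl-proc-linux.sql is inserted after the `libvirtd` line, breaking the case-insensitive alphabetical order the surrounding entries follow; in allowlists this long, ordering is what lets a reviewer spot duplicates and stale entries. Move it between the `fwupd` and `libvirtd` lines. The same out-of-place insertion recurs in the `/dev/udmabuf` and `/dev/cu.debug-console` entries in the two unexpected-dev-opener files, the `telegram-deskto` and `npm install` entries in hidden-cwd.sql, the `5001`, `4466` and `49152` entries in unexpected-listening-port-macos.sql, the `mc` entry in unexpected-uid0-daemon-linux.sql and the `/opt/colima/bin/socket_vmnet` entry in unexpected-uid0-daemon-macos.sql.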
@@ -39,12 +40,14 @@ SELECT s.remote_address, 'g,', p.name ) AS exception_key -FROM process_open_sockets s +FROM + process_open_sockets s LEFT JOIN processes p ON s.pid = p.pid LEFT JOIN processes pp ON p.parent = pp.pid LEFT JOIN file f ON p.path = f.path LEFT JOIN hash ON p.path = hash.path -WHERE protocol > 0 +WHERE + protocol > 0 AND s.remote_port > 0 -- See unexpected-https-client AND NOT ( s.remote_port = 443 @@ -108,11 +111,13 @@ WHERE protocol > 0 '80,6,0,python3.12,500u,500g,dnf-automatic', '80,6,0,python3.10,0u,0g,yum', '80,6,0,python3.11,0u,0g,dnf', + '123,17,106,chronyd,0u,0g,chronyd', '5222,6,500,msedge,0u,0g,msedge', '80,6,0,python3.11,0u,0g,dnf-automatic', '80,6,0,python3.11,0u,0g,yum', '80,6,0,python3.12,0u,0g,dnf', '80,6,0,python3.12,0u,0g,yum', + '80,6,0,python3.12,0u,0g,dnf-automatic', '89,6,500,chrome,0u,0g,chrome', '80,6,0,python3.9,u,g,yum', '80,6,0,rpm-ostree,0u,0g,rpm-ostree', @@ -294,4 +299,5 @@ WHERE protocol > 0 OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%' ) ) -GROUP BY p.cmdline +GROUP BY + p.cmdline diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index 005a4ac..ce535e5 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql @@ -5,7 +5,8 @@ -- -- tags: transient state net often -- platform: macos -SELECT pos.protocol, +SELECT + pos.protocol, pos.local_port, pos.remote_port, remote_address, 
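Review bot: The new `'123,17,106,chronyd,0u,0g,chronyd'` entry in unexpected-talkers-linux.sql bakes uid 106 into the key, and a system-account uid like that is assigned by the distribution at package install time, so the exception probably matches only the host it was captured on and chronyd's NTP traffic will reappear as a finding elsewhere under a different uid. If the intent is to exempt chronyd regardless of uid, a `NOT exception_key LIKE '123,17,%,chronyd,0u,0g,chronyd'` predicate would be more durable; otherwise a comment naming the distribution the uid came from stops the next reviewer from generalizing it by hand. The enclosing `NOT IN (` list starts and ends outside the hunk.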
@@ -40,17 +41,24 @@ SELECT pos.protocol, p1.euid AS p1_euid, p1.cmdline AS p1_cmd, p1_hash.sha256 AS p1_sha256 -FROM process_open_sockets pos +FROM + process_open_sockets pos LEFT JOIN processes p0 ON pos.pid = p0.pid LEFT JOIN hash p0_hash ON p0.path = p0_hash.path LEFT JOIN processes p1 ON p0.parent = p1.pid LEFT JOIN hash p1_hash ON p1.path = p1_hash.path LEFT JOIN file f ON p0.path = f.path LEFT JOIN signature s ON p0.path = s.path -WHERE pos.pid IN ( - SELECT pid - from process_open_sockets - WHERE protocol > 0 +WHERE + pos.pid IN ( + SELECT + pid + from + process_open_sockets + WHERE + protocol > 0 + AND local_port > 0 + AND remote_port > 0 AND NOT ( remote_port IN (53, 443) AND protocol IN (6, 17) @@ -124,4 +132,5 @@ WHERE pos.pid IN ( AND remote_port = 0 AND protocol = 0 ) -GROUP BY p0.cmdline +GROUP BY + p0.cmdline diff --git a/detection/collection/spotlight-database-export-macos.sql b/detection/collection/spotlight-database-export-macos.sql index cc1175f..edb167e 100644 --- a/detection/collection/spotlight-database-export-macos.sql +++ b/detection/collection/spotlight-database-export-macos.sql @@ -32,4 +32,5 @@ WHERE AND f.path NOT LIKE '%mysql-test/suite/%' AND f.path NOT LIKE '%.json' AND f.path NOT LIKE '%.log' + AND f.path NOT LIKE '%/testdata/%' AND f.size > 32768 diff --git a/detection/credentials/macos_keyboard_sniffer.sql b/detection/credentials/macos_keyboard_sniffer.sql index a5238ab..7fee33e 100644 --- a/detection/credentials/macos_keyboard_sniffer.sql +++ b/detection/credentials/macos_keyboard_sniffer.sql @@ -57,6 +57,7 @@ FROM LEFT JOIN hash p2_hash ON p2.path = p2_hash.path WHERE et.event_tapped IN ('EventKeyDown', 'EventKeyUp') + AND et.enabled != 0 AND s.authority != 'Software Signing' -- Popular programs that sniff keyboard events, but do not appear to be malware. AND NOT exception_key IN ( 'Alfred,com.runningwithcrayons.Alfred,Developer ID Application: Running with Crayons Ltd (XZZXE9SED4)', 
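Review bot: The added `AND local_port > 0` / `AND remote_port > 0` predicates in the pid subquery of unexpected-talkers-macos.sql narrow it to sockets with both ends bound, but nothing in the hunk says why, and the `remote_port = 0 AND protocol = 0` condition still visible in the last hunk of this file can no longer be satisfied if it sits inside the same subquery (it remains meaningful only if it applies to the outer `pos` rows, which the hunk does not show). Add a one-line comment above the new predicates, e.g. `-- skip unbound sockets (either port 0); they are not talking to anyone`, and either drop the now-unreachable exclusion or note why it stays. The subquery's exclusion list continues outside the hunk.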
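Review bot: The new `AND f.path NOT LIKE '%/testdata/%'` exclusion in spotlight-database-export-macos.sql is anchored only on a directory name, so it exempts a Spotlight-database-sized file under any `testdata` directory anywhere on the filesystem, a much larger hole than the adjacent suffix-based exclusions (`%.json`, `%.log`). If it was added for one project's fixtures, qualify it with the parent directory, e.g. `AND f.path NOT LIKE '%/<project>/testdata/%'` (placeholder), and add a comment naming the source. The WHERE clause starts outside the hunk.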
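Review bot: The new `AND et.enabled != 0` predicate in macos_keyboard_sniffer.sql changes what the query reports — a registered-but-disabled keyboard tap no longer surfaces — and deserves a comment, since a reader of the finished query cannot tell whether that was deliberate noise reduction or an oversight. Suggest `-- disabled taps receive no events; only report taps that are currently capturing` above it. If `et.enabled` can be NULL for a row, `!= 0` also drops that row silently; `COALESCE(et.enabled, 1) != 0` would keep it — confirm against the table's schema. The WHERE clause continues outside the hunk.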
diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql index 0d4be9e..79f4422 100644 --- a/detection/credentials/unexpected-dev-opener-linux.sql +++ b/detection/credentials/unexpected-dev-opener-linux.sql @@ -238,6 +238,8 @@ WHERE '/dev/video,zoom', '/dev/video,zoom.real', '/dev/wwan0mbim,mbim-proxy', + '/dev/udmabuf,xdg-desktop-portal-gnome', + '/dev/udmabuf,nautilus', '/dev/zfs,', '/dev/zfs,zed', '/dev/zfs,zfs', diff --git a/detection/credentials/unexpected-dev-opener-macos.sql b/detection/credentials/unexpected-dev-opener-macos.sql index 13d8683..45c6be1 100644 --- a/detection/credentials/unexpected-dev-opener-macos.sql +++ b/detection/credentials/unexpected-dev-opener-macos.sql @@ -108,6 +108,7 @@ WHERE '/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent', '/dev/io8log,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd', '/dev/io8log,airportd,Software Signing,com.apple.airport.airportd', + '/dev/cu.debug-console,ZwiftAppSilicon,Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon', '/dev/io8log,symptomsd,Software Signing,com.apple.symptomsd', '/dev/io8logmt,airportd,Software Signing,com.apple.airport.airportd', '/dev/io8logtemp,ControlCenter,Software Signing,com.apple.controlcenter', diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql index 83e8389..e0769de 100644 --- a/detection/evasion/hidden-cwd.sql +++ b/detection/evasion/hidden-cwd.sql @@ -8,7 +8,8 @@ -- -- tags: transient often -- platform: posix -SELECT REPLACE(p0.cwd, u.directory, '~') AS dir, +SELECT + REPLACE(p0.cwd, u.directory, '~') AS dir, REGEX_MATCH ( REPLACE(p0.cwd, u.directory, '~'), '([/~].*?/.*?)/', 
@@ -55,7 +56,8 @@ SELECT REPLACE(p0.cwd, u.directory, '~') AS dir, p2.path AS p2_path, p2.cmdline AS p2_cmd, p2_hash.sha256 AS p2_sha256 -FROM processes p0 +FROM + processes p0 LEFT JOIN file f ON p0.path = f.path LEFT JOIN users u ON p0.uid = u.uid LEFT JOIN hash p0_hash ON p0.path = p0_hash.path @@ -64,10 +66,14 @@ FROM processes p0 LEFT JOIN hash p1_hash ON p1.path = p1_hash.path LEFT JOIN processes p2 ON p1.parent = p2.pid LEFT JOIN hash p2_hash ON p2.path = p2_hash.path -WHERE p0.pid IN ( - SELECT DISTINCT pid - FROM processes - WHERE cwd LIKE '%/.%' +WHERE + p0.pid IN ( + SELECT DISTINCT + pid + FROM + processes + WHERE + cwd LIKE '%/.%' AND NOT name IN ( 'apfsd', 'bindfs', @@ -94,6 +100,7 @@ WHERE p0.pid IN ( 'bash,~/.Trash', 'bash,~/.local/share', 'bash,~/go/src', + 'telegram-deskto,~/snap/telegram-desktop', 'c++,~/.cache/yay', 'cc1,/home/build/.cache', 'cc1plus,~/.cache/yay', @@ -119,6 +126,7 @@ WHERE p0.pid IN ( 'rust-analyzer-p,~/.cargo/registry', 'rustc,/home/build/.cargo', 'vet,/home/build/.cache', + 'npm install,/home/build/.npm', 'zsh,/private/tmp/workspace', 'zsh,~/.Trash' ) @@ -129,6 +137,7 @@ WHERE p0.pid IN ( OR dir IN ( '~/.config', '~/.local/bin', + '/home/build', '/var/home/linuxbrew/.linuxbrew/Cellar', '~/.vim', '~/dev/extra-packages/.chainguard', @@ -144,12 +153,7 @@ WHERE p0.pid IN ( '~/.hunter/_Base', '~/.zsh' ) - OR top_dir IN ( - '~/Sync', - '~/src', - '~/workspace', - '~/dev' - ) + OR top_dir IN ('~/Sync', '~/src', '~/workspace', '~/dev') OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%' OR dir LIKE '/opt/homebrew/%/.cache/%' OR dir LIKE '~/%enterprise-packages/.chainguard' @@ -190,4 +194,5 @@ WHERE p0.pid IN ( AND p0.euid = 0 ) ) -GROUP BY p0.pid \ No newline at end of file +GROUP BY + p0.pid diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql index 8f161cb..fa1bc62 100644 --- a/detection/evasion/hidden-executable.sql 
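Review bot: The new `'/home/build'` entry in the `dir IN (` list of hidden-cwd.sql looks unreachable: `dir` is `REPLACE(p0.cwd, u.directory, '~')` and every candidate row comes from the subquery's `cwd LIKE '%/.%'` filter, so `dir` always contains a `/.` component and can never equal the bare `/home/build`. If the intent was to exempt hidden directories under a build user's home (the `'npm install,/home/build/.npm'` entry added a few hunks earlier suggests so), that belongs in `top_dir IN (` directly below or as `OR dir LIKE '/home/build/.%'`, and either form is broad enough to deserve a comment on which build system produces it. The `AND NOT (` group this sits in starts and ends outside the hunk.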
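Review bot: Collapsing the `top_dir IN (` list onto one line in hidden-cwd.sql goes against the formatting this same commit applies everywhere else (one element per line, `SELECT`/`FROM`/`WHERE` each on their own line), and one element per line gives cleaner diffs when the next exception is added. Restore the four entries on separate lines, matching the `dir IN (` list directly above.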
+++ b/detection/evasion/hidden-executable.sql @@ -5,7 +5,8 @@ -- -- tags: transient -- platform: posix -SELECT f.directory, +SELECT + f.directory, f.btime, p0.start_time, RTRIM( @@ -51,7 +52,8 @@ SELECT f.directory, p2.path AS p2_path, p2.cmdline AS p2_cmd, p2_hash.sha256 AS p2_sha256 -FROM processes p0 +FROM + processes p0 LEFT JOIN file f ON p0.path = f.path LEFT JOIN users u ON f.uid = u.uid LEFT JOIN hash p0_hash ON p0.path = p0_hash.path @@ -59,7 +61,8 @@ FROM processes p0 LEFT JOIN hash p1_hash ON p1.path = p1_hash.path LEFT JOIN processes p2 ON p1.parent = p2.pid LEFT JOIN hash p2_hash ON p2.path = p2_hash.path -WHERE ( +WHERE + ( p0.name LIKE '.%' OR f.filename LIKE '.%' OR f.directory LIKE '%/.%' @@ -88,6 +91,7 @@ WHERE ( '~/.terraform', '~/.tflint.d', '~/.vs-kubernetes', + '~/chainguard-images', '~/Code', '~/Projects', '~/code', @@ -116,7 +120,7 @@ WHERE ( AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%' AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%' AND NOT f.directory LIKE '/Volumes/com.getdropbox.dropbox-%' - AND NOT f.directory LIKE '/var~/Code/cgr/private/.terraform/%' + AND NOT f.directory LIKE '%/.terraform/%' AND NOT f.path LIKE '/nix/store/%/%-wrapped' AND NOT ( f.path LIKE '/nix/store/%' @@ -127,4 +131,5 @@ WHERE ( AND NOT homedir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%' AND NOT homedir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS' AND NOT homedir LIKE '%/.Trash/Logi Options.app/Contents/Support/LogiMgrDaemon.app/Contents/MacOS' -GROUP BY f.path +GROUP BY + f.path diff --git a/detection/evasion/old-binaries-running.sql b/detection/evasion/old-binaries-running.sql index ae0e115..79e14a4 100644 --- a/detection/evasion/old-binaries-running.sql +++ b/detection/evasion/old-binaries-running.sql 
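Review bot: Replacing the (apparently malformed) `'/var~/Code/cgr/private/.terraform/%'` pattern with `AND NOT f.directory LIKE '%/.terraform/%'` widens the exception from one path to any executable whose directory contains a `.terraform` component anywhere on disk, which is exactly the hidden-directory placement this query exists to surface. Since the query already has a home-relative `homedir` alias and uses it for the user-scoped exceptions a few lines down, prefer `AND NOT homedir LIKE '~/%/.terraform/%'` (or `'~/%/.terraform/providers/%'` if provider plugins are the only source of noise) so the exemption stays inside home directories. The WHERE clause continues outside the hunk.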
@@ -65,6 +65,7 @@ WHERE '/usr/bin/pavucontrol', '/usr/bin/espeak', '/usr/bin/unpigz', + '/usr/bin/xsettingsd', '/usr/bin/xss-lock', '/usr/bin/i3lock', '/usr/bin/xbindkeys', diff --git a/detection/evasion/parent-missing-from-disk-linux.sql b/detection/evasion/parent-missing-from-disk-linux.sql index 7055af1..d930bae 100644 --- a/detection/evasion/parent-missing-from-disk-linux.sql +++ b/detection/evasion/parent-missing-from-disk-linux.sql @@ -53,9 +53,11 @@ WHERE '/usr/lib/electron22', '/usr/bin', '/opt/google/chrome', + '/opt/microsoft/msedge', '/usr/libexec', '/usr/lib/systemd', '/usr/lib', + '/usr/lib/go/bin', '/usr/share/code' ) -- long-running launchers AND NOT p1.name IN ( diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql index c3c98a1..9921bdf 100644 --- a/detection/evasion/unexpected-hidden-system-paths.sql +++ b/detection/evasion/unexpected-hidden-system-paths.sql @@ -114,8 +114,10 @@ WHERE '/tmp/.SIGN.RSA.local-melange.rsa.pub', '/tmp/.SIGN.RSA.wolfi-signing.rsa.pub', '/tmp/.s.PGSQL.5432', + '/var/root/.nx/', '/tmp/.s.PGSQL.5432.lock', '/tmp/.terraform/', + '/.cache/', '/tmp/.terraform.lock.hcl', '/tmp/.Test-unix/', '/tmp/.touchpaddefaults', @@ -156,6 +158,7 @@ WHERE '/var/root/.bash_history', '/var/root/.bash_profile', '/var/root/.cache/', + '/var/root/.config/', '/var/root/.CFUserTextEncoding', '/var/root/.docker/', '/var/root/.forward', diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql index 8e0d9fd..921da9a 100644 --- a/detection/evasion/unexpected-process-extension-linux.sql +++ b/detection/evasion/unexpected-process-extension-linux.sql @@ -93,3 +93,4 @@ WHERE AND NOT basename LIKE 'terraform-provider%' AND NOT basename LIKE 'ld-%.so' AND NOT basename LIKE 'unison-%' + AND NOT basename IN ('io.elementary.appcenter') 
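Review bot: The new `'/.cache/'` entry in unexpected-hidden-system-paths.sql allowlists a hidden directory directly under the filesystem root, which is the kind of path this query exists to flag, and the hunk gives no indication of what legitimately creates it. Add a comment naming the software that creates `/.cache/` (and `/var/root/.nx/`), and if a single known component is responsible consider keying the exception on that rather than the bare path. Both new entries are also dropped into the `/tmp/...` block of what is otherwise a path-sorted list; `/var/root/.nx/` belongs with the `/var/root/...` entries, where the second hunk in this file correctly places `/var/root/.config/`. The list starts and ends outside the hunk.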
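Review bot: `AND NOT basename IN ('io.elementary.appcenter')` in unexpected-process-extension-linux.sql is a one-element `IN`, which reads like a list that was never finished; if the file already has a `NOT basename IN (...)` list of exact names (the hunk does not show one), the entry belongs there, otherwise `AND NOT basename = 'io.elementary.appcenter'` says the same thing more directly. Either way, a short comment noting that the dotted reverse-DNS name is the real executable name would help, since a basename ending in `.appcenter` is precisely the shape this query looks for.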
diff --git a/detection/evasion/unexpected-var-run-macos.sql b/detection/evasion/unexpected-var-run-macos.sql index 93cf7ea..449f6ed 100644 --- a/detection/evasion/unexpected-var-run-macos.sql +++ b/detection/evasion/unexpected-var-run-macos.sql @@ -54,6 +54,9 @@ WHERE 'kdc.pid', 'prl_disp_service.pid', 'prl_naptd.pid', + 'prl_desktop_services.lock', + 'prl_desktop_services_foreground.lock', + 'prl_disp_service.urgent', 'prl_watchdog-ebdba5702a20.pid', 'resolv.conf', 'rtadvd.pid', diff --git a/detection/evasion/unusual-process-name-linux.sql b/detection/evasion/unusual-process-name-linux.sql index 76ce193..51fa865 100644 --- a/detection/evasion/unusual-process-name-linux.sql +++ b/detection/evasion/unusual-process-name-linux.sql @@ -120,6 +120,7 @@ WHERE "xdg-desktop-portal-gnome", "xdg-desktop-portal-gtk", "xdg-desktop-portal-kde", + "xdg-desktop-portal-xapp", "xdg-document-portal", "xdg-permission-store", "xwaylandvideobridge" diff --git a/detection/execution/exotic-commands-linux.sql b/detection/execution/exotic-commands-linux.sql index 0581f47..fc2e636 100644 --- a/detection/execution/exotic-commands-linux.sql +++ b/detection/execution/exotic-commands-linux.sql @@ -127,6 +127,9 @@ WHERE 'goland', 'java', 'pycharm', + 'zsh', + 'bash', + 'jetbrains', 'sh', 'vim', 'vim.nox' diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql index 96815dd..77e3c98 100644 --- a/detection/execution/unexpected-long-running-security-framework-macos.sql +++ b/detection/execution/unexpected-long-running-security-framework-macos.sql @@ -2,7 +2,8 @@ -- -- platform: darwin -- tags: persistent state process seldom -SELECT s.authority, +SELECT + s.authority, s.identifier, CONCAT ( MIN(p0.euid, 500), 
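Review bot: Adding `'zsh'` and `'bash'` to the exception list in exotic-commands-linux.sql is a large change in coverage that the hunk does not explain: if this list is matched against the parent process name (the compared column is outside the hunk), most interactively launched commands are now exempt, and an exotic-commands query that ignores anything started from a shell loses most of its value. If the noise came from a specific invocation, prefer a narrower key (shell name plus the cmdline pattern that was noisy), or at minimum add a comment recording the false positive that motivated it. `'jetbrains'` also lands between `'pycharm'` and `'sh'` in a list that otherwise looks alphabetically sorted.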
@@ -38,7 +39,8 @@ SELECT s.authority, p2.path AS p2_path, p2.cmdline AS p2_cmd, p2_hash.sha256 AS p2_sha256 -FROM processes p0 +FROM + processes p0 JOIN process_memory_map pmm ON p0.pid = pmm.pid LEFT JOIN signature s ON p0.path = s.path LEFT JOIN hash p0_hash ON p0.path = p0_hash.path @@ -48,9 +50,12 @@ FROM processes p0 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path WHERE -- Focus on longer-running programs p0.pid IN ( - SELECT pid - FROM processes - WHERE start_time < (strftime('%s', 'now') - 25200) + SELECT + pid + FROM + processes + WHERE + start_time < (strftime('%s', 'now') - 25200) AND parent != 0 -- Assume STP AND NOT path LIKE '/System/%' AND NOT path LIKE '/usr/libexec/%' @@ -100,4 +105,6 @@ WHERE -- Focus on longer-running programs AND NOT exception_key LIKE '500,___2go_build_main_go,a.out,' AND NOT exception_key LIKE '500,rust-analyzer,rust_analyzer-%,' AND NOT exception_key LIKE '500,package-version-server-v%,package_version_server-%,' -GROUP BY p0.pid + AND NOT exception_key LIKE '500,marksman-macos,marksman-%,' +GROUP BY + p0.pid diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql index bdd9a2f..03b4248 100644 --- a/detection/initial_access/unexpected-diskimage-source-macos.sql +++ b/detection/initial_access/unexpected-diskimage-source-macos.sql @@ -96,6 +96,7 @@ WHERE 'irccloud.com', 'jetbrains.com', 'kagi.com', + 'kolide.com', 'libreoffice.org', 'live.com', 'logitech.com', @@ -266,5 +267,6 @@ WHERE AND host NOT LIKE 'www.google.%' AND host NOT LIKE '%release%.storage.googleapis.com' AND ea.value NOT LIKE 'https://storage.googleapis.com/copilot-mac-releases/%' + AND ea.value NOT LIKE 'https://storage.googleapis.com/kolide-k2-production-downloads-f414/%' GROUP BY ea.value diff --git a/detection/persistence/listening-from-unusual-location.sql b/detection/persistence/listening-from-unusual-location.sql index 42bf618..3c7dcd4 100644 
--- a/detection/persistence/listening-from-unusual-location.sql +++ b/detection/persistence/listening-from-unusual-location.sql @@ -55,6 +55,7 @@ FROM LEFT JOIN hash p2_hash ON p2.path = p2_hash.path WHERE lp.port != 0 + AND NOT lp.address IN ("127.0.0.1", "::1") AND ( p0.path LIKE "/private/tmp%" OR p0.path LIKE "/private/var/tmp%" @@ -93,11 +94,6 @@ WHERE AND lp.port > 1024 and lp.protocol = 6 ) - AND NOT ( - p0.name = "ssh" - AND homecwd LIKE '/tmp/%' - AND lp.address IN ("127.0.0.1", "::1") - ) -- Overly broad, but prevents a lot of false positives AND NOT homepath LIKE "~/.%" AND NOT homecwd LIKE "~/.%" @@ -118,6 +114,7 @@ WHERE '32768,6,500,Python', '32768,6,500,python3', '32768,17,499,viscosity_openvpn', + '9867,6,500,bazel-remote', '1,1,500,ping' ) AND NOT p0.path LIKE '/nix/store/%' diff --git a/detection/persistence/unexpected-launchd-program-arguments.sql b/detection/persistence/unexpected-launchd-program-arguments.sql index 1ccb6e2..d6d0dfa 100644 --- a/detection/persistence/unexpected-launchd-program-arguments.sql +++ b/detection/persistence/unexpected-launchd-program-arguments.sql @@ -88,6 +88,7 @@ WHERE '/Library/PrivilegedHelperTools/MHLinkServer.app/Contents/MacOS/MHLinkServer', '/opt/homebrew/bin/gitsign-credential-cache', '/opt/homebrew/opt/emacs/bin/emacs --fg-daemon', + '/opt/homebrew/opt/libvirt/sbin/libvirtd -f /opt/homebrew/etc/libvirt/libvirtd.conf', '/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf', '/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080', '/opt/homebrew/opt/mariadb/bin/mysqld_safe', diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql index ead1ff4..5fc6dfc 100644 --- a/detection/persistence/unexpected-listening-port-linux.sql +++ b/detection/persistence/unexpected-listening-port-linux.sql 
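Review bot: The new `AND NOT lp.address IN ("127.0.0.1", "::1")` near the top of the WHERE clause exempts every loopback listener from the whole query, whereas the block it replaces (second hunk, `p0.name = "ssh" AND homecwd LIKE '/tmp/%' AND lp.address IN (...)`) exempted loopback only for one program in one location. A listener bound to loopback from `/private/tmp` or another unusual path is still a useful signal, since many local proxies and development servers bind loopback only, so if the goal was just the ssh noise, keep the old scoped exception or at least document the rationale with a comment on the new line. Only the two literal addresses are excluded here, while the Linux sibling query in this same commit also uses `NOT LIKE '127.0.0.%'`; pick one loopback definition and use it in both files. The `AND (` group that follows continues outside the hunk.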
@@ -39,7 +39,7 @@ FROM LEFT JOIN hash ON p.path = hash.path WHERE port != 0 - AND lp.address NOT IN ('224.0.0.251', '::1') + AND lp.address NOT IN ('224.0.0.251', '::1', '127.0.0.1', '127.1.1.1') AND lp.address NOT LIKE '127.0.0.%' AND lp.address NOT LIKE '172.1%' AND lp.address NOT LIKE 'fe80::%' @@ -74,6 +74,7 @@ WHERE '10256,6,0,kube-proxy', '10256,6,500,kube-proxy', '1,1,500,ping', + '1,255,500,ping', '1,255,500,mtr-packet', '1337,6,500,kdenlive', '1716,6,500,daemon.js', diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql index caafdbc..4307358 100644 --- a/detection/persistence/unexpected-listening-port-macos.sql +++ b/detection/persistence/unexpected-listening-port-macos.sql @@ -5,7 +5,8 @@ -- -- tags: persistent state net low -- platform: darwin -SELECT lp.address, +SELECT + lp.address, lp.port, lp.protocol, p.uid, @@ -27,11 +28,13 @@ SELECT lp.address, ',', signature.authority ) AS exception_key -FROM listening_ports lp +FROM + listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid LEFT JOIN hash ON p.path = hash.path LEFT JOIN signature ON p.path = signature.path -WHERE port != 0 +WHERE + port != 0 AND lp.address NOT IN ('224.0.0.251', '::1') AND lp.address NOT LIKE '127.0.0.%' AND lp.address NOT LIKE '172.1%' @@ -57,9 +60,11 @@ WHERE port != 0 '111,6,1,rpcbind,Software Signing', '1144,6,500,fuscript,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)', '1234,6,500,qemu-system-aarch64,', + '5001,6,500,Record It,Apple Mac OS Application Signing', '1313,6,500,hugo,', '1338,6,500,ec2-metadata-mock,', '1338,6,500,registry,', + '4466,6,500,headlamp-server,Developer ID Application: Microsoft Corporation (UBF8T346G9)', '137,17,0,launchd,Software Signing', '137,17,222,netbiosd,Software Signing', '138,17,0,launchd,Software Signing', 
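Review bot: In the changed `AND lp.address NOT IN ('224.0.0.251', '::1', '127.0.0.1', '127.1.1.1')` line of unexpected-listening-port-linux.sql, `'127.0.0.1'` is already excluded by the `AND lp.address NOT LIKE '127.0.0.%'` predicate on the very next line, so that addition is redundant, and `'127.1.1.1'` is a loopback address outside that prefix that the hunk does not explain. Drop the redundant literal and put a comment on the other, e.g. `-- 127.1.1.1: bound by <service> (placeholder)`, so the next reader knows which resolver or agent owns it; if the intent is to ignore all of 127/8, `NOT LIKE '127.%'` in place of the two predicates says so directly. The WHERE clause continues outside the hunk.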
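Review bot: The new `'5001,6,500,Record It,Apple Mac OS Application Signing'` entry in unexpected-listening-port-macos.sql is keyed on the generic Mac App Store signing authority, which every App Store app shares, so unlike the `Developer ID Application: ... (TEAMID)` entries around it the authority field here adds nothing beyond the process name. That is inherent to App Store apps, but it is worth a comment so nobody mistakes the entry for a publisher-pinned exception; the signature table's `identifier` column (used by unexpected-long-running-security-framework-macos.sql in this same diff) would be the stronger thing to fold into the exception key. The `NOT IN (` list starts and ends outside the hunk.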
@@ -70,6 +75,7 @@ WHERE port != 0 '1824,6,500,WaveLink,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', '1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)', '2112,6,500,fake,', + '49152,6,0,webfilterproxyd,Software Signing', '2112,6,500,rekor-server,', '2112,6,500,timestamp-server,', '22000,6,500,syncthing,', @@ -275,4 +281,5 @@ WHERE port != 0 AND p.cmdline LIKE '%/.colima/_lima/colima-docker/ssh.sock%' ) ) -GROUP BY exception_key +GROUP BY + exception_key diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql index 64a4919..ef741ac 100644 --- a/detection/persistence/unexpected-uid0-daemon-linux.sql +++ b/detection/persistence/unexpected-uid0-daemon-linux.sql @@ -308,6 +308,7 @@ WHERE 'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755', 'su,/usr/bin/su,0,user.slice,user-1000.slice,4755', 'su,/usr/bin/su,1000,user.slice,user-0.slice,4755', + 'mc,/usr/bin/mc,0,user.slice,user-0.slice,0755', 'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755', 'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555', 'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755', diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql index 44c5bf8..f389bea 100644 --- a/detection/persistence/unexpected-uid0-daemon-macos.sql +++ b/detection/persistence/unexpected-uid0-daemon-macos.sql @@ -272,6 +272,7 @@ WHERE -- Focus on longer-running programs '/usr/local/bin/warsaw/core', '/usr/local/kolide-k2/bin/osquery-extension.ext', '/usr/local/sbin/velociraptor', + '/opt/colima/bin/socket_vmnet', '/usr/sbin/aslmanager', '/usr/sbin/audioclocksyncd', '/usr/sbin/auditd',