Merge pull request #265 from tstromberg/fpr-may17

fpr: Parallels, Stream Deck, tflint, gitstatus, snyk
2023-05-17 17:58:27 -04:00 · 2023-05-17 17:58:27 -04:00 · 82134447fa
parent 0f94e56abc 56ede74c54
commit 82134447fa
15 changed files with 64 additions and 31 deletions
--- a/6
+++ b/6
@ -70,9 +70,9 @@ verify-ci: ./out/osqtool-$(ARCH)
 # Local verification
 .PHONY: verify
 verify: ./out/osqtool-$(ARCH)
-	$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=90m verify incident_response
-	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s verify policy
-	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h15m --max-query-daily-duration=1h verify detection

 all: out/odk-packs.zip

--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@ -110,6 +110,7 @@ WHERE
    '500,Brackets,0u,0g,Brackets',
    '500,brave,0u,0g,brave',
    '500,buildkitd,500u,500g,buildkitd',
+    '500,buildkite-agent,500u,500g,buildkite-agent',
    '500,cargo,0u,0g,cargo',
    '500,cargo,500u,500g,cargo',
    '500,chainctl,0u,0g,chainctl',
@ -132,6 +133,7 @@ WHERE
    '500,Discord,0u,0g,Discord',
    '500,Discord,u,g,Discord',
    '500,docker,0u,0g,docker',
+    '500,docker-buildx,0u,0g,docker-buildx',
    '500,eksctl,0u,0g,eksctl',
    '500,eksctl,500u,500g,eksctl',
    '500,electron,0u,0g,electron',
@ -206,7 +208,6 @@ WHERE
    '500,node,0u,0g,npm install',
    '500,node,u,g,node',
    '500,obs,0u,0g,obs',
-    '500,docker-buildx,0u,0g,docker-buildx',
    '500,obs-browser-page,0u,0g,obs-browser-pag',
    '500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
    '500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@ -5,8 +5,7 @@
 --
 -- tags: transient state net often
 -- platform: macos
-SELECT
-  pos.protocol,
+SELECT pos.protocol,
  pos.local_port,
  pos.remote_port,
  pos.remote_address,
@ -58,8 +57,7 @@ SELECT
  p2.path AS p2_path,
  p2.cmdline AS p2_cmd,
  p2_hash.sha256 AS p2_sha256
-FROM
-  process_open_sockets pos
+FROM process_open_sockets pos
  LEFT JOIN processes p0 ON pos.pid = p0.pid
  LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
  LEFT JOIN processes p1 ON p0.parent = p1.pid
@ -68,8 +66,7 @@ FROM
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
  LEFT JOIN file f ON p0.path = f.path
  LEFT JOIN signature s ON p0.path = s.path
-WHERE
-  pos.protocol IN (6, 17)
+WHERE pos.protocol IN (6, 17)
  AND pos.remote_port = 443
  AND pos.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
  AND pos.remote_address NOT LIKE 'fe80:%'
@ -98,14 +95,14 @@ WHERE
  AND p0.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
  AND p0.path NOT LIKE '/usr/libexec/%'
  AND p0.path NOT LIKE '/usr/sbin/%'
-  AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/%'
-  AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%'
-  -- Apple programs running from weird places, like the UpdateBrainService
+  AND p0.path NOT LIKE '/usr/local/kolide-k2/%'
+  AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%' -- Apple programs running from weird places, like the UpdateBrainService
  AND NOT (
    s.identifier LIKE 'com.apple.%'
    AND s.authority = 'Software Signing'
  )
  AND NOT exception_key IN (
+    '0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
    '0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
    '500,bash,bash,,bash',
    '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
@ -151,7 +148,10 @@ WHERE
  AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
  AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
  AND NOT (
-    exception_key IN ('500,Python,Python,,org.python.python', '500,Python,Python,,Python')
+    exception_key IN (
+      '500,Python,Python,,org.python.python',
+      '500,Python,Python,,Python'
+    )
    AND (
      p0_cmd LIKE '%/gcloud.py%'
      OR p0_cmd LIKE '%pip install%'
@ -159,17 +159,14 @@ WHERE
      OR p0_cmd LIKE '%/main.py'
      OR p0_cmd LIKE '%/bin/aws%'
    )
-  )
-  -- theScore and other iPhone apps
+  ) -- theScore and other iPhone apps
  AND NOT (
    s.authority = 'Apple iPhone OS Application Signing'
    AND p0.cwd = '/'
    AND p0.path = '/private/var/folders/%/Wrapper/%.app/%'
-  )
-  -- nix socket inheritance
+  ) -- nix socket inheritance
  AND NOT (
    p0.path LIKE '/nix/store/%/bin/%'
    AND p1.path LIKE '/nix/store/%/bin/%'
  )
-GROUP BY
-  p0.cmdline
+GROUP BY p0.cmdline
--- a/detection/c2/unexpected-libcurl-user-linux.sql
+++ b/detection/c2/unexpected-libcurl-user-linux.sql
@ -80,5 +80,6 @@ WHERE
    'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
    'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755'
  )
+  AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
 GROUP BY
  p0.pid
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -157,6 +157,7 @@ WHERE
    '500,6,22,ssh,ssh,500u,80g',
    '500,6,80,qemu-system-aarch64,qemu-system-aarch64,500u,80g',
    '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,0u,0g',
+    '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,500u,20g',
    '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
    '500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g'
  )
--- a/detection/evasion/ssh-notty.sql
+++ b/detection/evasion/ssh-notty.sql
@ -17,6 +17,7 @@ FROM
      p.pid,
      p.name,
      p.cmdline AS cmd,
+      p.start_time,
      p.cwd,
      cp.name AS child_name,
      cp.cmdline AS child_cmd,
@ -48,4 +49,6 @@ WHERE
  )
  AND child_name IS NOT NULL
  AND child_name NOT IN ('', 'zfs')
+  AND child_cmd NOT LIKE '%osquery-defense-kit%make verify'
+  AND grandchild_cmd NOT LIKE '%osquery-defense-kit%make verify'
  AND cmd != 'sshd: docker@notty'
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@ -15,8 +15,9 @@ SELECT
  uid,
  gid,
  mode,
+  atime,
+  btime,
  mtime,
-  ((strftime('%s', 'now') - file.ctime) / 86400) AS mtime_age_days,
  ctime,
  type,
  size,
@ -66,6 +67,7 @@ WHERE
    '/etc/.resolv.conf.systemd-resolved.bak',
    '/etc/selinux/.config_backup',
    '/etc/skel/.mozilla/',
+    '/etc/.#sudoers',
    '/.file',
    '/.lesshst',
    '/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
@ -132,6 +134,7 @@ WHERE
    '/var/setup/.AppleSetupUser',
    '/var/setup/.TemporaryItems',
    '/var/setup/.TemporaryItems/',
+    '/var/tmp/.ses.bak',
    '/.vol/',
    '/.VolumeIcon.icns'
  )
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
@ -190,8 +190,11 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
    AND file.filename LIKE "%.%"
    AND extension IN (
      'adoc',
+      'api',
+      'authn',
      'bat',
      'erb',
+      'iam',
      'java',
      'js',
      'json',
@ -202,6 +205,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
      'pl',
      'py',
      'rb',
+      'registry',
      'script',
      'sh',
      'strings',
--- a/detection/evasion/unexpected-var-run-linux.sql
+++ b/detection/evasion/unexpected-var-run-linux.sql
@ -30,6 +30,7 @@ WHERE
    'acpid.pid',
    'agetty.reload',
    'alsactl.pid',
+    'apcupsd.pid',
    'apport.lock',
    'atd.pid',
    "auditd.pid",
@ -43,8 +44,8 @@ WHERE
    'haproxy.pid',
    "lightdm.pid",
    'mcelog.pid',
-    'nvidia-powerd.pid',
    'motd',
+    'nvidia-powerd.pid',
    'nvidia_runtimepm_enabled',
    'nvidia_runtimepm_supported',
    'reboot-required',
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@ -88,6 +88,7 @@ WHERE
        '~/.vscode/extensions/ms-vscode.cpptools-1.15.4-darwin-arm64/',
        '~/Library/Application Support/Steam/',
        '~/Library/Application Support/Zed/',
+        '~/Library/Application Support/WebEx Folder/',
        '/Library/Application Support/EcammLive',
        '~/Library/Application Support/Foxit Software/',
        '~/Library/Application Support/JetBrains/',
@ -137,14 +138,15 @@ WHERE
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
    'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
    'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
-    'Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
    'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
    'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
+    'Developer ID Application: Cisco (DE8Y96K9QP)',
    'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
    'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
    'Developer ID Application: Docker Inc (9BNSXJN65R)',
    'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
+    'Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
    'Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)',
    'Developer ID Application: Galvanix (5BRAQAFB8B)',
    'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)',
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@ -97,9 +97,11 @@ WHERE
  AND NOT homedir IN (
    '~/bin',
    '~/code/bin',
+    '~/Library/Application Support/snyk-ls',
    '~/Downloads/google-cloud-sdk/bin',
    '~/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper (Renderer).app/Contents/MacOS',
    '~/go/bin',
+    '~/.cache/gitstatus',
    '~/Library/Application Support/sourcegraph-sp/',
    '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
    '~/Library/Application Support/dev.warp.Warp-Stable',
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@ -136,12 +136,15 @@ WHERE
    '500,melange-run,a.out,',
    '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
    '500,plugin-darwin-arm64,a.out,',
+    '500,tflint,a.out,',
    '500,PrinterProxy,com.apple.print.PrinterProxy,',
    '500,registry,a.out,',
    '500,registry-redirect,a.out,',
+    '500,tflint-ruleset-google,a.out,',
    '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
    '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
    '500,scdaemon,scdaemon,',
+    '500,tflint-ruleset-aws,a.out,',
    '500,sdaudioswitch,,',
    '500,sdaudioswitch,sdaudioswitch,',
    '500,sdzoomplugin,,',
@ -173,6 +176,10 @@ WHERE
    exception_key LIKE '500,%,a.out,'
    AND p0.path LIKE '/private/var/folders%/T/go-build%/exe/%'
  )
+  AND NOT (
+    exception_key LIKE '500,tflint%,a.out,'
+    AND p0.path LIKE '/Users/%/.tflint.d/%'
+  )  
  AND NOT (
    exception_key LIKE '500,python3.%,%,'
    AND p0.path LIKE '/opt/homebrew/%/bin/python'
--- a/detection/persistence/minimal-socket-client-linux.sql
+++ b/detection/persistence/minimal-socket-client-linux.sql
@ -43,6 +43,7 @@ WHERE p.pid IN (
                '/usr/bin/i3blocks'
            )
            AND name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node')
+        GROUP BY processes.path
    )
    AND pmm.path LIKE "%.so.%"
 GROUP BY pos.pid -- libc.so, ld-linux
--- a/detection/persistence/unexpected-lock-opener.sql
+++ b/detection/persistence/unexpected-lock-opener.sql
@ -8,16 +8,18 @@
 --
 -- tags: persistent filesystem state
 -- platform: posix
-SELECT
-    CONCAT(
+SELECT CONCAT(
        MIN(p0.euid, 500),
        ',',
        COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path),
        ',',
-        REGEX_MATCH (
-            REPLACE(pof.path, u.directory, '~'),
-            '(.*)/.*',
-            1
+        COALESCE(
+            REGEX_MATCH (
+                REPLACE(pof.path, u.directory, '~'),
+                '(.*)/.*',
+                1
+            ),
+            REPLACE(pof.path, u.directory, '~')
        )
    ) AS exception_key,
    pof.path AS lock,
@ -48,16 +50,22 @@ WHERE pof.path LIKE "%.lock"
        '500,bridge-gui,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
        '500,bridge-gui,~/Library/Caches/protonmail/bridge-v3',
        '500,bridge,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
+        '500,Stream Deck,~/Library/Application Support/com.elgato.StreamDeck/Sentry',
        '500,bridge,~/Library/Caches/protonmail/bridge-v3',
+        '500,Craft,~/Library/Containers/com.lukilabs.lukiapp/Data/Library/Application Support/com.lukilabs.lukiapp',
        '500,buildkitd,~/.local/share/buildkit',
        '500,com.docker.backend,~/Library/Containers/com.docker.docker',
        '500,photolibraryd,~/Library/Photos/Libraries/Syndication.photoslibrary/database',
-        '500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database'
+        '500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database',
+        '500,reMarkable,~/Library/Application Support/remarkable/desktop'
    )
    AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,~/%'
    AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,/private/var/folders/%'
    AND NOT exception_key LIKE '500,lua-language-server,~/%'
+    AND NOT exception_key LIKE '0,prl_disp_service,/Users/%/Parallels/%/vm.lock'
    AND NOT exception_key LIKE '500,iTermServer-%,~/Library/Application Support/iTerm2'
    AND NOT exception_key LIKE '500,%,/private/var/folders/%/T/Sentry_StreamDeck'
+    AND NOT exception_key LIKE '500,gnome-software,/var/tmp/flatpak-cache-%'
+    AND NOT exception_key LIKE '500,com.docker.backend,/private/var/folders/%/go/pkg/mod/cache/%'
 GROUP BY p0.path,
    pof.path
--- a/policy/gcp-service-account-keys-mdfind.sql
+++ b/policy/gcp-service-account-keys-mdfind.sql
@ -5,7 +5,9 @@
 SELECT
  file.path,
  file.size,
-  datetime(file.btime, 'unixepoch') AS file_created,
+  file.btime,
+  file.ctime,
+  file.mtime,
  magic.data,
  hash.sha256,
  u.username,