From 56ede74c5448689467358aca7a04637afd25056e Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Wed, 17 May 2023 17:52:55 -0400 Subject: [PATCH] fpr: Parallels, Stream Deck, tflint, gitstatus, snyk --- Makefile | 6 ++-- detection/c2/unexpected-https-linux.sql | 3 +- detection/c2/unexpected-https-macos.sql | 29 +++++++++---------- .../c2/unexpected-libcurl-user-linux.sql | 1 + detection/c2/unexpected-talkers-macos.sql | 1 + detection/evasion/ssh-notty.sql | 3 ++ .../unexpected-hidden-system-paths.sql | 5 +++- .../unexpected-tmp-executables-linux.sql | 4 +++ .../evasion/unexpected-var-run-linux.sql | 3 +- .../recently-created-executables-macos.sql | 4 ++- .../execution/unexpected-execdir-macos.sql | 2 ++ ...ected-security-framework-program-macos.sql | 7 +++++ .../minimal-socket-client-linux.sql | 1 + .../persistence/unexpected-lock-opener.sql | 22 +++++++++----- policy/gcp-service-account-keys-mdfind.sql | 4 ++- 15 files changed, 64 insertions(+), 31 deletions(-) diff --git a/Makefile b/Makefile index 93cb09f..89ad20e 100644 --- a/Makefile +++ b/Makefile @@ -70,9 +70,9 @@ verify-ci: ./out/osqtool-$(ARCH) # Local verification .PHONY: verify verify: ./out/osqtool-$(ARCH) - $(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=90m verify incident_response - $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s verify policy - $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection + $(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response + $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy + $(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h15m --max-query-daily-duration=1h verify detection all: out/odk-packs.zip 
diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
index 3b73a39..c991fe4 100644
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@@ -110,6 +110,7 @@ WHERE
 '500,Brackets,0u,0g,Brackets',
 '500,brave,0u,0g,brave',
 '500,buildkitd,500u,500g,buildkitd',
+ '500,buildkite-agent,500u,500g,buildkite-agent',
 '500,cargo,0u,0g,cargo',
 '500,cargo,500u,500g,cargo',
 '500,chainctl,0u,0g,chainctl',
@@ -132,6 +133,7 @@ WHERE
 '500,Discord,0u,0g,Discord',
 '500,Discord,u,g,Discord',
 '500,docker,0u,0g,docker',
+ '500,docker-buildx,0u,0g,docker-buildx',
 '500,eksctl,0u,0g,eksctl',
 '500,eksctl,500u,500g,eksctl',
 '500,electron,0u,0g,electron',
@@ -206,7 +208,6 @@ WHERE
 '500,node,0u,0g,npm install',
 '500,node,u,g,node',
 '500,obs,0u,0g,obs',
- '500,docker-buildx,0u,0g,docker-buildx',
 '500,obs-browser-page,0u,0g,obs-browser-pag',
 '500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
 '500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 5751f7e..ed8da72 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -5,8 +5,7 @@
 --
 -- tags: transient state net often
 -- platform: macos
-SELECT
- pos.protocol,
+SELECT pos.protocol,
 pos.local_port,
 pos.remote_port,
 pos.remote_address,
@@ -58,8 +57,7 @@ SELECT
 p2.path AS p2_path,
 p2.cmdline AS p2_cmd,
 p2_hash.sha256 AS p2_sha256
-FROM
- process_open_sockets pos
+FROM process_open_sockets pos
 LEFT JOIN processes p0 ON pos.pid = p0.pid
 LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
 LEFT JOIN processes p1 ON p0.parent = p1.pid
@@ -68,8 +66,7 @@ FROM
 LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 LEFT JOIN file f ON p0.path = f.path
 LEFT JOIN signature s ON p0.path = s.path
-WHERE
- pos.protocol IN (6, 17)
+WHERE pos.protocol IN (6, 17)
 AND pos.remote_port = 443
 AND pos.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
 AND pos.remote_address NOT LIKE 'fe80:%'
@@ -98,14 +95,14 @@ WHERE
 AND p0.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
 AND p0.path NOT LIKE '/usr/libexec/%'
 AND p0.path NOT LIKE '/usr/sbin/%'
- AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/%'
- AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%'
- -- Apple programs running from weird places, like the UpdateBrainService
+ AND p0.path NOT LIKE '/usr/local/kolide-k2/%'
+ AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%' -- Apple programs running from weird places, like the UpdateBrainService
 AND NOT (
 s.identifier LIKE 'com.apple.%'
 AND s.authority = 'Software Signing'
 )
 AND NOT exception_key IN (
+ '0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
 '0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
 '500,bash,bash,,bash',
 '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
@@ -151,7 +148,10 @@ WHERE
 AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
 AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
 AND NOT (
- exception_key IN ('500,Python,Python,,org.python.python', '500,Python,Python,,Python')
+ exception_key IN (
+ '500,Python,Python,,org.python.python',
+ '500,Python,Python,,Python'
+ )
 AND (
 p0_cmd LIKE '%/gcloud.py%'
 OR p0_cmd LIKE '%pip install%'
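Review bot: The Kolide path exclusion in the `@@ -98` hunk widens from `/usr/local/kolide-k2/bin/%` to `/usr/local/kolide-k2/%`, which exempts any binary anywhere under that tree from the HTTPS-talker check regardless of how it is signed. The same hunk adds the signed key `'0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent'`, which presumably already covers the launcher that motivated the change, so the path widening looks redundant. If it is needed for binaries staged outside `bin/`, tying it to the signer, `AND NOT (p0.path LIKE '/usr/local/kolide-k2/%' AND s.authority = 'Developer ID Application: Kolide, Inc (X98UFR7HA3)')`, keeps an unsigned drop-in under that directory visible. The enclosing WHERE clause starts and ends outside the hunk.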
@@ -159,17 +159,14 @@ WHERE OR p0_cmd LIKE '%/main.py' OR p0_cmd LIKE '%/bin/aws%' ) - ) - -- theScore and other iPhone apps + ) -- theScore and other iPhone apps AND NOT ( s.authority = 'Apple iPhone OS Application Signing' AND p0.cwd = '/' AND p0.path = '/private/var/folders/%/Wrapper/%.app/%' - ) - -- nix socket inheritance + ) -- nix socket inheritance AND NOT ( p0.path LIKE '/nix/store/%/bin/%' AND p1.path LIKE '/nix/store/%/bin/%' ) -GROUP BY - p0.cmdline +GROUP BY p0.cmdline \ No newline at end of file diff --git a/detection/c2/unexpected-libcurl-user-linux.sql b/detection/c2/unexpected-libcurl-user-linux.sql index 5a5c2fc..2e259c8 100644 --- a/detection/c2/unexpected-libcurl-user-linux.sql +++ b/detection/c2/unexpected-libcurl-user-linux.sql @@ -80,5 +80,6 @@ WHERE 'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755', 'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755' ) + AND NOT p0.cgroup_path LIKE '/system.slice/docker-%' GROUP BY p0.pid diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index f5f00e6..6862d4e 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql @@ -157,6 +157,7 @@ WHERE '500,6,22,ssh,ssh,500u,80g', '500,6,80,qemu-system-aarch64,qemu-system-aarch64,500u,80g', '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,0u,0g', + '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,500u,20g', '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g', '500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g' ) diff --git a/detection/evasion/ssh-notty.sql b/detection/evasion/ssh-notty.sql index 972e712..3a68e57 100644 --- a/detection/evasion/ssh-notty.sql +++ b/detection/evasion/ssh-notty.sql @@ -17,6 +17,7 @@ FROM p.pid, p.name, p.cmdline AS cmd, + p.start_time, p.cwd, cp.name AS child_name, cp.cmdline AS child_cmd, 
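Review bot: In the iPhone-app exception this hunk restyles, `AND p0.path = '/private/var/folders/%/Wrapper/%.app/%'` compares with `=`, so the `%` characters are literal and that branch can never be true; the theScore exclusion is dead and those processes still surface. The fix is `AND p0.path LIKE '/private/var/folders/%/Wrapper/%.app/%'`, matching the `LIKE` the nix exception uses a few lines below. This predates the commit, but the block is being touched here, so it is the natural place to correct it.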
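Review bot: `AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'` in the libcurl-user hunk removes every process running inside a Docker container cgroup from the detection, a far broader carve-out than the per-program keys in the list above it. Containers are an execution context where unfamiliar libcurl users are at least as interesting as on the host, so if the noise comes from particular images or programs, a key that combines the program name with the cgroup prefix keeps coverage for everything else. If the blanket exclusion is intended, a comment on that line recording why (which workloads were noisy, and what still covers them) would stop a later reader from treating it as an oversight. The enclosing WHERE clause starts before the hunk.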
@@ -48,4 +49,6 @@ WHERE
 )
 AND child_name IS NOT NULL
 AND child_name NOT IN ('', 'zfs')
+ AND child_cmd NOT LIKE '%osquery-defense-kit%make verify'
+ AND grandchild_cmd NOT LIKE '%osquery-defense-kit%make verify'
 AND cmd != 'sshd: docker@notty'
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index 21199dd..f1605af 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -15,8 +15,9 @@ SELECT
 uid,
 gid,
 mode,
+ atime,
+ btime,
 mtime,
- ((strftime('%s', 'now') - file.ctime) / 86400) AS mtime_age_days,
 ctime,
 type,
 size,
@@ -66,6 +67,7 @@ WHERE
 '/etc/.resolv.conf.systemd-resolved.bak',
 '/etc/selinux/.config_backup',
 '/etc/skel/.mozilla/',
+ '/etc/.#sudoers',
 '/.file',
 '/.lesshst',
 '/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
@@ -132,6 +134,7 @@ WHERE
 '/var/setup/.AppleSetupUser',
 '/var/setup/.TemporaryItems',
 '/var/setup/.TemporaryItems/',
+ '/var/tmp/.ses.bak',
 '/.vol/',
 '/.VolumeIcon.icns'
 )
diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql
index 985f0a2..7974caf 100644
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
@@ -190,8 +190,11 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 AND file.filename LIKE "%.%"
 AND extension IN (
 'adoc',
+ 'api',
+ 'authn',
 'bat',
 'erb',
+ 'iam',
 'java',
 'js',
 'json',
@@ -202,6 +205,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 'pl',
 'py',
 'rb',
+ 'registry',
 'script',
 'sh',
 'strings',
diff --git a/detection/evasion/unexpected-var-run-linux.sql b/detection/evasion/unexpected-var-run-linux.sql
index ad6e06c..e664bfd 100644
--- a/detection/evasion/unexpected-var-run-linux.sql
+++ b/detection/evasion/unexpected-var-run-linux.sql
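Review bot: The two new `NOT LIKE '%osquery-defense-kit%make verify'` predicates exclude on `child_cmd` and `grandchild_cmd`, which are command lines chosen by whoever runs the process, so any non-TTY SSH session whose command happens to contain that substring drops out of this detection, by accident or otherwise. Since the intent appears to be silencing this repository's own `make verify` run over SSH, anchoring the exclusion on something less free-form, such as the child's working directory or the path of the `make` binary, would narrow it to that case. The enclosing WHERE clause begins before the hunk.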
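Review bot: The new allowlist entries `'/etc/.#sudoers'` (the `@@ -66` hunk) and `'/var/tmp/.ses.bak'` (the `@@ -132` hunk) carry no explanation, and both are hidden files in exactly the locations this query exists to watch. `.#sudoers` looks like an editor lock file (Emacs uses the `.#name` convention), which should exist only while an edit of `/etc/sudoers` is open, so a persistent one is itself worth a look; `.ses.bak` has no obvious owner from the diff. A trailing comment on each entry naming the producer, e.g. `'/etc/.#sudoers', -- editor lock left by <editor>, present only during edits`, would let a later reader judge whether the exclusion is still warranted.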
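Review bot: The added values `'api'`, `'authn'`, `'iam'` and `'registry'` in the tmp-executables hunks are not conventional file extensions, and nothing in either hunk records which tool leaves files with those suffixes in a tmp directory, so a later maintainer cannot tell whether the entries are still needed. A one-line comment above the group, such as `-- 'api', 'authn', 'iam', 'registry': produced by <tool>`, would document the origin. The `extension IN (` list begins in the first hunk and continues past the second.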
@@ -30,6 +30,7 @@ WHERE
 'acpid.pid',
 'agetty.reload',
 'alsactl.pid',
+ 'apcupsd.pid',
 'apport.lock',
 'atd.pid',
 "auditd.pid",
@@ -43,8 +44,8 @@ WHERE
 'haproxy.pid',
 "lightdm.pid",
 'mcelog.pid',
- 'nvidia-powerd.pid',
 'motd',
+ 'nvidia-powerd.pid',
 'nvidia_runtimepm_enabled',
 'nvidia_runtimepm_supported',
 'reboot-required',
diff --git a/detection/execution/recently-created-executables-macos.sql b/detection/execution/recently-created-executables-macos.sql
index fd9a8c9..f393da3 100644
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@@ -88,6 +88,7 @@ WHERE
 '~/.vscode/extensions/ms-vscode.cpptools-1.15.4-darwin-arm64/',
 '~/Library/Application Support/Steam/',
 '~/Library/Application Support/Zed/',
+ '~/Library/Application Support/WebEx Folder/',
 '/Library/Application Support/EcammLive',
 '~/Library/Application Support/Foxit Software/',
 '~/Library/Application Support/JetBrains/',
@@ -137,14 +138,15 @@ WHERE
 'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
 'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
- 'Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
 'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
 'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
+ 'Developer ID Application: Cisco (DE8Y96K9QP)',
 'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
 'Developer ID Application: Docker Inc (9BNSXJN65R)',
 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
+ 'Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
 'Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)',
 'Developer ID Application: Galvanix (5BRAQAFB8B)',
 'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)',
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index 31fcb97..2ca9822 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -97,9 +97,11 @@ WHERE
 AND NOT homedir IN (
 '~/bin',
 '~/code/bin',
+ '~/Library/Application Support/snyk-ls',
 '~/Downloads/google-cloud-sdk/bin',
 '~/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper (Renderer).app/Contents/MacOS',
 '~/go/bin',
+ '~/.cache/gitstatus',
 '~/Library/Application Support/sourcegraph-sp/',
 '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
 '~/Library/Application Support/dev.warp.Warp-Stable',
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index 6c8b8a8..ff9e59c 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -136,12 +136,15 @@ WHERE
 '500,melange-run,a.out,',
 '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
 '500,plugin-darwin-arm64,a.out,',
+ '500,tflint,a.out,',
 '500,PrinterProxy,com.apple.print.PrinterProxy,',
 '500,registry,a.out,',
 '500,registry-redirect,a.out,',
+ '500,tflint-ruleset-google,a.out,',
 '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
 '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
 '500,scdaemon,scdaemon,',
+ '500,tflint-ruleset-aws,a.out,',
 '500,sdaudioswitch,,',
 '500,sdaudioswitch,sdaudioswitch,',
 '500,sdzoomplugin,,',
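Review bot: `'~/.cache/gitstatus'` in the execdir hunk exempts every executable launched from that directory, with no name or signature restriction visible in the hunk; `~/.cache` is a user-writable location that normally holds no executables, which is the kind of directory this query is meant to flag. If the exception is for the gitstatusd helper that the gitstatus shell plugin installs there, narrowing it to that expected basename would keep an unrelated binary dropped into the same directory visible, and the same consideration applies more mildly to `'~/Library/Application Support/snyk-ls'`. The enclosing WHERE starts before the hunk and the `homedir IN (` list continues past it.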
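Review bot: The `@@ -173` hunk of the same file adds `AND NOT (exception_key LIKE '500,tflint%,a.out,' AND p0.path LIKE '/Users/%/.tflint.d/%')`, a path-bound exception that already covers the ruleset plugins installed under `~/.tflint.d`; the unconditional `'500,tflint-ruleset-google,a.out,'` and `'500,tflint-ruleset-aws,a.out,'` keys added in this hunk make that path constraint moot for those two names, so an unsigned binary by either name running from anywhere is exempt. Keeping only the path-bound rule for the rulesets (and the plain `'500,tflint,a.out,'` entry if the main binary lives elsewhere) is tighter. The three entries are also placed out of the list's alphabetical order (`tflint` between `plugin-darwin-arm64` and `PrinterProxy`, the rulesets after `registry-redirect` and `scdaemon`), which makes duplicate checks harder. The enclosing `exception_key IN (` list starts before the hunk and continues past it.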
@@ -173,6 +176,10 @@ WHERE
 exception_key LIKE '500,%,a.out,'
 AND p0.path LIKE '/private/var/folders%/T/go-build%/exe/%'
 )
+ AND NOT (
+ exception_key LIKE '500,tflint%,a.out,'
+ AND p0.path LIKE '/Users/%/.tflint.d/%'
+ )
 AND NOT (
 exception_key LIKE '500,python3.%,%,'
 AND p0.path LIKE '/opt/homebrew/%/bin/python'
diff --git a/detection/persistence/minimal-socket-client-linux.sql b/detection/persistence/minimal-socket-client-linux.sql
index 8d9ab8d..def37ad 100644
--- a/detection/persistence/minimal-socket-client-linux.sql
+++ b/detection/persistence/minimal-socket-client-linux.sql
@@ -43,6 +43,7 @@ WHERE p.pid IN (
 '/usr/bin/i3blocks'
 )
 AND name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node')
+ GROUP BY processes.path
 )
 AND pmm.path LIKE "%.so.%"
 GROUP BY pos.pid -- libc.so, ld-linux
diff --git a/detection/persistence/unexpected-lock-opener.sql b/detection/persistence/unexpected-lock-opener.sql
index fbae971..8e2881b 100644
--- a/detection/persistence/unexpected-lock-opener.sql
+++ b/detection/persistence/unexpected-lock-opener.sql
@@ -8,16 +8,18 @@
 --
 -- tags: persistent filesystem state
 -- platform: posix
-SELECT
- CONCAT(
+SELECT CONCAT(
 MIN(p0.euid, 500),
 ',',
 COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path),
 ',',
- REGEX_MATCH (
- REPLACE(pof.path, u.directory, '~'),
- '(.*)/.*',
- 1
+ COALESCE(
+ REGEX_MATCH (
+ REPLACE(pof.path, u.directory, '~'),
+ '(.*)/.*',
+ 1
+ ),
+ REPLACE(pof.path, u.directory, '~')
 )
 ) AS exception_key,
 pof.path AS lock,
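Review bot: The added `GROUP BY processes.path` sits inside the `p.pid IN ( … )` subquery, so the candidate set collapses to one row per executable path before the outer join; when two processes of the same binary hold sockets, only one pid survives, and under SQLite's bare-column rule it is an unspecified one, so the other instance is never reported even though the outer `GROUP BY pos.pid` produces per-process results. If the goal is to shrink the join input, a filter on `processes.path` keeps every pid; if one result per path is intended, a comment on the line saying so would stop the next reader from treating it as a bug. The subquery's SELECT list is outside the hunk, so this assumes it selects the pid.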
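Review bot: The new `COALESCE` in the lock-opener hunk falls back to `REPLACE(pof.path, u.directory, '~')`, but if `u.directory` is NULL (a process whose uid has no `users` row, assuming the users join is an outer join, which is outside the hunk) `REPLACE` itself returns NULL and both branches are NULL, leaving the third field of `exception_key` empty exactly as before the change. Guarding the home-directory value, `REPLACE(pof.path, COALESCE(u.directory, ''), '~')`, makes the fallback hold in that case too, since SQLite leaves the string unchanged when the search pattern is empty. Worth confirming which case the fallback was added for, as an absolute `pof.path` always contains a `/`.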
@@ -48,16 +50,22 @@ WHERE pof.path LIKE "%.lock" '500,bridge-gui,~/Library/Application Support/protonmail/bridge-v3/sentry_cache', '500,bridge-gui,~/Library/Caches/protonmail/bridge-v3', '500,bridge,~/Library/Application Support/protonmail/bridge-v3/sentry_cache', + '500,Stream Deck,~/Library/Application Support/com.elgato.StreamDeck/Sentry', '500,bridge,~/Library/Caches/protonmail/bridge-v3', + '500,Craft,~/Library/Containers/com.lukilabs.lukiapp/Data/Library/Application Support/com.lukilabs.lukiapp', '500,buildkitd,~/.local/share/buildkit', '500,com.docker.backend,~/Library/Containers/com.docker.docker', '500,photolibraryd,~/Library/Photos/Libraries/Syndication.photoslibrary/database', - '500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database' + '500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database', + '500,reMarkable,~/Library/Application Support/remarkable/desktop' ) AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,~/%' AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,/private/var/folders/%' AND NOT exception_key LIKE '500,lua-language-server,~/%' + AND NOT exception_key LIKE '0,prl_disp_service,/Users/%/Parallels/%/vm.lock' AND NOT exception_key LIKE '500,iTermServer-%,~/Library/Application Support/iTerm2' AND NOT exception_key LIKE '500,%,/private/var/folders/%/T/Sentry_StreamDeck' + AND NOT exception_key LIKE '500,gnome-software,/var/tmp/flatpak-cache-%' + AND NOT exception_key LIKE '500,com.docker.backend,/private/var/folders/%/go/pkg/mod/cache/%' GROUP BY p0.path, pof.path \ No newline at end of file diff --git a/policy/gcp-service-account-keys-mdfind.sql b/policy/gcp-service-account-keys-mdfind.sql index a8a0e26..fd522dd 100644 --- a/policy/gcp-service-account-keys-mdfind.sql +++ b/policy/gcp-service-account-keys-mdfind.sql 
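Review bot: `'0,prl_disp_service,/Users/%/Parallels/%/vm.lock'` ends in a file name, while the third field of `exception_key` is the directory part of the lock path (`REGEX_MATCH(…, '(.*)/.*', 1)` in the first hunk of this file), as the neighbouring entries ending in `…/Sentry` and `…/database` show. If `vm.lock` is the lock file itself rather than a directory containing one, the key the query produces stops at its parent directory and this `LIKE` pattern can never match; please confirm against live output and drop the `/vm.lock` suffix if so. The new `'500,Stream Deck,…'` and `'500,Craft,…'` entries are also inserted out of the otherwise sorted order of the list, which begins before the hunk.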
@@ -5,7 +5,9 @@
 SELECT
 file.path,
 file.size,
- datetime(file.btime, 'unixepoch') AS file_created,
+ file.btime,
+ file.ctime,
+ file.mtime,
 magic.data,
 hash.sha256,
 u.username,
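Review bot: Dropping `datetime(file.btime, 'unixepoch') AS file_created` in favour of raw `file.btime`, `file.ctime` and `file.mtime` changes the output schema of a policy query: any consumer keyed on the `file_created` column or expecting a formatted timestamp will break, and bare epoch integers are harder to read in an alert about a leaked service-account key. If the raw values are wanted for downstream filtering, keeping the formatted alias alongside them, `datetime(file.btime, 'unixepoch') AS file_created,`, preserves both. The SELECT list continues past the hunk.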