Merge pull request #265 from tstromberg/fpr-may17

fpr: Parallels, Stream Deck, tflint, gitstatus, snyk

Makefile

@@ -70,9 +70,9 @@ verify-ci: ./out/osqtool-$(ARCH)
 # Local verification
 .PHONY: verify
 verify: ./out/osqtool-$(ARCH)
-	$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=90m verify incident_response
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response
-	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s verify policy
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy
-	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
+	$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h15m --max-query-daily-duration=1h verify detection
 
 all: out/odk-packs.zip
 

detection/c2/unexpected-https-linux.sql

@@ -110,6 +110,7 @@ WHERE
     '500,Brackets,0u,0g,Brackets',
     '500,brave,0u,0g,brave',
     '500,buildkitd,500u,500g,buildkitd',
+    '500,buildkite-agent,500u,500g,buildkite-agent',
     '500,cargo,0u,0g,cargo',
     '500,cargo,500u,500g,cargo',
     '500,chainctl,0u,0g,chainctl',
@@ -132,6 +133,7 @@ WHERE
     '500,Discord,0u,0g,Discord',
     '500,Discord,u,g,Discord',
     '500,docker,0u,0g,docker',
+    '500,docker-buildx,0u,0g,docker-buildx',
     '500,eksctl,0u,0g,eksctl',
     '500,eksctl,500u,500g,eksctl',
     '500,electron,0u,0g,electron',
@@ -206,7 +208,6 @@ WHERE
     '500,node,0u,0g,npm install',
     '500,node,u,g,node',
     '500,obs,0u,0g,obs',
-    '500,docker-buildx,0u,0g,docker-buildx',
     '500,obs-browser-page,0u,0g,obs-browser-pag',
     '500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
     '500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux',

detection/c2/unexpected-https-macos.sql

@@ -5,8 +5,7 @@
 --
 -- tags: transient state net often
 -- platform: macos
-SELECT
+SELECT pos.protocol,
-  pos.protocol,
   pos.local_port,
   pos.remote_port,
   pos.remote_address,
@@ -58,8 +57,7 @@ SELECT
   p2.path AS p2_path,
   p2.cmdline AS p2_cmd,
   p2_hash.sha256 AS p2_sha256
-FROM
+FROM process_open_sockets pos
-  process_open_sockets pos
   LEFT JOIN processes p0 ON pos.pid = p0.pid
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
   LEFT JOIN processes p1 ON p0.parent = p1.pid
@@ -68,8 +66,7 @@ FROM
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
   LEFT JOIN file f ON p0.path = f.path
   LEFT JOIN signature s ON p0.path = s.path
-WHERE
+WHERE pos.protocol IN (6, 17)
-  pos.protocol IN (6, 17)
   AND pos.remote_port = 443
   AND pos.remote_address NOT IN ('127.0.0.1', '::ffff:127.0.0.1', '::1')
   AND pos.remote_address NOT LIKE 'fe80:%'
@@ -98,14 +95,14 @@ WHERE
   AND p0.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
   AND p0.path NOT LIKE '/usr/libexec/%'
   AND p0.path NOT LIKE '/usr/sbin/%'
-  AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/%'
+  AND p0.path NOT LIKE '/usr/local/kolide-k2/%'
-  AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%'
+  AND p0.path NOT LIKE '/private/var/folders/%/go-build%/%' -- Apple programs running from weird places, like the UpdateBrainService
-  -- Apple programs running from weird places, like the UpdateBrainService
   AND NOT (
     s.identifier LIKE 'com.apple.%'
     AND s.authority = 'Software Signing'
   )
   AND NOT exception_key IN (
+    '0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
     '0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
     '500,bash,bash,,bash',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
@@ -151,7 +148,10 @@ WHERE
   AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
   AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
   AND NOT (
-    exception_key IN ('500,Python,Python,,org.python.python', '500,Python,Python,,Python')
+    exception_key IN (
+      '500,Python,Python,,org.python.python',
+      '500,Python,Python,,Python'
+    )
     AND (
       p0_cmd LIKE '%/gcloud.py%'
       OR p0_cmd LIKE '%pip install%'
@@ -159,17 +159,14 @@ WHERE
       OR p0_cmd LIKE '%/main.py'
       OR p0_cmd LIKE '%/bin/aws%'
     )
-  )
+  ) -- theScore and other iPhone apps
-  -- theScore and other iPhone apps
   AND NOT (
     s.authority = 'Apple iPhone OS Application Signing'
     AND p0.cwd = '/'
     AND p0.path = '/private/var/folders/%/Wrapper/%.app/%'
-  )
+  ) -- nix socket inheritance
-  -- nix socket inheritance
   AND NOT (
     p0.path LIKE '/nix/store/%/bin/%'
     AND p1.path LIKE '/nix/store/%/bin/%'
   )
-GROUP BY
+GROUP BY p0.cmdline
-  p0.cmdline

detection/c2/unexpected-libcurl-user-linux.sql

@@ -80,5 +80,6 @@ WHERE
     'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
     'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755'
   )
+  AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
 GROUP BY
   p0.pid

detection/c2/unexpected-talkers-macos.sql

@@ -157,6 +157,7 @@ WHERE
     '500,6,22,ssh,ssh,500u,80g',
     '500,6,80,qemu-system-aarch64,qemu-system-aarch64,500u,80g',
     '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,0u,0g',
+    '500,6,3307,cloud_sql_proxy,cloud_sql_proxy,500u,20g',
     '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
     '500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g'
   )

detection/evasion/ssh-notty.sql

@@ -17,6 +17,7 @@ FROM
       p.pid,
       p.name,
       p.cmdline AS cmd,
+      p.start_time,
       p.cwd,
       cp.name AS child_name,
       cp.cmdline AS child_cmd,
@@ -48,4 +49,6 @@ WHERE
   )
   AND child_name IS NOT NULL
   AND child_name NOT IN ('', 'zfs')
+  AND child_cmd NOT LIKE '%osquery-defense-kit%make verify'
+  AND grandchild_cmd NOT LIKE '%osquery-defense-kit%make verify'
   AND cmd != 'sshd: docker@notty'

detection/evasion/unexpected-hidden-system-paths.sql

@@ -15,8 +15,9 @@ SELECT
   uid,
   gid,
   mode,
+  atime,
+  btime,
   mtime,
-  ((strftime('%s', 'now') - file.ctime) / 86400) AS mtime_age_days,
   ctime,
   type,
   size,
@@ -66,6 +67,7 @@ WHERE
     '/etc/.resolv.conf.systemd-resolved.bak',
     '/etc/selinux/.config_backup',
     '/etc/skel/.mozilla/',
+    '/etc/.#sudoers',
     '/.file',
     '/.lesshst',
     '/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
@@ -132,6 +134,7 @@ WHERE
     '/var/setup/.AppleSetupUser',
     '/var/setup/.TemporaryItems',
     '/var/setup/.TemporaryItems/',
+    '/var/tmp/.ses.bak',
     '/.vol/',
     '/.VolumeIcon.icns'
   )

detection/evasion/unexpected-tmp-executables-linux.sql

@@ -190,8 +190,11 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
     AND file.filename LIKE "%.%"
     AND extension IN (
       'adoc',
+      'api',
+      'authn',
       'bat',
       'erb',
+      'iam',
       'java',
       'js',
       'json',
@@ -202,6 +205,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
       'pl',
       'py',
       'rb',
+      'registry',
       'script',
       'sh',
       'strings',

detection/evasion/unexpected-var-run-linux.sql

@@ -30,6 +30,7 @@ WHERE
     'acpid.pid',
     'agetty.reload',
     'alsactl.pid',
+    'apcupsd.pid',
     'apport.lock',
     'atd.pid',
     "auditd.pid",
@@ -43,8 +44,8 @@ WHERE
     'haproxy.pid',
     "lightdm.pid",
     'mcelog.pid',
-    'nvidia-powerd.pid',
     'motd',
+    'nvidia-powerd.pid',
     'nvidia_runtimepm_enabled',
     'nvidia_runtimepm_supported',
     'reboot-required',

detection/execution/recently-created-executables-macos.sql

@@ -88,6 +88,7 @@ WHERE
         '~/.vscode/extensions/ms-vscode.cpptools-1.15.4-darwin-arm64/',
         '~/Library/Application Support/Steam/',
         '~/Library/Application Support/Zed/',
+        '~/Library/Application Support/WebEx Folder/',
         '/Library/Application Support/EcammLive',
         '~/Library/Application Support/Foxit Software/',
         '~/Library/Application Support/JetBrains/',
@@ -137,14 +138,15 @@ WHERE
     'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
     'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
-    'Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
     'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
     'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
+    'Developer ID Application: Cisco (DE8Y96K9QP)',
     'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
     'Developer ID Application: Docker Inc (9BNSXJN65R)',
     'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
+    'Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
     'Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)',
     'Developer ID Application: Galvanix (5BRAQAFB8B)',
     'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)',

detection/execution/unexpected-execdir-macos.sql

@@ -97,9 +97,11 @@ WHERE
   AND NOT homedir IN (
     '~/bin',
     '~/code/bin',
+    '~/Library/Application Support/snyk-ls',
     '~/Downloads/google-cloud-sdk/bin',
     '~/Library/Application Support/minecraft/launcher/launcher.bundle/Contents/Frameworks/launcher-Helper (Renderer).app/Contents/MacOS',
     '~/go/bin',
+    '~/.cache/gitstatus',
     '~/Library/Application Support/sourcegraph-sp/',
     '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
     '~/Library/Application Support/dev.warp.Warp-Stable',

detection/execution/unexpected-security-framework-program-macos.sql

@@ -136,12 +136,15 @@ WHERE
     '500,melange-run,a.out,',
     '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
     '500,plugin-darwin-arm64,a.out,',
+    '500,tflint,a.out,',
     '500,PrinterProxy,com.apple.print.PrinterProxy,',
     '500,registry,a.out,',
     '500,registry-redirect,a.out,',
+    '500,tflint-ruleset-google,a.out,',
     '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
     '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
     '500,scdaemon,scdaemon,',
+    '500,tflint-ruleset-aws,a.out,',
     '500,sdaudioswitch,,',
     '500,sdaudioswitch,sdaudioswitch,',
     '500,sdzoomplugin,,',
@@ -173,6 +176,10 @@ WHERE
     exception_key LIKE '500,%,a.out,'
     AND p0.path LIKE '/private/var/folders%/T/go-build%/exe/%'
   )
+  AND NOT (
+    exception_key LIKE '500,tflint%,a.out,'
+    AND p0.path LIKE '/Users/%/.tflint.d/%'
+  )  
   AND NOT (
     exception_key LIKE '500,python3.%,%,'
     AND p0.path LIKE '/opt/homebrew/%/bin/python'

detection/persistence/minimal-socket-client-linux.sql

@@ -43,6 +43,7 @@ WHERE p.pid IN (
                 '/usr/bin/i3blocks'
             )
             AND name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node')
+        GROUP BY processes.path
     )
     AND pmm.path LIKE "%.so.%"
 GROUP BY pos.pid -- libc.so, ld-linux

detection/persistence/unexpected-lock-opener.sql

@@ -8,16 +8,18 @@
 --
 -- tags: persistent filesystem state
 -- platform: posix
-SELECT
+SELECT CONCAT(
-    CONCAT(
         MIN(p0.euid, 500),
         ',',
         COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path),
         ',',
-        REGEX_MATCH (
+        COALESCE(
-            REPLACE(pof.path, u.directory, '~'),
+            REGEX_MATCH (
-            '(.*)/.*',
+                REPLACE(pof.path, u.directory, '~'),
-            1
+                '(.*)/.*',
+                1
+            ),
+            REPLACE(pof.path, u.directory, '~')
         )
     ) AS exception_key,
     pof.path AS lock,
@@ -48,16 +50,22 @@ WHERE pof.path LIKE "%.lock"
         '500,bridge-gui,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
         '500,bridge-gui,~/Library/Caches/protonmail/bridge-v3',
         '500,bridge,~/Library/Application Support/protonmail/bridge-v3/sentry_cache',
+        '500,Stream Deck,~/Library/Application Support/com.elgato.StreamDeck/Sentry',
         '500,bridge,~/Library/Caches/protonmail/bridge-v3',
+        '500,Craft,~/Library/Containers/com.lukilabs.lukiapp/Data/Library/Application Support/com.lukilabs.lukiapp',
         '500,buildkitd,~/.local/share/buildkit',
         '500,com.docker.backend,~/Library/Containers/com.docker.docker',
         '500,photolibraryd,~/Library/Photos/Libraries/Syndication.photoslibrary/database',
-        '500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database'
+        '500,photolibraryd,~/Pictures/Photos Library.photoslibrary/database',
+        '500,reMarkable,~/Library/Application Support/remarkable/desktop'
     )
     AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,~/%'
     AND NOT exception_key LIKE '500,com.apple.Virtualization.VirtualMachine,/private/var/folders/%'
     AND NOT exception_key LIKE '500,lua-language-server,~/%'
+    AND NOT exception_key LIKE '0,prl_disp_service,/Users/%/Parallels/%/vm.lock'
     AND NOT exception_key LIKE '500,iTermServer-%,~/Library/Application Support/iTerm2'
     AND NOT exception_key LIKE '500,%,/private/var/folders/%/T/Sentry_StreamDeck'
+    AND NOT exception_key LIKE '500,gnome-software,/var/tmp/flatpak-cache-%'
+    AND NOT exception_key LIKE '500,com.docker.backend,/private/var/folders/%/go/pkg/mod/cache/%'
 GROUP BY p0.path,
     pof.path

policy/gcp-service-account-keys-mdfind.sql

@@ -5,7 +5,9 @@
 SELECT
   file.path,
   file.size,
-  datetime(file.btime, 'unixepoch') AS file_created,
+  file.btime,
+  file.ctime,
+  file.mtime,
   magic.data,
   hash.sha256,
   u.username,