Merge pull request #239 from tstromberg/fpr-apr14

FPR: macOS, Kolide, Pacman, Nix, Hyprland, Wolfi, etc
Thomas Strömberg 2023-04-17 16:21:39 -04:00 committed by GitHub
commit 870776bfb6
29 changed files with 183 additions and 120 deletions


@ -86,8 +86,10 @@ WHERE
'coredns,0.0.0.0,53',
'syncthing,46.162.192.181,53',
'Code Helper,208.67.222.123,53',
'Code Helper,68.105.29.11,53',
'Opera Helper,77.111.247.77,53',
'chrome,74.125.250.47,53',
'AssetCacheLocatorService,0.0.0.0,53',
'Jabra Direct Helper,208.67.222.123,53'
)
AND exception_key NOT LIKE 'Opera Helper,77.111.247.%,53'
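Review bot: The literal row `'Opera Helper,77.111.247.77,53'` is subsumed by the wildcard `AND exception_key NOT LIKE 'Opera Helper,77.111.247.%,53'` at the end of the hunk, so on the new side one of the two is redundant. If the whole 77.111.247.0/24 is intended, drop the literal row; if only .77 is known-good, drop the wildcard instead. A comment stating why an entire /24 is exempt for a process matched by name alone (presumably Opera's own resolvers) would record the decision. The enclosing WHERE clause starts outside the hunk.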


@ -65,9 +65,11 @@ WHERE p0.euid = 0
'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755'
'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755'
)
GROUP BY p0.pid
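Review bot: The new `'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755'` row, like the `yum` row beside it, hard-codes `user-1000.slice`, so it only suppresses the alert for uid 1000 and a root package-manager run from any other interactive user still fires. A comment above the block such as `-- package managers run under sudo from the primary user's session` would make that scope explicit, or use a `NOT LIKE` on the slice segment if every user session is meant to be covered. The `nix-daemon` row follows the `__VERSION__` placeholder convention used elsewhere on this page. The enclosing WHERE clause starts outside the hunk.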


@ -66,6 +66,7 @@ WHERE
AND s.remote_address NOT LIKE 'fe80:%'
AND s.remote_address NOT LIKE '127.%'
AND s.remote_address NOT LIKE '192.168.%'
AND s.remote_address NOT LIKE '100.7%'
AND s.remote_address NOT LIKE '172.1%'
AND s.remote_address NOT LIKE '172.2%'
AND s.remote_address NOT LIKE '172.30.%'
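Review bot: The pattern `'100.7%'` (which I take to be the added line) is a poor fit for the 100.64.0.0/10 shared-address range it presumably targets: it exempts 100.7.0.0/16, which is public space, and of the /10 it only covers 100.70–100.79, missing 100.64–100.69 and 100.80–100.127. The neighbouring `'172.1%'` and `'172.2%'` have the same shape problem (172.1.x, 172.10–172.15 and 172.2.x are public, while 172.31 is not visible in the hunk). LIKE cannot express a CIDR prefix, so either enumerate the second octets or record the approximation, e.g. `-- approximates 100.64.0.0/10 (CGNAT / Tailscale); over-matches 100.7.x.x`. The enclosing WHERE clause starts outside the hunk and continues past it.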


@ -164,6 +164,7 @@ WHERE
'443,6,0,Adobe Installer,com.adobe.AAMHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
'443,6,0,com.apple.NRD.UpdateBrainService,com.apple.NRD.UpdateBrainService,Software Signing',
'443,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
'443,6,0,com.paragon-software.extfsd,com.paragon-software.extfsd,Developer ID Application: Paragon Software GmbH (LSJ6YVK468)', -- update checks
'443,6,0,com.paragon-software.ntfsd,com.paragon-software.ntfsd,Developer ID Application: Paragon Software GmbH (LSJ6YVK468)', -- update checks
'443,6,0,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
@ -175,6 +176,7 @@ WHERE
'443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)',
'443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'443,6,0,nix,nix,',
'80,6,500,Code Helper (Plugin),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,307,curl,curl,',
@ -182,6 +184,7 @@ WHERE
'443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,500,Amazon Photos Installer,com.amazon.clouddrive.mac.installer,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,500,apko,a.out,',
'443,6,0,AGSService,com.adobe.ags,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'443,6,500,aws,37c466-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,500,aws,e956a0-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
'443,6,500,bash,bash,',
@ -274,6 +277,7 @@ WHERE
'443,6,500,policy-tester,a.out,',
'443,6,500,prober,a.out,',
'443,6,500,provisio,,',
'443,6,500,hugo,a.out,',
'443,6,500,pulumi-resource-gcp,a.out,',
'443,6,500,pulumi-resource-github,a.out,',
'443,6,500,python2.7,python2.7,',
@ -297,6 +301,7 @@ WHERE
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
'443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
'443,6,500,snyk-ls_darwin_arm64,a.out,',
'443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'443,6,500,steampipe-plugin-aws.plugin,a.out,',
'443,6,500,step,step,',
@ -313,10 +318,12 @@ WHERE
'443,6,500,wolfictl,a.out,',
'443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
'443,6,500,zsh,com.apple.zsh,Software Signing',
'5228,6,500,Clay,com.clay.mac,Developer ID Application: Clay Software, Inc. (C68GA48KN3)',
'53,17,500,docker-credential-gcr,a.out,',
'53,17,500,trivy,,',
'6000,6,500,ssh,,',
'6000,6,500,ssh,com.apple.openssh,Software Signing',
'6000,6,500,ssh,com.apple.ssh,Software Signing',
'6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
'80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
'80,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
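Review bot: The row `'80,6,500,Code Helper (Plugin),com.github.Electron.helper,…'` in the second hunk is inserted in the middle of the 443 block although the list is otherwise ordered by port then name (the port-80 rows sit at the end of the last hunk); `'443,6,0,AGSService,…'` placed among the uid-500 rows and `'443,6,500,hugo,a.out,'` between provisio and pulumi break the order the same way. Keeping the sort is what lets duplicates in a list this long be spotted in review. Separately, rows with an empty authority and an `a.out` identifier (`hugo`, `trivy`, `snyk-ls_darwin_arm64`) reduce the key to process name plus port, which deserves a comment in the file header if none exists. The enclosing WHERE clause starts outside the hunks and continues past them.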


@ -9,7 +9,6 @@
-- platform: linux
-- tags: persistent state sniffer
SELECT
pof.pid,
pof.path AS device,
CONCAT (
IIF(
@ -130,6 +129,7 @@ WHERE
'/dev/input,thermald',
'/dev/input,upowerd',
'/dev/input,Xorg',
'/dev/input,Hyprland',
'/dev/net,tailscaled',
'/dev/net,.tailscaled-wrapped',
'/dev/net/tun,qemu-system-x86_64',
@ -149,6 +149,8 @@ WHERE
'/dev/shm,slack',
'/dev/shm,spotify',
'/dev/shm,steam',
'/dev/shm,xdg-desktop-portal-hyprland',
'/dev/shm,Hyprland',
'/dev/shm,steamwebhelper',
'/dev/shm,wine64-preloader',
'/dev/shm,winedevice.exe',
@ -162,33 +164,34 @@ WHERE
)
AND NOT path_exception IN (
'/dev/autofs,systemd',
'/dev/video,guvcview',
'/dev/cpu/0/msr,nvidia-powerd',
'/dev/drm_dp_aux,fwupd',
'/dev/fb,Xorg',
'/dev/hidraw,chrome',
'/dev/hwrng,rngd',
'/dev/tpmrm,launcher',
'/dev/input/event,thermald',
'/dev/input/event,touchegg',
'/dev/input/event,Xorg',
'/dev/kmsg,bpfilter_umh',
'/dev/kmsg,dmesg',
'/dev/kmsg,k3s',
'/dev/net/tun,openvpn',
'/dev/kmsg,kubelet',
'/dev/mapper/control,multipathd',
'/dev/kmsg,systemd',
'/dev/kmsg,systemd-coredump',
'/dev/kmsg,systemd-journald',
'/dev/kvm,qemu-system-x86_64',
'/dev/mapper/control,dockerd',
'/dev/mapper/control,gpartedbin',
'/dev/mapper/control,multipathd',
'/dev/mcelog,mcelog',
'/dev/media0,pipewire',
'/dev/media0,wireplumber',
'/dev/media,pipewire',
'/dev/media,wireplumber',
'/dev/net/tun,openvpn',
'/dev/net/tun,slirp4netns',
'/dev/shm/envoy_shared_memory_1,envoy',
'/dev/tpmrm,launcher',
'/dev/tty,agetty',
'/dev/tty,gdm-wayland-session',
'/dev/tty,gdm-x-session',
@ -204,11 +207,11 @@ WHERE
'/dev/video,chrome',
'/dev/video,ffmpeg',
'/dev/video,firefox',
'/dev/drm_dp_aux,fwupd',
'/dev/video,guvcview',
'/dev/video,obs',
'/dev/video,slack',
'/dev/video,obs-ffmpeg-mux',
'/dev/video,pipewire',
'/dev/video,slack',
'/dev/video,vlc',
'/dev/video,wireplumber',
'/dev/video,zoom',
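Review bot: The fourth hunk leaves both `'/dev/media0,pipewire'` / `'/dev/media0,wireplumber'` and `'/dev/media,pipewire'` / `'/dev/media,wireplumber'` in the list; every other entry uses the device name with the number stripped (`/dev/video`, `/dev/hidraw`, `/dev/tpmrm`), so if `path_exception` is built that way the `media0` rows can never match and should go, and if it is not, the `media` rows are the dead ones. The SELECT that builds the key is cut off by the first hunk, so I cannot tell which; a comment above the list such as `-- device names are compared with trailing digits removed` would settle it for the next reader. The enclosing WHERE clause starts outside the hunks.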


@ -41,6 +41,7 @@ WHERE
'~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA',
'~/Library/Group Containers/.SiriTodayViewExtension/Library',
'~/Library/Group Containers/.SiriTodayViewExtension',
'~/Library/Saved Searches/.DockTags',
'~/Library/HomeKit/.core-cloudkit_SUPPORT/_EXTERNAL_DATA',
'~/Library/HomeKit/.core-cloudkit-shared_SUPPORT/_EXTERNAL_DATA',
'~/Library/Caches/.sigstore/gitsign',


@ -45,6 +45,7 @@ WHERE
)
-- This is truly a missing program, not just one that has been updated with a new binary.
AND file.inode IS NULL
AND p.path != '/bpfilter_umh'
-- Snap packages?
AND p.path NOT LIKE '/tmp/.mount_%'
AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
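Review bot: The new `AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'` sits directly under `-- Snap packages?`, which does not describe it (yay's cache is an AUR build tree, not a snap). Give it its own comment, e.g. `-- AUR helper build tree: yay executes the packaged binary and the pkg dir is presumably removed afterwards`, and state whether the single-package form is deliberate, since the same situation will recur for any other AUR package built with yay. The enclosing WHERE clause starts outside the hunk.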


@ -54,10 +54,12 @@ WHERE
'/usr/bin/doas',
'/usr/libexec/gdm-x-session',
'/usr/bin/dockerd',
'/usr/sbin/gdm3',
'/usr/bin/fusermount3',
'/usr/bin/gnome-shell',
'/usr/sbin/sshd',
'usr/sbin/auditd',
'/usr/sbin/auditd',
'/usr/bin/kitty',
'/usr/bin/tmux',
'/usr/share/code/code',
'/usr/libexec/gdm-wayland-session',


@ -56,7 +56,6 @@ WHERE
',,/Applications/IntelliJ%20IDEA.app/,',
',,/Applications/ProtonMail%20Bridge.app/,',
',,/Applications/Visual%20Studio%20Code.app/,',
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
@ -64,13 +63,16 @@ WHERE
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
@ -84,6 +86,7 @@ WHERE
'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
',,/usr/local/sbin/iodined,501'
)
AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
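Review bot: The row `'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/'` in the last hunk is a bare path without the `authority,identifier,path,uid` fields every other row carries, so it can never equal `exception_key`; it needs the four-field form of its neighbours (I cannot tell from the rendered page whether this row is new or pre-existing context). Two rows in the second hunk are also pinned to one machine: `'…com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501'` and the Tailscale system extension with its install-specific UUID; a `NOT exception_key LIKE` with `%` over the username, version and UUID segments, as already done for podman and GoLand below, would generalise them. The third hunk header announces 7 new-side lines but only 6 are rendered, so one line may be missing from this view. The enclosing WHERE clause starts outside the hunks.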


@ -33,7 +33,7 @@ WHERE
) -- We should also use uid for making decisions here
AND NOT (
file.uid > 499
AND NOT (
AND (
file.path LIKE '/dev/shm/.com.google.%'
OR file.path LIKE '/dev/shm/.org.chromium.%'
OR file.path LIKE '/dev/shm/wayland.mozilla.%'
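Review bot: With the inner `AND NOT (` changed to `AND (`, the group now reads "ignore uid > 499 files whose path matches these browser/compositor shm prefixes", but the comment just above it, `-- We should also use uid for making decisions here`, still describes the old state in which uid was not consulted. Update it to something like `-- per-user (uid > 499) shm files from browsers and Wayland compositors are expected` so the question is not re-opened. The enclosing `AND NOT (` group closes outside the hunk.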


@ -152,7 +152,6 @@ WHERE
p0_cmd LIKE '%sh -i'
AND NOT p1_name IN ('sh', 'java')
)
OR p0_cmd LIKE '%socat%'
OR p0_cmd LIKE '%SOCK_STREAM%'
OR INSTR(p0_cmd, 'Socket.') > 0
OR (


@ -142,7 +142,7 @@ WHERE
AND NOT p1_name IN ('sh', 'java')
AND NOT p1_cmd LIKE "%pipenv shell"
)
OR p0_cmd LIKE '%socat%'
OR p0_cmd LIKE 'socat %'
OR p0_cmd LIKE '%SOCK_STREAM%'
OR INSTR(p0_cmd, 'Socket.') > 0
) -- Things that could reasonably happen at boot.
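Review bot: `OR p0_cmd LIKE 'socat %'` only fires when the command line begins with the bare word, so a path-qualified invocation (`/usr/bin/socat …`) no longer matches; if the aim is to stop matching arguments that merely contain the string, `OR p0_cmd LIKE 'socat %' OR p0_cmd LIKE '%/socat %'` keeps the path form covered. The three sibling files on this page now disagree with no comment explaining why: this one narrows the clause, the hunk at `@ -152,7 +152,6` deletes it, and the regex at `@ -79,7 +79,7` drops `socat` from its alternation. A one-line `-- socat dropped/narrowed here: <reason>` next to each would make the intent reviewable. The enclosing OR group starts outside the hunk.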


@ -122,11 +122,11 @@ WHERE -- Known attack scripts
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p0.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
)
OR p0.cmdline LIKE '%socat '
OR p0.cmdline LIKE '%SOCK_STREAM%'
OR INSTR(p0.cmdline, '%Socket.%') > 0 -- Keep the shell running, as in https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
OR (
p0.cmdline LIKE '%tail -f /dev/null%'
AND NOT p0.cmdline LIKE 'docker run%'
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p1.pid == 0
)
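Review bot: `OR p0.cmdline LIKE '%socat '` ends in a space with no trailing `%`, so it only matches a command line whose final character is a space after "socat", which essentially never occurs; the sibling file on this page uses `'socat %'`, and the intended form here is probably `'%socat %'` or that same `'socat %'`. Two lines down, `INSTR(p0.cmdline, '%Socket.%') > 0` treats `%` literally (INSTR has no wildcards), so it searches for the nine-character string `%Socket.%` rather than `Socket.`; the other two files use `INSTR(p0_cmd, 'Socket.') > 0`. I cannot tell from the rendered page which of the two lines this hunk changed, but both are wrong on the new side. The enclosing OR group starts outside the hunk.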


@ -79,7 +79,7 @@ WHERE
) != "" -- suspicious things
OR REGEX_MATCH (
p.cmdline,
"(UserKnownHostsFile=/dev/null|ransom|malware|plant|fsockopen|openssl.*quiet|pty.spawn|socat|SOCK_STREAM)",
"(UserKnownHostsFile=/dev/null|ransom|malware|plant|fsockopen|openssl.*quiet|pty.spawn|SOCK_STREAM)",
1
) != "" -- Crypto miners
OR REGEX_MATCH (


@ -6,43 +6,49 @@
-- tags: transient process state often
-- platform: linux
SELECT
p.pid,
p.path,
p.name,
p.cmdline,
p.cwd,
p.euid,
p.parent,
f.directory,
f.ctime,
f.size,
f.mtime,
p.cgroup_path,
p.start_time,
pp.path AS parent_path,
pp.name AS parent_name,
pp.cmdline AS parent_cmdline,
pp.cwd AS parent_cwd,
pp.euid AS parent_euid,
ch.sha256 AS child_sha256,
ph.sha256 AS parent_sha256
-- Child
p0.pid AS p0_pid,
p0.path AS p0_path,
p0.name AS p0_name,
p0.cmdline AS p0_cmd,
p0.cwd AS p0_cwd,
p0.cgroup_path AS p0_cgroup,
p0.euid AS p0_euid,
p0_hash.sha256 AS p0_sha256,
-- Parent
p0.parent AS p1_pid,
p1.path AS p1_path,
p1.name AS p1_name,
p1.euid AS p1_euid,
p1.cmdline AS p1_cmd,
p1_hash.sha256 AS p1_sha256,
-- Grandparent
p1.parent AS p2_pid,
p2.name AS p2_name,
p2.path AS p2_path,
p2.cmdline AS p2_cmd,
p2_hash.sha256 AS p2_sha256
FROM
processes p
LEFT JOIN file f ON p.path = f.path
LEFT JOIN processes pp ON p.parent = pp.pid
LEFT JOIN hash AS ch ON p.path = ch.path
LEFT JOIN hash AS ph ON pp.path = ph.path
processes p0
LEFT JOIN file f ON p0.path = f.path
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
LEFT JOIN processes p1 ON p0.parent = p1.pid
LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p.start_time > 0
p0.start_time > 0
AND f.ctime > 0
AND p.start_time > (strftime('%s', 'now') - 7200)
AND (p.start_time - MAX(f.ctime, f.btime)) < 45
AND p.start_time >= MAX(f.ctime, f.ctime)
AND p0.start_time > (strftime('%s', 'now') - 7200)
AND (p0.start_time - MAX(f.ctime, f.btime)) < 45
AND p0.start_time >= MAX(f.ctime, f.ctime)
AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps
-- These are binaries that are known to get updated and subsequently executed
--
-- What I would give for osquery to support binary signature verification on Linux
AND NOT p.path IN (
AND NOT p0.path IN (
'',
'/opt/google/chrome/chrome',
'/usr/bin/packer',
@ -54,6 +60,7 @@ WHERE
'/usr/lib/ibus/ibus-dconf',
'/usr/bin/limactl',
'/usr/lib/ibus/ibus-portal',
'/usr/libexec/gstreamer-1.0/gst-plugin-scanner',
'/usr/lib/ibus/ibus-engine-simple',
'/usr/bin/faked',
'/usr/bin/appstreamcli',
@ -169,51 +176,52 @@ WHERE
'/usr/share/spotify-client/spotify',
'/usr/share/teams/team'
)
AND NOT p.path LIKE '/home/%/bin/%'
AND NOT p.path LIKE '/home/%/.local/share/JetBrains/Toolbox/apps/%'
AND NOT p.path LIKE '/home/%/.local/share/nvim/mason/packages/%'
AND NOT p.path LIKE '/home/%/.local/share/Steam/ubuntu12_64/%'
AND NOT p.path LIKE '/home/%/.rustup/toolchains/%/libexec/%'
AND NOT p.path LIKE '/home/%/jbr/lib/jcef_helper'
AND NOT p.path LIKE '/home/%/jbr/bin/java'
AND NOT p.path LIKE '/home/%/node_modules/.bin/%'
AND NOT p.path LIKE '/home/%/Projects/%'
AND NOT p.path LIKE '/home/%/terraform-provider-%'
AND NOT p.path LIKE '/home/%/%.test'
AND NOT p.path LIKE '/nix/store/%/bin/%'
AND NOT p.path LIKE '/nix/store/%/libexec/%'
AND NOT p.path LIKE '/opt/%'
AND NOT p.path LIKE '/tmp/go-build%'
AND NOT p.path LIKE '/tmp/terraform_%/terraform'
AND NOT p.path LIKE '/tmp/tmp.%/%/bin/%'
AND NOT p.path LIKE '/usr/local/bin/%'
AND NOT p.path LIKE '/usr/local/Cellar/%'
AND NOT p.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
AND NOT p.path LIKE '%/.vscode/extensions/%'
AND NOT p0.path LIKE '/home/%/bin/%'
AND NOT p0.path LIKE '/home/%/.local/share/JetBrains/Toolbox/apps/%'
AND NOT p0.path LIKE '/home/%/.local/share/nvim/mason/packages/%'
AND NOT p0.path LIKE '/home/%/.local/share/Steam/ubuntu12_64/%'
AND NOT p0.path LIKE '/home/%/.rustup/toolchains/%/libexec/%'
AND NOT p0.path LIKE '/home/%/jbr/lib/jcef_helper'
AND NOT p0.path LIKE '/home/%/jbr/bin/java'
AND NOT p0.path LIKE '/home/%/node_modules/.bin/%'
AND NOT p0.path LIKE '/home/%/Projects/%'
AND NOT p0.path LIKE '/home/%/terraform-provider-%'
AND NOT p0.path LIKE '/home/%/%.test'
AND NOT p0.path LIKE '/nix/store/%/bin/%'
AND NOT p0.path LIKE '/nix/store/%/libexec/%'
AND NOT p0.path LIKE '/opt/%'
AND NOT p0.path LIKE '/tmp/go-build%'
AND NOT p0.path LIKE '/tmp/terraform_%/terraform'
AND NOT p0.path LIKE '/tmp/tmp0.%/%/bin/%'
AND NOT p0.path LIKE '/usr/local/bin/%'
AND NOT p0.path LIKE '/usr/local/Cellar/%'
AND NOT p0.path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
AND NOT p0.path LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
AND NOT p0.path LIKE '%/.vscode/extensions/%'
AND NOT (
p.name IN ('osqtool-x86_64', 'osqtool-arm64')
AND p.cmdline LIKE './%'
p0.name IN ('osqtool-x86_64', 'osqtool-arm64')
AND p0.cmdline LIKE './%'
)
AND NOT pp.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
AND NOT p1.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
AND NOT (
p.path LIKE '/home/%'
AND p.uid > 499
p0.path LIKE '/home/%'
AND p0.uid > 499
AND f.ctime = f.mtime
AND f.uid = p.uid
AND p.cmdline LIKE './%'
AND f.uid = p0.uid
AND p0.cmdline LIKE './%'
)
AND NOT (
p.path LIKE '/tmp/%/osqtool-%'
AND p.uid > 499
p0.path LIKE '/tmp/%/osqtool-%'
AND p0.uid > 499
AND f.ctime = f.mtime
AND f.uid = p.uid
AND p.cmdline LIKE './%'
AND f.uid = p0.uid
AND p0.cmdline LIKE './%'
)
AND NOT (
p.path LIKE '/home/%/.magefile/%'
AND p.uid > 499
p0.path LIKE '/home/%/.magefile/%'
AND p0.uid > 499
AND f.ctime = f.mtime
AND f.uid = p.uid
AND f.uid = p0.uid
)
GROUP BY
p.pid
p0.pid
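Review bot: The `p` → `p0` rename has clobbered a path pattern: `AND NOT p0.path LIKE '/tmp/tmp0.%/%/bin/%'` was `'/tmp/tmp.%/%/bin/%'` on the old side, so mktemp-style `/tmp/tmp.XXXX` trees are no longer exempted and that alert will start firing again; restore `AND NOT p0.path LIKE '/tmp/tmp.%/%/bin/%'`. Also `AND p0.start_time >= MAX(f.ctime, f.ctime)` compares a column with itself (carried over from the old code); the line above uses `MAX(f.ctime, f.btime)`, and this one presumably wants the same pair. The new `p1_hash` and `p2_hash` joins hash the parent and grandparent binaries for every candidate row, which is worth a comment on cost if this query runs on a short interval. The exception list between the hunks lies outside the page.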


@ -76,6 +76,7 @@ WHERE
AND NOT path LIKE '/Users/%/bin/%'
AND NOT path LIKE '/Users/%/code/%'
AND NOT path LIKE '/Users/%/dev/%'
AND NOT path LIKE '/Users/%/Library/Application Support/snyk-ls/snyk-ls_darwin_%'
AND NOT path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
AND NOT path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
AND NOT path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'


@ -23,7 +23,9 @@ SELECT
1
) AS top3_dir,
u.directory AS user_home_dir,
-- Child
s.identifier AS s_id,
s.authority AS s_auth,
-- Child
pe.path AS p0_path,
REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
TRIM(pe.cmdline) AS p0_cmd,
@ -119,9 +121,11 @@ WHERE
AND top3_dir NOT IN (
'/Library/Apple/System',
'/Library/Application Support/Adobe',
'~/Library/Caches/Cypress',
'~/Library/Application Support/BraveSoftware',
'/Library/Application Support/Canon_Inc_IC',
'~/Library/Application Support/com.elgato.StreamDeck',
'~/Library/Application Support/com.grammarly.ProjectLlama',
'/Library/Application Support/EcammLive',
'~/Library/Application Support/Foxit Software',
'/Library/Application Support/GPGTools',
@ -129,7 +133,7 @@ WHERE
'~/Library/Application Support/zoom.us',
'~/Library/Caches/com.knollsoft.Rectangle',
'~/Library/Caches/com.mimestream.Mimestream',
'~/Library/Application Support/com.grammarly.ProjectLlama',
'~/Library/Caches/JetBrains',
'~/Library/Caches/snyk',
'/Library/Developer/CommandLineTools',
'~/Library/Developer/Xcode',
@ -149,9 +153,18 @@ WHERE
)
AND dir NOT IN (
'/bin',
'~/bin',
'~/code/bin',
'~/Downloads/google-cloud-sdk/bin',
'~/Downloads/protoc/bin',
'~/go/bin',
'/Library/Printers/EPSON/InkjetPrinter2/Filter/commandtoescp.app/Contents/MacOS',
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
'~/Library/Application Support/dev.warp.Warp-Stable',
'/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
'/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
'/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
'/Library/Application Support/X-Rite/Frameworks/XRiteDevice.framework/Versions/B/Resources/XRD Software Update.app/Contents/MacOS',
'/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources',
'/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
'/Library/DropboxHelperTools/Dropbox_u501',
@ -165,42 +178,38 @@ WHERE
'/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS',
'/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS',
'/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS',
'/Library/Printers/Brother/Filter/rastertobrother2300.bundle/Contents/MacOS',
'/Library/Printers/DYMO/Utilities',
'/Library/PrivilegedHelperTools',
'/Library/TeX/texbin',
'~/.local/bin',
'~/.magefile',
'/node_modules/.bin',
'/opt/homebrew/bin',
'/opt/osquery/lib/osquery.app/Contents/MacOS',
'/opt/usr/bin',
'/opt/X11/bin',
'/opt/X11/libexec',
'~/projects/go/bin',
'/run/current-system/sw/bin',
'/sbin',
'/usr/bin',
'/usr/lib',
'/usr/lib/bluetooth',
'/usr/lib/cups/notifier',
'/usr/lib/fwupd',
'/usr/lib/ibus',
'/usr/lib/system',
'/usr/libexec/cups/backend',
'/usr/libexec',
'/usr/libexec/ApplicationFirewall',
'/usr/libexec/AssetCache',
'/usr/libexec/firmwarecheckers',
'/usr/libexec/firmwarecheckers/eficheck',
'/usr/libexec/rosetta',
'/usr/lib/fwupd',
'/usr/lib/ibus',
'/usr/lib/system',
'/usr/local/bin',
'/usr/local/MacGPG2/bin',
'/usr/sbin',
'~/.local/bin',
'~/.magefile',
'~/bin',
'~/code/bin',
'~/Downloads/google-cloud-sdk/bin',
'~/Downloads/protoc/bin',
'~/go/bin',
'~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
'~/Library/Application Support/dev.warp.Warp-Stable',
'~/projects/go/bin'
'/usr/sbin'
) -- Locally built executables
AND NOT (
s.identifier = 'a.out'
@ -234,6 +243,7 @@ WHERE
AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app/%'
AND dir NOT LIKE '/private/var/folders/%/bin'
AND dir NOT LIKE '/private/var/kolide-k2/k2device.kolide.com/updates/osqueryd/%'
AND dir NOT LIKE '/private/var/folders/%/Contents/%'
AND dir NOT LIKE '/private/var/folders/%/go-build%'
AND dir NOT LIKE '/private/var/folders/%/GoLand'
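Review bot: The first hunk ends up with two `-- Child` section comments: one above `s.identifier AS s_id` / `s.authority AS s_auth` and one above `pe.path AS p0_path`. The signature columns are not child-process columns, so the first label should read something like `-- Signature` (or be dropped) to keep the select list readable. The added `'/private/var/kolide-k2/k2device.kolide.com/updates/osqueryd/%'` in the last hunk is wedged between two `/private/var/folders/%` patterns; keeping it in sort order, as the rest of this commit does for the `dir NOT IN` list, would match the file. The SELECT and WHERE clauses both extend outside the hunks.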


@ -140,11 +140,13 @@ WHERE
AND top3_homedir NOT IN (
'~/Library/Application Support/BraveSoftware/',
'~/Library/Application Support/com.elgato.StreamDeck/',
'~/Library/Application Support/duckly/',
'/Library/Application Support/EcammLive',
'~/Library/Application Support/Foxit Software/',
'~/Library/Application Support/JetBrains/',
'~/Library/Application Support/OpenLens',
'~/Library/Application Support/Zwift/',
'~/Library/Application Support/sourcegraph-sp/',
'~/Library/Application Support/Zwift/',
'~/Library/Caches/com.mimestream.Mimestream/',
'~/Library/Caches/com.sempliva.Tiles/',
'~/Library/Caches/org.gpgtools.updater/',
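Review bot: `'~/Library/Application Support/OpenLens'` (and the pre-existing `'/Library/Application Support/EcammLive'`) lack the trailing `/` that every other `top3_homedir` entry carries; if `top3_homedir` is always produced with a trailing slash, which the rest of the list suggests, these two rows can never match and the alert they were meant to silence will keep firing. Either append the slash or add a comment explaining why these two differ. The enclosing WHERE clause starts outside the hunk.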


@ -126,3 +126,4 @@ WHERE
AND p0_name = "node"
AND p1_name IN ("vim", "nvim")
)
AND NOT p0_path LIKE '/usr/local/Cellar/htop/%/bin/htop'


@ -127,11 +127,16 @@ WHERE
'500,BloomRPC Helper,,',
'500,melange-run,a.out,',
'500,dlv,a.out,',
'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
'500,Duckly Helper,Electron Helper,',
'500,registry-redirect,a.out,',
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
'500,scdaemon,scdaemon,',
'500,sdaudioswitch,,',
'500,Duckly,Electron,',
'500,git,git,',
'500,sdaudioswitch,sdaudioswitch,',
'500,sdzoomplugin,,',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
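Review bot: `'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,'` and `'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,'` pin the identifier to a hash-suffixed value that looks build-specific (the same `55554944…` shape as the `iodined-…` and `ssh-…` rows elsewhere on this page), so they will silently stop matching on the next release. If this file has a `NOT exception_key LIKE` escape hatch like its siblings, `'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-%,'` is the more durable form; otherwise a `-- build-specific identifier, expect churn` comment at least flags it. The enclosing WHERE clause starts outside the hunk.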


@ -67,7 +67,7 @@ WHERE
OR (
file.mode LIKE "%7%"
AND file.type != 'directory'
AND REGEX_MATCH (file.filename, '([a-z]+[A-Z]+[a-z]+[A-Z])', 1) != ""
AND REGEX_MATCH (file.filename, '([a-z]+[A-Z][A-Z]+[a-z]+)', 1) != ""
AND magic.data LIKE "%executable%"
-- Some people do weird things!
AND signature.authority NOT IN (
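Review bot: The new regex `'([a-z]+[A-Z][A-Z]+[a-z]+)'` requires a run of at least two capitals followed by lowercase (`fooBArbaz`), whereas the old `'([a-z]+[A-Z]+[a-z]+[A-Z])'` matched ordinary camelCase with a later capital (`fooBarBaz`), so this is a deliberate narrowing rather than a fix and nothing on the line says why. A comment such as `-- names with an internal run of capitals (e.g. fooBARbaz), not plain camelCase` would record the intent, since a future reader will otherwise assume the two patterns are equivalent. The enclosing OR group starts outside the hunk and continues past it.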


@ -116,6 +116,7 @@ WHERE
'zoom.us',
'zsa.io'
)
-- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here
AND host NOT IN (
'arc.net',
'balsamiq.com',
@ -171,5 +172,6 @@ WHERE
OR file.filename LIKE '%WhatsApp.dmg'
)
)
AND ea.value NOT LIKE 'https://storage.googleapis.com/copilot-mac-releases/%'
GROUP BY
ea.value


@ -123,3 +123,7 @@ WHERE
AND trimpath NOT LIKE '/Volumes/JDK %/JDK %.pkg'
AND trimpath NOT LIKE '/Volumes/mysql-shell-%/mysql-shell-%.pkg'
AND magic.data NOT LIKE 'ASCII text%'
AND NOT (
magic.data = 'AppleDouble encoded Macintosh file'
AND basename LIKE '._%'
)
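Review bot: In `AND basename LIKE '._%'` the underscore is a LIKE single-character wildcard, so the pattern matches any basename starting with `.` followed by at least one character (`.bashrc`, `.DS_Store`), not only AppleDouble `._` sidecar files; the `magic.data` equality bounds the over-match, but the intent is clearer and tighter as `AND basename LIKE '.\_%' ESCAPE '\'` or `AND SUBSTR(basename, 1, 2) = '._'`. The enclosing WHERE clause starts outside the hunk.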


@ -170,6 +170,7 @@ WHERE
'/dev/shm/',
'/dev/shm/libpod_rootless_lock_',
'/dev/shm/pulse-shm-',
'/dev/shm/aomshm.b.',
'/dev/snapshot',
'/dev/snd/',
'/dev/snd/by-id',


@ -44,6 +44,7 @@ WHERE
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',


@ -70,6 +70,7 @@ WHERE
'2112,6,500,rekor-server,',
'2112,6,500,timestamp-server,',
'22000,6,500,syncthing,',
'22000,6,500,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783)',
'22,6,0,launchd,Software Signing',
'24678,6,500,node,',
'28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',


@ -219,6 +219,7 @@ WHERE
'tailscaled,/usr/sbin/tailscaled,0,system.slice,tailscaled.service,0755',
'.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
'unattended-upgr,/usr/bin/python3.10,0,system.slice,unattended-upgrades.service,0755',


@ -62,27 +62,19 @@ WHERE -- Focus on longer-running programs
'/Applications/Opal.app/Contents/Library/LaunchServices/com.opalcamera.cameraExtensionShim',
'/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service.app/Contents/MacOS/prl_disp_service',
'/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd',
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-bridge',
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-dhcpd',
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-natd',
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmware-usbarbitrator',
'/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
'/bin/bash',
'/usr/sbin/sshd',
'/usr/libexec/trustdFileHelper',
'/usr/libexec/multiversed',
'/usr/libexec/firmwarecheckers/ethcheck/ethcheck',
'/usr/libexec/storagekitd',
'/usr/sbin/audioclocksyncd',
'/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc',
'/usr/libexec/thermald',
'/usr/libexec/mdmclient',
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect',
'/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/XPCServices/XProtectPluginService.xpc/Contents/MacOS/XProtectPluginService',
'/Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer',
'/Library/Application Support/Objective Development/Little Snitch/Components/at.obdev.littlesnitch.daemon.bundle/Contents/MacOS/at.obdev.littlesnitch.daemon',
'/Library/Application Support/Paragon Software/com.paragon-software.extfsd',
'/Library/Application Support/Paragon Software/com.paragon-software.ntfsd',
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-bridge',
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-dhcpd',
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-natd',
'/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmware-usbarbitrator',
'/Library/Application Support/X-Rite/Frameworks/XRiteDevice.framework/Versions/B/Resources/xrdd',
'/Library/Audio/Plug-Ins/HAL/SolsticeDesktopSpeakers.driver/Contents/XPCServices/RelayXpc.xpc/Contents/MacOS/RelayXpc',
'/Library/Nessus/run/sbin/nessusd',
'/Library/Nessus/run/sbin/nessus-service',
@ -90,9 +82,11 @@ WHERE -- Focus on longer-running programs
'/Library/PrivilegedHelperTools/com.docker.vmnetd',
'/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent',
'/Library/PrivilegedHelperTools/keybase.Helper',
'/Library/SystemExtensions/CC9A335C-A6D0-4C87-B902-45EBDF4BFD85/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
'/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension',
'/Library/SystemExtensions/CC9A335C-A6D0-4C87-B902-45EBDF4BFD85/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
'/Library/SystemExtensions/0FDB5206-860F-465C-B4D3-D6A0F43F4302/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
'/opt/socket_vmnet/bin/socket_vmnet',
'/sbin/launchd',
'/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd',
'/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd-helper',
@ -156,6 +150,7 @@ WHERE -- Focus on longer-running programs
'/System/Library/PrivateFrameworks/FindMyMac.framework/Versions/A/Resources/FindMyMacd',
'/System/Library/PrivateFrameworks/GenerationalStorage.framework/Versions/A/Support/revisiond',
'/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod',
'/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kdc',
'/System/Library/PrivateFrameworks/InstallerDiagnostics.framework/Versions/A/Resources/installerdiagd',
'/System/Library/PrivateFrameworks/InstallerDiagnostics.framework/Versions/A/Resources/installerdiagwatcher',
'/System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted',
@ -180,7 +175,6 @@ WHERE -- Focus on longer-running programs
'/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService',
'/usr/bin/login',
'/usr/bin/sudo',
'/usr/libexec/dirhelper',
'/usr/bin/sysdiagnose',
'/usr/libexec/AirPlayXPCHelper',
'/usr/libexec/airportd',
@ -204,12 +198,15 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/coreduetd',
'/usr/libexec/corestoraged',
'/usr/libexec/cryptexd',
'/opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd',
'/usr/libexec/dasd',
'/usr/libexec/dirhelper',
'/usr/libexec/diskarbitrationd',
'/usr/libexec/diskmanagementd',
'/usr/libexec/dprivacyd',
'/usr/libexec/endpointsecurityd',
'/usr/libexec/findmydeviced',
'/usr/libexec/firmwarecheckers/ethcheck/ethcheck',
'/usr/libexec/InternetSharing',
'/usr/libexec/IOMFB_bics_daemon',
'/usr/libexec/ioupsd',
@ -218,11 +215,13 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/logd',
'/usr/libexec/logd_helper',
'/usr/libexec/lsd',
'/usr/libexec/mdmclient',
'/usr/libexec/memoryanalyticsd',
'/usr/libexec/microstackshot',
'/usr/libexec/misagent',
'/usr/libexec/mobileactivationd',
'/usr/libexec/mobileassetd',
'/usr/libexec/multiversed',
'/usr/libexec/nehelper',
'/usr/libexec/nesessionmanager',
'/usr/libexec/online-authd',
@ -239,26 +238,29 @@ WHERE -- Focus on longer-running programs
'/usr/libexec/secinitd',
'/usr/libexec/securityd_service',
'/usr/libexec/smd',
'/usr/libexec/storagekitd',
'/usr/libexec/symptomsd-diag',
'/usr/libexec/sysmond',
'/usr/libexec/syspolicyd',
'/usr/libexec/tailspind',
'/usr/libexec/taskgated',
'/usr/libexec/thermald',
'/usr/libexec/thermalmonitord',
'/usr/libexec/TouchBarServer',
'/usr/libexec/trustdFileHelper',
'/usr/libexec/tzd',
'/usr/libexec/tzlinkd',
'/usr/libexec/usbd',
'/usr/libexec/usermanagerd',
'/usr/libexec/UserEventAgent',
'/usr/libexec/usermanagerd',
'/usr/libexec/warmd',
'/usr/libexec/watchdogd',
'/usr/libexec/wifianalyticsd',
'/usr/libexec/wifip2pd',
'/usr/libexec/wifivelocityd',
'/usr/local/kolide-k2/bin/osquery-extension.ext',
'/opt/socket_vmnet/bin/socket_vmnet',
'/usr/sbin/aslmanager',
'/usr/sbin/audioclocksyncd',
'/usr/sbin/auditd',
'/usr/sbin/BlueTool',
'/usr/sbin/bluetoothd',
@ -271,6 +273,7 @@ WHERE -- Focus on longer-running programs
'/usr/sbin/notifyd',
'/usr/sbin/securityd',
'/usr/sbin/spindump',
'/usr/sbin/sshd',
'/usr/sbin/syslogd',
'/usr/sbin/systemsoundserverd',
'/usr/sbin/systemstats',
@ -283,27 +286,28 @@ WHERE -- Focus on longer-running programs
)
AND NOT s.authority IN (
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
'Developer ID Application: Foxit Corporation (8GN47HTP75)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
'Software Signing'
)
AND NOT (
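Review bot: `'/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence'` pins the exception to one Homebrew version, and `'/Library/SystemExtensions/0FDB5206-860F-465C-B4D3-D6A0F43F4302/com.google.one.NetworkExtension…'` is now the second install-specific UUID kept for the same extension; both need another edit at the next upgrade or reinstall. Other lists on this page handle this with a `NOT … LIKE` and `%` over the version or UUID segment, which would be more durable here (I cannot tell from the rendered page which of these rows is new versus moved). The remaining hunks reorder the path and authority lists alphabetically and carry no other change I can see. The enclosing WHERE clause starts outside the hunks and the final `AND NOT (` group continues past the page.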


@ -107,6 +107,7 @@ WHERE
)
AND NOT exception_key IN (
'containermanagerd,262,com.docker.backend,Docker',
'sysextd,0,LogiTune,launchd',
'SCHelper,0,com.docker.backend,Docker'
)
AND NOT (