fpr: My ORA, Ecamm, setroubleshootd, etc

detection/c2/unexpected-dns-traffic-events.sql

@@ -75,6 +75,7 @@ WHERE
     '208.67.220.220', -- OpenDNS
     '208.67.222.222', -- OpenDNS
     '208.67.222.123', -- OpenDNS
+    '208.67.220.123', -- OpenDNS FamilyShield
     '75.75.75.75', -- Comcast
     '75.75.76.76', -- Comcast
     '68.105.28.13', -- Cox

detection/c2/unexpected-https-client-linux.sql

@@ -247,6 +247,7 @@ WHERE
     '500,/usr/step-cli,0u,0g,step',
     '500,/usr/syncthing,0u,0g,syncthing',
     '500,/usr/teams,0u,0g,teams',
+    '500,/home/cloud_sql_proxy,0u,0g,cloud_sql_proxy',
     '500,/usr/terraform,0u,0g,terraform',
     '500,/usr/thunderbird,0u,0g,thunderbird',
     '500,/usr/trivy,0u,0g,trivy',
@@ -259,6 +260,7 @@ WHERE
   -- Exceptions where we have to be more flexible for the process name
   AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'
   AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm install %'
+  AND NOT exception_key LIKE '500,/usr/cosign-%,500u,500g,cosign-%'
   AND NOT exception_key LIKE '500,%/terraform-provider-%,500u,500g,terraform-provi'
   AND NOT exception_key LIKE '0,/ko-app/%,u,g,%'
   -- stay weird, NixOS (Fastly nix mirror)

detection/c2/unexpected-talkers-linux.sql

@@ -89,6 +89,7 @@ WHERE
   AND NOT exception_key IN (
     '123,17,114,/usr/chronyd,0u,0g,chronyd',
     '123,17,500,/usr/chronyd,0u,0g,chronyd',
+    '4070,6,500,/home/spotify,500u,500g,spotify',
     '143,6,500,/app/thunderbird,u,g,thunderbird',
     '143,6,500,/usr/thunderbird,0u,0g,thunderbird',
     '19305,6,500,/opt/firefox,0u,0g,firefox',
@@ -169,6 +170,7 @@ WHERE
     '80,6,500,/opt/firefox,0u,0g,firefox',
     '80,6,500,/opt/spotify,0u,0g,spotify',
     '80,6,0,/usr/bash,0u,0g,bash',
+    '80,6,500,/home/cloud_sql_proxy,0u,0g,cloud_sql_proxy',
     '80,6,500,/opt/zoom,0u,0g,zoom',
     '80,6,500,/usr/spotify-launcher,0u,0g,spotify-launche',
     '80,6,500,/usr/chrome,0u,0g,chrome',

detection/c2/unexpected-talkers-macos.sql

@@ -277,7 +277,9 @@ WHERE
     '443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
     '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
     '443,6,500,trivy,a.out,',
+    '443,6,0,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     '443,6,500,vegeta,a.out,',
+    '443,6,500,FOX Sports Helper,Electron Helper,',
     '443,6,500,vim,vim,',
     '443,6,500,wolfictl,a.out,',
     '443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',

detection/collection/high-disk-bytes-written.sql

@@ -115,6 +115,7 @@ WHERE
     'trivy',
     'dlv',
     'dnf',
+    'rsync',
     'docker-index',
     'esbuild',
     'firefox',

detection/credentials/unexpected-dev-opener-macos.sql

@@ -77,6 +77,7 @@ WHERE
     '/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond',
     '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
     '/dev/auditsessions,authd,Software Signing,com.apple.authd',
+    '/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
     '/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred',
     '/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
     '/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',

detection/evasion/unexpected-tmp-executables-macos.sql

@@ -67,6 +67,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
           OR file.path LIKE "%/%/gradlew"
           OR file.path LIKE '%/guile-%/guile-%'
           OR file.path LIKE '%/ko/%'
+          OR file.path LIKE '%/nix/%'
           OR file.path LIKE '%/kots/%'
           OR file.path LIKE "%/lib/%.so"
           OR file.path LIKE "%/lib/%.so.%"

detection/execution/exotic-commands-linux.sql

@@ -72,6 +72,9 @@ WHERE
   OR p0.name LIKE '%pwn%'
   OR p0.name LIKE '%xig%'
   OR p0.name LIKE '%xmr%'
+  OR p0.cmdline LIKE '%--pool%'
+  OR p0.cmdline LIKE '%--algo%'
+  OR p0.cmdline LIKE '%--wss%'
   OR p0.cmdline LIKE '%bitspin%'
   OR p0.cmdline LIKE '%lushput%'
   OR p0.cmdline LIKE '%incbit%'
@@ -130,8 +133,5 @@ WHERE
     p0.cmdline LIKE '%tail -f /dev/null%'
     AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
   )
-  AND NOT p0.cmdline IN (
-    'socat UNIX-LISTEN:/run/user/1000/app/com.discordapp0.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/1000/discord-ipc-0',
-    'socat UNIX-LISTEN:/run/user/1000/app/com.discordapp.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/1000/discord-ipc-0'
-  )
+  AND NOT p0.cmdline like 'socat UNIX-LISTEN:%/com.discordapp%fork UNIX-CONNECT:%'
   AND NOT p0.name IN ('cc1', 'compile', 'cmake', 'cc1plus')

detection/execution/exotic-commands-macos.sql

@@ -84,7 +84,7 @@ WHERE
       ) != "" -- Crypto miners
       OR REGEX_MATCH (
         p.cmdline,
-        "(c3pool|cryptonight|f2pool|hashrate|hashvault|minerd|monero|nanopool|nicehash|stratum)",
+        "(c3pool|cryptonight|f2pool|hashrate|hashvault|minerd|monero|nanopool|nicehash|stratum|wss://| --pool| --algo)",
         1
       ) != "" -- Needs to be case sensitive
       OR (

detection/execution/sketchy-fetcher-events.sql

@@ -101,6 +101,7 @@ WHERE
       'uk'
     )
     -- Or if it matches weird keywords we've seen
+    OR p.cmdline LIKE '%chmod%'
     OR pe.cmdline LIKE '%.onion%'
     OR pe.cmdline LIKE '%tor2web%'
     OR pe.cmdline LIKE '%aliyun%'

detection/execution/sketchy-fetcher.sql

@@ -66,6 +66,7 @@ WHERE
       'so',
       'uk'
     )
+    OR p.cmdline LIKE '%chmod%'
     OR p.cmdline LIKE '%.onion%'
     OR p.cmdline LIKE '%tor2web%'
     OR p.cmdline LIKE '%aliyun%'

detection/execution/unexpected-execdir-macos.sql

@@ -138,6 +138,8 @@ WHERE
     '~/Library/Application Support/com.elgato.StreamDeck/',
     '~/Library/Application Support/Foxit Software/',
     '~/Library/Caches/com.mimestream.Mimestream/',
+    '/Library/Application Support/EcammLive',
+    '/Library/Developer/Xcode/',
     '~/Library/Caches/com.sempliva.Tiles/',
     '~/Library/Caches/snyk/',
     '~/.terraform.d/plugin-cache/registry.terraform.io/'

detection/execution/unexpected-security-framework-program-macos.sql

@@ -82,6 +82,7 @@ WHERE
     '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
     '500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
     '500,bufls,a.out,',
+    '500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
     '500,.cargo-wrapped,.cargo-wrapped,',
     '500,cloud_sql_proxy,a.out,',
     '500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -64,6 +64,7 @@ WHERE
     'epson.com',
     'fcix.net',
     'gaomon.net',
+    'kagi.com',
     'getutm.app',
     'gimp.org',
     'github.io',

detection/initial_access/unexpected-shell-parent-events.sql

@@ -166,6 +166,7 @@ WHERE
       'vi',
       'vim',
       'Vim',
+      'MacVim',
       'watch',
       'wezterm-gui',
       'xargs',

detection/initial_access/unexpected-shell-parents.sql

@@ -50,12 +50,14 @@ WHERE
     'conmon',
     'containerd-shim',
     'dash',
+    'Rancher Desktop',
     'dumb-init',
     'demoit',
     'direnv',
     'dnf',
     'Core Sync',
     'doas',
+    'steam_osx',
     'Docker Desktop',
     'erl_child_setup',
     'find',

detection/initial_access/unexpected-volume-contents.sql

@@ -93,7 +93,8 @@ WHERE
     '.VolumeIcon.icns'
   )
   AND authority NOT IN (
-    'Developer ID Application: Google LLC (EQHXZ8M8AV)'
+    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    'Developer ID Application: Adobe Inc. (JQ525L2MZD)'
   ) -- Unsigned programs here
   AND trimpath NOT IN (
     '/Volumes/Google Chrome/.keystone_install',

detection/persistence/unexpected-active-systemd-units.sql

@@ -88,6 +88,7 @@ WHERE
         'bluetooth.target,Bluetooth Support,,400',
         'bolt.service,Thunderbolt system service,,600',
         'nessusd.service,The Nessus Vulnerability Scanner,,800',
+        'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot,200',
         'chronyd.service,NTP client/server,,1500',
         "chrony.service,chrony, an NTP client/server,,1600",
         'colord.service,Manage, Install and Generate Color Profiles,colord,200',

detection/persistence/unexpected-chrome-extensions.sql

@@ -57,6 +57,7 @@ WHERE
     'false,,Google Drive,aghbiahbpaijignceidepookljebhfak', -- Deprecated Google Extension
     'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg', -- Deprecated Google Extension
     'false,julienv3@gmail.com,treasure-clicker,',
+    "true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
     'false,juverm@chainguard.dev,auto-close-gitsign,',
     'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
     'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml', -- Deprecated Google Extension

detection/persistence/unexpected-listening-port-macos.sql

@@ -84,6 +84,7 @@ WHERE
     '49152,6,0,remotepairingdeviced,Software Signing',
     '49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
     '49152,6,500,com.docker.supervisor,Developer ID Application: Docker Inc (9BNSXJN65R)',
+    '49152,6,500,EcammLiveRemoteXPCServer,Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
     '49152,6,500,GarageBand,Apple Mac OS Application Signing',
     '49152,6,500,IPNExtension,Apple Mac OS Application Signing',
     '49152,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',