diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 00c6987..3030cf8 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -75,6 +75,7 @@ WHERE
 '208.67.220.220', -- OpenDNS
 '208.67.222.222', -- OpenDNS
 '208.67.222.123', -- OpenDNS
+ '208.67.220.123', -- OpenDNS FamilyShield
 '75.75.75.75', -- Comcast
 '75.75.76.76', -- Comcast
 '68.105.28.13', -- Cox
diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql
index 3dc2477..28b615b 100644
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@@ -247,6 +247,7 @@ WHERE
 '500,/usr/step-cli,0u,0g,step',
 '500,/usr/syncthing,0u,0g,syncthing',
 '500,/usr/teams,0u,0g,teams',
+ '500,/home/cloud_sql_proxy,0u,0g,cloud_sql_proxy',
 '500,/usr/terraform,0u,0g,terraform',
 '500,/usr/thunderbird,0u,0g,thunderbird',
 '500,/usr/trivy,0u,0g,trivy',
@@ -259,6 +260,7 @@ WHERE
 -- Exceptions where we have to be more flexible for the process name
 AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'
 AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm install %'
+ AND NOT exception_key LIKE '500,/usr/cosign-%,500u,500g,cosign-%'
 AND NOT exception_key LIKE '500,%/terraform-provider-%,500u,500g,terraform-provi'
 AND NOT exception_key LIKE '0,/ko-app/%,u,g,%'
 -- stay weird, NixOS (Fastly nix mirror)
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index ab092ce..1412192 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
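Review bot: The new cosign exception `'500,/usr/cosign-%,500u,500g,cosign-%'` wildcards both the path and the process name, so it excludes any user-owned binary under /usr whose name begins with `cosign-`, which is looser than the adjacent npm patterns that pin the path and only free the argument tail. If the intent is to cover suffixed release binaries (platform or version in the file name), a trailing comment such as `-- cosign-<os>-<arch> release binaries` would record that, and anchoring the suffix more tightly would shrink what the wildcard admits. The enclosing WHERE clause starts and ends outside the hunk.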
@@ -89,6 +89,7 @@ WHERE
 AND NOT exception_key IN (
 '123,17,114,/usr/chronyd,0u,0g,chronyd',
 '123,17,500,/usr/chronyd,0u,0g,chronyd',
+ '4070,6,500,/home/spotify,500u,500g,spotify',
 '143,6,500,/app/thunderbird,u,g,thunderbird',
 '143,6,500,/usr/thunderbird,0u,0g,thunderbird',
 '19305,6,500,/opt/firefox,0u,0g,firefox',
@@ -169,6 +170,7 @@ WHERE
 '80,6,500,/opt/firefox,0u,0g,firefox',
 '80,6,500,/opt/spotify,0u,0g,spotify',
 '80,6,0,/usr/bash,0u,0g,bash',
+ '80,6,500,/home/cloud_sql_proxy,0u,0g,cloud_sql_proxy',
 '80,6,500,/opt/zoom,0u,0g,zoom',
 '80,6,500,/usr/spotify-launcher,0u,0g,spotify-launche',
 '80,6,500,/usr/chrome,0u,0g,chrome',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 1fb51c5..ad04b0a 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -277,7 +277,9 @@ WHERE
 '443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
 '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
 '443,6,500,trivy,a.out,',
+ '443,6,0,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
 '443,6,500,vegeta,a.out,',
+ '443,6,500,FOX Sports Helper,Electron Helper,',
 '443,6,500,vim,vim,',
 '443,6,500,wolfictl,a.out,',
 '443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
index b332b30..39b49e3 100644
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@@ -115,6 +115,7 @@ WHERE
 'trivy',
 'dlv',
 'dnf',
+ 'rsync',
 'docker-index',
 'esbuild',
 'firefox',
diff --git a/detection/credentials/unexpected-dev-opener-macos.sql b/detection/credentials/unexpected-dev-opener-macos.sql
index ce3b561..df55383 100644
--- a/detection/credentials/unexpected-dev-opener-macos.sql
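Review bot: In unexpected-talkers-macos.sql, `'443,6,500,FOX Sports Helper,Electron Helper,'` keys the exception on a process name plus the generic `Electron Helper` bundle identifier with an empty authority, so any unsigned Electron build reporting that name is excluded from the port-443 talkers check; the neighbouring unsigned entries (`trivy`, `vegeta`, `wolfictl`) at least use names specific to one tool. It is worth checking whether the shipped build carries a Developer ID that could be pinned instead, and adding a trailing comment recording why the authority is empty if it does not. Both additions are also placed out of the list's alphabetical order (`Install` after `trivy`, `FOX Sports Helper` after `vegeta`). The enclosing IN list starts and ends outside the hunk.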
+++ b/detection/credentials/unexpected-dev-opener-macos.sql
@@ -77,6 +77,7 @@ WHERE
 '/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond',
 '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
 '/dev/auditsessions,authd,Software Signing,com.apple.authd',
+ '/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
 '/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred',
 '/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
 '/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',
diff --git a/detection/evasion/unexpected-tmp-executables-macos.sql b/detection/evasion/unexpected-tmp-executables-macos.sql
index ec3f12d..9168e22 100644
--- a/detection/evasion/unexpected-tmp-executables-macos.sql
+++ b/detection/evasion/unexpected-tmp-executables-macos.sql
@@ -67,6 +67,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 OR file.path LIKE "%/%/gradlew"
 OR file.path LIKE '%/guile-%/guile-%'
 OR file.path LIKE '%/ko/%'
+ OR file.path LIKE '%/nix/%'
 OR file.path LIKE '%/kots/%'
 OR file.path LIKE "%/lib/%.so"
 OR file.path LIKE "%/lib/%.so.%"
diff --git a/detection/execution/exotic-commands-linux.sql b/detection/execution/exotic-commands-linux.sql
index 6ac60e8..ad484ef 100644
--- a/detection/execution/exotic-commands-linux.sql
+++ b/detection/execution/exotic-commands-linux.sql
@@ -72,6 +72,9 @@ WHERE
 OR p0.name LIKE '%pwn%'
 OR p0.name LIKE '%xig%'
 OR p0.name LIKE '%xmr%'
+ OR p0.cmdline LIKE '%--pool%'
+ OR p0.cmdline LIKE '%--algo%'
+ OR p0.cmdline LIKE '%--wss%'
 OR p0.cmdline LIKE '%bitspin%'
 OR p0.cmdline LIKE '%lushput%'
 OR p0.cmdline LIKE '%incbit%'
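Review bot: In unexpected-dev-opener-macos.sql the new `'/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd'` entry is dropped into the middle of the `/dev/auditsessions` run, so the list no longer groups by device node; placing it after that block keeps the file scannable and duplicates easy to spot. The pairing of a `launchd_sim` binary with the `com.apple.xpc.launchd` identifier is not obvious to a reader, so a trailing comment such as `-- Xcode Simulator` would help. The enclosing IN list starts and ends outside the hunk.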
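Review bot: In unexpected-tmp-executables-macos.sql, `OR file.path LIKE '%/nix/%'` excludes any temporary path with a `nix` directory component, which is a far wider carve-out than the sibling `'%/ko/%'` and `'%/kots/%'` patterns suggest, because nothing ties it to a Nix build directory — a plain `nix` folder created under a temp location is enough to silence the rule. If the motivation is Nix's per-build scratch directories, a pattern matching their actual naming (e.g. a `nix-build-` prefix, if that is what the sandbox creates on this platform — verify) would be narrower, and a trailing comment naming the workflow that produced the false positive would help the next reader. The entry is also inserted between `/ko/` and `/kots/`, breaking the alphabetical run. The enclosing WHERE clause continues outside the hunk.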
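Review bot: In exotic-commands-linux.sql, `'%--pool%'` and `'%--algo%'` are unanchored substring matches, so they also fire on unrelated flags such as `--pool-size` or `--algorithm` from ordinary tooling, whereas the macOS counterpart changed in the same commit (exotic-commands-macos.sql) anchors the same tokens with a leading space (` --pool`, ` --algo`). Consider the equivalent anchoring here, e.g. `OR p0.cmdline LIKE '% --pool %'` and `OR p0.cmdline LIKE '% --algo %'` (plus `=` variants if needed), or at minimum a comment documenting the expected false positives. The third pattern `'%--wss%'` also disagrees with the macOS term `wss://`: one looks for a flag, the other for a URL scheme, so it is worth confirming which form the targeted tooling actually emits and aligning both files. The enclosing WHERE clause starts and ends outside the hunk.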
@@ -130,8 +133,5 @@ WHERE
 p0.cmdline LIKE '%tail -f /dev/null%'
 AND p0.cgroup_path NOT LIKE '/system.slice/docker-%'
 )
- AND NOT p0.cmdline IN (
- 'socat UNIX-LISTEN:/run/user/1000/app/com.discordapp0.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/1000/discord-ipc-0',
- 'socat UNIX-LISTEN:/run/user/1000/app/com.discordapp.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/1000/discord-ipc-0'
- )
+ AND NOT p0.cmdline like 'socat UNIX-LISTEN:%/com.discordapp%fork UNIX-CONNECT:%'
 AND NOT p0.name IN ('cc1', 'compile', 'cmake', 'cc1plus')
diff --git a/detection/execution/exotic-commands-macos.sql b/detection/execution/exotic-commands-macos.sql
index abacbc2..b90f233 100644
--- a/detection/execution/exotic-commands-macos.sql
+++ b/detection/execution/exotic-commands-macos.sql
@@ -84,7 +84,7 @@ WHERE
 ) != "" -- Crypto miners
 OR REGEX_MATCH (
 p.cmdline,
- "(c3pool|cryptonight|f2pool|hashrate|hashvault|minerd|monero|nanopool|nicehash|stratum)",
+ "(c3pool|cryptonight|f2pool|hashrate|hashvault|minerd|monero|nanopool|nicehash|stratum|wss://| --pool| --algo)",
 1
 ) != "" -- Needs to be case sensitive
 OR (
diff --git a/detection/execution/sketchy-fetcher-events.sql b/detection/execution/sketchy-fetcher-events.sql
index 7ee0ded..e35739c 100644
--- a/detection/execution/sketchy-fetcher-events.sql
+++ b/detection/execution/sketchy-fetcher-events.sql
@@ -101,6 +101,7 @@ WHERE
 'uk'
 )
 -- Or if it matches weird keywords we've seen
+ OR p.cmdline LIKE '%chmod%'
 OR pe.cmdline LIKE '%.onion%'
 OR pe.cmdline LIKE '%tor2web%'
 OR pe.cmdline LIKE '%aliyun%'
diff --git a/detection/execution/sketchy-fetcher.sql b/detection/execution/sketchy-fetcher.sql
index cdfa219..6f6dda1 100644
--- a/detection/execution/sketchy-fetcher.sql
+++ b/detection/execution/sketchy-fetcher.sql
@@ -66,6 +66,7 @@ WHERE
 'so',
 'uk'
 )
+ OR p.cmdline LIKE '%chmod%'
 OR p.cmdline LIKE '%.onion%'
 OR p.cmdline LIKE '%tor2web%'
 OR p.cmdline LIKE '%aliyun%'
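Review bot: In exotic-commands-linux.sql the replacement pattern `'socat UNIX-LISTEN:%/com.discordapp%fork UNIX-CONNECT:%'` is far broader than the two literal command lines it replaces: the listen path before `/com.discordapp`, everything between it and `fork UNIX-CONNECT:`, and the whole connect target are now wildcards, so any socat relay that merely mentions `com.discordapp` in its listen address is excluded regardless of where it forwards. Keeping the shape of the old lines and loosening only the uid and the `discordapp`/`discordapp0` spelling preserves the intent: `AND NOT p0.cmdline LIKE 'socat UNIX-LISTEN:/run/user/%/app/com.discordapp%/discord-ipc-%,forever,fork UNIX-CONNECT:/run/user/%/discord-ipc-%'`. The lowercase `like` is also inconsistent with `LIKE` on every other line of the hunk. The enclosing WHERE clause begins outside the hunk.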
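Review bot: In sketchy-fetcher-events.sql the added predicate reads `p.cmdline` while every neighbouring keyword check in the hunk reads `pe.cmdline`; if `p` is the processes table joined onto the events rows (the aliases are declared outside the hunk, so confirm), it will be NULL for fetchers that have already exited, and the `chmod` keyword will then never fire for exactly the short-lived downloads this events query exists to catch. The consistent line is `OR p.cmdline LIKE '%chmod%'` → `OR pe.cmdline LIKE '%chmod%'`. The sibling change in sketchy-fetcher.sql uses `p.cmdline` like its neighbours and needs no change.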
diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
index 67f2ab2..39935cb 100644
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@@ -138,6 +138,8 @@ WHERE
 '~/Library/Application Support/com.elgato.StreamDeck/',
 '~/Library/Application Support/Foxit Software/',
 '~/Library/Caches/com.mimestream.Mimestream/',
+ '/Library/Application Support/EcammLive',
+ '/Library/Developer/Xcode/',
 '~/Library/Caches/com.sempliva.Tiles/',
 '~/Library/Caches/snyk/',
 '~/.terraform.d/plugin-cache/registry.terraform.io/'
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index 7567ee2..8054fd5 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -82,6 +82,7 @@ WHERE
 '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
 '500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
 '500,bufls,a.out,',
+ '500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
 '500,.cargo-wrapped,.cargo-wrapped,',
 '500,cloud_sql_proxy,a.out,',
 '500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index 82d4263..4f1a54e 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -64,6 +64,7 @@ WHERE
 'epson.com',
 'fcix.net',
 'gaomon.net',
+ 'kagi.com',
 'getutm.app',
 'gimp.org',
 'github.io',
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index 87fa4e2..abfdba3 100644
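Review bot: In unexpected-execdir-macos.sql, `'/Library/Application Support/EcammLive'` is the only entry in this list without a trailing slash; if the list is applied as a path prefix, as the trailing slash on every other entry suggests, it would also cover any sibling directory whose name merely begins with `EcammLive`, and if it is compared as an exact directory it would never match at all. Either way `'/Library/Application Support/EcammLive/'` is the consistent form. `'/Library/Developer/Xcode/'` excludes a wide, admin-writable tree wholesale, so a trailing comment naming the binary that triggered it would make the scope reviewable later. The predicate that consumes this list is outside the hunk, so confirm the prefix semantics against it.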
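Review bot: In unexpected-security-framework-program-macos.sql, `'500,testing,com.yourcompany.testing,'` excludes an unsigned process keyed on the generic name `testing` and the Xcode template bundle identifier, so every unsigned app built from an unmodified template — not only the simulator build the comment refers to — will stop appearing in this check. If the query exposes the parent or path, scoping the exception to the simulator (a parent such as the simulator's launchd, or a path under the CoreSimulator devices tree — verify what the key is built from, which is outside the hunk) would keep it from acting as a placeholder; otherwise the trailing comment should state that it is a catch-all. The existing unsigned entries such as `'500,bufls,a.out,'` at least name one specific tool.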
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -166,6 +166,7 @@ WHERE
 'vi',
 'vim',
 'Vim',
+ 'MacVim',
 'watch',
 'wezterm-gui',
 'xargs',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 59a0129..bd65257 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -50,12 +50,14 @@ WHERE
 'conmon',
 'containerd-shim',
 'dash',
+ 'Rancher Desktop',
 'dumb-init',
 'demoit',
 'direnv',
 'dnf',
 'Core Sync',
 'doas',
+ 'steam_osx',
 'Docker Desktop',
 'erl_child_setup',
 'find',
diff --git a/detection/initial_access/unexpected-volume-contents.sql b/detection/initial_access/unexpected-volume-contents.sql
index c77c748..a90efb2 100644
--- a/detection/initial_access/unexpected-volume-contents.sql
+++ b/detection/initial_access/unexpected-volume-contents.sql
@@ -93,7 +93,8 @@ WHERE
 '.VolumeIcon.icns'
 )
 AND authority NOT IN (
- 'Developer ID Application: Google LLC (EQHXZ8M8AV)'
+ 'Developer ID Application: Google LLC (EQHXZ8M8AV)',
+ 'Developer ID Application: Adobe Inc. (JQ525L2MZD)'
 ) -- Unsigned programs here
 AND trimpath NOT IN (
 '/Volumes/Google Chrome/.keystone_install',
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index e028137..8a84a6d 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
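Review bot: In unexpected-shell-parents.sql, `'steam_osx'` as a name-only shell parent excludes every shell that Steam launches, including launch scripts shipped with third-party titles, which is a broader trust decision than the other launcher entries make obvious; a trailing comment such as `-- game launch scripts, accepted by design` would tell the next reviewer it was deliberate. Both `'Rancher Desktop'` and `'steam_osx'` are also inserted mid-run (between `dash`/`dumb-init` and `doas`/`Docker Desktop`) rather than in alphabetical position, which makes duplicates harder to spot; the ordering is already loose here (`Core Sync`), so that part is cosmetic. The enclosing IN list starts and ends outside the hunk.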
@@ -88,6 +88,7 @@ WHERE
 'bluetooth.target,Bluetooth Support,,400',
 'bolt.service,Thunderbolt system service,,600',
 'nessusd.service,The Nessus Vulnerability Scanner,,800',
+ 'setroubleshootd.service,SETroubleshoot daemon for processing new SELinux denial logs,setroubleshoot,200',
 'chronyd.service,NTP client/server,,1500',
 "chrony.service,chrony, an NTP client/server,,1600",
 'colord.service,Manage, Install and Generate Color Profiles,colord,200',
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index 5faf2b2..ddad6b7 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
@@ -57,6 +57,7 @@ WHERE
 'false,,Google Drive,aghbiahbpaijignceidepookljebhfak', -- Deprecated Google Extension
 'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg', -- Deprecated Google Extension
 'false,julienv3@gmail.com,treasure-clicker,',
+ "true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
 'false,juverm@chainguard.dev,auto-close-gitsign,',
 'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
 'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml', -- Deprecated Google Extension
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 654ce8a..dea9ed9 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
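Review bot: In unexpected-chrome-extensions.sql the new key is written in double quotes to get around the apostrophe (`"true,Gareth Stephenson,My O'Reilly Downloader,…"`), which relies on SQLite's legacy fallback of treating an unresolvable double-quoted identifier as a string literal; a build with that fallback disabled rejects the statement with a no-such-column error instead of matching the row. The standard form doubles the quote inside a single-quoted literal: `'true,Gareth Stephenson,My O''Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk'`. The repo already uses double-quoted strings elsewhere (the chrony entry in unexpected-active-systemd-units.sql in this same diff), so this is a convention worth settling once rather than a defect unique to this line.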
@@ -84,6 +84,7 @@ WHERE
 '49152,6,0,remotepairingdeviced,Software Signing',
 '49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '49152,6,500,com.docker.supervisor,Developer ID Application: Docker Inc (9BNSXJN65R)',
+ '49152,6,500,EcammLiveRemoteXPCServer,Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
 '49152,6,500,GarageBand,Apple Mac OS Application Signing',
 '49152,6,500,IPNExtension,Apple Mac OS Application Signing',
 '49152,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',