RepoMirrors/osquery-defense-kit
1
0
Fork 0
mirror of https://github.com/chainguard-dev/osquery-defense-kit synced 2024-12-25 23:32:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

fpr: nvidia drivers, su, agetty, crystalhd, hercules, etc

Browse Source
This commit is contained in:
Thomas Stromberg 2023-07-19 15:22:43 -04:00
parent 931ef2ab15
commit 921cdc521e
Failed to extract signature
28 changed files with 161 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
detection/c2/unexpected-https-linux.sql
View File

@ -156,6 +156,7 @@ WHERE
'500,fulcio,500u,500g,fulcio',
'500,geoclue,0u,0g,geoclue',
'500,gh,0u,0g,gh',
'500,beeper,u,g,beeper',
'500,git,0u,0g,git',
'500,git-remote-http,0u,0g,git-remote-http',
'500,git-remote-http,u,g,git-remote-http',
@ -166,6 +167,7 @@ WHERE
'500,gjs-console,0u,0g,org.gnome.Maps',
'500,gnome-recipes,0u,0g,gnome-recipes',
'500,gnome-shell,0u,0g,gnome-shell',
'500,chrome,u,g,chrome',
'500,gnome-software,0u,0g,gnome-software',
'500,go,0u,0g,go',
'500,go,500u,500g,go',
@ -234,6 +236,7 @@ WHERE
'500,python3.10,0u,0g,python',
'500,python3.10,0u,0g,python3',
'500,python3.11,0u,0g,aws',
'500,python3.11,0u,0g,dnf',
'500,python3.11,0u,0g,gnome-abrt',
'500,python3.11,0u,0g,protonvpn',
'500,python3.11,0u,0g,prowler',
@ -283,9 +286,7 @@ WHERE
'500,yay,0u,0g,yay',
'500,zdup,500u,500g,zdup',
'500,zoom,0u,0g,zoom',
'500,zoom.real,u,g,zoom.real',
'80,6,500,python3.11,0u,0g,yum',
'88,6,500,syncthing,0u,0g,syncthing'
'500,zoom.real,u,g,zoom.real'
) -- Exceptions where we have to be more flexible for the process name
AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
@ -299,8 +300,7 @@ WHERE
OR p.cwd LIKE "/home/%/src/%"
OR p.cwd LIKE "/home/%/github/%"
)
)
-- JetBrains
) -- JetBrains
AND NOT exception_key LIKE '500,___1go_build_%,500u,500g,___1go_build_%'
AND NOT (
p.path = '/usr/bin/mage'

8
detection/c2/unexpected-https-macos.sql
View File

@ -105,7 +105,6 @@ WHERE
AND s.authority = 'Software Signing'
)
AND NOT exception_key IN (
'0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U),nessusd',
'0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
'0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'0,EdgeUpdater,EdgeUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.EdgeUpdater',
@ -114,10 +113,12 @@ WHERE
'0,kandji-library-manager,kandji-library-manager,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-library-manager',
'0,kandji-parameter-agent,kandji-parameter-agent,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-parameter-agent',
'0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
'0,logioptionsplus_installer,logioptionsplus_installer,Developer ID Application: Logitech Inc. (QED4VVPZWA),com.logi.optionsplus.installer',
'0,multipassd,multipassd,Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.multipassd',
'0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U),nessusd',
'0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
'500,Elgato Capture Device Utility,Elgato Capture Device Utility,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.CaptureDeviceUtility',
'500,bash,bash,,bash',
'500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
'500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
'500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
'500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
@ -129,8 +130,10 @@ WHERE
'500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
'500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
'500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
'500,OneDriveStandaloneUpdater,OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.OneDriveStandaloneUpdater',
'500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer',
'500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
'500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
'500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
'500,melange,melange,,a.out',
'500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
@ -200,6 +203,7 @@ WHERE
)
AND (
p0_cmd LIKE '%/gcloud.py%'
OR p0_cmd LIKE '%/google-cloud-sdk/bin/%'
OR p0_cmd LIKE '%pip install%'
OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
OR p0_cmd LIKE '%/bin/aws%'

7
detection/c2/unexpected-talkers-linux.sql
View File

@ -189,6 +189,7 @@ WHERE
'80,6,500,python3.10,0u,0g,yum',
'80,6,500,python3.11,0u,0g,abrt-action-ins',
'80,6,500,python3.11,0u,0g,dnf',
'80,6,500,python3.11,0u,0g,yum',
'80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86',
'80,6,500,rpi-imager,0u,0g,rpi-imager',
'80,6,500,signal-desktop,0u,0g,signal-desktop',
@ -253,21 +254,21 @@ WHERE
p.name = 'steam'
AND f.filename = 'steam'
AND s.remote_port > 27000
AND s.protocol IN (6,17)
AND s.protocol IN (6, 17)
AND p.euid > 500
)
AND NOT (
p.name = 'brave'
AND f.filename = 'brave'
AND s.remote_port > 3000
AND s.protocol IN (6,17)
AND s.protocol IN (6, 17)
AND p.euid > 500
)
AND NOT (
p.name = 'firefox'
AND f.filename = 'firefox'
AND s.remote_port > 3000
AND s.protocol IN (6,17)
AND s.protocol IN (6, 17)
AND p.euid > 500
) -- TODO: Move this to a custom override overlay, as it is extremely obscure (small ISP)
AND NOT (

5
detection/c2/unexpected-talkers-macos.sql
View File

@ -128,11 +128,12 @@ WHERE
'500,6,32000,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
'500,6,32400,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
'500,6,32768,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
'500,6,3389,Microsoft Remote Desktop,Microsoft Remote Desktop,Apple Mac OS Application Signing,com.microsoft.rdc.macos',
'500,6,4070,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
'500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
'500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge',
'500,6,5091,ZoomPhone,ZoomPhone,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.ZoomPhone',
'500,6,5222,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
'500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge',
'500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
'500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
@ -144,12 +145,14 @@ WHERE
'500,6,80,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'500,6,80,Creative Cloud UI Helper,Creative Cloud UI Helper,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.HEXHelper',
'500,6,80,firefox,firefox,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
'500,6,80,Google Drive Helper,Google Drive Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.drivefs.helper',
'500,6,80,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
'500,6,80,Jabra Direct,Jabra Direct,Developer ID Application: GN Audio AS (55LV32M29R),com.jabra.directonline',
'500,6,80,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,6,80,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
'500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
'500,6,80,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
'500,6,80,rpi-imager,rpi-imager,Developer ID Application: Floris Bos (WYH7G79LM6),org.raspberrypi.imagingutility',
'500,6,80,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
'500,6,80,Slack Helper,Slack Helper,Apple Mac OS Application Signing,com.tinyspeck.slackmacgap.helper',
'500,6,80,Snagit 2020,Snagit 2020,Apple Mac OS Application Signing,com.TechSmith.Snagit2020',

2
detection/evasion/hidden-home-libappsupport.sql
View File

@ -59,6 +59,7 @@ WHERE
'~/Library/Application Support/com.tinyapp.TablePlus',
'~/Library/Application Support/discord',
'~/Library/Application Support/Docker Desktop',
'~/Library/Application Support/BetterTouchTool',
'~/Library/Application Support/DropboxElectron',
'~/Library/Application Support/GitHub Desktop',
'~/Library/Application Support/Jabra Direct',
@ -77,6 +78,7 @@ WHERE
'~/Library/Application Support/.settings'
)
AND NOT homepath LIKE '~/Library/Application Support/.syssettings%'
AND NOT magic.data = 'XML 1.0 document, ASCII text'
-- Capture One
AND NOT (
file.mode = "0666"

1
detection/evasion/parent-missing-from-disk-linux.sql
View File

@ -61,6 +61,7 @@ WHERE
'/usr/bin/kitty',
'/usr/lib/electron22/electron',
'/usr/bin/osqueryd',
'/usr/libexec/gvfsd',
'/usr/bin/sudo',
'/usr/bin/tmux',
'/usr/bin/yay',

1
detection/evasion/unexpected-etc-executables.sql
View File

@ -44,6 +44,7 @@ WHERE
'/etc/console-setup',
'/etc/cron.daily',
'/etc/cron.hourly',
'/etc/mc',
'/etc/cron.monthly',
'/etc/cron.weekly',
'/etc/dhcp/dhclient.d',

1
detection/evasion/unexpected-hidden-system-paths.sql
View File

@ -108,6 +108,7 @@ WHERE
'/var/db/.AppleInstallType.plist',
'/var/db/.AppleUpgrade',
'/var/db/.com.apple.iokit.graphics',
'/var/db/.com.intego.netupdate.serviceId',
'/var/db/.GKRearmTimer',
'/var/db/.LastGKApp',
'/var/db/.LastGKReject',

4
detection/evasion/unexpected-user-executables-macos.sql
View File

@ -114,6 +114,10 @@ WHERE
magic.data IS NOT NULL
AND magic.data LIKE "0420 Alliant virtual executable%"
)
AND NOT (
magic.data IS NOT NULL
AND magic.data LIKE "%shell script%"
)
AND NOT homedir LIKE '~/%/bin'
AND NOT homedir LIKE '~/%/shims'
AND NOT homedir LIKE '~/%/plugins'

5
detection/evasion/unexpected-user-shared-entries.sql
View File

@ -40,13 +40,14 @@ WHERE
)
AND NOT (
file.type = 'directory'
OR file.size = 0
OR file.path LIKE '%/../%'
OR file.path LIKE '%/./%'
OR file.path IN (
'/Users/Shared/.BetaEnrollmentData.plist',
'/Users/Shared/.betamigrated',
'/Users/Shared/.DS_Store',
'/Users/Shared/.ks.intego_metrics_2.pli',
'/Users/Shared/.ks.intego_metrics_2.plist',
'/Users/Shared/.localized',
'/Users/Shared/CleanMyMac X/.licence',
'/Users/Shared/LogiTuneInstallerStarted.txt',
@ -59,6 +60,8 @@ WHERE
'/Users/Shared/AdobeGCInfo',
'/Users/Shared/Audiority',
'/Users/Shared/Canon_Inc_IC',
'/Users/Shared/CleanMyMac X',
'/Users/Shared/CleanMyMac X Menu',
'/Users/Shared/LGHUB',
'/Users/Shared/logi',
'/Users/Shared/LogioptionsPlus',

50
detection/evasion/unusually-tainted-kernel-linux.sql
View File

@ -12,21 +12,37 @@
-- tags: persistent kernel state
-- platform: linux
--
-- 12289 is an unsigned, out of tree, proprietary driver
SELECT taint,
taint & 65536 AS is_aux,
taint & 8192 is_unsigned,
taint & 4096 AS out_of_tree,
taint & 512 AS kernel_warning,
taint & 614 AS requested_by_userspace,
taint & 8 AS force_unloaded,
taint & 4 AS out_of_spec,
taint & 2 AS force_loaded,
taint & 1 AS proprietary,
modules
FROM (
SELECT sc.current_value AS taint,
GROUP_CONCAT(km.name) AS modules
FROM system_controls sc,
kernel_modules km
WHERE sc.name = "kernel.tainted"
ORDER BY km.name ASC
)
-- 4097 is a signed, out of tree, proprietary driver
SELECT
current_value AS value,
current_value & 65536 AS is_aux,
current_value & 8192 is_unsigned,
current_value & 4096 AS out_of_tree,
current_value & 512 AS kernel_warning,
current_value & 614 AS requested_by_userspace,
current_value & 8 AS force_unloaded,
current_value & 4 AS out_of_spec,
current_value & 2 AS force_loaded,
current_value & 1 AS proprietary
FROM
system_controls
WHERE
name = "kernel.tainted"
AND current_value NOT IN (0, 512, 12289, 12352, 4097)
-- 512 is a kernel warning
WHERE taint NOT IN (0, 512, 4097)
AND NOT (
(
-- 12289 is an unsigned, out of tree, proprietary
taint = 12289
AND modules LIKE "%,nvidia,%"
)
OR (
-- 12352 is unsigned, out of tree, requested by user space
taint = 12352
AND modules LIKE "%,v4l2loopback,%"
)
)

7
detection/execution/exotic-command-events-macos.sql
View File

@ -195,9 +195,14 @@ WHERE
AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/_updatedb%'
AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'
AND NOT p0_cmd LIKE 'rm -f /tmp/insttmp_%'
AND NOT p0_cmd LIKE '%nc localhost%'
AND NOT p0_cmd LIKE '/bin/cp %history%sessions/%'
AND NOT p0_cmd LIKE 'touch -r /tmp/KSInstallAction.%'
AND NOT p0_cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
AND NOT p0_cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
AND NOT p0_name IN ('cc1', 'compile')
AND NOT exception_key IN ('dd,500,zsh,login', 'git,500,zsh,goland')
AND NOT exception_key IN (
'dd,500,zsh,login',
'git,500,zsh,goland',
'cat,500,zsh,login'
)

4
detection/execution/exotic-commands-macos.sql
View File

@ -97,6 +97,10 @@ WHERE
p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'
AND p1.name == 'limactl'
)
AND NOT (
p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'
AND p0_cmd LIKE '%@localhost'
)
AND NOT (
p0_cmd LIKE '%sh -i'
AND p1_cmd LIKE '%pipenv shell'

79
detection/execution/recently-created-executables-long-lived-linux.sql
View File

@ -53,58 +53,58 @@ WHERE
-- What I would give for osquery to support binary signature verification on Linux
AND NOT p0.path IN (
'',
'/usr/sbin/irqbalance',
'/bin/containerd',
'/bin/containerd-shim-runc-v2',
'/opt/google/chrome/chrome',
'/usr/bin/packer',
'/usr/bin/cmake',
'/usr/sbin/cups-browsed',
'/opt/google/chrome/chrome_crashpad_handler',
'/opt/google/chrome/nacl_helper',
'/usr/bin/gnome-software',
'/opt/Lens/chrome_crashpad_handler',
'/opt/Lens/lens',
'/usr/lib/ibus/ibus-dconf',
'/usr/bin/limactl',
'/usr/lib/ibus/ibus-portal',
'/usr/libexec/gstreamer-1.0/gst-plugin-scanner',
'/usr/lib/ibus/ibus-engine-simple',
'/usr/bin/faked',
'/usr/bin/appstreamcli',
'/opt/sublime_text/sublime_text',
'/usr/lib/systemd/systemd-machined',
'/usr/lib/upowerd',
'/usr/bin/nvidia-persistenced',
'/usr/bin/alacritty',
'/usr/bin/dash',
'/usr/bin/appstreamcli',
'/usr/bin/bash',
'/usr/bin/rpmbuild',
'/usr/bin/make',
'/usr/bin/cargo',
'/usr/bin/cmake',
'/usr/bin/containerd',
'/usr/libexec/power-profiles-daemon',
'/usr/bin/containerd-shim-runc-v2',
'/usr/bin/dash',
'/usr/bin/docker',
'/usr/bin/dockerd',
'/usr/bin/docker-proxy',
'/usr/bin/faked',
'/usr/bin/fusermount3',
'/usr/bin/gedit',
'/usr/bin/gitsign-credential-cache',
'/usr/bin/gjs-console',
'/usr/bin/gnome-calendar',
'/usr/bin/gnome-keyring-daemon',
'/usr/bin/gnome-shell',
'/usr/bin/gnome-software',
'/usr/bin/golangci-lint',
'/usr/bin/hugo',
'/usr/bin/ibus-daemon',
'/usr/bin/kbfsfuse',
'/usr/bin/keybase',
'/usr/bin/keybase-redirector',
'/usr/bin/limactl',
'/usr/bin/make',
'/usr/bin/NetworkManager',
'/usr/bin/nm-applet',
'/usr/bin/nvidia-persistenced',
'/usr/bin/obs',
'/usr/bin/packer',
'/usr/bin/pavucontrol',
'/usr/bin/pipewire',
'/usr/bin/pipewire-pulse',
'/usr/bin/python3.11',
'/usr/bin/rpi-imager',
'/usr/bin/rpmbuild',
'/usr/bin/snap',
'/usr/bin/tailscaled',
'/usr/bin/ssh-agent',
'/usr/bin/sshfs',
'/usr/bin/sudo',
'/usr/bin/tailscaled',
'/usr/bin/udevadm',
'/usr/bin/wireplumber',
'/usr/bin/wpa_supplicant',
@ -114,17 +114,21 @@ WHERE
'/usr/lib64/thunderbird/thunderbird',
'/usr/lib/at-spi2-registryd',
'/usr/lib/at-spi-bus-launcher',
'/usr/lib/docker/cli-plugins/docker-compose',
'/usr/lib/electron25/electron',
'/usr/libexec/accounts-daemon',
'/usr/libexec/bluetooth/bluetoothd',
'/usr/libexec/docker/docker-proxy',
'/usr/libexec/flatpak-system-helper',
'/usr/libexec/fwupd/fwupd',
'/usr/libexec/gnome-shell-calendar-server',
'/usr/libexec/gstreamer-1.0/gst-plugin-scanner',
'/usr/libexec/ibus-dconf',
'/usr/libexec/ibus-engine-simple',
'/usr/libexec/ibus-extension-gtk3',
'/usr/libexec/ibus-portal',
'/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1',
'/usr/lib/systemd/systemd-hostnamed',
'/usr/libexec/ibus-x11',
'/usr/bin/hugo',
'/usr/libexec/power-profiles-daemon',
'/usr/libexec/snapd/snapd',
'/usr/libexec/sssd/sssd_kcm',
'/usr/libexec/tracker-extract-3',
@ -132,51 +136,48 @@ WHERE
'/usr/lib/flatpak-session-helper',
'/usr/lib/fwupd/fwupd',
'/usr/lib/gdm',
'/usr/bin/gnome-shell',
'/usr/lib/gnome-shell-calendar-server',
'/usr/lib/gdm-session-worker',
'/usr/bin/sudo',
'/usr/lib/gdm-x-session',
'/usr/lib/gnome-shell-calendar-server',
'/usr/lib/google-cloud-sdk/platform/bundledpythonunix/bin/python3',
'/usr/lib/ibus/ibus-dconf',
'/usr/lib/ibus/ibus-engine-simple',
'/usr/lib/ibus/ibus-portal',
'/usr/lib/libreoffice/program/oosplash',
'/usr/lib/libreoffice/program/soffice.bin',
'/usr/lib/polkit-1/polkitd',
'/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1',
'/usr/lib/slack/chrome_crashpad_handler',
'/usr/lib/slack/slack',
'/usr/lib/snapd/snapd',
'/usr/lib/systemd/systemd',
'/bin/containerd-shim-runc-v2',
'/bin/containerd',
'/usr/lib/systemd/systemd-homed',
'/usr/lib/systemd/systemd-hostnamed',
'/usr/lib/systemd/systemd-journald',
'/usr/lib/systemd/systemd-logind',
'/usr/lib/systemd/systemd-homed',
'/usr/lib/systemd/systemd-machined',
'/usr/lib/systemd/systemd-oomd',
'/usr/lib/systemd/systemd-resolved',
'/usr/lib/systemd/systemd-timesyncd',
'/usr/lib/systemd/systemd-userdbd',
'/usr/lib/systemd/systemd-userwork',
'/usr/sbin/sshd',
'/usr/lib/tracker-extract-3',
'/usr/bin/gitsign-credential-cache',
'/usr/libexec/gnome-shell-calendar-server',
'/usr/lib/upowerd',
'/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
'/usr/sbin/semodule',
'/usr/lib/xdg-desktop-portal-gtk',
'/usr/libexec/accounts-daemon',
'/usr/bin/gnome-calendar',
'/usr/bin/ssh-agent',
'/usr/lib/xf86-video-intel-backlight-helper',
'/usr/local/bin/kind',
'/usr/libexec/flatpak-system-helper',
'/usr/bin/golangci-lint',
'/usr/sbin/alsactl',
'/usr/lib/docker/cli-plugins/docker-compose',
'/usr/sbin/avahi-daemon',
'/usr/sbin/chronyd',
'/usr/sbin/cups-browsed',
'/usr/sbin/cupsd',
'/usr/sbin/irqbalance',
'/usr/sbin/ModemManager',
'/usr/sbin/NetworkManager',
'/usr/sbin/rngd',
'/usr/sbin/semodule',
'/usr/sbin/sshd',
'/usr/sbin/tailscaled',
'/usr/share/code/chrome_crashpad_handler',
'/usr/share/code/code',

2
detection/execution/unexpected-execdir-events-macos.sql
View File

@ -292,6 +292,7 @@ WHERE
'Apple iPhone OS Application Signing',
'Apple Mac OS Application Signing',
'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
'Developer ID Application: LG Electronics (5SKT5H4CPQ)',
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Cisco (DE8Y96K9QP)',
@ -301,6 +302,7 @@ WHERE
'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',

14
detection/execution/unexpected-execdir-macos.sql
View File

@ -99,15 +99,12 @@ WHERE
)
AND NOT homedir IN (
'~/bin',
'~/code/bin',
'~/Downloads/google-cloud-sdk/bin',
'~/go/bin',
'~/.cache/gitstatus',
'~/.gvm/binscripts',
'~/.local/share/gh/extensions/gh-sbom',
'~/.local/bin',
'~/.magefile',
'~/projects/go/bin'
'~/.magefile'
)
AND NOT homedir LIKE '~/%/bin'
AND NOT top_homedir IN (
'~/Applications/',
'~/Applications (Parallels)/',
@ -183,15 +180,16 @@ WHERE
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
'Developer ID Application: Node.js Foundation (HX7739G8FX)',
'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'Developer ID Application: TablePlus Inc (3X57WP8E8V)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
'Developer ID Application: Valve Corporation (MXGJJ98X76)',

5
detection/execution/unexpected-executable-permissions.sql
View File

@ -69,6 +69,11 @@ WHERE
AND f.mode = '0777'
AND f.uid > 500
)
AND NOT (
f.path LIKE '/Users/%/.local/bin/%'
AND f.mode = '0777'
AND f.uid > 500
)
AND NOT (
f.path LIKE '/Users/%/Library/Application Support/Code/User/globalStorage/grafana.vscode-jsonnet/bin/jsonnet-language-server'
AND f.mode = '0777'

4
detection/execution/unexpected-fetcher-parents.sql
View File

@ -52,6 +52,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
'curl,303,bash,nix',
'curl,305,bash,nix',
'curl,307,bash,nix',
'curl,500,nwg-panel,systemd',
'curl,500,bash,bash',
'curl,500,bash,fakeroot',
'curl,500,bash,fish',
@ -95,7 +96,8 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
)
AND NOT p.cmdline IN (
'curl -s -6 https://api.serhiy.io/v1/stats/ip',
'curl -s -4 https://api.serhiy.io/v1/stats/ip'
'curl -s -4 https://api.serhiy.io/v1/stats/ip',
'curl https://wttr.in/?format=1 -s'
)
AND NOT parent_name IN ('yay')
AND NOT p.cmdline LIKE 'curl -s https://support-sp.apple.com/sp/product%'

3
detection/execution/unexpected-root-signer-macos.sql
View File

@ -19,7 +19,6 @@ SELECT
-- pe.cwd is NULL on macOS
p.cwd AS p0_cwd,
pe.pid AS p0_pid,
pe.euid AS p0_euid,
-- Parent
pe.parent AS p1_pid,
TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
@ -82,6 +81,7 @@ WHERE
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Foxit Corporation (8GN47HTP75)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: Google LLC (EQHXZ8M8AV)',
@ -98,6 +98,7 @@ WHERE
'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
'Developer ID Application: Rogue Amoeba Software, LLC (7266XEXAPM)',
'Developer ID Application: Ryan Hanson (XSYZ3E4B7D)',
'Developer ID Application: Sanford, L.P. (N3S6676K3E)',
'Developer ID Application: Tailscale Inc. (W5364U7YZB)',

2
detection/execution/unexpected-security-framework-program-macos.sql
View File

@ -133,11 +133,13 @@ WHERE
'500,kubectl,a.out,',
'500,lua-language-server,lua-language-server,',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,mattermost,a.out,',
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'500,melange-run,a.out,',
'500,monorail,a.out,',
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',

1
detection/execution/unexpected-sysutils-macos.sql
View File

@ -108,6 +108,7 @@ WHERE
AND NOT exception_key IN (
'system_profiler,500,Google Drive,launchd',
'system_profiler,500,bash,launchd',
'system_profiler,500,bash,logioptionsplus_agent',
'system_profiler,0,launcher,launchd'
)
AND NOT p0_cmd LIKE '/usr/libexec/security_authtrampoline /Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer auth%'

4
detection/initial_access/unexpected-shell-parent-events.sql
View File

@ -312,6 +312,10 @@ WHERE
exception_key = 'sh,500,ruby,zsh'
AND p1_cmd LIKE '%brew.rb'
)
OR (
exception_key = 'sh,500,ruby,ruby'
AND p1_cmd LIKE '%homebrew%'
)
OR p1_cmd LIKE '%Python /opt/homebrew/bin/aws configure sso'
OR p2_cmd LIKE '/bin/bash /usr/local/bin/brew%'
OR p2_cmd LIKE '/usr/bin/python3 -m py_compile %'

4
detection/initial_access/unexpected-shell-parents.sql
View File

@ -73,6 +73,7 @@ WHERE
'dash',
'demoit',
'direnv',
'auditd',
'dnf',
'dnf-automatic',
'doas',
@ -132,6 +133,7 @@ WHERE
'systemd',
'terminator',
'test2json',
'timeout',
'tmux',
'qcalc',
'tmux:server',
@ -151,6 +153,7 @@ WHERE
AND p1_path NOT IN (
'/Applications/Docker.app/Contents/MacOS/Docker',
'/Applications/Docker.app/Contents/MacOS/install',
'/Applications/Visual Studio Code.app/Contents/MacOS/Electron',
'/Applications/Docker.app/Contents/Resources/bin/com.docker.cli',
'/Applications/Docker.app/Contents/Resources/bin/docker-credential-desktop',
'/Applications/IntelliJ IDEA.app/Contents/MacOS/idea',
@ -195,6 +198,7 @@ WHERE
'sh -c /usr/bin/defaults write us.zoom.xos NSQuitAlwaysKeepsWindows -bool false',
'/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice',
'/bin/sh -c sysctl hw.model kern.osrelease',
'/bin/sh /etc/security/audit_warn soft /var/audit',
'sh -c hugo-installer --version otherDependencies.hugo --extended --destination node_modules/.bin/hugo',
'/bin/bash -c ioreg -l -w 0 | grep SecureInput',
"sh -c acpi -b | grep -v 'unavailable'",

2
detection/persistence/minimal-socket-client-macos.sql
View File

@ -74,9 +74,9 @@ WHERE
'500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper (GPU).app/Contents/MacOS/WhatsApp Helper (GPU)'
)
AND exception_key NOT LIKE '500,MacVim,/%/MacVim.app/Contents/MacOS/MacVim'
AND exception_key NOT LIKE '500,PrinterProxy,/Users/%/Library/Printers/Brother %.app/Contents/MacOS/PrinterProxy'
GROUP BY
pos.pid
HAVING
lib_count IN (1, 2)
AND libs NOT LIKE '/Applications/%/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib,/usr/lib/libobjc-trampolines.dylib'

14
detection/persistence/unexpected-chrome-extensions.sql
View File

@ -7,7 +7,8 @@
-- * Almost unlimited: any extension that isn't on your whitelist
--
-- tags: persistent seldom browser
SELECT name,
SELECT
name,
profile,
chrome_extensions.description AS 'descr',
persistent AS persists,
@ -30,11 +31,13 @@ SELECT name,
identifier
) AS exception_key,
hash.sha256
FROM users
FROM
users
CROSS JOIN chrome_extensions USING (uid)
LEFT JOIN file ON chrome_extensions.path = file.path
LEFT JOIN hash ON chrome_extensions.path = hash.path
WHERE state = 1
WHERE
state = 1
AND (
(
from_webstore != 'true'
@ -184,6 +187,7 @@ WHERE state = 1
'true,Opera Norway AS,Opera AI Prompts,mljbnbeedpkgakdchcmfapkjhfcogaoc',
'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk',
'true,,Outbrain Pixel Tracker,daebadnaphbiobojnpgcenlkgpihmbdc',
'true,,Outreach Everywhere,chmpifjjfpeodjljjadlobceoiflhdid',
'true,,Page Analytics (by Google),fnbdnhhicmebfgdgglcdacdapkcihcoh',
'true,,Password Alert,noondiphcddnnabmjcihcjfbhfklnnep',
'true,Pawel Psztyc,Advanced REST client,hgmloofddffdnphfgcellkdfbfbjeloo',
@ -254,10 +258,10 @@ WHERE state = 1
'true,,Zoom,hmbjbjdpkobdjplfobhljndfdfdipjhg',
'true,,ZoomInfo Engage Chrome Extension,mnbjlpbmllanehlpbgilmbjgocpmcijp',
'true,,Zoom Scheduler,kgjfgplpablkjnlkjmjdecgdpfankdle'
)
AND NOT (
exception_key = 'false,AgileBits,1Password Password Manager,dppgmdbiimibapkepcbdbmkaabgiofem'
AND chrome_extensions.path LIKE '%/Microsoft Edge/%'
)
GROUP BY exception_key
GROUP BY
exception_key

1
detection/persistence/unexpected-launchd-program-arguments.sql
View File

@ -77,6 +77,7 @@ WHERE
'/opt/homebrew/opt/yubikey-agent/bin/yubikey-agent -l /opt/homebrew/var/run/yubikey-agent.sock',
'/usr/local/MacGPG2/libexec/fixGpgHome'
)
AND program_arguments NOT LIKE '/opt/homebrew/opt/mongodb-community%/bin/mongod --config /opt/homebrew/etc/mongod.conf'
AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/Grammarly Uninstaller'
AND program_arguments NOT LIKE '/Users/%/Library/Application Support/com.grammarly.ProjectLlama/Scripts/post-uninstall.sh'
AND program_arguments NOT LIKE '%/mysqld_safe --datadir=%'

5
detection/persistence/unexpected-small-udev-entry-linux.sql
View File

@ -30,15 +30,14 @@ WHERE
file.path LIKE '/usr/lib/udev/rules.d/%'
AND file.size < 180
AND file.path NOT IN (
'/usr/lib/udev/rules.d/20-crystalhd.rules',
'/usr/lib/udev/rules.d/40-redhat-disable-dell-ir-camera.rules',
'/usr/lib/udev/rules.d/50-apport.rules',
'/usr/lib/udev/rules.d/60-drm.rules',
'/usr/lib/udev/rules.d/60-net.rules',
'/usr/lib/udev/rules.d/99-lxd-agent.rules',
'/usr/lib/udev/rules.d/60-rfkill.rules',
'/usr/lib/udev/rules.d/61-accelerometer.rules',
'/usr/lib/udev/rules.d/61-mutter.rules',
'/usr/lib/udev/rules.d/90-usb-microbit.rules',
'/usr/lib/udev/rules.d/66-saned.rules',
'/usr/lib/udev/rules.d/70-hypervfcopy.rules',
'/usr/lib/udev/rules.d/70-hypervkvp.rules',
@ -56,6 +55,7 @@ WHERE
'/usr/lib/udev/rules.d/85-regulatory.rules',
'/usr/lib/udev/rules.d/90-daxctl-device.rules',
'/usr/lib/udev/rules.d/90-rdma-umad.rules',
'/usr/lib/udev/rules.d/90-usb-microbit.rules',
'/usr/lib/udev/rules.d/90-wireshark-usbmon.rules',
'/usr/lib/udev/rules.d/91-drm-modeset.rules',
'/usr/lib/udev/rules.d/95-udev-late.rules',
@ -65,6 +65,7 @@ WHERE
'/usr/lib/udev/rules.d/99-fuse3.rules',
'/usr/lib/udev/rules.d/99-fuse.rules',
'/usr/lib/udev/rules.d/99-libsane1.rules',
'/usr/lib/udev/rules.d/99-lxd-agent.rules',
'/usr/lib/udev/rules.d/99-nfs.rules',
'/usr/lib/udev/rules.d/99-qemu-guest-agent.rules'
)

4
detection/persistence/unexpected-uid0-daemon-linux.sql
View File

@ -83,6 +83,7 @@ WHERE
'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
'acpid,/usr/sbin/acpid,0,system.slice,acpid.service,0755',
'agetty,/nix/store/__VERSION__/bin/agetty,0,system.slice,system-getty.slice,0555',
'agetty,/usr/bin/agetty,0,system.slice,system-getty.slice,0755',
'agetty,/usr/sbin/agetty,0,system.slice,system-getty.slice,0755',
'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
@ -99,6 +100,7 @@ WHERE
'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
'bpfilter_umh,/bpfilter_umh,0,,,',
'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',
'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
@ -242,6 +244,7 @@ WHERE
'upowerd,/usr/lib/upowerd,0,system.slice,upower.service,0755',
'uresourced,/usr/libexec/uresourced,0,system.slice,uresourced.service,0755',
'/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
@ -251,7 +254,6 @@ WHERE
'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
'zed,/usr/sbin/zed,0,system.slice,zfs-zed.service,0755',