diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql index c127b79..3a83f32 100644 --- a/detection/c2/unexpected-dns-traffic-events.sql +++ b/detection/c2/unexpected-dns-traffic-events.sql @@ -81,6 +81,7 @@ WHERE 'Socket Process,8.8.8.8,53', 'com.docker.backend,8.8.8.8,53', 'ZoomPhone,8.8.8.8,53', + 'ZoomPhone,200.48.225.130,53', 'gvproxy,170.247.170.2,53', 'CapCut,8.8.8.8,53', 'ZaloCall,8.8.8.8,53', diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql index bdbb39b..2cb9099 100644 --- a/detection/c2/unexpected-https-macos.sql +++ b/detection/c2/unexpected-https-macos.sql @@ -108,6 +108,7 @@ WHERE AND NOT exception_key IN ( '0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags', '0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon', + '0,chainctl,chainctl,,a.out', '500,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent', '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy', '500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman', @@ -135,6 +136,7 @@ WHERE '500,melange,melange,,a.out', '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out', '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node', + '500,odo-darwin-amd64-b4853e1fa,odo-darwin-amd64-b4853e1fa,500u,20g', '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush', '500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex', '500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop', diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql index 39b9498..e5b5599 100644 --- a/detection/c2/unexpected-talkers-linux.sql +++ b/detection/c2/unexpected-talkers-linux.sql @@ -181,6 +181,7 @@ WHERE protocol > 0 '80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', '80,6,500,wget,0u,0g,wget', '80,6,500,wine64-preloader,0u,0g,control.exe', + '80,6,500,zen,u,g,zen', '80,6,500,zoom,0u,0g,zoom', '80,6,500,zoom.real,u,g,zoom.real', '8080,6,500,brave,0u,0g,brave', @@ -286,4 +287,4 @@ WHERE protocol > 0 OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%' ) ) -GROUP BY p.cmdline \ No newline at end of file +GROUP BY p.cmdline diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index f5f233e..a949f8c 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql @@ -101,4 +101,8 @@ WHERE pos.pid IN ( unsigned_exception = '500,6,80,main,main' AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main' ) -GROUP BY p0.cmdline \ No newline at end of file + AND NOT ( + unsigned_exception = '500,6,32768,gvproxy,gvproxy' + AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy' + ) +GROUP BY p0.cmdline diff --git a/detection/credentials/macos_keyboard_sniffer.sql b/detection/credentials/macos_keyboard_sniffer.sql index 34d28e8..e784bd9 100644 --- a/detection/credentials/macos_keyboard_sniffer.sql +++ b/detection/credentials/macos_keyboard_sniffer.sql @@ -67,6 +67,7 @@ WHERE 'HueSync,com.lighting.huesync,Developer ID Application: Signify Netherlands B.V. (PREPN2W95S)', 'Hyperkey,com.knollsoft.Hyperkey,Developer ID Application: Ryan Hanson (XSYZ3E4B7D)', 'Lunar,fyi.lunar.Lunar,Developer ID Application: Alin Panaitiu (RDDXV84A73)', + 'Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing', 'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)', 'Rocket,net.matthewpalmer.Rocket,Developer ID Application: Matthew Palmer (Z4JV2M65MH)', 'Superkey,com.knollsoft.Superkey,Developer ID Application: Ryan Hanson (XSYZ3E4B7D)', diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql index c41d838..6826342 100644 --- a/detection/evasion/hidden-executable.sql +++ b/detection/evasion/hidden-executable.sql @@ -81,7 +81,8 @@ WHERE ( '~/.supermaven', '~/.terraform', '~/.tflint.d', - '~/.vs-kubernetes' + '~/.vs-kubernetes', + '~/.krew' ) AND NOT top3_dir IN ( '~/.arkade/bin', @@ -113,6 +114,7 @@ WHERE ( ) AND NOT dir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%' AND NOT dir LIKE '%/.terraform/providers/%' + AND NOT dir LIKE '%/node_modulues/.bin/hugo' AND NOT dir LIKE '%/node_modules/.pnpm/%' AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%' AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%' @@ -122,5 +124,7 @@ WHERE ( f.path LIKE '/nix/store/%' AND p0.name LIKE '%-wrappe%' ) + AND NOT f.path LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS' AND NOT f.path LIKE '/private/var/root/.Trash/OneDrive %.app/Contents/StandaloneUpdater.app/Contents/MacOS' -GROUP BY f.path \ No newline at end of file + AND NOT f.path LIKE '/home/%/.local/share/AppImage/ZenBrowser.AppImage' +GROUP BY f.path diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql index f450c16..0cd607d 100644 --- a/detection/evasion/unexpected-alf-exceptions-macos.sql +++ b/detection/evasion/unexpected-alf-exceptions-macos.sql @@ -55,6 +55,7 @@ WHERE -- Filter out stock exceptions to decrease overhead 'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension,/Library/SystemExtensions/AD3BCA34-237A-4135-B7A4-0F7477D9144C/com.adguard.mac.adguard.network-extension.systemextension/,0', 'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,0', 'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/,0', + 'Developer ID Application: Ned Deily (DJ3H93M7VJ),org.python.python,/Library/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,0', 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0', '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/', ',,/Users/cpanato/code/src/github.com/sigstore/docs/node_modules/.bin/hugo/hugo,501' diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql index 97e7b4e..f9077a6 100644 --- a/detection/evasion/unexpected-hidden-system-paths.sql +++ b/detection/evasion/unexpected-hidden-system-paths.sql @@ -78,6 +78,8 @@ WHERE '/.mozilla/', '/tmp/.accounts-agent/', '/tmp/.audio-agent/', + -- Xcode; see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897 + '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82', '/tmp/.bazelci/', '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress', '/tmp/.content-agent/', diff --git a/detection/evasion/unusual-executable-name-macos.sql b/detection/evasion/unusual-executable-name-macos.sql index 3f55b7c..5e14283 100644 --- a/detection/evasion/unusual-executable-name-macos.sql +++ b/detection/evasion/unusual-executable-name-macos.sql @@ -106,6 +106,7 @@ WHERE AND NOT pname LIKE '__%go_build_%' AND NOT pname LIKE '__%go_test_%' AND NOT pname LIKE '__Test%' + AND NOT pname LIKE '___%Test_%.test' -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper" AND NOT s.authority = "Software Signing" diff --git a/detection/execution/unexpected-executable-permissions.sql b/detection/execution/unexpected-executable-permissions.sql index c2aae9d..24be4e0 100644 --- a/detection/execution/unexpected-executable-permissions.sql +++ b/detection/execution/unexpected-executable-permissions.sql @@ -128,3 +128,7 @@ WHERE p0.name = 'ShortcutDroplet' AND f.mode = '0751' ) + AND NOT ( + f.path = '/home/%/.local/share/AppImage/ZenBrowser.AppImage' + AND f.mode = '0600' + ) diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql index 623d863..652580e 100644 --- a/detection/execution/unexpected-long-running-security-framework-macos.sql +++ b/detection/execution/unexpected-long-running-security-framework-macos.sql @@ -84,6 +84,7 @@ WHERE -- Focus on longer-running programs ) AND exception_key NOT IN ( '0,velociraptor,a.out,', + '500,cloud_sql_proxy,a.out,', '500,sdzoomplugin,,', '500,sdaudioswitch,,', '500,gopls,a.out,', @@ -94,4 +95,4 @@ WHERE -- Focus on longer-running programs AND NOT exception_key LIKE '500,___Test%.test,a.out' AND NOT exception_key LIKE '500,nvim,bob-%,' AND NOT exception_key LIKE '500,sm-agent,sm_agent-%' -GROUP BY p0.pid \ No newline at end of file +GROUP BY p0.pid diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql index d027f0e..a1dc166 100644 --- a/detection/initial_access/unexpected-diskimage-source-macos.sql +++ b/detection/initial_access/unexpected-diskimage-source-macos.sql @@ -193,6 +193,7 @@ WHERE 'fbcdn.net', 'figma.com', 'flipperzero.one', + 'fnord.com', 'getkap.co', 'github.com', 'gitbutler.com', @@ -213,6 +214,7 @@ WHERE 'obsproject.com', 'opalcamera.com', 'persistent.oaistatic.com', + 'portswigger-cdn.net', 'posit.co', 'presenting.app', 'proton.me', diff --git a/detection/persistence/listening-from-unusual-location.sql b/detection/persistence/listening-from-unusual-location.sql index 0b22abe..42bf618 100644 --- a/detection/persistence/listening-from-unusual-location.sql +++ b/detection/persistence/listening-from-unusual-location.sql @@ -116,6 +116,7 @@ WHERE '32768,6,500,Code Helper (Plugin)', '24024,17,500,MTGA', '32768,6,500,Python', + '32768,6,500,python3', '32768,17,499,viscosity_openvpn', '1,1,500,ping' ) diff --git a/detection/persistence/unexpected-launchd-program-arguments.sql b/detection/persistence/unexpected-launchd-program-arguments.sql index 380f8f4..1ccb6e2 100644 --- a/detection/persistence/unexpected-launchd-program-arguments.sql +++ b/detection/persistence/unexpected-launchd-program-arguments.sql @@ -80,6 +80,7 @@ WHERE ) AND program_arguments NOT IN ( '/Applications/AeroSpace.app/Contents/MacOS/AeroSpace --started-at-login', + '/Applications/RODE Virtual Channels.app/Contents/MacOS/RODE Virtual Channels', '/Applications/Stream Deck.app/Contents/MacOS/Stream Deck --runinbk', '/Applications/Tunnelblick.app/Contents/Resources/launchAtLogin.sh', '/Library/Application Support/Sony Application Launcher/SonyAutoLauncher.app/Contents/MacOS/SonyAutoLauncher', diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql index 57e5592..4ad5a59 100644 --- a/detection/persistence/unexpected-listening-port-macos.sql +++ b/detection/persistence/unexpected-listening-port-macos.sql @@ -76,6 +76,7 @@ WHERE port != 0 '22000,6,500,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783)', '22000,6,500,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783)', '22,6,0,launchd,Software Signing', + '22,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)', '2345,6,500,dlv,', '24678,6,500,node,', '24800,6,500,deskflow-server,', @@ -268,4 +269,10 @@ WHERE port != 0 AND lp.protocol = 6 ) ) -GROUP BY exception_key \ No newline at end of file + AND NOT ( + ( + exception_key LIKE '80,6,500,ssh,Software Signing' + AND p.cmdline LIKE '%/.colima/_lima/colima-docker/ssh.sock' + ) + ) +GROUP BY exception_key