fpr: sharingd, sparkle, golang, Snagit

2023-05-05 15:10:54 -04:00 · 2023-05-05 15:10:54 -04:00 · 9eed574026
parent 61d503db0e
commit 9eed574026
4 changed files with 18 additions and 5 deletions
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -112,6 +112,7 @@ WHERE pos.protocol > 0
    AND s.authority = 'Software Signing'
  )
  AND NOT exception_key IN (
+    '0,6,80,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
    '500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
    '500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
    '500,6,22,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
@ -120,7 +121,6 @@ WHERE pos.protocol > 0
    '500,6,4070,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
    '500,6,5091,ZoomPhone,ZoomPhone,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.ZoomPhone',
    '500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
-    '0,6,80,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
    '500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
    '500,6,80,Arc Helper,Arc Helper,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
    '500,6,80,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
@ -135,6 +135,7 @@ WHERE pos.protocol > 0
    '500,6,80,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
    '500,6,80,Snagit 2023,Snagit 2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.TechSmith.Snagit2023',
    '500,6,80,SnagitHelper2020,SnagitHelper2020,Apple Mac OS Application Signing,com.techsmith.snagit.capturehelper2020',
+    '500,6,80,SnagitHelper2023,SnagitHelper2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2023',
    '500,6,80,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
    '500,6,80,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
    '500,6,80,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@ -89,6 +89,8 @@ WHERE p0.pid IN (
        '~/Library/Caches/JetBrains/',
        '~/Library/Caches/org.gpgtools.updater/',
        '~/Library/Caches/snyk/',
+        '~/projects/go/src/',
+        '~/Library/Caches/company.thebrowser.Browser/',
        '/Library/Developer/Xcode/',
        '~/.terraform.d/plugin-cache/registry.terraform.io/'
      )
@ -106,6 +108,8 @@ WHERE p0.pid IN (
      )
      OR dir LIKE '~/%/node_modules/.bin/%'
      OR f.path LIKE '%go-build%'
+      OR f.path LIKE '~/%/src/%.test'
+      OR f.path LIKE '~/%/pkg/%.test'
      OR f.path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install'
      OR f.path LIKE '/private/tmp/go-%'
      OR f.path LIKE '/private/tmp/nix-build-%'
@ -163,4 +167,9 @@ WHERE p0.pid IN (
    AND f.uid = p0.uid
    AND p0.cmdline LIKE './%'
  )
+  AND NOT (
+    s.authority != ""
+    AND s.identifier = 'org.sparkle-project.Sparkle.Updater'
+    AND top3_dir LIKE '~/Library/Caches/%'
+  )
 GROUP BY p0.pid
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@ -55,9 +55,6 @@ WHERE
    '10011,6,0,launchd,Software Signing',
    '1024,6,0,systemmigrationd,Software Signing',
    '1313,6,500,hugo,',
-    '80,6,500,limactl,',
-    '443,6,500,limactl,',
-    '2345,6,500,dlv,',
    '1338,6,500,registry,',
    '137,17,0,launchd,Software Signing',
    '137,17,222,netbiosd,Software Signing',
@ -72,8 +69,8 @@ WHERE
    '22000,6,500,syncthing,',
    '22000,6,500,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783)',
    '22,6,0,launchd,Software Signing',
+    '2345,6,500,dlv,',
    '24678,6,500,node,',
-    '5454,6,0,xrdd,Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
    '28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
    '2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
    '33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
@ -83,6 +80,7 @@ WHERE
    '41949,6,500,IPNExtension,Apple Mac OS Application Signing',
    '43398,6,500,IPNExtension,Apple Mac OS Application Signing',
    '443,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
+    '443,6,500,limactl,',
    '44450,6,500,Linear Helper,Developer ID Application: Linear Orbit, Inc. (7VZ2S3V9RV)',
    '45972,6,500,IPNExtension,Apple Mac OS Application Signing',
    '49152,6,0,AirPlayXPCHelper,Software Signing',
@ -115,6 +113,7 @@ WHERE
    '53,17,65,mDNSResponder,Software Signing',
    '53,6,500,dnsmasq,',
    '53,6,65,mDNSResponder,Software Signing',
+    '5454,6,0,xrdd,Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
    '546,17,0,configd,Software Signing',
    '547,17,500,dhcp6d,Software Signing',
    '5900,6,0,launchd,Software Signing',
@ -127,7 +126,9 @@ WHERE
    '68,17,0,configd,Software Signing',
    '7000,6,500,ControlCenter,Software Signing',
    '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
+    '80,6,500,limactl,',
    '8770,6,500,sharingd,Software Signing',
+    '8771,6,500,sharingd,Software Signing',
    '88,17,0,kdc,Software Signing',
    '8828,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
    '8829,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
--- a/policy/gcp-service-account-keys.sql
+++ b/policy/gcp-service-account-keys.sql
@ -45,7 +45,9 @@ WHERE
  ) == 1
  -- Demo keys
  AND NOT file.filename LIKE 'host-project-%'
+  AND NOT file.filename LIKE 'ulabs-%'
  AND NOT hash.sha256 IN (
    "c7d6bac8e942511e25973889ac38656d4d46f68044650d694721017fda23716e",
+    "bd5f4c01ebb5636b94584ee4ae42514b27d371859f7344f6aa5a37332ee714ba",
    "bd5f4c01ebb5636b94584ee4ae42514b27d371859f7344f6aa5a37332ee714ba"
  )