diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 0c33d5c..b42e46f 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -62,6 +62,7 @@ WHERE
 )
 -- Some applications hard-code a safe DNS resolver, or allow the user to configure one
 AND s.remote_address NOT IN (
+ '1.1.1.1', -- Cloudflare
 '100.100.100.100', -- Tailscale Magic DNS
 '208.67.220.123', -- OpenDNS FamilyShield
 '75.75.75.75', -- Comcast
@@ -90,6 +91,7 @@ WHERE
 'limactl,8.8.8.8,53',
 'msedge,8.8.8.8,53',
 'adguard_dns,1.0.0.1,53',
+ 'helm,185.199.108.133,53',
 'coredns,8.8.8.8,53',
 'signal-desktop,8.8.8.8,53',
 'slack,8.8.8.8,53',
@@ -121,6 +123,7 @@ WHERE
 'limactl',
 'mDNSResponder',
 'melange',
+ 'syncthing',
 'nessusd',
 'nuclei',
 'systemd-resolved',
diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
index e21511a..29889df 100644
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@@ -56,6 +56,10 @@ WHERE
 AND s.remote_address NOT LIKE '::ffff:10.%'
 AND s.remote_address NOT LIKE 'fc00:%'
 AND p.path != ''
+ AND p.path NOT LIKE '/app/bin/%'
+ AND p.path NOT LIKE '/usr/bin/%'
+ AND p.path NOT LIKE '/usr/local/bin/%'
+ AND p.path NOT LIKE '/opt/%'
 AND NOT exception_key IN (
 '0,agentbeat,0u,0g,agentbeat',
 '0,apk,u,g,apk',
@@ -65,6 +69,7 @@ WHERE
 '0,bash,0u,0g,sh',
 '0,canonical-livepatchd,0u,0g,canonical-livep',
 '0,chainctl,0u,0g,chainctl',
+ '0,chainctl,500u,500g,chainctl',
 '0,cmake,u,g,cmake',
 '0,containerd,u,g,containerd',
 '0,dirmngr,0u,0g,dirmngr',
@@ -192,6 +197,7 @@ WHERE
 '500,gh,0u,0g,gh',
 '500,gh-dash,500u,500g,gh-dash',
 '500,git,0u,0g,git',
+ '500,github-desktop,0u,0g,github-desktop',
 '500,git-remote-http,0u,0g,git-remote-http',
 '500,git-remote-http,u,g,git-remote-http',
 '500,gitsign,0u,0g,gitsign',
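Review bot: The new `'helm,185.199.108.133,53'` key in the per-process resolver list names an address that, as far as I recall, sits in GitHub's content-hosting range rather than being a public resolver, which is unlike the neighbouring `8.8.8.8` and `1.0.0.1` entries. If helm really does send port-53 traffic there, a trailing comment explaining it — the way the resolver list in the previous hunk does with `-- Cloudflare` — would keep the exception auditable; if it was a one-off observation, it may not deserve a permanent key at all. The enclosing NOT IN list starts and ends outside this hunk.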
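Review bot: The four new prefix exclusions at the top of the unexpected-https-linux hunk (`/app/bin/%`, `/usr/bin/%`, `/usr/local/bin/%`, `/opt/%`) drop any process running from those trees before the keyed exception list below is consulted, so the per-binary allow-list no longer constrains binaries there; `/opt` and `/usr/local/bin` are common locations for third-party installers, so this is a real reduction in what the rule can see. The same `/opt/%` widening appears in the unexpected-https-macos, recently-created-executables-long-lived-macos and unexpected-long-running-security-framework-macos hunks further down, where it replaces the much narrower `/opt/homebrew/...` patterns. If the goal is to quiet Homebrew and (presumably) Flatpak noise, narrower prefixes such as `/opt/homebrew/%` keep coverage for the rest of `/opt`; at minimum each new exclusion should carry a comment naming what it covers, as the DNS resolver list does. The enclosing WHERE clause starts before this hunk.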
@@ -229,6 +235,7 @@ WHERE '500,k6,500u,500g,k6', '500,k9s,0u,0g,k9s', '500,kbfsfuse,0u,0g,kbfsfuse', + '500,keepassxc,u,g,keepassxc', '500,keybase,0u,0g,keybase', '500,Keybase,0u,0g,Keybase', '500,kioslave5,0u,0g,kioslave5', @@ -330,8 +337,6 @@ WHERE '500,terraform,500u,500g,terraform', '500,terraform-ls,500u,500g,terraform-ls', '500,thunderbird,0u,0g,thunderbird', - '500,wolfi-package-status,500u,500g,wolfi-package-s', - '500,github-desktop,0u,0g,github-desktop', '500,thunderbird-bin,u,g,thunderbird-bin', '500,thunderbird,u,g,thunderbird', '500,tidal-hifi,u,g,tidal-hifi', @@ -340,13 +345,13 @@ WHERE '500,todoist,0u,0g,todoist', '500,trivy,0u,0g,trivy', '500,trivy,500u,500g,trivy', - '0,chainctl,500u,500g,chainctl', '500,ubuntu-report,0u,0g,ubuntu-report', '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', '500,wget,0u,0g,wget', '500,wine64-preloader,500u,500g,DaveTheDiver.ex', '500,wine64-preloader,500u,500g,Root.exe', '500,wolfictl,500u,500g,wolfictl', + '500,wolfi-package-status,500u,500g,wolfi-package-s', '500,WPILibInstaller,500u,500g,WPILibInstaller', '500,writerside,500u,500g,writerside', '500,xmobar,0u,0g,xmobar', @@ -357,6 +362,7 @@ WHERE ) -- Exceptions where we have to be more flexible for the process name AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf' AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf-automatic' + AND NOT exception_key LIKE '0,python3.%,500u,500g,dnf-automatic' AND NOT exception_key LIKE '0,python3.%,0u,0g,yum' AND NOT exception_key LIKE '500,python3.%,0u,0g,update-manager' AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%' diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql index 83e2c0e..df4c51d 100644 --- a/detection/c2/unexpected-https-macos.sql +++ b/detection/c2/unexpected-https-macos.sql 
@@ -96,7 +96,7 @@ WHERE
 AND p0.path NOT LIKE '/Users/%/bin/%'
 AND p0.path NOT LIKE '/System/%'
 AND p0.path NOT LIKE '/Users/%/Library/Caches/JetBrains/%/tmp/GoLand/___%'
- AND p0.path NOT LIKE '/opt/homebrew/Cellar/%/bin/%'
+ AND p0.path NOT LIKE '/opt/%'
 AND p0.path NOT LIKE '/usr/libexec/%'
 AND p0.path NOT LIKE '/usr/sbin/%'
 AND p0.path NOT LIKE '/usr/local/kolide-k2/%'
@@ -110,6 +110,7 @@ WHERE
 '0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
 '500,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
 '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
+ '500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman',
 '500,bash,bash,,bash',
 '500,CrossyRoad,CrossyRoad,Apple iPhone OS Application Signing,com.hipsterwhale.crossy',
 '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
@@ -141,6 +142,7 @@ WHERE
 '500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
 '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
 '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
+ '500,Signal Helper (Renderer),Signal Helper (Renderer),500u,20g',
 '500,Skitch,Skitch,Developer ID Application: Skitch Inc (J8RPQ294UB),com.skitch.skitch',
 '500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
 '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index d2f6012..9e53a08 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
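Review bot: The new `'500,Signal Helper (Renderer),Signal Helper (Renderer),500u,20g'` key carries `500u,20g` in the positions where every neighbouring entry carries a signing authority and bundle identifier, so — if the key builder falls back to euid/egid when no signature is available, as the `0u,0g` adguard entry in the talkers file suggests — this exception effectively matches on process name alone, and any unsigned process calling itself `Signal Helper (Renderer)` is excluded from the rule. Signal ships signed, so it is worth checking why the signature columns were empty for this process and, if a signed key can be captured, using that instead; otherwise a short comment recording why the fallback form is accepted would help the next reader. The enclosing NOT IN list starts and ends outside this hunk.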
@@ -152,9 +152,11 @@ WHERE
 '500,6,5222,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp',
 '500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
 '500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
+ '500,6,3389,Windows App,Windows App,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.rdc.macos',
 '500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,0u,0g',
 '500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
 '500,6,5228,Fellow,Fellow,Developer ID Application: Fellow Insights, Inc. (2NF46HY8D8),com.electron.fellow',
+ '500,6,5228,Superhuman,Superhuman,Developer ID Application: SUPERHUMAN LABS INC. (6XHFYUTQGX),com.superhuman.electron',
 '500,6,7881,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed',
 '500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
 '500,6,8080,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
diff --git a/detection/evasion/hidden-launchd-files-macos.sql b/detection/evasion/hidden-launchd-files-macos.sql
index dcdd132..2fea61f 100644
--- a/detection/evasion/hidden-launchd-files-macos.sql
+++ b/detection/evasion/hidden-launchd-files-macos.sql
@@ -36,3 +36,8 @@ WHERE
 file.filename = '.DS_Store'
 AND hash.sha256 = 'd65165279105ca6773180500688df4bdc69a2c7b771752f0a46ef120b7fd8ec3'
 )
+ -- Kandji temp file
+ AND NOT (
+ file.path LIKE '/Library/LaunchAgents/.dat.nosync%'
+ AND size = 242
+ )
diff --git a/detection/execution/recently-created-executables-long-lived-macos.sql b/detection/execution/recently-created-executables-long-lived-macos.sql
index 16ca878..4a4d749 100644
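Review bot: The `Windows App` entry on port 3389 is inserted between the 5228 entries while the surrounding list is ordered by port (5222, 5223, 5228, 7881, 8009, 8080); placing it ahead of the 5222 line keeps the list greppable. As far as this key goes it carries no remote address, so the Microsoft RDP client is exempted for any destination — consistent with how the other keys work, but given what port 3389 is used for, a trailing `-- RDP client` comment would make the decision visible to the next reviewer. The enclosing NOT IN list starts and ends outside this hunk.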
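Review bot: The new Kandji exception in hidden-launchd-files-macos is keyed only on a path prefix (`/Library/LaunchAgents/.dat.nosync%`) and a byte size (`size = 242`), whereas the `.DS_Store` exception immediately above it is pinned by `hash.sha256`; a hidden file under `/Library/LaunchAgents/` is exactly what this rule exists to surface, so a prefix-plus-size carve-out is a comparatively weak exception. If the file's contents are stable, pinning it by hash as the preceding exception does would be stronger; if they are not, the comment should say so and describe what the 242-byte file is. The `size` column is also left unqualified while the neighbouring predicates use `file.` and `hash.` prefixes — presumably `file.size` is meant, and writing it that way keeps the clause consistent. The enclosing WHERE clause starts before this hunk.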
--- a/detection/execution/recently-created-executables-long-lived-macos.sql
+++ b/detection/execution/recently-created-executables-long-lived-macos.sql
@@ -72,7 +72,7 @@ WHERE
 AND NOT path LIKE '/Applications/%'
 AND NOT path LIKE '/Library/Apple/%'
 AND NOT path LIKE '/nix/store/%'
- AND NOT path LIKE '/opt/homebrew/%'
+ AND NOT path LIKE '/opt/%'
 AND NOT path LIKE '%/bin/cargo'
 AND NOT path LIKE '/System/%'
 AND NOT path LIKE '/usr/local/kolide-k2/bin/%'
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
similarity index 95%
rename from detection/execution/unexpected-security-framework-program-macos.sql
rename to detection/execution/unexpected-long-running-security-framework-macos.sql
index 74f0ef6..ec436f7 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -56,31 +56,32 @@ WHERE FROM processes WHERE - start_time < (strftime('%s', 'now') - 7200) + start_time < (strftime('%s', 'now') - 25200) AND parent != 0 -- Assume STP AND NOT path LIKE '/System/%' AND NOT path LIKE '/usr/libexec/%' AND NOT path LIKE '/usr/sbin/%' + -- Regular apps + AND NOT path LIKE '/Applications/%.app/%' -- Other oddball binary paths - AND NOT path LIKE '/opt/homebrew/Cellar/%' + AND NOT path LIKE '/opt/%' AND NOT path LIKE '/usr/local/Cellar/%/bin/%' - AND NOT path LIKE '/Users/%/go/src/%/%.test' - AND NOT ( - path LIKE '/Users/%/homebrew/Cellar/%' - AND name IN ('limactl', 'Python', 'bash') - ) + AND NOT path LIKE '/Users/%/go/%' + AND NOT path LIKE '/Users/%/dev/%' + AND NOT path LIKE '/Users/%/src/%' + AND NOT path LIKE '/Users/%/homebrew/Cellar/%' AND NOT ( path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu' AND name = 'cpu' ) - AND NOT path IN ('/opt/socket_vmnet/bin/socket_vmnet') ) AND pmm.path LIKE '%Security.framework%' AND exception_key NOT IN ( '0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,nix,nix,', + '500,dirmngr,dirmngr,', '0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', @@ -154,6 +155,7 @@ WHERE '500,keyboxd,,', '500,keyboxd,keyboxd,', '500,ko,,', + '500,dirmngr,,', '500,ko,a.out,', '500,kubectl,a.out,', '500,LogicProThumbnailExtension,com.apple.logic10.LogicProThumbnailExtension,Apple Mac OS Application Signing', 
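Review bot: The replacement path exclusions `'/Users/%/go/%'`, `'/Users/%/dev/%'`, `'/Users/%/src/%'` and `'/Users/%/homebrew/Cellar/%'` exempt entire user-writable trees from this rule, where the removed lines only exempted `go/src/%/%.test` binaries and a Homebrew Cellar match restricted to `name IN ('limactl', 'Python', 'bash')`; any long-running binary that ends up under ~/dev or ~/src now bypasses the Security.framework check entirely. If that is the accepted trade-off it deserves a comment next to the block saying so; otherwise keeping the name restriction, or limiting the prefixes to build-output directories such as `/Users/%/go/bin/%`, retains most of the noise reduction. The threshold change from 7200 to 25200 is a bare magic number — `-- 7 hours` alongside it would help, as would a note in the rule header since the file was just renamed to say "long-running". The two `dirmngr` keys are also inserted out of sort order, one between the `'0,'` entries and one between the two `'500,ko'` entries. The enclosing subquery starts before this hunk.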
@@ -241,6 +243,8 @@ WHERE
 AND p0.path LIKE '/Users/%/go/bin/%'
 )
 AND NOT exception_key LIKE '500,terraform-provider-cosign_%,,'
+ AND NOT exception_key LIKE '500,sm-agent,sm_agent-%,'
+ AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
 AND NOT exception_key LIKE '500,cody-engine-%-macos-arm64,%,'
 AND NOT exception_key LIKE '500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,'
 AND NOT exception_key LIKE '500,___%,a.out,'
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index f99114c..5dbba88 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -210,6 +210,7 @@ WHERE
 '/Library/Developer/CommandLineTools/usr/bin/git',
 '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateDaemon',
 '/Library/Kandji/Kandji Agent.app/Contents/MacOS/kandji-library-manager',
+ '/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Library Manager.app/Contents/MacOS/kandji-library-manager',
 '/opt/X11/libexec/launchd_startx',
 '/Applications/DDPM/DDPM.app/Contents/MacOS/DDPM',
 '/sbin/launchd',
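Review bot: The new pattern `'500,lifx-streamdeck,lifx-streamdeck-%'` has no trailing comma, unlike its sibling `'500,sm-agent,sm_agent-%,'` and the existing `'500,terraform-provider-cosign_%,,'` and `'500,rust-analyzer-aarch64-apple-darwin,rust_analyzer-%,'`; because `%` also matches commas, the wildcard runs through the final signing-authority field and the exception applies regardless of who signed the binary, or whether it is signed at all. If the intent is to pin an empty authority as the other LIKE patterns do, it should read `AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%,'`. The enclosing WHERE clause starts before this hunk and continues after it.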