merge conflict

This commit is contained in:
Thomas Stromberg 2024-02-16 17:17:45 -05:00
commit b1e05d6612
21 changed files with 96 additions and 42 deletions


@ -303,6 +303,7 @@ WHERE
'500,wolfictl,500u,500g,wolfictl',
'500,xmobar,0u,0g,xmobar',
'500,yay,0u,0g,yay',
'0,packetbeat,0u,0g,packetbeat',
'500,zdup,500u,500g,zdup',
'500,zoom,0u,0g,zoom',
'500,zoom.real,u,g,zoom.real'
@ -335,7 +336,7 @@ WHERE
)
AND NOT (
exception_key = '0,curl,0u,0g,curl'
AND p.cmdline = 'curl --fail https://ipinfo.io/timezone'
AND p.cmdline LIKE 'curl --fail %'
) -- Exclude processes running inside of containers
AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
AND NOT p.cgroup_path LIKE '/system.slice/system.slice:docker:%'
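Review bot: The curl exception at the end of this section now matches any root-run `curl --fail …` instead of the single ipinfo.io URL it replaces, so a root curl fetching from an arbitrary host is no longer reported by this rule. Keeping the host in the pattern preserves the intent while still tolerating path changes: `AND p.cmdline LIKE 'curl --fail https://ipinfo.io/%'`. If every `--fail` invocation really should be tolerated, a comment naming the job that issues them would let the next reader judge the exception. Separately, `'0,packetbeat,0u,0g,packetbeat'` in the first hunk sits between `yay` and `zdup`, out of the list's alphabetical order, which invites duplicate entries on the next merge.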


@ -218,6 +218,7 @@ WHERE
'500,Python,Python,,org.python.python',
'500,Python,Python,,Python',
'500,Python,Python,,',
'500,Python,Python,0u,80g',
'500,Python,Python,Developer ID Application: Ned Deily (DJ3H93M7VJ),org.python.python'
)
AND (
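Review bot: The added key `'500,Python,Python,0u,80g'` appears to be the unsigned-binary form of this key — the neighbouring entries put a signing authority and bundle identifier in those two slots, so `0u,80g` presumably is the owner uid/gid fallback — meaning a Python with no signature, owned by root and gid 80, run by uid 500. If that reading is right, every unsigned root-owned Python interpreter on the host is now exempt, which is broad for an interpreter that can run arbitrary code. Consider a comment naming the install that produced it (e.g. `-- unsigned python3 from <package>`) or pairing the key with a path condition in the `AND (` block that follows, which begins outside the hunk.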


@ -118,6 +118,7 @@ WHERE
'500,0,20480,com.adguard.mac.adguard.network-extension',
'500,0,20480,io.tailscale.ipn.macsys.network-extension',
'500,0,22,ssh',
'500,0,27668,com.adguard.mac.adguard.network-extension',
'500,0,31488,sntp',
'500,0,32768,Authy',
'500,0,32768,BDLDaemon',
@ -138,9 +139,11 @@ WHERE
'500,0,443,Authy',
'500,0,443,BDCoreIssues',
'500,0,443,BDLDaemon',
'500,0,443,BDUpdDaemon',
'500,0,443,Brackets',
'500,0,443,OneDriveStandaloneUpdater',
'500,0,443,Python',
'500,0,443,bdredline',
'500,0,443,chrome',
'500,0,443,chrome_crashpad_handler',
'500,0,443,com.adguard.mac.adguard.network-extension',
@ -161,6 +164,7 @@ WHERE
'500,0,443,gnome-software',
'500,0,443,go',
'500,0,443,http',
'500,0,443,incusd',
'500,0,443,io.tailscale.ipn.macsys.network-extension',
'500,0,443,ir_agent',
'500,0,443,kioslave5',
@ -168,8 +172,10 @@ WHERE
'500,0,443,launcher',
'500,0,443,metricbeat',
'500,0,443,nessusd',
'500,500,32768,old',
'500,0,443,networkQuality',
'500,0,443,node',
'500,0,443,packetbeat',
'500,0,443,pingsender',
'500,0,443,rapid7_endpoint_broker',
'500,0,443,slack',
@ -181,6 +187,7 @@ WHERE
'500,0,443,velociraptor',
'500,0,443,wget',
'500,0,5228,chrome',
'500,0,443,packetbeat',
'500,0,53,Brackets',
'500,0,53,NetworkManager',
'500,0,53,chrome',
@ -194,7 +201,9 @@ WHERE
'500,0,53,wget',
'500,0,5632,ssh',
'500,0,80,BDUpdDaemon',
'500,0,27668,com.adguard.mac.adguard.network-extension',
'500,0,80,chrome',
'500,0,80,com.adguard.mac.adguard.network-extension',
'500,0,80,com.apple.NRD.UpdateBrainService',
'500,0,80,com.bitdefender.cst.net.dci.dci-network-extension',
'500,0,80,electron',
@ -286,6 +295,8 @@ WHERE
'500,500,80,ksfetch',
'500,500,80,node',
'500,500,9000,Meeting Center',
'500,500,32768,Microsoft.ServiceHub.Controller',
'500,500,32768,Microsoft.VisualStudio.Code.ServiceHost',
'500,99,13568,Slack Helper',
'500,99,32768,Slack Helper',
'500,99,32768,Slack',
@ -294,6 +305,7 @@ WHERE
'500,99,53,Slack Helper'
)
AND NOT exception_key LIKE '500,500,443,terraform%'
AND NOT exception_key LIKE '500,500,32768,terraform-provider-%'
AND NOT exception_key LIKE '500,500,2304,terraform%'
AND NOT exception_key LIKE '500,500,53,terraform%'
AND NOT exception_key LIKE '500,500,80,terraform%'
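Review bot: `'500,0,443,packetbeat'` is now listed twice (once next to `pingsender`, once again after `'500,0,5228,chrome'`), and `'500,0,27668,com.adguard.mac.adguard.network-extension'` also appears twice (after `ssh` and again after `BDUpdDaemon`); both look like merge residue, so drop the second copies to keep the list one entry per key. The new `'500,500,32768,old'` entry deserves a second look: it exempts any uid-500 process literally named `old` talking to a high port, and a process name is trivially attacker-chosen. If it came from a renamed binary during testing, remove it; otherwise document what `old` is.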


@ -87,10 +87,9 @@ WHERE
'123,17,500,chronyd,0u,0g,chronyd',
'143,6,500,thunderbird,0u,0g,thunderbird',
'143,6,500,thunderbird,u,g,thunderbird',
'19305,6,500,firefox,0u,0g,firefox',
'19305,6,500,firefox,0u,0g,.firefox-wrappe',
'19305,6,500,firefox,0u,0g,firefox',
'1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer',
'22000,6,500,syncthing,0u,0g,syncthing',
'22,6,0,ssh,0u,0g,ssh',
'22,6,0,tailscaled,0u,0g,tailscaled',
'22,6,500,cargo,0u,0g,cargo',
@ -99,6 +98,8 @@ WHERE
'22,6,500,netcat,0u,0g,nc',
'22,6,500,ssh,0u,0g,ssh',
'22,6,500,terraform,500u,500g,terraform',
'80,6,500,firefox-bin,500u,500g,firefox-bin',
'22000,6,500,syncthing,0u,0g,syncthing',
'3000,6,500,brave,0u,0g,brave',
'3000,6,500,chrome,0u,0g,chrome',
'32768,17,500,traceroute,0u,0g,traceroute',
@ -108,8 +109,6 @@ WHERE
'80,6,500,firefox-bin,500u,500g,firefox-bin',
'3307,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
'3443,6,500,chrome,0u,0g,chrome',
'500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService',
'500,0,80,com.apple.NRD.UpdateBrainService',
'3478,6,500,chrome,0u,0g,chrome',
'3478,6,500,firefox,0u,0g,firefox',
'4070,6,500,spotify,0u,0g,spotify',
@ -120,18 +119,21 @@ WHERE
'444,6,500,firefox,0u,0g,firefox',
'4460,6,114,chronyd,0u,0g,chronyd',
'465,6,500,thunderbird,0u,0g,thunderbird',
'5004,6,500,brave,0u,0g,brave',
'5006,6,500,brave,0u,0g,brave',
'500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService',
'500,0,80,com.apple.NRD.UpdateBrainService',
'500,htop,0u,0g,htop',
'500,syft,0u,0g,syft',
'5004,6,500,brave,0u,0g,brave',
'5006,6,500,brave,0u,0g,brave',
'5228,6,500,chrome,0u,0g,chrome',
'587,6,500,thunderbird,0u,0g,thunderbird',
'587,6,500,thunderbird,u,g,thunderbird',
'6443,6,500,kubectl,0u,0g,kubectl',
'67,17,0,NetworkManager,0u,0g,NetworkManager',
'8000,6,500,brave,0u,0g,brave',
'8000,6,500,chrome,0u,0g,chrome',
'8000,6,500,firefox,0u,0g,firefox',
'80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'80,6,0,/usr/python2.7,u,g,yum',
'80,6,0,/usr/xargs,0u,0g,xargs',
'80,6,0,NetworkManager,0u,0g,NetworkManager',
'80,6,0,applydeltarpm,0u,0g,applydeltarpm',
'80,6,0,appstreamcli,0u,0g,appstreamcli',
'80,6,0,bash,0u,0g,bash',
@ -147,7 +149,6 @@ WHERE
'80,6,0,kmod,0u,0g,depmod',
'80,6,0,kubelet,u,g,kubelet',
'80,6,0,ldconfig,0u,0g,ldconfig',
'80,6,0,NetworkManager,0u,0g,NetworkManager',
'80,6,0,packagekitd,0u,0g,packagekitd',
'80,6,0,pacman,0u,0g,pacman',
'80,6,0,pdftex,0u,0g,pdftex',
@ -157,18 +158,17 @@ WHERE
'80,6,0,python3.11,0u,0g,dnf',
'80,6,0,python3.11,0u,0g,dnf-automatic',
'80,6,0,python3.11,0u,0g,yum',
'80,6,0,python3.12,0u,0g,yum',
'80,6,0,python3.9,u,g,yum',
'80,6,0,sort,0u,0g,sort',
'80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
'80,6,0,tailscaled,0u,0g,tailscaled',
'80,6,0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
'80,6,0,/usr/python2.7,u,g,yum',
'80,6,0,/usr/xargs,0u,0g,xargs',
'80,6,0,wget,0u,0g,wget',
'80,6,0,zstd,0u,0g,zstd',
'80,6,100,http,0u,0g,http',
'80,6,105,http,0u,0g,http',
'80,6,42,http,0u,0g,http',
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent',
'80,6,500,brave,0u,0g,brave',
'80,6,500,chrome,0u,0g,chrome',
@ -176,8 +176,9 @@ WHERE
'80,6,500,copilot-agent-linux,500u,500g,copilot-agent-l',
'80,6,500,curl,0u,0g,curl',
'80,6,500,electron,0u,0g,electron',
'80,6,500,firefox,0u,0g,firefox',
'80,6,500,firefox,0u,0g,.firefox-wrappe',
'80,6,500,firefox,0u,0g,firefox',
'80,6,500,firefox-bin,500u,500g,firefox-bin',
'80,6,500,firefox-bin,u,g,firefox-bin',
'80,6,500,git-remote-http,0u,0g,git-remote-http',
'80,6,500,gnome-software,0u,0g,gnome-software',
@ -202,9 +203,8 @@ WHERE
'80,6,500,slirp4netns,500u,500g,slirp4netns',
'80,6,500,spotify,0u,0g,spotify',
'80,6,500,spotify,500u,500g,spotify',
'80,6,500,spotify-launcher,0u,0g,spotify-launche',
'80,6,0,python3.12,0u,0g,yum',
'80,6,500,spotify,u,g,spotify',
'80,6,500,spotify-launcher,0u,0g,spotify-launche',
'80,6,500,steam,500u,100g,steam',
'80,6,500,steam,500u,500g,steam',
'80,6,500,steamwebhelper,500u,500g,steamwebhelper',
@ -212,10 +212,12 @@ WHERE
'80,6,500,terraform,500u,500g,terraform',
'80,6,500,thunderbird,0u,0g,thunderbird',
'80,6,500,thunderbird,u,g,thunderbird',
'80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
'80,6,500,wine64-preloader,0u,0g,control.exe',
'80,6,500,zoom,0u,0g,zoom',
'80,6,500,zoom.real,u,g,zoom.real',
'8000,6,500,brave,0u,0g,brave',
'8000,6,500,chrome,0u,0g,chrome',
'8000,6,500,firefox,0u,0g,firefox',
'8080,6,500,brave,0u,0g,brave',
'8080,6,500,chrome,0u,0g,chrome',
'8080,6,500,firefox,0u,0g,firefox',
@ -223,9 +225,9 @@ WHERE
'8080,6,500,speedtest,500u,500g,speedtest',
'8443,6,500,chrome,0u,0g,chrome',
'8443,6,500,firefox,0u,0g,firefox',
'88,6,500,syncthing,0u,0g,syncthing',
'8801,17,500,zoom,0u,0g,zoom',
'8801,17,500,zoom.real,u,g,zoom.real',
'88,6,500,syncthing,0u,0g,syncthing',
'8987,6,500,whois,0u,0g,whois',
'9418,6,500,git,0u,0g,git',
'993,6,500,evolution,0u,0g,evolution',
@ -235,6 +237,7 @@ WHERE
)
AND NOT exception_key LIKE '80,6,500,terraform_1.1.5,500u,500g,terraform'
AND NOT exception_key LIKE '%,6,500,nuclei,500u,500g,nuclei'
AND NOT exception_key LIKE '%,6,500,ssh,0u,0g,ssh'
AND NOT (
p.name = 'java'
AND p.cmdline LIKE '/home/%/.local/share/JetBrains/Toolbox/%'
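Review bot: The new `AND NOT exception_key LIKE '%,6,500,ssh,0u,0g,ssh'` exempts uid-500 ssh on every TCP port, which removes this rule's visibility into ssh tunnels to non-standard ports, while port 22 was already covered by the existing `'22,6,500,ssh,0u,0g,ssh'` key. If one alternate port triggered this, add that port as an explicit key instead; if a wildcard is really intended, a comment naming the use case (bastion on a custom port, etc.) would help the next reader. The `AND NOT (` block holding the JetBrains java exception continues past the end of the hunk.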


@ -142,6 +142,7 @@ WHERE
'500,6,5222,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
'500,6,5222,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp',
'500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,6,995,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
'500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
'500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,0u,0g',
'500,6,5228,com.adguard.mac.adguard.network-extension,com.adguard.mac.adguard.network-extension,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
@ -223,10 +224,10 @@ WHERE
AND NOT (
alt_exception_key = '500,6,80,main,main,500u,20g'
AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
) -- Known Web Browsers
) -- Wider
AND NOT (
(
pos.remote_port IN (80, 587, 999)
pos.remote_port IN (80, 123, 587, 999)
OR pos.remote_port > 1024
)
AND id_exception_key IN (
@ -234,7 +235,7 @@ WHERE
'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp.ServiceExtension',
'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
@ -246,13 +247,13 @@ WHERE
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
'Developer ID Application: Vivaldi Technologies AS (4XF3XNRN6Y),com.vivaldi.Vivaldi.helper',
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
'Developer ID Application: ]Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
@ -268,6 +269,7 @@ WHERE
'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking',
'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp.ServiceExtension',
'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'
)
)
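Review bot: The comment `-- Wider` that replaces `-- Known Web Browsers` says nothing about what the block below tolerates; since the identifier list now mixes browsers, updaters, network extensions and chat helpers, something like `-- Signed apps allowed to reach any port above 1024 plus a few well-known low ports` would document the actual contract. Adding 123 to the low-port list is also worth a sentence: the exception keys earlier in this file carry protocol 6 (TCP), and NTP normally runs over UDP, so if a single identifier triggered this it may be cleaner to add it as an explicit `'500,6,123,…'` key than to open 123 for every identifier in the block. The enclosing `AND NOT (` starts outside the hunk.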


@ -79,6 +79,7 @@ WHERE
'/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),io.osquery.agent',
'/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
'/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred',
'/dev/bpf,packetbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),packetbeat',
'/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',
'/dev/auditsessions,authd,Software Signing,com.apple.authd',
'/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
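Review bot: The new `/dev/bpf,packetbeat,…` key is inserted between two `/dev/auditsessions` entries, breaking the list's path ordering; move it after the last `/dev/auditsessions` line so the next merge does not produce a duplicate. Since `/dev/bpf` grants raw packet capture, keeping the Elasticsearch Developer ID in the key as done here is the right level of specificity.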


@ -49,4 +49,4 @@ WHERE
-- Snap packages?
AND p.path NOT LIKE '/tmp/.mount_%'
AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
AND p.path NOT IN ('/usr/bin/python3.10', '/opt/google/chrome/nacl_helper')
AND p.path NOT IN ('/usr/bin/python3.10', '/opt/google/chrome/nacl_helper', '/opt/Synergy/resources/synergy-tray')


@ -221,3 +221,9 @@ WHERE
file.path = '/var/root/.oracle_jre_usage/'
AND file.size = 96
)
AND NOT (
file.path LIKE '/tmp/.ssh-%'
AND file.type = "socket"
AND file.mode = '0600'
)
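Review bot: The new `/tmp/.ssh-%` socket exception writes `file.type = "socket"` with double quotes while the neighbouring conditions use single-quoted literals; SQLite only falls back to treating an unresolvable double-quoted name as a string, so write `file.type = 'socket'` to keep it from ever being parsed as an identifier. The path pattern is also wider than the ssh-agent convention (its sockets normally live at `/tmp/ssh-XXXXXX/agent.NNN`, no leading dot), so a comment naming the tool that creates `/tmp/.ssh-*` sockets would justify the exception for the next reader. The WHERE clause this belongs to begins outside the hunk.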


@ -59,6 +59,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
OR file.path LIKE '/tmp/%ctl'
OR file.path LIKE '%/CCLBS/%'
OR file.path LIKE '%/checkout/%'
OR file.path LIKE '/tmp/lima/%'
OR file.path LIKE '%/ci/%'
OR file.path LIKE '%/debug/%'
OR file.path LIKE '%/dist/%'


@ -54,6 +54,9 @@ WHERE
directory = '/Users/Shared/'
OR directory LIKE '/Users/Shared/%'
OR directory LIKE '/Users/Shared/.%'
OR directory = '/var/root/'
OR directory LIKE '/var/root/%%'
OR directory LIKE '/var/root/.%'
OR directory LIKE '/Users/%/Library'
OR directory LIKE '/Users/%/Library/%'
OR directory LIKE '/Users/%/Library/%/.%'
@ -137,11 +140,14 @@ WHERE
'~/.config/nvim.bak',
'~/.docker/cli-plugins',
'~/.emacs.d/backups',
'~/Library/Logs/com.logmein.GoToOpener',
'~/.emacs.d.bak/bin',
'~/.fig/bin',
'~/.fzf',
'~/.fzf/bin',
'~/.gvm/bin',
'~/.vs-tekton',
'~/.dotnet/tools',
'~/.kn/plugins',
'~/Library/Mobile Documents/com~apple~CloudDocs',
'~/.kuberlr/darwin-amd64',
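Review bot: `directory LIKE '/var/root/%%'` has a doubled wildcard; `%%` is equivalent to `%`, so write `OR directory LIKE '/var/root/%'`. Note also that `%` already matches dot-prefixed names, so the `/var/root/.%` line (and the `/Users/Shared/.%` line above it) is redundant unless it is kept purely as documentation. In the second hunk, `'~/Library/Logs/com.logmein.GoToOpener'`, `'~/.dotnet/tools'` and `'~/Library/Mobile Documents/com~apple~CloudDocs'` land out of alphabetical order among the `~/.emacs.d` to `~/.kuberlr` entries; sorting them keeps later merges clean.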


@ -181,6 +181,7 @@ WHERE
'Developer ID Application: Keybase, Inc. (99229SGT5K)',
'Developer ID Application: Kolide Inc (YZ3EM74M78)',
'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
'Developer ID Application: Wesley FURLONG (P4A6FU9KZ3)',
'Developer ID Application: Michael Jones (YD6LEYT6WZ)',


@ -161,4 +161,5 @@ WHERE
AND p2.path = "/usr/local/qualys/cloud-agent/bin/qualys-scan-util"
)
-- Elastic Agent
AND NOT p0.path LIKE '/Library/Elastic/Agent/%'
AND NOT p0.path LIKE '/Library/Elastic/Agent/%'
AND NOt p0.cmdline LIKE '%/osqueryd %'
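Review bot: `AND NOt p0.cmdline LIKE '%/osqueryd %'` exempts every process whose command line contains `/osqueryd ` anywhere, not just the Elastic Agent component the comment above refers to, so a binary dropped as `/tmp/osqueryd` would slip past this rule. Anchoring the pattern to the agent tree keeps the exception tight: `AND NOT p0.cmdline LIKE '/Library/Elastic/Agent/data/%/components/osqueryd %'` (the Linux layout shown elsewhere in this commit is `/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd`, so adjust if this file also serves Linux). The mixed-case `NOt` should also become `NOT` to match the rest of the file.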


@ -334,6 +334,7 @@ WHERE
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Silicon Laboratories Inc (52444FG85C)',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y)',
'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',


@ -123,4 +123,8 @@ WHERE
AND NOT (
f.path = '/Library/Bitdefender/AVP/product/bin/EndpointSecurityforMac.app/Contents/MacOS/EndpointSecurityforMac'
AND f.mode = '0655'
)
AND NOT (
p0.name = 'ShortcutDroplet'
AND f.mode = '0751'
)
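Review bot: The new `ShortcutDroplet` exception keys only on `p0.name`, whereas the Bitdefender exception right above it pins the full `f.path`; a process name is attacker-controlled, so any binary named `ShortcutDroplet` with mode 0751 is now exempt. Pin it the same way — on `f.path`, or on the signing authority if this query exposes one — so the exemption describes one specific file rather than a name. The WHERE this belongs to begins outside the hunk.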


@ -102,6 +102,7 @@ WHERE
OR p0_cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %'
OR p1_cmd LIKE '%aws %sso%'
OR p1_cmd LIKE '%gcloud% auth %login%'
OR p1_cmd LIKE '%gcloud% init'
OR p1_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
OR p1_cmd LIKE '/bin/sh %/opt/homebrew/bin/git-gui%'
OR p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)'


@ -43,6 +43,7 @@ WHERE
'systemd-network',
'NetworkManager',
'dhclient',
'packetbeat',
'dhcpcd',
'tcpdump'
)


@ -139,21 +139,23 @@ WHERE
AND NOT p0.path IN (
'/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
'/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent',
'/usr/bin/apt',
'/app/libexec/mediawriter/helper',
'/usr/libexec/diskimagesiod',
'/usr/bin/apt',
'/usr/bin/darktable',
'/usr/libexec/snapd/snapd',
'/usr/bin/rsync',
'/usr/bin/dockerd',
'/usr/bin/gnome-shell',
'/usr/bin/teskdisk',
'/usr/bin/gnome-software',
'/usr/bin/rsync',
'/usr/bin/teskdisk',
'/usr/bin/udevadm',
'/usr/bin/update-notifier',
'/usr/lib/systemd/systemd',
'/usr/lib64/electron/electron',
'/usr/libexec/PerfPowerServices',
'/usr/libexec/aned',
'/usr/libexec/biomesyncd',
'/usr/libexec/coreduetd',
'/usr/libexec/diskimagesiod',
'/usr/libexec/diskmanagementd',
'/usr/libexec/flatpak-system-helper',
'/usr/libexec/logd',
@ -162,10 +164,10 @@ WHERE
'/Library/Elastic/Endpoint/elastic-endpoint',
'/usr/libexec/PerfPowerServices',
'/usr/libexec/signpost_reporter',
'/usr/libexec/snapd/snapd',
'/usr/libexec/syspolicyd',
'/usr/libexec/tracker-miner-fs-3',
'/usr/libexec/tracker-extract-3',
'/usr/lib/systemd/systemd',
'/usr/libexec/tracker-miner-fs-3',
'/usr/sbin/spindump',
'/usr/sbin/systemstats'
)
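Review bot: `/usr/bin/teskdisk`, which this reorder moves, looks like a typo for `/usr/bin/testdisk`; as written the entry matches nothing, and the real testdisk path would still be reported. If that was the intent, change it to `'/usr/bin/testdisk',` while the line is being touched. The rest of the hunk is a sort of the path list plus a few additions and reads fine.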


@ -94,6 +94,7 @@ WHERE
'kubectl',
'yay',
'syft',
'Proton Mail Bridge',
'syncthing',
'go',
'grype',


@ -74,7 +74,7 @@ WHERE
)
)
AND NOT exception_key IN (
"true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
"true,Gareth Stephenson,My O'Reilly Downloader,deebiaolijlopiocielojiipnpnaldlk",
'false,privacybadger-owner@eff.org,Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop',
'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
@ -144,7 +144,11 @@ WHERE
'true,,Google Mail Checker,mihcahmgecmbnbcchbopgniflfhgnkff',
'true,,Google Optimize,bhdplaindhdkiflmbfbciehdccfhegci',
'true,,Google Play Books,mmimngoggfoobjdlefbcabngfnmieonb',
<<<<<<< HEAD
'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
=======
'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
>>>>>>> main
'true,,Grammarly: Grammar Checker and AI Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
'true,,Grammarly: Grammar Checker and Writing App,kbfnbcaeplbcioakkpcpgfkobkghlhen',
'true,,Gravit Designer,pdagghjnpkeagmlbilmjmclfhjeaapaa',
@ -252,7 +256,7 @@ WHERE
'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
'true,Adblock for Chrome Team,Adblock for Chrome™,onomjaelhagjjojbkcafidnepbfkpnee',
'true,Adblock for Chrome Team,Adblock for Chrome™,onomjaelhagjjojbkcafidnepbfkpnee',
'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
'true,Adguard Software Ltd,AdGuard AdBlocker,bgnkhhnnamicmpeenaelnjfhikgbkllg',
'true,AgileBits,1Password extension (desktop app required),aomjjhallfgjeglblehebfpbcfeobpgk',
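Review bot: The lines `<<<<<<< HEAD`, `=======` and `>>>>>>> main` were committed inside the `exception_key IN (...)` list, which makes this whole query a syntax error until they are removed. Both sides carry the identical `'true,,Grammarly: AI Writing and Grammar Checker App,kbfnbcaeplbcioakkpcpgfkobkghlhen',` line, so keep one copy and delete the three marker lines. The commit is titled "merge conflict", but this file still contains one, so it is worth a quick syntax check of the remaining files before this lands.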


@ -50,6 +50,7 @@ WHERE
OR directory LIKE '/dev/%'
)
AND path_expr NOT IN (
'/dev/HID-SENSOR-e..auto',
'/dev/acpi_thermal_rel',
'/dev/autofs',
'/dev/block/',
@ -66,8 +67,8 @@ WHERE
'/dev/console',
'/dev/core',
'/dev/cpu/',
'/dev/cpu_dma_latency',
'/dev/cpu/microcode',
'/dev/cpu_dma_latency',
'/dev/cros_ec',
'/dev/cuse',
'/dev/disk/',
@ -96,11 +97,8 @@ WHERE
'/dev/fuse',
'/dev/gpiochip',
'/dev/hidraw',
'/dev/HID-SENSOR-e..auto',
'/dev/hpet',
'/dev/hugepages/',
'/dev/mtd/',
'/dev/mtd/by-name',
'/dev/hugepages/libvirt',
'/dev/hvc',
'/dev/hwrng',
@ -137,6 +135,8 @@ WHERE
'/dev/mmcblk',
'/dev/mqueue/',
'/dev/mtd',
'/dev/mtd/',
'/dev/mtd/by-name',
'/dev/mtdro',
'/dev/net/',
'/dev/net/tun',
@ -145,10 +145,10 @@ WHERE
'/dev/nvidia',
'/dev/nvidia-caps/',
'/dev/nvidia-caps/nvidia-cap',
'/dev/nvidiactl',
'/dev/nvidia-modeset',
'/dev/nvidia-uvm',
'/dev/nvidia-uvm-tools',
'/dev/nvidiactl',
'/dev/nvme',
'/dev/nvme-fabrics',
'/dev/nvmen',
@ -201,9 +201,9 @@ WHERE
'/dev/tty',
'/dev/ttyACM',
'/dev/ttyAMA',
'/dev/ttyprintk',
'/dev/ttyS',
'/dev/ttyUSB',
'/dev/ttyprintk',
'/dev/ubuntu-vg/',
'/dev/udmabuf',
'/dev/uhid',
@ -225,11 +225,13 @@ WHERE
'/dev/vfio/',
'/dev/vfio/vfio',
'/dev/vg/',
'/dev/vga_arbiter',
'/dev/vg/root',
'/dev/vg/swap',
'/dev/vga_arbiter',
'/dev/vgubuntu/',
'/dev/vgubuntu/incus-default',
'/dev/vgubuntu/root',
'/dev/vgubuntu/swap',
'/dev/vgubuntu/swap_',
'/dev/vhci',
'/dev/vhost-net',
@ -240,6 +242,7 @@ WHERE
'/dev/vl/by-path',
'/dev/vlloopback',
'/dev/vportp',
'/dev/vsock',
'/dev/watchdog',
'/dev/wmi/',
'/dev/wmi/dell-smbios',


@ -293,6 +293,8 @@ WHERE
AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'
AND NOT exception_key LIKE '%beat,/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,0750'
AND NOT exception_key LIKE 'osquery-extensi,/opt/Elastic/Agent/data/elastic-agent-%/components/osquery-extension.ext,0,system.slice,elastic-agent.service,0750'
AND NOT exception_key LIKE 'osqueryd,/opt/Elastic/Agent/data/elastic-agent-%/components/osqueryd,0,system.slice,elastic-agent.service,0750'
AND NOT exception_key LIKE 'elastic-agent,/opt/Elastic/Agent/data/elastic-agent-%/elastic-agent,0,system.slice,elastic-agent.service,0770'
AND NOT p0.path IN ('/bin/bash', '/usr/bin/bash')
AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'