fpr: Canon Universal Installer, melange, GPG, key names

2025-02-16 09:27:06 +00:00 · 2023-03-06 15:11:11 -05:00 · 2023-03-06 15:11:11 -05:00 · b3825ba2b9
commit b3825ba2b9
parent cb8162d3c6
25 changed files with 66 additions and 16 deletions
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@ -95,10 +95,12 @@ WHERE
  -- Local DNS servers and custom clients go here
  -- Electron apps
  AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'
+  AND p.path NOT LIKE '/Volumes/Google Chrome/%.app/Contents/MacOS/% Helper'
  AND p.path NOT IN (
    '/Library/Nessus/run/sbin/nessusd',
    '/opt/google/chrome/chrome',
    '/usr/bin/apko',
+    '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking',
    '/usr/lib/systemd/systemd-resolved'
  )
  -- Chromium apps can send stray DNS packets
--- a/detection/c2/unexpected-https-client-linux.sql
+++ b/detection/c2/unexpected-https-client-linux.sql
@ -135,6 +135,7 @@ WHERE
    '500,gitsign,0u,0g,gitsign',
    '500,gitsign,500u,0g,gitsign',
    '500,gitsign,500u,500g,gitsign',
+    '0,git-remote-http,0u,0g,git-remote-http',
    '500,gitsign-credential-cache,500u,500g,gitsign-credent',
    '500,gjs-console,0u,0g,org.gnome.Maps',
    '500,gnome-recipes,0u,0g,gnome-recipes',
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@ -76,6 +76,11 @@ WHERE
  AND s.remote_address NOT LIKE '::ffff:192.168.%'
  AND s.remote_address NOT LIKE 'fc00:%'
  AND p.path != ''
+  AND NOT (
+    s.remote_address LIKE '100.%'
+    AND s.local_address LIKE '100.%'
+    AND exception_key = '32768,6,74,sshd,0u,0g,sshd'
+  )
  AND NOT exception_key IN (
    '123,17,114,chronyd,0u,0g,chronyd',
    '123,17,500,chronyd,0u,0g,chronyd',
@ -127,6 +132,7 @@ WHERE
    '80,6,0,find,0u,0g,find',
    '80,6,0,gawk,0u,0g,awk',
    '80,6,0,gpg,0u,0g,gpg',
+    '80,6,0,grep,0u,0g,grep',
    '80,6,0,kmod,0u,0g,depmod',
    '80,6,0,kubelet,u,g,kubelet',
    '80,6,0,ldconfig,0u,0g,ldconfig',
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@ -125,6 +125,7 @@ WHERE
    'gopls',
    'grype',
    'idea',
+    'melange-run',
    'Install',
    'java',
    'jetbrains-toolb',
--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@ -45,6 +45,7 @@ WHERE
    'gdm-session-wor',
    'gdm-x-session',
    'gpg-agent',
+    'Xorg',
    'modprobe',
    'nginx',
    'osqueryi',
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@ -85,6 +85,7 @@ WHERE
        'Code Helper'
      )
      AND NOT cgroup_path LIKE '/system.slice/docker-%'
+      AND NOT cgroup_path LIKE '/system.slice/system.slice:docker:%'
  )
  AND NOT (
    exception_key IN (
@ -133,15 +134,13 @@ WHERE
    )
    OR top_dir IN ('~/Sync')
    OR dir LIKE '~/.%'
+    OR dir LIKE '%/.build'
    OR dir LIKE '~/code/%'
    OR dir LIKE '~/%/.config/nvim'
    OR dir LIKE '~/dev/%/dots/%/.config%'
-    OR dir LIKE '~/%/.git'
-    OR dir LIKE '/private/tmp/%/.git'
-    OR dir LIKE '/tmp/%/.git'
-    OR dir LIKE '~/%/.github%'
    OR dir LIKE '~/%/.docker%'
-    OR dir LIKE '~/%/.vercel%'
+    OR dir LIKE '~/%/.git'
+    OR dir LIKE '~/%/.github%'
    OR dir LIKE '~/%/github.com/%'
    OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
    OR dir LIKE '~/.gradle/%'
@ -149,11 +148,14 @@ WHERE
    OR dir LIKE '~/%/.modcache/%'
    OR dir LIKE '~/%/node_modules/.pnpm/%'
    OR dir LIKE '/opt/homebrew/%/.cache/%'
+    OR dir LIKE '/private/tmp/%/.git'
    OR dir LIKE '~/%/src/%'
    OR dir LIKE '~/src/%'
    OR dir LIKE '~/%/.terraform%'
+    OR dir LIKE '/tmp/%/.git'
    OR dir LIKE '/tmp/%/.github/workflows'
    OR dir LIKE '/tmp/.mount_%'
+    OR dir LIKE '~/%/.vercel%'
    -- For sudo calls to other things
    OR (
      dir LIKE '/home/.terraform.d/%'
--- a/detection/evasion/parent-missing-from-disk-linux.sql
+++ b/detection/evasion/parent-missing-from-disk-linux.sql
@ -51,6 +51,7 @@ WHERE
    '/opt/google/chrome/chrome',
    '/usr/bin/alacritty',
    '/usr/bin/doas',
+    '/usr/libexec/gdm-x-session',
    '/usr/bin/dockerd',
    '/usr/bin/fusermount3',
    '/usr/bin/gnome-shell',
--- a/detection/evasion/touched-executable-macos.sql
+++ b/detection/evasion/touched-executable-macos.sql
@ -86,6 +86,7 @@ WHERE
        '/Applications/Canon Utilities/Inkjet Extended Survey Program/Inkjet Extended Survey Program.app/Contents/MacOS/ESPController.app/Contents/Library/LoginItems/CanonIJExtendedSurveyLaunchAgent.app/Contents/MacOS/CanonIJExtendedSurveyLaunchAgent'
      )
      OR p.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
+      OR p.path LIKE '/private/var/folders/%/T/AppTranslocation/%/Contents/MacOS/%'
      OR p.path LIKE '/Applications/%.app/Contents/MacOS/%'
      OR p.path LIKE '/Applications/%.app/Contents/Frameworks/%/Versions/A/Resources/%'
      OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@ -119,7 +119,7 @@ WHERE
    '/var/run/.sim_diagnosticd_socket',
    '/var/run/.vfs_rsrc_streams_0x2b725bbfb94ba4ef0/',
    '/var/setup/.AppleSetupUser',
-    '/var/setup/.TemporaryItems',
+    '/var/setup/.TemporaryItems/',
    '/.vol/',
    '/.VolumeIcon.icns'
  )
--- a/detection/evasion/unusually-tainted-kernel-linux.sql
+++ b/detection/evasion/unusually-tainted-kernel-linux.sql
@ -26,4 +26,4 @@ SELECT current_value AS value,
    current_value & 1 AS proprietary
 FROM system_controls
 WHERE name = "kernel.tainted"
-    AND current_value NOT IN (0, 512, 12289, 4097)
+    AND current_value NOT IN (0, 512, 12289, 12352, 4097)
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -149,8 +149,8 @@ WHERE
    pe.path = '/usr/bin/mkfifo'
    AND (
      p0_cmd LIKE '%/org.gpgtools.log.%/fifo'
-      OR p0_cmd LIKE '/var/%/gitstatus.POWERLEVEL9K.%'
-      OR p0_cmd LIKE '/var/%/p10k.worker.%'
+      OR p0_cmd LIKE '%/var/%/gitstatus.POWERLEVEL9K.%'
+      OR p0_cmd LIKE '%/var/%/p10k.worker.%'
    )
  )
  AND NOT (
--- a/detection/execution/recently-created-executables-macos.sql
+++ b/detection/execution/recently-created-executables-macos.sql
@ -120,6 +120,7 @@ WHERE
    'Developer ID Application: GitHub (VEKTX9H2N7)',
    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
    'Developer ID Application: GPGTools GmbH (PKV8ZPD836)',
+    'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
    'Developer ID Application: Kolide Inc (YZ3EM74M78)',
    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
--- a/detection/execution/relative-exec-low-uid-events.sql
+++ b/detection/execution/relative-exec-low-uid-events.sql
@ -64,6 +64,6 @@ WHERE
    './ksinstall --install=Keystone.tbz'
  )
  AND p0_cmd NOT LIKE './tools/bpf/resolve_btfids/resolve_btfids -b vmlinux /var/lib/dkms/%'
-  AND p0_cmd NOT LIKE './tools/objtool/objtool --hacks=jump_label --link --module%'
+  AND p0_cmd NOT LIKE './tools/objtool/objtool --hacks=jump_label%'
  AND p0_cmd NOT LIKE './out/osqtool-% %'
  AND p0_path NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%/OneDrivePkgTelemetry'
--- a/detection/execution/sketchy-fetcher-events.sql
+++ b/detection/execution/sketchy-fetcher-events.sql
@ -179,6 +179,7 @@ WHERE
      addr IN (
        'releases.hashicorp.com',
        'github.com',
+        'cdn.zoom.us',
        'dl.enforce.dev'
      )
      -- Ignore local addresses (Docker development)
@ -187,3 +188,4 @@ WHERE
      OR ip LIKE '192.168.%'
    )
  )
+  AND NOT p1_cmd LIKE '/usr/bin/bash /usr/bin/makepkg %'
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@ -122,15 +122,18 @@ WHERE
    '/Library/Application Support/EcammLive',
    '/Library/Application Support/GPGTools',
    '~/Library/Application Support/JetBrains',
-    '~/Library/Caches/com.knollsoft.Rectangle',
    '~/Library/Application Support/zoom.us',
+    '~/Library/Caches/com.knollsoft.Rectangle',
    '~/Library/Caches/com.mimestream.Mimestream',
+    '/Library/Application Support/Canon_Inc_IC',
    '~/Library/Caches/snyk',
    '/Library/Developer/CommandLineTools',
    '~/Library/Developer/Xcode',
    '/Library/Google/GoogleSoftwareUpdate',
    '~/Library/Google/GoogleSoftwareUpdate',
+    '/Library/Java/JavaVirtualMachines',
    '/Library/Plug-Ins/FxPlug',
+    '~/Library/Application Support/Foxit Software',
    '/opt/homebrew/Caskroom',
    '/opt/homebrew/Cellar',
    '/opt/homebrew/Library',
@ -151,6 +154,7 @@ WHERE
    '~/Library/Application Support/dev.warp.Warp-Stable',
    '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
    '/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
+    '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources',
    '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
    '/Library/DropboxHelperTools/Dropbox_u501',
    '/Library/Filesystems/kbfuse.fs/Contents/Resources',
@ -185,6 +189,7 @@ WHERE
    '/usr/lib/ibus',
    '/usr/lib/system',
    '/usr/local/bin',
+    '/usr/local/MacGPG2/bin',
    '/usr/sbin'
  ) -- Locally built executables
  AND NOT (
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@ -85,13 +85,14 @@ WHERE
      OR p0_cmd LIKE 'osascript -e set zoomStatus to "closed"%'
      OR p0_cmd LIKE 'osascript -e%tell application "System Preferences"%reveal anchor "shortcutsTab"%"com.apple.preference.keyboard"'
      OR p0_cmd LIKE 'osascript -e tell application "zoom.us"%'
+      OR p0_cmd LIKE 'osascript -l JavaScript /tmp/PKInstallSandbox.%/Scripts/org.gpgtools.gpgmailloader.pkg.%/mailbundle-enabled.jxa -- GPGMailLoader.mailbundle'
      OR p0_cmd LIKE 'osascript openChrome.applescript http://127.0.0.1:%'
      OR p0_cmd LIKE 'osascript openChrome.applescript http%://localhost%'
+      OR p0_cmd LIKE '/usr/bin/osascript /Applications/Amazon Photos.app/Contents/Resources/quit_and_restart_app.scpt /Applications/Amazon Photos.app com.amazon.clouddrive.mac%'
      OR p0_cmd LIKE '/usr/bin/osascript /Users/%/Library/Caches/com.runningwithcrayons.Alfred/Workflow Scripts/%'
      OR p0_cmd LIKE '/usr/bin/osascript /Users/%/osx-trash/trashfile.AppleScript %'
-      OR p0_cmd LIKE '/usr/bin/osascript /Applications/Amazon Photos.app/Contents/Resources/quit_and_restart_app.scpt /Applications/Amazon Photos.app com.amazon.clouddrive.mac%'
-      OR p1_cmd LIKE '%gcloud% auth %login%'
      OR p1_cmd LIKE '%aws %sso%'
+      OR p1_cmd LIKE '%gcloud% auth %login%'
      OR p1_cmd LIKE '% /opt/homebrew/bin/jupyter%notebook'
      OR p1_authority = 'Developer ID Application: Docker Inc (9BNSXJN65R)'
      OR p1_name IN ('yubikey-agent')
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@ -117,6 +117,7 @@ WHERE
    '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
    '500,PrinterProxy,com.apple.print.PrinterProxy,',
    '500,BloomRPC Helper,,',
+    '500,melange-run,a.out,',
    '500,registry-redirect,a.out,',
    '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
    '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
--- a/detection/execution/unexpected-xattr-calls-macos.sql
+++ b/detection/execution/unexpected-xattr-calls-macos.sql
@ -91,6 +91,10 @@ WHERE
    pe.euid > 500
    AND p0_cmd LIKE '%xattr -p com.apple.quarantine %'
  )
+  AND NOT (
+    pe.euid > 500
+    AND p0_cmd LIKE '%xattr -p com.apple.rootless /Users/%/Library/Containers/%'
+  )
  AND NOT (
    pe.euid > 500
    AND p0_cmd LIKE '%xattr -p com.apple.metadata:kMDItemAlternateNames %'
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -35,6 +35,7 @@ WHERE
  AND pp.name NOT IN (
    'abrt-handle-eve',
    'alacritty',
+    'anacron',
    'Alfred',
    'bash',
    'buildkit-runc',
--- a/detection/initial_access/unexpected-volume-contents.sql
+++ b/detection/initial_access/unexpected-volume-contents.sql
@ -96,6 +96,7 @@ WHERE
  )
  AND authority NOT IN (
    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
    'Developer ID Application: Adobe Inc. (JQ525L2MZD)'
  ) -- Unsigned programs here
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@ -51,6 +51,8 @@ WHERE
        'abrt-xorg.service,ABRT Xorg log watcher,,225',
        'accounts-daemon.service,Accounts Service,,1800',
        'accounts-daemon.service,Accounts Service,,675',
+        'gitsign.service,Keyless Git signing with Sigstore!,,900',
+        'supergfxd.service,SUPERGFX,,450',
        'acpid.path,ACPI Events Check,,0',
        'acpid.service,ACPI Daemon,,1125',
        'acpid.service,ACPI event daemon,,225',
--- a/detection/persistence/unexpected-device.sql
+++ b/detection/persistence/unexpected-device.sql
@ -94,6 +94,8 @@ WHERE
    '/dev/fuse',
    '/dev/gpiochip',
    '/dev/hidraw',
+    '/dev/shm/pulse-shm-',
+    '/dev/md/ssdraid',
    '/dev/HID-SENSOR-e..auto',
    '/dev/hpet',
    '/dev/hugepages/',
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -101,7 +101,6 @@ WHERE
    'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
    'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
    'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
-    'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
    'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
    'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
    'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
@ -122,6 +121,7 @@ WHERE
    'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
    'flatpak-system-,/usr/libexec/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
    'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
+    'fprintd,/usr/libexec/fprintd,0,system.slice,fprintd.service,0755',
    'fstrim,/usr/sbin/fstrim,0,system.slice,fstrim.service,0755',
    'fusermount3,/usr/bin/fusermount3,1000,user.slice,user-1000.slice,4755',
    'fusermount3,/usr/bin/fusermount3,127,user.slice,user-127.slice,4755',
@ -193,6 +193,7 @@ WHERE
    'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
    'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
    'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
+    'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
    'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
    'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
    'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
@ -224,6 +225,7 @@ WHERE
    'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
    'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
    'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
+    'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
    'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
    'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
    'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555',
--- a/detection/privesc/unexpected-privilege-escalation_macos.sql
+++ b/detection/privesc/unexpected-privilege-escalation_macos.sql
@ -59,3 +59,7 @@ WHERE
    '/usr/local/bin/doas',
    '/Applications/VMware Fusion.app/Contents/Library/vmware-vmx'
  )
+  AND NOT (
+    p0.path LIKE '/var/folders/%/T/CanonOFI_TEMP/Data/Software/Install/UniversalInstaller.app/Contents/Frameworks/UIx.framework/Resources/relay'
+    AND s.authority = 'Developer ID Application: Canon Inc. (XE2XNRRXZ5)'
+  )
--- a/policy/gcp-service-account-keys-mdfind.sql
+++ b/policy/gcp-service-account-keys-mdfind.sql
@ -20,7 +20,13 @@ FROM
  LEFT JOIN signature ON mdfind.path = signature.path
 WHERE
  mdfind.query = "kMDItemFSName == '*.json'"
-  AND file.filename LIKE "%-%-%.json"
+  AND (
+    file.filename LIKE "%-%-%.json"
+    OR file.filename LIKE 'sa%.json'
+    OR file.filename LIKE '%s%r%v%acc%t%json'
+    OR file.filename LIKE '%prod.json'
+    OR file.filename LIKE 'prod%.json'
+  )
  AND file.size BETWEEN 2311 AND 2385 -- Don't alert on tokens that begin with the username-, as they may be personal
  AND NOT INSTR(file.filename, CONCAT (u.username, "-")) == 1 -- Don't alert on tokens that begin with the users full name and a dash
  AND NOT INSTR(
@ -29,15 +35,18 @@ WHERE
  ) == 1 -- Common locations of test or demo keys
  AND NOT file.directory LIKE '%/go/pkg/%'
  AND NOT file.directory LIKE '%/go/src/%'
+  AND NOT file.directory LIKE '%/pkg/mod/%'
  AND NOT file.directory LIKE '%/aws-sdk/apis'
  AND NOT file.directory LIKE '%/mock-infras/%'
-  AND NOT file.directory LIKE '%/testdata/%'
+  AND NOT file.directory LIKE '%/testdata%'
  AND NOT file.directory LIKE '%/schemas'
  AND NOT file.directory LIKE '/Users/%/Library/Application Support/%'
  AND NOT file.directory LIKE '%demo' -- Common filenames that are non-controversial
  AND NOT file.filename IN (
    'service-account-file.json',
    'redshift-2012-12-01.waiters2.json',
+    'update-all-transforms.json',
+    'update-arrayremove-multi.json',
    'organizations-2016-11-28.paginators.json'
  )
 GROUP BY