Merge pull request #233 from tstromberg/fpr-mar20

fpr: snyk-ls, electron
2024-12-15 10:34:35 +00:00 · 2023-03-24 11:22:53 -04:00 · 2023-03-24 11:22:53 -04:00 · c35144f214
commit c35144f214
parent 608158a179 21cadbeb28
2 changed files with 16 additions and 14 deletions
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@ -105,6 +105,7 @@ WHERE
    '500,gopls,a.out,',
    '500,gopls,gopls,',
    '500,dive,a.out,',
+    '500,snyk-ls_darwin_arm64,a.out,',
    '500,gpg-agent,gpg-agent,',
    '500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
    '500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@ -58,75 +58,76 @@ WHERE
    'bash',
    'bwrap',
    'chrome',
-    'go',
-    'fsnotifier',
    'clamscan',
    'code',
    'com.apple.NRD.UpdateBrainService',
    'docker',
-    'emacs',
    'electron',
+    'emacs',
    'firefox',
-    'osqueryi',
    'fish',
    'fleet_backend',
    'fsdaemon',
+    'fsnotifier',
+    'go',
    'golangci-lint',
-    'Safari',
    'GoogleSoftwareUpdateAgent',
    'gopls',
    'grype',
    'java',
    'kube-apiserver',
    'kube-controller',
-    'ZwiftAppMetal',
    'kube-scheduler',
    'kue',
    'launcher',
    'LogiFacecamService',
+    'melange',
    'nautilus',
    'nessusd',
-    'melange',
    'nix',
-    'tilt',
    'nix-daemon',
    'nvim',
    'osqueryd',
-    'unattended-upgr',
+    'osqueryi',
    'qemu-system-aarch64',
    'qemu-system-x86',
    'qemu-system-x86-64',
+    'Safari',
    'sh',
    'slack',
    'steam',
    'systemd',
    'thunderbird',
+    'tilt',
+    'unattended-upgr',
    'vim',
    'wineserver',
    'yay',
    'ykman-gui',
-    'zsh'
+    'zsh',
+    'ZwiftAppMetal'
  )
  AND NOT p0.path IN (
+    '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
+    '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent',
    '/usr/bin/apt',
    '/usr/bin/darktable',
    '/usr/bin/dockerd',
    '/usr/bin/gnome-shell',
    '/usr/bin/udevadm',
+    '/usr/bin/update-notifier',
+    '/usr/lib64/electron/electron',
    '/usr/libexec/aned',
    '/usr/libexec/coreduetd',
    '/usr/libexec/diskmanagementd',
-    '/usr/bin/update-notifier',
-    '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent',
-    '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
    '/usr/libexec/flatpak-system-helper',
    '/usr/libexec/logd',
    '/usr/libexec/logd_helper',
-    '/usr/libexec/tracker-miner-fs-3',
    '/usr/libexec/packagekitd',
    '/usr/libexec/PerfPowerServices',
    '/usr/libexec/signpost_reporter',
    '/usr/libexec/syspolicyd',
+    '/usr/libexec/tracker-miner-fs-3',
    '/usr/lib/systemd/systemd',
    '/usr/sbin/spindump',
    '/usr/sbin/systemstats'