diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
index c0f548c..cb26612 100644
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
@@ -69,21 +69,24 @@ WHERE
 '0,dockerd,0u,0g,dockerd',
 '0,flatpak-system-helper,0u,0g,flatpak-system-',
 '0,git-remote-http,0u,0g,git-remote-http',
+ '0,go,0u,0g,go',
 '0,gtk4-update-icon-cache,0u,0g,gtk-update-icon',
 '0,http,0u,0g,https',
 '0,kmod,0u,0g,depmod',
 '0,launcher,0u,0g,launcher',
 '0,launcher,500u,500g,launcher',
 '0,ldconfig,0u,0g,ldconfig',
+ '0,make,0u,0g,make',
 '0,nessusd,0u,0g,nessusd',
 '0,nix,0u,0g,nix',
 '0,nix,0u,0g,nix-daemon',
+ '0,orbit,0u,0g,orbit',
+ '0,osqueryd,0u,0g,osqueryd',
 '0,packagekitd,0u,0g,packagekitd',
 '0,pacman,0u,0g,pacman',
 '0,python3.10,0u,0g,dnf',
 '0,python3.10,0u,0g,dnf-automatic',
 '0,python3.10,0u,0g,yum',
- '500,evolution-source-registry,0u,0g,evolution-sourc',
 '0,python3.11,0u,0g,dnf',
 '0,python3.11,0u,0g,dnf-automatic',
 '0,python3.11,0u,0g,yum',
@@ -124,6 +127,7 @@ WHERE
 '500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
 '500,code,0u,0g,code',
 '500,code,500u,500g,code',
+ '500,code,u,g,code',
 '500,containerd,u,g,containerd',
 '500,copilot-agent-linux,500u,500g,copilot-agent-l',
 '500,cosign,500u,500g,cosign',
@@ -140,9 +144,11 @@ WHERE
 '500,electron,0u,0g,electron',
 '500,evolution-addressbook-factory,0u,0g,evolution-addre',
 '500,evolution-calendar-factory,0u,0g,evolution-calen',
+ '500,evolution-source-registry,0u,0g,evolution-sourc',
 '500,firefox,0u,0g,firefox',
 '500,firefox,0u,0g,.firefox-wrappe',
 '500,firefox,0u,0g,Socket Process',
+ '500,firefox-bin,u,g,firefox-bin',
 '500,flameshot,0u,0g,flameshot',
 '500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut',
 '500,flux,500u,500g,flux',
@@ -160,12 +166,9 @@ WHERE
 '500,gnome-recipes,0u,0g,gnome-recipes',
 '500,gnome-shell,0u,0g,gnome-shell',
 '500,gnome-software,0u,0g,gnome-software',
- '0,go,0u,0g,go',
 '500,go,0u,0g,go',
- '500,code,u,g,code',
 '500,go,500u,500g,go',
 '500,goa-daemon,0u,0g,goa-daemon',
- '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
 '500,___go_build_main_go,500u,500g,___go_build_mai',
 '500,go,u,g,go',
 '500,grafana,u,g,grafana',
@@ -229,7 +232,6 @@ WHERE
 '500,python3.10,0u,0g,aws',
 '500,python3.10,0u,0g,python',
 '500,python3.10,0u,0g,python3',
- '0,osqueryd,0u,0g,osqueryd',
 '500,python3.11,0u,0g,aws',
 '500,python3.11,0u,0g,gnome-abrt',
 '500,python3.11,0u,0g,protonvpn',
@@ -252,7 +254,6 @@ WHERE
 '500,spotify,500u,500g,spotify',
 '500,spotify,u,g,spotify',
 '500,steam,500u,100g,steam',
- '500,buildkite-agent,500u,500g,buildkite-agent',
 '500,steam,500u,500g,steam',
 '500,steamwebhelper,500u,100g,steamwebhelper',
 '500,steamwebhelper,500u,500g,steamwebhelper',
@@ -267,16 +268,15 @@ WHERE
 '500,thunderbird,0u,0g,thunderbird',
 '500,thunderbird,u,g,thunderbird',
 '500,tilt,500u,500g,tilt',
+ '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
 '500,todoist,0u,0g,todoist',
 '500,trivy,0u,0g,trivy',
 '500,trivy,500u,500g,trivy',
- '500,firefox-bin,u,g,firefox-bin',
 '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
 '500,wget,0u,0g,wget',
- '0,make,0u,0g,make',
+ '500,wine64-preloader,500u,500g,DaveTheDiver.ex',
 '500,wine64-preloader,500u,500g,Root.exe',
 '500,wolfictl,500u,500g,wolfictl',
- '0,orbit,0u,0g,orbit',
 '500,WPILibInstaller,500u,500g,WPILibInstaller',
 '500,xmobar,0u,0g,xmobar',
 '500,yay,0u,0g,yay',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 800cc3e..82368a5 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
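Review bot: The new entry `'500,wine64-preloader,500u,500g,DaveTheDiver.ex'` in the last hunk of this file exempts any Wine-launched process whose truncated name is `DaveTheDiver.ex`; the key appears to be built from uid, name, euid/egid and a truncated command name only, with no path, hash or signer, so the exemption rests on a name that any Windows binary run under Wine could carry (the existing `Root.exe` entry has the same shape). A short comment on the line recording why it was added, e.g. `-- wine: game process, name-only match`, would make the next review of this list easier, and it is worth checking whether this query can key the Wine exceptions on the executable path instead of the name alone.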
@@ -115,17 +115,16 @@ WHERE
 AND s.authority = 'Software Signing'
 )
 AND NOT exception_key IN (
+ '0,6,5228,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
 '0,6,80,prl_naptd,prl_naptd,Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
 '500,17,123,Garmin Express,Garmin Express,Developer ID Application: Garmin International (72ES32VZUA),com.garmin.renu.client',
 '500,17,68,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
 '500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
 '500,17,9000,Meeting Center,Meeting Center,Developer ID Application: Cisco (DE8Y96K9QP),com.webex.meetingmanager',
 '500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
- '500,6,80,Wavebox Helper,Wavebox Helper,Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
 '500,6,22,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
 '500,6,22,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
 '500,6,2869,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
- '500,6,80,Brackets,Brackets,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K),io.brackets.appshell',
 '500,6,32000,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
 '500,6,32400,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
 '500,6,32768,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
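Review bot: The added `'0,6,5228,prl_naptd,…'` entry exempts the Parallels NAT daemon (`com.parallels.naptd`, running as uid 0) on TCP 5228, alongside the existing port-80 entry for the same process. Because a NAT daemon relays whatever the guest VM sends, each port-scoped entry for it silences every guest-originated connection on that port, and this list will keep growing one port at a time; a comment on the new line recording what prompted it, e.g. `-- Parallels guest traffic relayed by naptd`, would make that trade-off visible. If the intent is to trust the daemon regardless of port, the identifier-based `id_exception_key` list later in this file is the more honest place for it.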
@@ -137,6 +136,7 @@ WHERE
 '500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
 '500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
 '500,6,80,Arc Helper,Arc Helper,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
+ '500,6,80,Brackets,Brackets,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K),io.brackets.appshell',
 '500,6,80,CEPHtmlEngine Helper,CEPHtmlEngine Helper,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.cep.CEPHtmlEngine Helper',
 '500,6,80,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
 '500,6,80,Code - Insiders Helper (Plugin),Code - Insiders Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
@@ -159,6 +159,7 @@ WHERE
 '500,6,80,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
 '500,6,80,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
 '500,6,80,Twitter,Twitter,Apple Mac OS Application Signing,maccatalyst.com.atebits.Tweetie2',
+ '500,6,80,Wavebox Helper,Wavebox Helper,Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
 '500,6,80,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),WhatsApp',
 '500,6,993,Mimestream,Mimestream,Developer ID Application: Mimestream, LLC (P2759L65T8),com.mimestream.Mimestream',
 '500,6,993,thunderbird,thunderbird,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird'
@@ -194,19 +195,19 @@ WHERE
 OR pos.remote_port > 1024
 )
 AND id_exception_key IN (
- 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
+ 'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
 'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
- 'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
- 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
- 'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking',
- 'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
+ 'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
+ 'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
 'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
 'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
 'Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
- 'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper'
+ 'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
+ 'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
+ 'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking'
 )
 )
 GROUP BY
diff --git a/detection/evasion/hidden-home-libappsupport.sql b/detection/evasion/hidden-home-libappsupport.sql
index 94764bf..225870b 100644
--- a/detection/evasion/hidden-home-libappsupport.sql
+++ b/detection/evasion/hidden-home-libappsupport.sql
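Review bot: `com.bookry.wavebox.helper` is added here to `id_exception_key`, which, judging by the `OR pos.remote_port > 1024` condition visible just above, waives the port check for that signer+bundle pair, while the same helper is also re-added to the per-port `exception_key` list on port 80 in the earlier hunk of this file. If the OR chain above this hunk (not visible here) also covers port 80, the port-80 entry is now redundant; if it does not, a one-line comment stating which list is meant to carry Wavebox would stop the next edit from deleting the wrong one. The enclosing predicate starts above this hunk.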
@@ -45,28 +45,29 @@ WHERE
 AND size > 0
 )
 AND NOT homedir IN (
+ '~/Library/Application Support/1Password',
 '~/Library/Application Support/Adobe',
 '~/Library/Application Support/Beeper',
- '~/Library/Application Support/com.tinyapp.TablePlus',
- '~/Library/Application Support/Jabra Direct',
- '~/Library/Application Support/discord',
- '~/Library/Application Support/Keybase',
- '~/Library/Application Support/1Password',
- '~/Library/Application Support/com.intelliscapesolutions.caffeine',
- '~/Library/Application Support/com.psiexams.psi-bridge-secure-browser',
- '~/Library/Application Support/GitHub Desktop',
- '~/Library/Application Support/Loom',
- '~/Library/Application Support/ZaloApp',
- '~/Library/Application Support/ZaloPC',
- '~/Library/Application Support/com.bohemiancoding.sketch3',
- '~/Library/Application Support/DropboxElectron',
- '~/Library/Application Support/Docker Desktop',
- '~/Library/Application Support/Slack',
 '~/Library/Application Support/Code',
- '~/Library/Application Support/lghub',
- '~/Library/Application Support/com.operasoftware.Opera',
 '~/Library/Application Support/com.apple.spotlight',
- '~/Library/Application Support/Lens'
+ '~/Library/Application Support/com.bohemiancoding.sketch3',
+ '~/Library/Application Support/com.intelliscapesolutions.caffeine',
+ '~/Library/Application Support/com.operasoftware.Opera',
+ '~/Library/Application Support/com.psiexams.psi-bridge-secure-browser',
+ '~/Library/Application Support/com.tinyapp.TablePlus',
+ '~/Library/Application Support/discord',
+ '~/Library/Application Support/Docker Desktop',
+ '~/Library/Application Support/DropboxElectron',
+ '~/Library/Application Support/GitHub Desktop',
+ '~/Library/Application Support/Jabra Direct',
+ '~/Library/Application Support/Keybase',
+ '~/Library/Application Support/Lens',
+ '~/Library/Application Support/lghub',
+ '~/Library/Application Support/Loom',
+ '~/Library/Application Support/Presenting',
+ '~/Library/Application Support/Slack',
+ '~/Library/Application Support/ZaloApp',
+ '~/Library/Application Support/ZaloPC'
 )
 AND NOT homepath IN (
 '~/Library/Application Support/.Shadowland5.5',
diff --git a/detection/evasion/parent-missing-from-disk-linux.sql b/detection/evasion/parent-missing-from-disk-linux.sql
index 691ad98..d5ecbcc 100644
--- a/detection/evasion/parent-missing-from-disk-linux.sql
+++ b/detection/evasion/parent-missing-from-disk-linux.sql
@@ -76,16 +76,17 @@ WHERE
 '/usr/share/code/code'
 ) -- long-running launchers
 AND NOT p1.name IN (
+ 'bash',
+ 'dnf',
+ 'electron',
+ 'fish',
+ 'gnome-shell',
+ 'kubelet',
+ 'kube-proxy',
 'lightdm',
 'nvim',
- 'electron',
 'sh',
- 'gnome-shell',
- 'fish',
- 'bash',
- 'slack',
- 'kube-proxy',
- 'kubelet'
+ 'slack'
 ) -- These alerts were unfortunately useless - lots of spam on macOS
 AND NOT (
 p1.path LIKE '/app/%'
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 64eaed8..8ff75d3 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -138,6 +138,7 @@ WHERE
 '~/Library/Application Support/BraveSoftware',
 '/Library/Application Support/Canon_Inc_IC',
 '~/.docker/cli-plugins/docker-sbom',
+ '/Library/Application Support/com.canonical.multipass',
 '~/.docker/cli-plugins',
 '~/Library/Application Support/minecraft',
 '~/Library/Application Support/com.elgato.StreamDeck',
@@ -270,6 +271,7 @@ WHERE
 AND dir NOT LIKE '/private/tmp/go-build%/exe'
 AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
 AND dir NOT LIKE '/private/tmp/nix-build-%'
+ AND dir NOT LIKE '/private/var/folders/%/T/cargo-install%'
 AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%'
 AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS'
 AND dir NOT LIKE '/private/var/folders/%/bin'
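Review bot: `'dnf'` is added to the `p1.name` list that sits under the `) -- long-running launchers` comment, but a package manager is not a launcher; presumably it lands here because dnf replaces binaries, possibly its own interpreter, while still running, which is exactly the parent-missing-from-disk condition this query looks for. The comment should say so, e.g. `) -- long-running launchers, plus package managers whose binaries are replaced mid-run`, so the entry is not pruned as a mistake later. The new order also places `'kubelet'` before `'kube-proxy'` although `-` sorts before `l`, so the list is not strictly sorted.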
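Review bot: `'/Library/Application Support/com.canonical.multipass'` is exempted by directory alone in the first hunk of unexpected-execdir-events-macos.sql, while a later hunk of the same file also adds `'Developer ID Application: Canonical Group Limited (X4QN7LTP59)'` to the `s.authority NOT IN` list. The path entry bypasses the signature check entirely, so anything executed from that directory is exempt regardless of who signed it; if the signer exemption is sufficient for multipass, prefer dropping the path one, otherwise add a comment on the path line saying why both are needed. The entry is also placed between the two `~/.docker/cli-plugins` lines rather than next to the other `/Library/Application Support` entries.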
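Review bot: `AND dir NOT LIKE '/private/var/folders/%/T/cargo-install%'` exempts any executable running from a user temp directory whose name merely starts with `cargo-install`, since the pattern has no suffix anchor and `%` spans path separators. If cargo's temporary install targets always contain a fixed subpath (worth confirming against a real `cargo install` run before relying on it), anchoring that suffix would keep the exception from matching an arbitrary look-alike tree; a `-- cargo install builds under $TMPDIR` comment would also record the intent. The line is also out of order with its neighbours, which are otherwise sorted by path.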
@@ -286,23 +288,21 @@ WHERE
 AND s.authority NOT IN (
 'Apple iPhone OS Application Signing',
 'Apple Mac OS Application Signing',
- 'Developer ID Application: reMarkable AS (4FFUD2H2F6)',
 'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
- 'Developer ID Application: Cisco (DE8Y96K9QP)',
 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
+ 'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
+ 'Developer ID Application: Cisco (DE8Y96K9QP)',
 'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
- 'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 'Developer ID Application: Docker Inc (9BNSXJN65R)',
- 'Developer ID Application: Mojang AB (HR992ZEAE6)',
 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
 'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
- 'Developer ID Application: Snyk Limited (97QYW7LHSF)',
 'Developer ID Application: Google LLC (EQHXZ8M8AV)',
 'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
 'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
 'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
+ 'Developer ID Application: Mojang AB (HR992ZEAE6)',
 'Developer ID Application: Ned Deily (DJ3H93M7VJ)',
 -- ^-- Python
 'Developer ID Application: Node.js Foundation (HX7739G8FX)',
@@ -310,6 +310,9 @@ WHERE
 'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
 'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
 'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
+ 'Developer ID Application: reMarkable AS (4FFUD2H2F6)',
+ 'Developer ID Application: Snyk Limited (97QYW7LHSF)',
+ 'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
 'Developer ID Application: TablePlus Inc (3X57WP8E8V)',
 'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
 'Developer ID Application: Valve Corporation (MXGJJ98X76)',
diff --git a/detection/initial_access/sketchy-mounted-diskimage.sql b/detection/initial_access/sketchy-mounted-diskimage.sql
index a5e5488..cb0c2e3 100644
--- a/detection/initial_access/sketchy-mounted-diskimage.sql
+++ b/detection/initial_access/sketchy-mounted-diskimage.sql
@@ -128,13 +128,17 @@ WHERE
 ) -- 7. Volumes containing a top-level symlink to something other than /Applications, such as yWnBJLaF (1302.app)
 OR (
 file.symlink = 1
- AND magic.data != 'symbolic link to /Applications'
- AND magic.data != 'symbolic link to /Applications/'
- AND magic.data != 'symbolic link to .'
+ AND magic.data NOT IN (
+ '/Library/Application Support/Apple/Safari/SafariForWebKitDevelopment',
+ 'symbolic link to .',
+ 'symbolic link to /Applications',
+ 'symbolic link to /Applications/',
+ 'symbolic link to ../Resources/public',
+ 'symbolic link to steam_osx'
+ )
 -- emacs
- AND magic.data != 'symbolic link to bin-x86%'
+ AND magic.data NOT LIKE 'symbolic link to bin-x86%'
 AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
- AND magic.data NOT LIKE 'symbolic link to /Library/Application Support/Apple/Safari/SafariForWebKitDevelopment'
 )
 )
 GROUP BY
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index f0d4724..c1bba41 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -38,12 +38,12 @@ WHERE
 AND file.btime > (strftime('%s', 'now') -86400)
 AND domain NOT IN (
 'adobe.com',
- 'asana.com',
 'akmedia.digidesign.com',
 'alfredapp.com',
 'android.com',
 'apple.com',
 'arc.net',
+ 'asana.com',
 'balena.io',
 'balsamiq.com',
 'brave.com',
@@ -94,8 +94,10 @@ WHERE
 'osuosl.org',
 'pqrs.org',
 'prusa3d.com',
+ 'amazon.com',
 'remarkable.com',
 'rewind.ai',
+ 's3.amazonaws.com',
 'securew2.com',
 'signal.org',
 'skype.com',
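Review bot: The Safari exception in sketchy-mounted-diskimage.sql is broken by the rewrite: the removed line matched `'symbolic link to /Library/Application Support/Apple/Safari/SafariForWebKitDevelopment'`, but the value placed in the new `NOT IN` list is `'/Library/Application Support/Apple/Safari/SafariForWebKitDevelopment'` without the `symbolic link to ` prefix that every other entry carries, so `magic.data` will never equal it and those volumes will start alerting again. Change it to `'symbolic link to /Library/Application Support/Apple/Safari/SafariForWebKitDevelopment',`. The `!=` to `NOT LIKE` change on the `bin-x86%` line is a genuine fix, since `!=` treated the `%` literally; the two new entries (`../Resources/public`, `steam_osx`) would benefit from the same kind of one-word origin comment the `-- emacs` line already has.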
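Review bot: `'s3.amazonaws.com'` in `domain NOT IN` exempts every S3 bucket host, since any bucket can be addressed as `<bucket>.s3.amazonaws.com`, which is the kind of generic hosting this file's own `-- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here` warns against and which the existing `host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'` pattern deliberately avoids. How broad the entry really is depends on how `domain` is derived, which is not visible here; if it is the host's registrable or trailing labels, replace it with a `host` pattern scoped to the specific bucket that caused the alert. `'amazon.com'` and `'s3.amazonaws.com'` are also inserted out of alphabetical order in an otherwise sorted list.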
@@ -123,6 +125,7 @@ WHERE
 -- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here
 AND host NOT IN (
 'arc.net',
+ 'presenting.app',
 'adoptium.net',
 'balsamiq.com',
 'brave.com',
@@ -162,6 +165,7 @@ WHERE
 -- Yes, these are meant to be fairly broad.
 AND host NOT LIKE 'download%'
 AND host NOT LIKE 'cdn%'
+ AND host NOT LIKE '%.cdn.%.com'
 AND host NOT LIKE '%.edu'
 AND host NOT LIKE 'github-production-release-asset-%.s3.amazonaws.com'
 AND host NOT LIKE '%.org'
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index 1c0c3e6..22f3aa1 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -280,9 +280,14 @@ WHERE -- Focus on longer-running programs
 '/usr/sbin/systemstats',
 '/usr/sbin/WirelessRadioManagerd'
 )
+ AND NOT path LIKE '/nix/store/%-nix-%/bin/nix'
+ AND NOT path LIKE '/opt/homebrew/Cellar/htop/%/bin/htop'
+ AND NOT path LIKE '/opt/homebrew/Cellar/btop/%/bin/btop'
+ AND NOT path LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
+ AND NOT path LIKE '/usr/local/Cellar/htop/%/bin/htop'
+ AND NOT path LIKE '/usr/local/Cellar/btop/%/bin/btop'
 AND NOT path LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher'
 AND NOT path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
- AND NOT path LIKE '/usr/local/Cellar/htop/%/bin/htop'
 GROUP BY
 path
 )
@@ -315,14 +320,6 @@ WHERE -- Focus on longer-running programs
 'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
 'Software Signing'
 )
- AND NOT (
- p0.path LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
- AND s.identifier = 'socket_vmnet'
- )
- AND NOT (
- p0.path LIKE '/nix/store/%-nix-%/bin/nix'
- AND s.identifier = 'nix'
- )
 AND NOT (
 p0.path = '/Library/Printers/DYMO/Utilities/pnpd'
 AND s.identifier = 'pnpd'
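Review bot: The `nix` and `socket_vmnet` exemptions added in the `@@ -280` hunk of unexpected-uid0-daemon-macos.sql are path-only, whereas the `AND NOT (p0.path LIKE … AND s.identifier = …)` blocks removed in the following `@@ -315` hunk also required the matching code-signing identifier; the commit therefore weakens both exceptions, and adds `htop`/`btop` under `/opt/homebrew/Cellar` in the same path-only form. `/opt/homebrew` is ordinarily owned by the installing user rather than root, so a root-running binary placed at a path matching `/opt/homebrew/Cellar/btop/%/bin/btop` is now exempt with no signature check at all. If the identifier check was dropped because these binaries are unsigned or ad-hoc signed, a comment on the first new line saying so, e.g. `-- path-only: Homebrew/nix builds are not Developer ID signed`, would make that an explicit decision rather than an apparent regression.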