Merge pull request #325 from tstromberg/fpr-oct2

fpr: containerd, hyper, Docker, Chromium, spotify, busycal
2025-02-19 19:26:55 +00:00 · 2023-10-02 16:13:10 -04:00 · 2023-10-02 16:13:10 -04:00 · db67613a38
commit db67613a38
parent c8f2fa0cb5 bf66053d5c
9 changed files with 27 additions and 13 deletions
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@ -11,7 +11,7 @@ SELECT
  s.family,
  s.path,
  s.fd,
-  REPLACE("::ffff:", "", s.remote_address),
+  REPLACE(s.remote_address, "::ffff:", "") AS remote_address,
  s.remote_port,
  s.local_port,
  COALESCE(REGEX_MATCH (s.path, '.*/(.*)', 1), s.path) AS basename,
@ -103,6 +103,8 @@ WHERE
  AND NOT exception_key IN (
    '500,0,110,syncthing',
    '500,0,123,sntp',
+    '500,0,53,spotify',
+    '500,0,1234,spotify',
    '500,0,20480,io.tailscale.ipn.macsys.network-extension',
    '500,0,22,ssh',
    '500,0,31488,sntp',
@ -131,6 +133,7 @@ WHERE
    '500,0,443,ssh',
    '500,500,53,Code Helper',
    '500,0,43,whois',
+    '500,0,443,spotify',
    '500,0,443,syncthing',
    '500,0,443,velociraptor',
    '500,0,443,wget',
--- a/detection/evasion/old-binaries-running.sql
+++ b/detection/evasion/old-binaries-running.sql
@ -56,6 +56,7 @@ WHERE
    '/usr/bin/sshfs',
    '/usr/bin/xclip',
    '/usr/bin/xss-lock',
+    '/usr/bin/i3lock',
    '/usr/local/bin/dive'
  )
  AND p.name NOT IN (
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
@ -64,6 +64,7 @@ WHERE
    '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
    'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
    'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
+    'Apple Mac OS Application Signing,com.busymac.busycal3,/Applications/BusyCal.app/,0',
    'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
    'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
    'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
@ -73,6 +74,7 @@ WHERE
    'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
    'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
+    'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
    'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
@ -81,7 +83,6 @@ WHERE
    'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
    'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
    'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
-    'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
    'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
    'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
    'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -209,6 +209,7 @@ WHERE
    'yara,500,bash,fish',
    'ssh,500,limactl.ventura,launchd',
    'git,500,zsh,login',
+    'bat,500,zsh,login',
    'git,500,zsh,goland',
    'sh,0,Ecamm Live,launchd',
    'cat,500,zsh,login'
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@ -258,7 +258,10 @@ WHERE
  ) -- Locally built executables
  AND NOT (
    s.identifier = 'a.out'
-    AND dir LIKE '~/%'
+    AND (
+      dir LIKE '~/%'
+      OR dir LIKE '/Users/%'
+    )
    AND p1_name IN ('fish', 'sh', 'bash', 'zsh', 'terraform', 'code')
  )
  AND NOT (
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@ -96,6 +96,9 @@ WHERE
    '500,Duckly Helper,Electron Helper,',
    '500,Duckly,Electron,',
    '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
+    '500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
+    '500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
+    '500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
    '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
    '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
    '500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
@ -126,8 +129,6 @@ WHERE
    '500,bash,bash,',
    '500,bash,com.apple.bash,Software Signing',
    '500,bufls,a.out,',
-    '500,timestamp-server,a.out,',
-    '500,docker,a.out,',
    '500,chainctl,a.out,',
    '500,cloud-sql-proxy,a.out,',
    '500,cloud-sql-proxy.darwin.arm64,a.out,',
@ -137,11 +138,9 @@ WHERE
    '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
    '500,crane,a.out,',
    '500,debug.test,a.out,',
-    '500,gke-gcloud-auth-plugin,a.out,',
    '500,dive,a.out,',
-    '500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
-    '500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
    '500,dlv,a.out,',
+    '500,docker,a.out,',
    '500,epdfinfo,epdfinfo,',
    '500,esbuild,,',
    '500,esbuild,a.out,',
@ -149,6 +148,7 @@ WHERE
    '500,git,git,',
    '500,gitsign,a.out,',
    '500,gitsign-credential-cache,a.out,',
+    '500,gke-gcloud-auth-plugin,a.out,',
    '500,go,a.out,',
    '500,gopls,a.out,',
    '500,gopls,gopls,',
@ -164,6 +164,7 @@ WHERE
    '500,mattermost,a.out,',
    '500,melange,a.out,',
    '500,melange-run,a.out,',
+    '500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
    '500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
    '500,monorail,a.out,',
    '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
@ -172,6 +173,7 @@ WHERE
    '500,registry-redirect,a.out,',
    '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
    '500,scdaemon,scdaemon,',
+    '500,Chromium,Chromium,',
    '500,sdaudioswitch,,',
    '500,sdaudioswitch,sdaudioswitch,',
    '500,sdzoomplugin,,',
@ -184,6 +186,7 @@ WHERE
    '500,tflint,a.out,',
    '500,tflint-ruleset-aws,a.out,',
    '500,tflint-ruleset-google,a.out,',
+    '500,timestamp-server,a.out,',
    '500,vim,,',
    '500,vim,vim,'
  )
--- a/detection/initial_access/sketchy-mounted-diskimage.sql
+++ b/detection/initial_access/sketchy-mounted-diskimage.sql
@ -97,7 +97,6 @@ WHERE
    OR (
      (
        vol_name LIKE "Install%"
-
        -- The rest are synced with sketchy-download-names
        OR vol_name LIKE "%.app%"
        OR vol_name LIKE "%AnyDesk%"
@ -174,6 +173,8 @@ WHERE
      -- emacs
      AND magic.data NOT LIKE 'symbolic link to bin-x86%'
      AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
+      -- Docker
+      AND magic.data NOT LIKE 'cannot open%'
    )
  )
 GROUP BY
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -157,6 +157,7 @@ WHERE
  AND p1_path NOT IN (
    '/Applications/Docker.app/Contents/MacOS/Docker',
    '/Applications/Docker.app/Contents/MacOS/install',
+    '/Applications/Hyper.app/Contents/MacOS/Hyper',
    '/Applications/Visual Studio Code.app/Contents/MacOS/Electron',
    '/Applications/Docker.app/Contents/Resources/bin/com.docker.cli',
    '/Applications/Docker.app/Contents/Resources/bin/docker-credential-desktop',
--- a/detection/persistence/yara-suspicious-strings-process-linux.sql
+++ b/detection/persistence/yara-suspicious-strings-process-linux.sql
@ -43,8 +43,7 @@ FROM
  LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
  p0.start_time > (strftime('%s', 'now') - 7200)
-  AND
-  yara.sigrule = '    
+  AND yara.sigrule = '    
    rule redflags {
    strings:
        $bash_history = ".bash_history"
@ -90,6 +89,7 @@ WHERE
    '/usr/bin/sudo',
    '/usr/bin/bash',
    '/usr/bin/containerd-shim-runc-v2',
+    '/bin/containerd-shim-runc-v2',
    '/usr/bin/docker-proxy',
    '/usr/bin/fish',
    '/usr/bin/gnome-software',
@ -102,7 +102,7 @@ WHERE
    '/usr/bin/udevadm',
    '/usr/bin/update-notifier',
    '/usr/bin/Xwayland',
-    '/usr/lib/bluetooth/bluetoothd',    
+    '/usr/lib/bluetooth/bluetoothd',
    '/usr/lib/bluetooth/obexd',
    '/usr/libexec/accounts-daemon',
    '/usr/libexec/bluetooth/bluetoothd',
@ -123,4 +123,4 @@ WHERE
    '/usr/sbin/NetworkManager',
    '/usr/sbin/rsyslogd',
    '/usr/sbin/smartd'
-  )
+  )