Merge pull request #348 from tstromberg/rapid7-elastic-bob

fpr: elastic, rapid7, zwift

detection/c2/unexpected-talker-events.sql

@@ -113,11 +113,12 @@ WHERE
     '500,0,1234,spotify',
     '500,0,123,sntp',
     '500,0,20480,io.tailscale.ipn.macsys.network-extension',
-    '500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService',
     '500,0,22,ssh',
     '500,0,31488,sntp',
-    '500,0,443,go',
+    '500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService',
     '500,0,32768,com.apple.NRD.UpdateBrainService',
+    '500,0,32768,elastic-endpoint',
+    '500,500,443,ZwiftAppSilicon',
     '500,0,32768,firefox',
     '500,0,32768,io.tailscale.ipn.macsys.network-extension',
     '500,0,32768,ksfetch',
@@ -134,13 +135,16 @@ WHERE
     '500,0,443,com.fortinet.forticlient.macos.vpn.nwextension',
     '500,0,443,com.google.one.NetworkExtension',
     '500,0,443,curl',
+    '500,0,443,elastic-endpoint',
     '500,0,443,electron',
     '500,0,443,firefox',
     '500,0,443,fwupdmgr',
     '500,0,443,git-remote-http',
     '500,0,443,gnome-software',
+    '500,0,443,go',
     '500,0,443,http',
     '500,0,443,io.tailscale.ipn.macsys.network-extension',
+    '500,0,443,ir_agent',
     '500,0,443,kioslave5',
     '500,0,443,ksfetch',
     '500,0,443,launcher',
@@ -149,13 +153,11 @@ WHERE
     '500,0,443,node',
     '500,0,443,OneDriveStandaloneUpdater',
     '500,0,443,pingsender',
-    '500,0,9,snapd',
     '500,0,443,slack',
     '500,0,443,snapd',
     '500,0,443,spotify',
     '500,0,443,ssh',
     '500,0,443,syncthing',
-    '500,500,443,Acrobat Updater',
     '500,0,443,velociraptor',
     '500,0,443,wget',
     '500,0,5228,chrome',
@@ -165,13 +167,10 @@ WHERE
     '500,0,53,launcher',
     '500,0,53,nessusd',
     '500,0,53,NetworkManager',
-    '500,99,32768,Slack',
     '500,0,53,slack',
     '500,0,53,spotify',
-    '500,500,32768,G2MUpdate',
     '500,0,53,wget',
     '500,0,5632,ssh',
-    '500,0,53,nessusd',
     '500,0,80,chrome',
     '500,0,80,com.apple.NRD.UpdateBrainService',
     '500,0,80,electron',
@@ -179,8 +178,8 @@ WHERE
     '500,0,80,http',
     '500,0,80,io.tailscale.ipn.macsys.network-extension',
     '500,0,80,ksfetch',
-    '500,500,53,gitsign',
     '500,0,9,launcher',
+    '500,0,9,snapd',
     '500,500,13568,Code Helper',
     '500,500,20480,Code Helper',
     '500,500,20480,GoogleUpdater',
@@ -192,14 +191,14 @@ WHERE
     '500,500,32768,cloud-sql-proxy',
     '500,500,32768,Code Helper',
     '500,500,32768,Electron',
+    '500,500,32768,G2MUpdate',
     '500,500,32768,GoogleUpdater',
     '500,500,32768,java',
-    '500,99,443,Slack Helper',
     '500,500,32768,ksfetch',
-    '500,0,32768,elastic-endpoint',
     '500,500,32768,melange',
     '500,500,32768,node',
     '500,500,4318,Code Helper (Plugin)',
+    '500,500,443,Acrobat Updater',
     '500,500,443,apk',
     '500,500,443,aws',
     '500,500,443,chainctl',
@@ -224,7 +223,6 @@ WHERE
     '500,500,443,istioctl',
     '500,500,443,ksfetch',
     '500,500,443,kubectl',
-    '500,99,443,Slack',
     '500,500,443,minikube',
     '500,500,443,node',
     '500,500,443,old',
@@ -233,6 +231,7 @@ WHERE
     '500,500,443,syft',
     '500,500,443,wolfictl',
     '500,500,53,Code Helper',
+    '500,500,53,gitsign',
     '500,500,80,cloud_sql_proxy',
     '500,500,80,Code Helper',
     '500,500,80,Code Helper (Plugin)',
@@ -240,7 +239,10 @@ WHERE
     '500,500,80,Google Chrome Helper',
     '500,500,80,GoogleUpdater',
     '500,500,80,ksfetch',
-    '500,500,80,node'
+    '500,500,80,node',
+    '500,99,32768,Slack',
+    '500,99,443,Slack',
+    '500,99,443,Slack Helper'
   )
   AND NOT exception_key LIKE '500,500,443,terraform%'
   AND NOT exception_key LIKE '500,0,%,syncthing'

detection/c2/unexpected-talkers-macos.sql

@@ -227,15 +227,15 @@ WHERE
     )
     AND id_exception_key IN (
       'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
-      'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
       'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
-      'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
+      'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
+      'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
       'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
       'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
-      'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
       'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
       'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
       'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
+      'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
       'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
       'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
@@ -245,6 +245,7 @@ WHERE
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
+      'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
       'Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
       'Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
       'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
@@ -255,7 +256,8 @@ WHERE
       'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
       'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
       'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
-      'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking'
+      'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking',
+      'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'
     )
   )
 GROUP BY

detection/evasion/missing-from-disk-macos.sql

@@ -22,6 +22,7 @@ SELECT
   p.cwd,
   p.on_disk,
   p.state,
+  strftime('%s', 'now') - p.start_time AS age,
   pp.on_disk AS parent_on_disk,
   pp.path AS parent_path,
   pp.cmdline AS parent_cmd,
@@ -33,7 +34,7 @@ FROM
   LEFT JOIN hash ON pp.path = hash.path
 WHERE
   p.on_disk != 1 -- false positives from recently spawned processes
-  AND (strftime('%s', 'now') - p.start_time) > 15
+  AND (strftime('%s', 'now') - p.start_time) > 900
   AND p.pid > 0
   AND p.parent != 2 -- kthreadd
   AND p.state != 'Z' -- The kernel no longer has enough tracking information for this alert to be useful

detection/evasion/unexpected-hidden-system-paths.sql

@@ -67,6 +67,7 @@ WHERE
     '/.lesshst',
     '/.mozilla/',
     '/.vol/',
+    '/var/root/.zsh_history',
     '/dev/.mdadm/',
     '/etc/.#sudoers',
     '/etc/.clean',

detection/execution/recently-created-executables-long-lived-macos.sql

@@ -86,28 +86,29 @@ WHERE
         '~/Library/Application Support/BraveSoftware/',
         '~/Library/Application Support/com.elgato.StreamDeck/',
         '~/Library/Application Support/duckly/',
-        '~/Library/Application Support/com.elgato.StreamDeck/',
-        '~/Library/Application Support/Figma/',
-        '~/.vscode/extensions/ms-vscode.cpptools-1.15.4-darwin-arm64/',
-        '~/Library/Application Support/Steam/',
-        '~/Library/Application Support/Zed/',
-        '~/Library/Application Support/WebEx Folder/',
         '/Library/Application Support/EcammLive',
-        '/usr/local/kolide-k2/Kolide.app/Contents/MacOS',
+        '~/Library/Application Support/Figma/',
         '~/Library/Application Support/Foxit Software/',
         '~/Library/Application Support/JetBrains/',
         '~/Library/Application Support/OpenLens',
         '~/Library/Application Support/sourcegraph-sp/',
+        '~/Library/Application Support/Steam/',
+        '~/Library/Application Support/WebEx Folder/',
+        '~/Library/Application Support/Zed/',
         '~/Library/Application Support/Zwift/',
+        '~/Library/Application Support/Zwift',
         '~/Library/Caches/com.mimestream.Mimestream/',
+        '~/Library/Caches/company.thebrowser.Browser/',
         '~/Library/Caches/com.sempliva.Tiles/',
         '~/Library/Caches/JetBrains/',
         '~/Library/Caches/org.gpgtools.updater/',
         '~/Library/Caches/snyk/',
-        '~/projects/go/src/',
-        '~/Library/Caches/company.thebrowser.Browser/',
         '/Library/Developer/Xcode/',
-        '~/.terraform.d/plugin-cache/registry.terraform.io/'
+        '~/.local/share/bob/',
+        '~/projects/go/src/',
+        '~/.terraform.d/plugin-cache/registry.terraform.io/',
+        '/usr/local/kolide-k2/Kolide.app/Contents/MacOS',
+        '~/.vscode/extensions/ms-vscode.cpptools-1.15.4-darwin-arm64/'
       )
       OR dir IN (
         '~/bin',
@@ -152,6 +153,7 @@ WHERE
     'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
     'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
     'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
+    'Developer ID Application: Zwift, Inc (C2GM8Y9VFM)',
     'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
     'Developer ID Application: Cisco (DE8Y96K9QP)',
     'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',

detection/execution/unexpected-execdir-events-macos.sql

@@ -155,6 +155,8 @@ WHERE
     '/Volumes/Slack/Slack.app',
     '/opt/homebrew/Caskroom',
     '/opt/homebrew/Cellar',
+    '/opt/rapid7/ir_agent',
+    '/opt/Elastic/Endpoint',
     '/Library/Elastic/Agent',
     '/opt/homebrew/Library',
     '/private/var/kolide-k2',
@@ -317,6 +319,7 @@ WHERE
     'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
     'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
     'Developer ID Application: Cisco (DE8Y96K9QP)',
+    'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
     'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
     'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',

detection/execution/unexpected-execdir-macos.sql

@@ -141,6 +141,7 @@ WHERE
     '~/Library/Caches/com.mimestream.Mimestream/',
     '~/Library/Caches/com.sempliva.Tiles/',
     '~/.local/share/bob/',
+    '/opt/rapid7/ir_agent',
     '~/anaconda3/Anaconda-Navigator.app/Contents/',
     '~/Library/Services/UE4EditorServices.app/',
     '~/Library/Caches/com.grammarly.ProjectLlama/',
@@ -181,6 +182,7 @@ WHERE
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     'Developer ID Application: Docker Inc (9BNSXJN65R)',
     'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
+    'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
     'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
     'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y)',
     'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
@@ -196,6 +198,7 @@ WHERE
     'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
     'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
     'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
+    'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
     'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
     'Developer ID Application: TablePlus Inc (3X57WP8E8V)',
     'Developer ID Application: Tenable, Inc. (4B8J598M7U)',