diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql index 768fce8..ba03734 100644 --- a/detection/c2/unexpected-dns-traffic-events.sql +++ b/detection/c2/unexpected-dns-traffic-events.sql @@ -93,13 +93,13 @@ WHERE AND exception_key NOT LIKE 'Opera Helper,77.111.247.%,53' AND p.name != 'nessusd' -- Local DNS servers and custom clients go here + -- Electron apps + AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper' AND p.path NOT IN ( - '/usr/lib/systemd/systemd-resolved', '/Library/Nessus/run/sbin/nessusd', - '/usr/bin/apko', '/opt/google/chrome/chrome', - '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper', - '/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper' + '/usr/bin/apko', + '/usr/lib/systemd/systemd-resolved' ) -- Chromium apps can send stray DNS packets AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper' diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql index 694f01d..1f76540 100644 --- a/detection/c2/unexpected-https-client-linux.sql +++ b/detection/c2/unexpected-https-client-linux.sql @@ -71,6 +71,7 @@ WHERE '0,kmod,0u,0g,depmod', '0,launcher,0u,0g,launcher', '0,launcher,500u,500g,launcher', + '0,ldconfig,0u,0g,ldconfig', '0,nessusd,0u,0g,nessusd', '0,nix,0u,0g,nix', '0,nix,0u,0g,nix-daemon', @@ -91,12 +92,12 @@ WHERE '106,geoclue,0u,0g,geoclue', '500,1password,0u,0g,1password', '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen', + '500,act,0u,0g,act', '500,apk,500u,500g,apk', '500,apko,u,g,apko', '500,apk,u,g,apk', '500,aws,0u,0g,aws', '500,bom,500u,500g,bom', - '500,act,0u,0g,act', '500,Brackets,0u,0g,Brackets', '500,brave,0u,0g,brave', '500,buildkitd,500u,500g,buildkitd', 
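Review bot: The new `AND p.path NOT LIKE '/Applications/%.app/Contents/MacOS/% Helper'` is far wider than the two Slack and Spotify paths it replaces: any bundle under `/Applications` whose executable name ends in ` Helper` is now dropped from the DNS-traffic check with no signer or parent constraint, and `/Applications` is typically writable by admin users. If the intent is Electron's helper layout, the pattern that mirrors the removed lines, `AND p.path NOT LIKE '/Applications/%.app/Contents/Frameworks/% Helper.app/Contents/MacOS/% Helper'`, is narrower, and pairing it with a signature check would be narrower still if this query joins one. The `-- Electron apps` comment also now sits between `-- Local DNS servers and custom clients go here` and the `NOT IN` list that older comment describes; moving the Electron line above that comment keeps both readable.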
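Review bot: `'0,ldconfig,0u,0g,ldconfig'` allowlists a root process named ldconfig as an HTTPS client, yet ldconfig itself has no networking code, so this most likely reflects a wrapper or a build step and the exception rests on a process name alone. A one-line comment naming the observed trigger, or a `p.path` constraint like the `/tmp/go-build%.test` exclusion added later in this file, would stop the entry from being silently load-bearing; the enclosing `NOT IN` list starts before the hunk.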
@@ -128,11 +129,13 @@ WHERE '500,flameshot,0u,0g,flameshot', '500,flatpak-oci-authenticator,0u,0g,flatpak-oci-aut', '500,geoclue,0u,0g,geoclue', + '500,gh,0u,0g,gh', '500,git,0u,0g,git', '500,git-remote-http,0u,0g,git-remote-http', '500,gitsign,0u,0g,gitsign', '500,gitsign,500u,0g,gitsign', '500,gitsign,500u,500g,gitsign', + '500,gitsign-credential-cache,500u,500g,gitsign-credent', '500,gjs-console,0u,0g,org.gnome.Maps', '500,gnome-recipes,0u,0g,gnome-recipes', '500,gnome-shell,0u,0g,gnome-shell', @@ -160,10 +163,12 @@ WHERE '500,Keybase,0u,0g,Keybase', '500,ko,500u,500g,ko', '500,ko,u,g,ko', + '500,kpromo,500u,500g,kpromo', '500,krel,500u,500g,krel', '500,kubectl,0u,0g,kubectl', '500,kubectl,500u,500g,kubectl', '500,lens,0u,0g,lens', + '500,limactl,0u,0g,limactl', '500,mconvert,500u,500g,mconvert', '500,melange,u,g,melange', '500,Melvor Idle,500u,500g,exe', @@ -175,10 +180,11 @@ WHERE '500,node,0u,0g,.node2nix-wrapp', '500,node,u,g,node', '500,obs,0u,0g,obs', - '500,obs,u,g,obs', + '500,obs-browser-page,0u,0g,obs-browser-pag', '500,obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux', '500,obs-ffmpeg-mux,u,g,obs-ffmpeg-mux', '500,obsidian,u,g,obsidian', + '500,obs,u,g,obs', '500,pacman,0u,0g,pacman', '500,php8.1,0u,0g,php', '500,promoter,500u,500g,promoter', @@ -190,17 +196,16 @@ WHERE '500,python3.11,0u,0g,protonvpn', '500,python3.11,0u,0g,prowler', '500,python3,500u,500g,python3', + '500,python.test,500u,500g,python.test', + '500,qemu-system-x86_64,0u,0g,qemu-system-x86', '500,reporter-ureport,0u,0g,reporter-urepor', '500,rpi-imager,0u,0g,rpi-imager', '500,rustup,0u,0g,rustup', - '500,gitsign-credential-cache,500u,500g,gitsign-credent', '500,scoville,500u,500g,scoville', '500,signal-desktop,0u,0g,signal-desktop', - '500,kpromo,500u,500g,kpromo', '500,signal-desktop,u,g,signal-desktop', '500,slack,0u,0g,slack', '500,slack,u,g,slack', - '500,python.test,500u,500g,python.test', '500,slirp4netns,500u,500g,slirp4netns', '500,snap-store,0u,0g,snap-store', '500,spotify,0u,0g,spotify', 
@@ -208,7 +213,6 @@ WHERE '500,spotify,u,g,spotify', '500,steam,500u,100g,steam', '500,steam,500u,500g,steam', - '500,qemu-system-x86_64,0u,0g,qemu-system-x86', '500,steamwebhelper,500u,100g,steamwebhelper', '500,steamwebhelper,500u,500g,steamwebhelper', '500,step,500u,500g,step', @@ -219,13 +223,11 @@ WHERE '500,terraform,500u,500g,terraform', '500,thunderbird,0u,0g,thunderbird', '500,thunderbird,u,g,thunderbird', - '500,qemu-system-x86_64,0u,0g,qemu-system-x86', '500,todoist,0u,0g,todoist', '500,trivy,0u,0g,trivy', '500,trivy,500u,500g,trivy', '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', '500,wget,0u,0g,wget', - '500,limactl,0u,0g,limactl', '500,wolfictl,500u,500g,wolfictl', '500,WPILibInstaller,500u,500g,WPILibInstaller', '500,xmobar,0u,0g,xmobar', @@ -258,5 +260,7 @@ WHERE -- Exclude processes running inside of containers AND NOT p.cgroup_path LIKE '/system.slice/docker-%' AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%' + -- Tests + AND NOT p.path LIKE '/tmp/go-build%.test' GROUP BY p.cmdline diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql index e879214..4cc275c 100644 --- a/detection/c2/unexpected-talkers-linux.sql +++ b/detection/c2/unexpected-talkers-linux.sql @@ -122,6 +122,7 @@ WHERE '80,6,0,bash,0u,0g,update-ca-trust', '80,6,0,cp,0u,0g,cp', '80,6,0,fc-cache,0u,0g,fc-cache', + '500,syft,0u,0g,syft', '80,6,0,find,0u,0g,find', '80,6,0,gawk,0u,0g,awk', '80,6,0,gpg,0u,0g,gpg', @@ -132,6 +133,7 @@ WHERE '80,6,0,packagekitd,0u,0g,packagekitd', '80,6,0,pacman,0u,0g,pacman', '80,6,0,python3.10,0u,0g,dnf', + '1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer', '80,6,0,python3.10,0u,0g,dnf-automatic', '80,6,0,python3.10,0u,0g,yum', '80,6,0,python3.11,0u,0g,dnf', 
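Review bot: `AND NOT p.path LIKE '/tmp/go-build%.test'` excludes any process whose binary sits at a matching path for every uid, and `/tmp` is world-writable, so the carve-out is bounded only by a filename pattern anyone can reproduce. Go test binaries are launched by the `go` toolchain, so tying the line to the parent name (if this query joins the parent) or at least to the unprivileged uid keeps the exception close to what was observed, and the `-- Tests` comment could say which project produced it. The enclosing WHERE starts well before the hunk and ends at the `GROUP BY` shown.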
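Review bot: `'500,syft,0u,0g,syft'` has five comma-separated fields while every neighbouring key in this list (`'80,6,0,fc-cache,0u,0g,fc-cache'`) has seven, so, assuming the list feeds the same `NOT IN` equality comparison as the rest of these files, the new entry can never match and is dead; it looks copied from the five-field key format used in unexpected-https-client-linux.sql in this same commit. It needs the observed port and protocol in front, e.g. `'443,6,500,syft,0u,0g,syft'` if that is what was seen (constructed value), and belongs in key order rather than between the port-80 rows. The `'1983,6,500,dleyna-renderer-service,0u,0g,dleyna-renderer'` line in the next hunk is inserted between port-80 rows in the same way, and the same ordering point applies to zoom.us in unexpected-execdir-events-macos.sql, nvidia-suspend/sleep.target in unexpected-active-systemd-units.sql and LogiTune/LogiPresentation in the unexpected-shell-parents and unexpected-volume-contents files.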
@@ -170,11 +172,15 @@ WHERE '80,6,500,steam,500u,100g,steam', '80,6,500,steam,500u,500g,steam', '80,6,500,steamwebhelper,500u,500g,steamwebhelper', + '80,6,500,python3.11,0u,0g,dnf', '80,6,500,terraform,500u,500g,terraform', '80,6,500,thunderbird,0u,0g,thunderbird', '80,6,500,thunderbird,u,g,thunderbird', + '587,6,500,thunderbird,u,g,thunderbird', '80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr', '80,6,500,zoom,0u,0g,zoom', + '80,6,500,zoom.real,u,g,zoom.real', + '9418,6,500,git,0u,0g,git', '8080,6,500,brave,0u,0g,brave', '8080,6,500,chrome,0u,0g,chrome', '8080,6,500,firefox,0u,0g,firefox', diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index c8940d2..a857f23 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql @@ -181,6 +181,7 @@ WHERE '443,6,500,apko,a.out,', '443,6,500,aws,37c466-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)', '443,6,500,aws,e956a0-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)', + '443,6,0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB)', '443,6,500,bash,bash,', '443,6,500,BlockBlock Installer,com.objective-see.blockblock.installer,Developer ID Application: Objective-See, LLC (VBG97UB4TA)', '443,6,500,bom,,', diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql index 463ba59..da96b6c 100644 --- a/detection/collection/high-disk-bytes-written.sql +++ b/detection/collection/high-disk-bytes-written.sql @@ -141,6 +141,7 @@ WHERE 'rustup', 'slack', 'snyk', + 'snyk-macos', 'spotify', 'staticcheck', 'steam', diff --git a/detection/discovery/unexpected-netutil-calls-macos.sql b/detection/discovery/unexpected-netutil-calls-macos.sql index 2aaf322..b1deffb 100644 --- a/detection/discovery/unexpected-netutil-calls-macos.sql 
+++ b/detection/discovery/unexpected-netutil-calls-macos.sql @@ -101,6 +101,7 @@ WHERE 'netstat,500,IPNExtension,launchd', 'pfctl,0,pia-daemon,launchd', 'ifconfig,500,zsh,stable', + 'netstat,0,io.tailscale.ipn.macsys.network-extension,launchd', 'ifconfig,0,pia-openvpn,pia-daemon', 'ifconfig,0,pia-openvpn,pia-daemon', 'ifconfig,0,pia-daemon,launchd', diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql index 78b1d88..8e29462 100644 --- a/detection/evasion/empty_root_environ_linux.sql +++ b/detection/evasion/empty_root_environ_linux.sql @@ -34,32 +34,33 @@ WHERE AND p.parent NOT IN (0, 2) AND NOT p.path IS NULL AND p.name NOT IN ( + '1Password-Keyri', 'applydeltarpm', 'bwrap', 'crond', 'cupsd', 'dhcpcd', - '1Password-Keyri', - 'modprobe', 'dnf', - 'gdm-x-session', - 'systemd-udevd', - 'gdm-session-wor', - 'systemd-userwor', - 'osqueryi', 'fprintd', + 'gdm-session-wor', + 'gdm-x-session', + 'gpg-agent', + 'modprobe', + 'nginx', + 'osqueryi', + 'realmd', + 'sedispatch', + 'ssh', + 'sshd', 'sudo', 'systemd', - 'gpg-agent', + 'systemd-udevd', 'systemd-userdbd', - 'nginx', - 'sshd', + 'systemd-userwor', 'zfs', - 'ssh', - 'sedispatch', 'zypak-sandbox' ) - AND NOT pp.name IN ('systemd-userdbd', 'crond') + AND NOT pp.name IN ('systemd-userdbd', 'crond', 'systemd') AND NOT ( p.name LIKE 'systemd-%' AND p.parent = 1 diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql index add657e..940fddf 100644 --- a/detection/evasion/hidden-cwd.sql +++ b/detection/evasion/hidden-cwd.sql @@ -137,6 +137,8 @@ WHERE OR dir LIKE '~/%/.config/nvim' OR dir LIKE '~/dev/%/dots/%/.config%' OR dir LIKE '~/%/.git' + OR dir LIKE '/private/tmp/%/.git' + OR dir LIKE '/tmp/%/.git' OR dir LIKE '~/%/.github%' OR dir LIKE '~/%/.docker%' OR dir LIKE '~/%/.vercel%' diff --git a/detection/evasion/missing-from-disk-macos.sql b/detection/evasion/missing-from-disk-macos.sql index 9dd9e9d..a70c5df 100644 
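Review bot: Adding `'systemd'` to `AND NOT pp.name IN ('systemd-userdbd', 'crond', 'systemd')` exempts every root process whose parent is named systemd from the empty-environment check, a much larger carve-out than the existing `p.name LIKE 'systemd-%' AND p.parent = 1` clause just below it: on a systemd host a daemon that double-forks is re-parented to PID 1, so a process that scrubbed its environment and detached now has a parent named systemd and is skipped, and the match is on name rather than pid. If the trigger was units started directly by PID 1, something like `AND NOT (pp.pid = 1 AND p.name IN ('<observed unit binaries>'))` (placeholder list, assuming `pp` is the processes table) keeps the exception specific. The `'realmd'` addition to `p.name NOT IN` is the only other non-reorder change in this hunk.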
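Review bot: `OR dir LIKE '/tmp/%/.git'` and `OR dir LIKE '/private/tmp/%/.git'` exclude a hidden working directory under a world-writable location on the strength of the path alone, whereas the neighbouring entries all live under the user's home. A throwaway clone in `/tmp` is plausible, but any process that creates such a directory and runs from it matches the same pattern, so tying the two lines to the process name that was observed (if this query exposes one) would be safer; the enclosing OR chain starts before the hunk.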
--- a/detection/evasion/missing-from-disk-macos.sql +++ b/detection/evasion/missing-from-disk-macos.sql @@ -57,6 +57,7 @@ WHERE OR cmd LIKE '/opt/homebrew/Cellar/%' OR p.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver.old' OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%' + OR p.path LIKE '/Users/%/homebrew/Cellar/%' OR p.path LIKE '/private/var/folders/zz/%/T/PKInstallSandboxTrash/%.sandboxTrash/%' OR p.path LIKE '/Users/%/node_modules/.pnpm/%' OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%' diff --git a/detection/evasion/parent-missing-from-disk-macos.sql b/detection/evasion/parent-missing-from-disk-macos.sql index 2159dd7..44aae1a 100644 --- a/detection/evasion/parent-missing-from-disk-macos.sql +++ b/detection/evasion/parent-missing-from-disk-macos.sql @@ -70,7 +70,10 @@ WHERE AND pp.path NOT LIKE '/opt/homebrew/Cellar/%' AND pp.path NOT LIKE '%google-cloud-sdk/.install/.backup%' AND pp.path NOT LIKE '/private/var/folders/%/T/PKInstallSandboxTrash/%.sandboxTrash/%' - AND pp.path != "" - AND pp.path != "/sbin/launchd" + AND pp.path NOT IN ( + "", + "/sbin/launchd", + "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)" + ) AND pp.on_disk != 1 ); diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql index b9464b5..967e8e1 100644 --- a/detection/evasion/unexpected-alf-exceptions-macos.sql +++ b/detection/evasion/unexpected-alf-exceptions-macos.sql 
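Review bot: `OR p.path LIKE '/Users/%/homebrew/Cellar/%'` subsumes the existing `OR p.path LIKE '/Users/%/homebrew/Cellar/%/bin/%'` three lines below it, so one of the two should go, and the wider form now treats any executable under a user-owned `homebrew/Cellar` tree as an expected missing-from-disk case. If a Cellar binary outside `bin/` is the motivation, a comment naming it, or a pattern that still ends in a known subdirectory, keeps the exclusion off arbitrary user-writable paths; the surrounding OR chain continues on both sides of the hunk.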
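Review bot: The rebuilt `pp.path NOT IN (...)` uses double-quoted strings (`""`, `"/sbin/launchd"` and the VS Code helper path) while every other literal in the hunk uses single quotes; in SQLite, which osquery embeds, a double-quoted token is an identifier first and only becomes a string literal through a legacy fallback, so `''`, `'/sbin/launchd'` and the single-quoted helper path are the spelling that cannot be misread. The consolidation into one `NOT IN` is otherwise an improvement over the two `!=` lines it replaces.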
@@ -67,6 +67,7 @@ WHERE 'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0', 'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501', 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501', + 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0', 'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501', ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0', ',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501', @@ -86,6 +87,7 @@ WHERE AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501' AND NOT exception_key LIKE ',a.out,/Users/%/GolandProjects/documentation-code-examples/debuggingTutorial/myApp,501' AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501' + AND NOT exception_key LIKE ',java,/opt/homebrew/Cellar/openjdk/%/libexec/openjdk.jdk/Contents/Home/bin/java,501' AND NOT ( signature.identifier LIKE 'cargo-%' AND ae.path LIKE '/Users/%/.rustup/%' diff --git a/detection/execution/exotic-command-events-linux.sql b/detection/execution/exotic-command-events-linux.sql index 62508cc..fdba9b0 100644 --- a/detection/execution/exotic-command-events-linux.sql +++ b/detection/execution/exotic-command-events-linux.sql @@ -191,6 +191,8 @@ WHERE AND NOT p0_cmd LIKE 'modprobe -ab%' AND NOT p0_cmd LIKE 'modprobe --all%' AND NOT p0_cmd LIKE '%modprobe aufs' + AND NOT p0_cmd LIKE '%touch -r /tmp/cc%.o %' + AND NOT p0_cmd LIKE '%chmod -R 777 /app/%' AND NOT p0_cmd LIKE '%modprobe overlay' AND NOT p0_cmd LIKE '%modprobe nf_nat_netbios_ns' AND NOT p0_cmd LIKE '%modprobe -va%' 
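Review bot: The Tailscale entry embeds `/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/...` in an exact key, and that directory name looks like a per-install identifier rather than a stable path, so the exception will probably only ever match the machine it was captured on. The file already handles this shape with `AND NOT exception_key LIKE ...` (see the java line in the next hunk), so `AND NOT exception_key LIKE 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/%/io.tailscale.ipn.macsys.network-extension.systemextension/,0'` keeps the signer and bundle id pinned while tolerating the identifier.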
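Review bot: `AND NOT p0_cmd LIKE '%chmod -R 777 /app/%'` is open on both ends, so any command line that merely contains that substring, including a longer shell string that does other things, drops out of the exotic-command check, and a recursive world-writable chmod is the kind of event this query exists to surface. Anchoring it to the full command as observed, `AND NOT p0_cmd LIKE 'chmod -R 777 /app/%'` (or to the shell wrapper if that is how it was seen), or keying it on the parent the way `'bash,500,ninja,bash'` is handled in the next hunk, keeps the carve-out to the build step that triggered it; the same applies to `'%touch -r /tmp/cc%.o %'`. A one-line comment naming the build tool behind these two lines would help the next reader.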
@@ -198,4 +200,5 @@ WHERE AND NOT p0_cmd LIKE 'tail /%history' AND NOT p0_cmd LIKE '%/usr/bin/cmake%Socket.cpp' AND NOT p0_cmd LIKE '%/usr/bin/cmake%Socket.h' - AND NOT p0_name IN ('cc1', 'compile', 'cmake', 'cc1plus') + AND NOT p0_name IN ('ar', 'cc1', 'compile', 'cmake', 'cc1plus') + AND NOT exception_key IN ('bash,500,ninja,bash') diff --git a/detection/execution/exotic-command-events-macos.sql b/detection/execution/exotic-command-events-macos.sql index 383d325..d616cf6 100644 --- a/detection/execution/exotic-command-events-macos.sql +++ b/detection/execution/exotic-command-events-macos.sql @@ -147,7 +147,11 @@ WHERE ) -- Things that could reasonably happen at boot. AND NOT ( pe.path = '/usr/bin/mkfifo' - AND p0_cmd LIKE '%/org.gpgtools.log.%/fifo' + AND ( + p0_cmd LIKE '%/org.gpgtools.log.%/fifo' + OR p0_cmd LIKE '/var/%/gitstatus.POWERLEVEL9K.%' + OR p0_cmd LIKE '/var/%/p10k.worker.%' + ) ) AND NOT ( p0_cmd LIKE '%csrutil status' diff --git a/detection/execution/sketchy-fetcher-events.sql b/detection/execution/sketchy-fetcher-events.sql index e35739c..6697954 100644 --- a/detection/execution/sketchy-fetcher-events.sql +++ b/detection/execution/sketchy-fetcher-events.sql @@ -98,7 +98,8 @@ WHERE 'se', 'sh', 'so', - 'uk' + 'uk', + 'us' ) -- Or if it matches weird keywords we've seen OR p.cmdline LIKE '%chmod%' diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql index c796418..222fed5 100644 --- a/detection/execution/unexpected-execdir-events-macos.sql +++ b/detection/execution/unexpected-execdir-events-macos.sql @@ -123,6 +123,7 @@ WHERE '/Library/Application Support/GPGTools', '~/Library/Application Support/JetBrains', '~/Library/Caches/com.knollsoft.Rectangle', + '~/Library/Application Support/zoom.us', '~/Library/Caches/com.mimestream.Mimestream', '~/Library/Caches/snyk', '/Library/Developer/CommandLineTools', 
@@ -145,23 +146,25 @@ WHERE '~/code/bin', '~/Downloads/google-cloud-sdk/bin', '~/Downloads/protoc/bin', - '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS', '~/go/bin', '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin', '~/Library/Application Support/dev.warp.Warp-Stable', '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS', '/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources', + '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS', '/Library/DropboxHelperTools/Dropbox_u501', '/Library/Filesystems/kbfuse.fs/Contents/Resources', '/Library/Frameworks/Python.framework/Versions/3.10/bin', '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS', '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS', + '/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS', '/Library/Printers/DYMO/Utilities', '/Library/PrivilegedHelperTools', '/Library/TeX/texbin', '~/.local/bin', '~/.magefile', '/node_modules/.bin', + '/opt/homebrew/bin', '/opt/usr/bin', '/opt/X11/bin', '/opt/X11/libexec', @@ -170,7 +173,6 @@ WHERE '/sbin', '/usr/bin', '/usr/lib', - '/opt/homebrew/bin', '/usr/lib/bluetooth', '/usr/lib/cups/notifier', '/usr/libexec', 
@@ -211,6 +213,7 @@ WHERE AND dir NOT LIKE '/private/tmp/go-build%/exe' AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers' AND dir NOT LIKE '/private/tmp/nix-build-%' + AND dir NOT LIKE '/Library/SystemExtensions/%-%/%.systemextension/Contents/MacOS' AND dir NOT LIKE '/private/tmp/PKInstallSandbox.%/Scripts/com.microsoft.OneDrive.%' AND dir NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%.xpc/Contents/MacOS' AND dir NOT LIKE '/private/var/folders/%/d/Wrapper/%.app/%' diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql index 40180a8..ada2f43 100644 --- a/detection/execution/unexpected-execdir-macos.sql +++ b/detection/execution/unexpected-execdir-macos.sql @@ -135,12 +135,13 @@ WHERE AND top3_homedir NOT IN ( '~/Library/Application Support/BraveSoftware/', '~/Library/Application Support/com.elgato.StreamDeck/', - '~/Library/Application Support/Foxit Software/', - '~/Library/Caches/com.mimestream.Mimestream/', '/Library/Application Support/EcammLive', - '/Library/Developer/Xcode/', + '~/Library/Application Support/Foxit Software/', + '~/Library/Application Support/OpenLens', + '~/Library/Caches/com.mimestream.Mimestream/', '~/Library/Caches/com.sempliva.Tiles/', '~/Library/Caches/snyk/', + '/Library/Developer/Xcode/', '~/.terraform.d/plugin-cache/registry.terraform.io/' ) AND dir NOT LIKE '/Applications/%' diff --git a/detection/execution/unexpected-fetcher-parent-events.sql b/detection/execution/unexpected-fetcher-parent-events.sql index a160fc1..1925644 100644 --- a/detection/execution/unexpected-fetcher-parent-events.sql +++ b/detection/execution/unexpected-fetcher-parent-events.sql @@ -110,7 +110,7 @@ WHERE AND NOT ( pe.euid > 500 AND p1_name = 'ruby' - AND p1_cmd LIKE '%/opt/homebrew/Library/Homebrew/brew.rb%' + AND p1_cmd LIKE '%/Homebrew/brew.rb%' ) AND NOT ( pe.euid > 500 
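Review bot: Loosening `'%/opt/homebrew/Library/Homebrew/brew.rb%'` to `'%/Homebrew/brew.rb%'` makes the ruby-parent exemption match a `Homebrew/brew.rb` at any path, including user-writable ones, where previously only the system prefix qualified, and the clause is already scoped to `pe.euid > 500`, i.e. exactly the user who controls such paths. If Intel (`/usr/local`) or per-user installs are the motivation, listing those prefixes, e.g. `OR p1_cmd LIKE '%/usr/local/Homebrew/Library/Homebrew/brew.rb%'`, is more precise than the unanchored form; the WHERE continues beyond the hunk.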
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index c822b33..db3e466 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -50,6 +50,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 'curl,500,bash,ShellLauncher',
 'curl,500,Slack,launchd',
 'curl,500,bash,zsh',
+ 'curl,0,09-timezone,nm-dispatcher',
 'curl,500,env,env',
 'curl,500,fish,gnome-terminal-',
 'curl,500,Slack,launchd',
diff --git a/detection/execution/unexpected-root-signer-macos.sql b/detection/execution/unexpected-root-signer-macos.sql
index 8eb98f5..a607568 100644
--- a/detection/execution/unexpected-root-signer-macos.sql
+++ b/detection/execution/unexpected-root-signer-macos.sql
@@ -89,6 +89,7 @@ WHERE
 -- I'm not too thrilled to have this as an exception, to be honest.
 'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
 'Developer ID Application: Sanford, L.P. (N3S6676K3E)',
+ 'Developer ID Application: Tailscale Inc. (W5364U7YZB)',
 'Software Signing'
 )
 AND NOT (
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index 74acefb..9cc8f22 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -100,6 +100,7 @@ WHERE
 '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
 '500,gopls,a.out,',
 '500,gopls,gopls,',
+ '500,dive,a.out,',
 '500,gpg-agent,gpg-agent,',
 '500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
 '500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
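Review bot: `'curl,0,09-timezone,nm-dispatcher'` exempts root curl launched from a NetworkManager dispatcher script, and the hunk's context line says this part of the query is synced with unexpected-fetcher-parent-events.sql, whose hunk in this commit does not receive the same key; either both lists should get it or the sync note no longer holds. A short comment above the line saying what `09-timezone` is (presumably a script under the dispatcher directory rather than a binary) would also help, since a dispatcher script fetching as root is otherwise worth a second look; the entry is also out of the list's existing order.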
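Review bot: `'500,dive,a.out,'` here and `'500,BloomRPC Helper,,'` in the next hunk add exceptions whose only binding is the process name, with an ad-hoc identifier or none at all and an empty signing authority, so any unsigned process carrying one of those names passes the security-framework check. The existing `'500,gopls,a.out,'` entries set the precedent, but for a helper with no bundle id at all a comment noting why it is unsigned, or a path key if the query exposes one, would be worth adding; both lines are also placed out of order relative to the surrounding entries.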
@@ -115,6 +116,7 @@ WHERE
 '500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
 '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
 '500,PrinterProxy,com.apple.print.PrinterProxy,',
+ '500,BloomRPC Helper,,',
 '500,registry-redirect,a.out,',
 '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
 '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 5b355a4..f167e86 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -96,6 +96,7 @@ WHERE
 '/usr/bin/udevadm',
 '/usr/libexec/aned',
 '/usr/libexec/coreduetd',
+ '/usr/libexec/diskmanagementd',
 '/usr/bin/update-notifier',
 '/usr/libexec/flatpak-system-helper',
 '/usr/libexec/logd',
diff --git a/detection/initial_access/sketchy-mounted-diskimage.sql b/detection/initial_access/sketchy-mounted-diskimage.sql
index 7b2135b..5ffe376 100644
--- a/detection/initial_access/sketchy-mounted-diskimage.sql
+++ b/detection/initial_access/sketchy-mounted-diskimage.sql
@@ -111,6 +111,7 @@ WHERE
 file.symlink = 1
 AND magic.data != 'symbolic link to /Applications'
 AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
+ AND magic.data NOT LIKE 'symbolic link to /Library/Application Support/Apple/Safari/SafariForWebKitDevelopment'
 )
 )
 GROUP BY
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index d6548b0..21e5dae 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -117,6 +117,7 @@ WHERE
 'gnome-terminal-server',
 'go',
 'goland',
+ 'mc',
 'gopls',
 'helm',
 'HP Diagnose & Fix',
@@ -152,8 +153,10 @@ WHERE
 'sh',
 'ShellLauncher',
 'skhd',
+ 'su',
 'snyk',
 'sshd',
+ 'obs',
 'stable',
 'Stream Deck',
 'sudo',
@@ -164,6 +167,8 @@ WHERE 'terraform-ls', 'test2json', 'tmux', + 'snyk-macos', + 'ression-arm64', 'tmux:server', 'update-notifier', 'vi', @@ -253,6 +258,7 @@ WHERE 'sh,500,Google Drive,launchd', 'dash,0,snapd,systemd', 'bash,500,xdg-desktop-portal,systemd', + 'zsh,500,old,old', 'sh,500,snyk-macos,snyk', 'sh,500,ssh,mosh-client', 'sh,500,updater,Foxit PDF Reader', diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql index 9e9e425..b1beed6 100644 --- a/detection/initial_access/unexpected-shell-parents.sql +++ b/detection/initial_access/unexpected-shell-parents.sql @@ -105,6 +105,7 @@ WHERE 'ssh', 'sshd', 'steam_osx', + 'LogiTune', 'swift', 'systemd', 'terminator', @@ -161,6 +162,7 @@ WHERE AND NOT p.cmdline IN ( -- npm run server 'sh -c -- exec-bin node_modules/.bin/hugo/hugo server', + '/bin/sh -c ioreg -rd1 -c IOPlatformExpertDevice', "sh -c acpi -b | grep -v 'unavailable'", 'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null', -- Brother printer diff --git a/detection/initial_access/unexpected-volume-contents.sql b/detection/initial_access/unexpected-volume-contents.sql index 4190855..0cab201 100644 --- a/detection/initial_access/unexpected-volume-contents.sql +++ b/detection/initial_access/unexpected-volume-contents.sql @@ -80,6 +80,7 @@ WHERE '.disk_label_2x', '.DS_Store', '.file', + 'LogiPresentation Installer.app', '.file-revisions-by-id', '._Id.txt', '.iotest', @@ -95,6 +96,7 @@ WHERE ) AND authority NOT IN ( 'Developer ID Application: Google LLC (EQHXZ8M8AV)', + 'Developer ID Application: Logitech Inc. (QED4VVPZWA)', 'Developer ID Application: Adobe Inc. (JQ525L2MZD)' ) -- Unsigned programs here AND trimpath NOT IN ( diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql index 6f2307a..ede7d71 100644 --- a/detection/persistence/unexpected-active-systemd-units.sql 
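Review bot: `'ression-arm64'` in the parent-name list is evidently the 15-character tail of a longer binary name, which is how osquery reports process names, so a reader cannot tell which program it covers; a comment such as `-- truncated name of <full binary name>` next to it (placeholder to be filled in) is needed. The same goes for `'zsh,500,old,old'` in the last hunk, where both the parent and its parent are simply called `old`, a name generic enough that the key will also match unrelated processes; a comment saying what `old` was is the minimum. Name-only entries like `'su'`, `'obs'` and `'mc'` are in keeping with the rest of the list.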
+++ b/detection/persistence/unexpected-active-systemd-units.sql @@ -127,6 +127,7 @@ WHERE 'dnf-automatic-install.service,dnf automatic install updates,,225', 'dnf-automatic-install.timer,dnf-automatic-install timer,,225', 'dnf-makecache.service,dnf makecache,,225', + 'dnf-makecache.service,dnf makecache,,450', 'dnf-makecache.timer,dnf makecache --timer,,225', 'docker.service,Docker Application Container Engine,,1125', 'docker.service,Docker Application Container Engine,,1350', @@ -142,6 +143,7 @@ WHERE 'firewall.service,Firewall,,1350', 'flatpak-system-helper.service,flatpak system helper,,225', 'fprintd.service,Fingerprint Authentication Daemon,,900', + 'fprintd.service,Fingerprint Authentication Daemon,,675', 'fstrim.service,Discard unused blocks on filesystems from /etc/fstab,,225', 'fstrim.timer,Discard unused blocks once a week,,225', 'fwupd-refresh.service,Refresh fwupd metadata and update motd,fwupd-refresh,225', @@ -214,12 +216,15 @@ WHERE 'network-interfaces.target,All Network Interfaces (deprecated),,0', 'network-local-commands.service,Extra networking commands.,,1350', 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,675', + 'NetworkManager-dispatcher.service,Network Manager Script Dispatcher Service,,450', 'NetworkManager.service,Network Manager,,1125', + 'nvidia-suspend.service,NVIDIA system suspend actions,,225', 'NetworkManager.service,Network Manager,,1350', 'NetworkManager-wait-online.service,Network Manager Wait Online,,1125', 'network-online.target,Network is Online,,450', 'network-pre.target,Network (Pre),,450', 'network-pre.target,Preparation for Network,,450', + 'sleep.target,Sleep,,450', 'network-setup.service,Networking Setup,,1350', 'network.target,Network,,225', 'network.target,Network,,450', diff --git a/detection/persistence/unexpected-device.sql b/detection/persistence/unexpected-device.sql index d66e573..f829c03 100644 --- a/detection/persistence/unexpected-device.sql 
+++ b/detection/persistence/unexpected-device.sql 
@@ -11,215 +11,227 @@ -- tags: persistent filesystem state -- platform: linux SELECT -- Remove numerals from device names - -- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH - DISTINCT REPLACE( + -- Ugly, but better than dealing with multiple rounds of nesting COALESCE + REGEX_MATCH + DISTINCT REPLACE( + REPLACE( + REPLACE( REPLACE( + REPLACE( REPLACE( - REPLACE( - REPLACE( - REPLACE( - REPLACE( - REPLACE( - REPLACE(REPLACE(path, "0", ""), "1", ""), - "2", - "" - ), - "3", - "" - ), - "4", - "" - ), - "5", - "" - ), - "6", - "" - ), - "7", + REPLACE( + REPLACE(REPLACE(REPLACE(path, "0", ""), "1", ""), "2", ""), + "3", "" + ), + "4", + "" ), - "8", + "5", "" + ), + "6", + "" ), - "9", + "7", "" - ) AS path_expr, - file.* -FROM file -WHERE ( - path LIKE '/dev/%' - OR directory LIKE '/dev/%' - ) - AND path_expr NOT IN ( - '/dev/acpi_thermal_rel', - '/dev/autofs', - '/dev/block/', - '/dev/block/:', - '/dev/bsg/', - '/dev/bsg/:::', - '/dev/btrfs-control', - '/dev/bus/', - '/dev/bus/usb', - '/dev/cdrom', - '/dev/char/', - '/dev/char/:', - '/dev/console', - '/dev/core', - '/dev/cpu/', - '/dev/cpu_dma_latency', - '/dev/cpu/microcode', - '/dev/cros_ec', - '/dev/cuse', - '/dev/disk/', - '/dev/disk/by-diskseq', - '/dev/disk/by-id', - '/dev/disk/by-label', - '/dev/disk/by-partlabel', - '/dev/disk/by-partuuid', - '/dev/disk/by-path', - '/dev/disk/by-uuid', - '/dev/dm-', - '/dev/dma_heap/', - '/dev/dma_heap/system', - '/dev/dri/', - '/dev/dri/by-path', - '/dev/dri/card', - '/dev/dri/renderD', - '/dev/drm_dp_aux', - '/dev/dvd', - '/dev/ecryptfs', - '/dev/fb', - '/dev/fd/', - '/dev/full', - '/dev/fuse', - '/dev/gpiochip', - '/dev/hidraw', - '/dev/HID-SENSOR-e..auto', - '/dev/hpet', - '/dev/hugepages/', - '/dev/hugepages/libvirt', - '/dev/hwrng', - '/dev/ic-', - '/dev/iio:device', - '/dev/initctl', - '/dev/input/', - '/dev/input/by-id', - '/dev/input/by-path', - '/dev/input/event', - '/dev/input/js', - '/dev/input/mice', - '/dev/input/mouse', - 
'/dev/kfd', - '/dev/kmsg', - '/dev/kvm', - '/dev/log', - '/dev/loop', - '/dev/loop-control', - '/dev/lp', - '/dev/mapper/', - '/dev/mapper/control', - '/dev/mcelog', - '/dev/media', - '/dev/mei', - '/dev/mem', - '/dev/mqueue/', - '/dev/mtd', - '/dev/mtdro', - '/dev/net/', - '/dev/net/tun', - '/dev/ngn', - '/dev/null', - '/dev/nvidia', - '/dev/nvidia-caps/', - '/dev/nvidia-caps/nvidia-cap', - '/dev/nvidiactl', - '/dev/nvidia-modeset', - '/dev/nvidia-uvm', - '/dev/nvidia-uvm-tools', - '/dev/nvme', - '/dev/nvmen', - '/dev/nvmenp', - '/dev/nvram', - '/dev/port', - '/dev/ppp', - '/dev/pps', - '/dev/psaux', - '/dev/ptmx', - '/dev/ptp', - '/dev/pts/', - '/dev/pts/ptmx', - '/dev/random', - '/dev/rfkill', - '/dev/rpool/', - '/dev/rpool/keystore', - '/dev/rtc', - '/dev/sda', - '/dev/sg', - '/dev/shm/', - '/dev/snapshot', - '/dev/snd/', - '/dev/snd/by-id', - '/dev/snd/by-path', - '/dev/snd/controlC', - '/dev/snd/hwCD', - '/dev/snd/pcmCDc', - '/dev/snd/pcmCDp', - '/dev/snd/seq', - '/dev/snd/timer', - '/dev/sr', - '/dev/stderr', - '/dev/stdin', - '/dev/stdout', - '/dev/tpm', - '/dev/tpmrm', - '/dev/tty', - '/dev/ttyprintk', - '/dev/ttyS', - '/dev/udmabuf', - '/dev/uhid', - '/dev/uinput', - '/dev/urandom', - '/dev/usb/', - '/dev/usb/hiddev', - '/dev/usbmon', - '/dev/userfaultfd', - '/dev/userio', - '/dev/vboxdrv', - '/dev/vboxdrvu', - '/dev/vboxnetctl', - '/dev/vboxusb/', - '/dev/vcs', - '/dev/vcsa', - '/dev/vcsu', - '/dev/vda', - '/dev/vfio/', - '/dev/vfio/vfio', - '/dev/vg/', - '/dev/vga_arbiter', - '/dev/vg/root', - '/dev/vg/swap', - '/dev/vgubuntu/', - '/dev/vgubuntu/root', - '/dev/vgubuntu/swap_', - '/dev/vhci', - '/dev/vhost-net', - '/dev/vhost-vsock', - '/dev/video', - '/dev/vl/', - '/dev/vl/by-id', - '/dev/vl/by-path', - '/dev/watchdog', - '/dev/wmi/', - '/dev/wmi/dell-smbios', - '/dev/zd', - '/dev/zero', - '/dev/zfs', - '/dev/zram', - '/dev/zvol/', - '/dev/zvol/rpool', - '/dev/vlloopback' - ) - AND NOT path LIKE '/dev/mapper/%' - AND NOT path LIKE '/dev/shm/u%-Shm_%' - 
AND NOT path LIKE '/dev/shm/u%-ValveIPC%' \ No newline at end of file + ), + "8", + "" + ), + "9", + "" + ) AS path_expr, + file.* +FROM + file +WHERE + ( + path LIKE '/dev/%' + OR directory LIKE '/dev/%' + ) + AND path_expr NOT IN ( + '/dev/acpi_thermal_rel', + '/dev/autofs', + '/dev/block/', + '/dev/block/:', + '/dev/bsg/', + '/dev/bsg/:::', + '/dev/btrfs-control', + '/dev/bus/', + '/dev/bus/usb', + '/dev/cdrom', + '/dev/char/', + '/dev/char/:', + '/dev/console', + '/dev/core', + '/dev/cpu/', + '/dev/cpu_dma_latency', + '/dev/cpu/microcode', + '/dev/cros_ec', + '/dev/cuse', + '/dev/disk/', + '/dev/disk/by-diskseq', + '/dev/disk/by-id', + '/dev/disk/by-label', + '/dev/disk/by-partlabel', + '/dev/disk/by-partuuid', + '/dev/disk/by-path', + '/dev/disk/by-uuid', + '/dev/dm-', + '/dev/dma_heap/', + '/dev/dma_heap/system', + '/dev/dmmidi', + '/dev/dri/', + '/dev/dri/by-path', + '/dev/dri/card', + '/dev/dri/renderD', + '/dev/drm_dp_aux', + '/dev/dvd', + '/dev/ecryptfs', + '/dev/fb', + '/dev/fd/', + '/dev/full', + '/dev/fuse', + '/dev/gpiochip', + '/dev/hidraw', + '/dev/HID-SENSOR-e..auto', + '/dev/hpet', + '/dev/hugepages/', + '/dev/hugepages/libvirt', + '/dev/hwrng', + '/dev/ic-', + '/dev/iio:device', + '/dev/initctl', + '/dev/input/', + '/dev/input/by-id', + '/dev/input/by-path', + '/dev/input/event', + '/dev/input/js', + '/dev/input/mice', + '/dev/input/mouse', + '/dev/kfd', + '/dev/kmsg', + '/dev/kvm', + '/dev/log', + '/dev/loop', + '/dev/loop-control', + '/dev/lp', + '/dev/mapper/', + '/dev/mapper/control', + '/dev/mcelog', + '/dev/md', + '/dev/md/', + '/dev/md/ssraid', + '/dev/media', + '/dev/mei', + '/dev/mem', + '/dev/midi', + '/dev/mqueue/', + '/dev/mtd', + '/dev/mtdro', + '/dev/net/', + '/dev/net/tun', + '/dev/ngn', + '/dev/null', + '/dev/nvidia', + '/dev/nvidia-caps/', + '/dev/nvidia-caps/nvidia-cap', + '/dev/nvidiactl', + '/dev/nvidia-modeset', + '/dev/nvidia-uvm', + '/dev/nvidia-uvm-tools', + '/dev/nvme', + '/dev/nvmen', + '/dev/nvmenp', + '/dev/nvram', + 
'/dev/port', + '/dev/ppp', + '/dev/pps', + '/dev/psaux', + '/dev/ptmx', + '/dev/ptp', + '/dev/pts/', + '/dev/pts/ptmx', + '/dev/random', + '/dev/rfkill', + '/dev/rpool/', + '/dev/rpool/keystore', + '/dev/rtc', + '/dev/sda', + '/dev/sdb', + '/dev/serial/', + '/dev/serial/by-id', + '/dev/serial/by-path', + '/dev/sg', + '/dev/sgx_provision', + '/dev/sgx_vepc', + '/dev/shm/', + '/dev/shm/libpod_rootless_lock_', + '/dev/snapshot', + '/dev/snd/', + '/dev/snd/by-id', + '/dev/snd/by-path', + '/dev/snd/controlC', + '/dev/snd/hwCD', + '/dev/snd/midiCD', + '/dev/snd/pcmCDc', + '/dev/snd/pcmCDp', + '/dev/snd/seq', + '/dev/snd/timer', + '/dev/sr', + '/dev/stderr', + '/dev/stdin', + '/dev/stdout', + '/dev/tpm', + '/dev/tpmrm', + '/dev/tty', + '/dev/ttyACM', + '/dev/ttyprintk', + '/dev/ttyS', + '/dev/udmabuf', + '/dev/uhid', + '/dev/uinput', + '/dev/urandom', + '/dev/usb/', + '/dev/usb/hiddev', + '/dev/usbmon', + '/dev/userfaultfd', + '/dev/userio', + '/dev/vboxdrv', + '/dev/vboxdrvu', + '/dev/vboxnetctl', + '/dev/vboxusb/', + '/dev/vcs', + '/dev/vcsa', + '/dev/vcsu', + '/dev/vda', + '/dev/vfio/', + '/dev/vfio/vfio', + '/dev/vg/', + '/dev/vga_arbiter', + '/dev/vg/root', + '/dev/vg/swap', + '/dev/vgubuntu/', + '/dev/vgubuntu/root', + '/dev/vgubuntu/swap_', + '/dev/vhci', + '/dev/vhost-net', + '/dev/vhost-vsock', + '/dev/video', + '/dev/vl/', + '/dev/vl/by-id', + '/dev/vl/by-path', + '/dev/vlloopback', + '/dev/watchdog', + '/dev/wmi/', + '/dev/wmi/dell-smbios', + '/dev/zd', + '/dev/zero', + '/dev/zfs', + '/dev/zram', + '/dev/zvol/', + '/dev/zvol/rpool' + ) + AND NOT path LIKE '/dev/mapper/%' + AND NOT path LIKE '/dev/shm/u%-Shm_%' + AND NOT path LIKE '/dev/shm/u%-ValveIPC%' diff --git a/detection/persistence/unexpected-launchd-program-arguments.sql b/detection/persistence/unexpected-launchd-program-arguments.sql index 87fc953..3b243a3 100644 --- a/detection/persistence/unexpected-launchd-program-arguments.sql +++ b/detection/persistence/unexpected-launchd-program-arguments.sql 
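Review bot: The reformatted REPLACE chain still quotes its digit literals with double quotes (`"0"` through `"9"` and `""`) while the rest of the query uses single quotes; SQLite treats a double-quoted token as an identifier first and only falls back to a string literal through a legacy option, so `REPLACE(path, '0', '')` is the form that cannot be misread. The newly allowlisted names (`/dev/md/ssraid`, `/dev/sgx_provision`, `/dev/sgx_vepc`, the `/dev/serial/` entries, `/dev/ttyACM`, `/dev/shm/libpod_rootless_lock_`) would each benefit from a one-line comment, since after digit stripping an entry such as `/dev/sdb` or `/dev/ttyACM` stands for every numbered instance of that device. The hunk is otherwise a whitespace reformat of the existing query.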
@@ -40,6 +40,7 @@ WHERE
 'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
 'Developer ID Application: Keybase, Inc. (99229SGT5K)',
 'Developer ID Application: Kolide Inc (YZ3EM74M78)',
+ 'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
 'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
 'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
diff --git a/detection/persistence/unexpected-launchd-program-macos.sql b/detection/persistence/unexpected-launchd-program-macos.sql
index 62f9e58..d0526ec 100644
--- a/detection/persistence/unexpected-launchd-program-macos.sql
+++ b/detection/persistence/unexpected-launchd-program-macos.sql
@@ -37,7 +37,8 @@ WHERE
 'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
 'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
 'Developer ID Application: Valve Corporation (MXGJJ98X76)',
- 'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)'
+ 'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',
+ 'Software Signing'
 )
 AND program NOT IN ('/usr/local/MacGPG2/libexec/shutdown-gpg-agent')
 AND NOT (
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 0eb03fc..3ff4fe8 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -117,6 +117,7 @@ WHERE
 '5432,6,70,postgres',
 '546,17,500,dhcpcd',
 '5556,6,500,dex',
+ '5556,6,500,openshot-qt',
 '5558,6,500,dex',
 '58,255,0,dhcpcd',
 '58,255,0,NetworkManager',
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 3239c5c..1da10b8 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
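Review bot: The added `'Developer ID Application: Kolide, Inc (X98UFR7HA3)'` row sits directly under `Kolide Inc (YZ3EM74M78)` with a different team ID and punctuation, and nothing in the list records that both are intentional. Because the whole authority string is the match key, trusting a second team ID is a separate trust decision, yet side by side the pair reads like a typo that a later cleanup could "fix" by deleting one. A short comment on the new line, e.g. `-- second Kolide team ID, see <reference placeholder>`, would preserve the reason. The enclosing `NOT IN` list starts and ends outside the hunk.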
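Review bot: In the unexpected-launchd-program-macos.sql hunk, the new `'Software Signing'` entry exempts launchd programs by platform rather than by vendor: that authority is on every binary Apple ships, whereas each neighbouring row pins a single Developer ID team. From this point on, how narrow the exemption is depends entirely on the `program NOT IN (...)` and `AND NOT (` conditions that follow, whose bodies are outside the hunk. If the goal is to stop alerting on Apple's own daemons, consider tying the exemption to the program path instead of listing the authority alone (the authority column name is outside the hunk), or at least add `-- Apple platform binaries; path is checked separately below` so the breadth is deliberate rather than incidental.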
@@ -62,12 +62,14 @@ WHERE
 '138,17,222,netbiosd,Software Signing',
 '16587,6,500,RescueTime,Developer ID Application: RescueTime, Inc (FSY4RB8H39)',
 '17500,6,500,Dropbox,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
+ '1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '2112,6,500,fake,',
 '2112,6,500,rekor-server,',
 '2112,6,500,timestamp-server,',
 '22000,6,500,syncthing,',
 '22,6,0,launchd,Software Signing',
 '24678,6,500,node,',
+ '28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
 '33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
 '3306,6,500,mariadbd,',
@@ -108,7 +110,6 @@ WHERE
 '53,17,65,mDNSResponder,Software Signing',
 '53,6,500,dnsmasq,',
 '53,6,65,mDNSResponder,Software Signing',
- '28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '546,17,0,configd,Software Signing',
 '547,17,500,dhcp6d,Software Signing',
 '5900,6,0,launchd,Software Signing',
@@ -119,8 +120,6 @@ WHERE
 '67,17,0,bootpd,Software Signing',
 '67,17,0,launchd,Software Signing',
 '68,17,0,configd,Software Signing',
- '28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
- '1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '7000,6,500,ControlCenter,Software Signing',
 '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '8770,6,500,sharingd,Software Signing',
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 83804b8..54130fb 100644
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -101,13 +101,13 @@ WHERE
 'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
 'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
 'containerd,/usr/bin/containerd,0,system.slice,containerd.service,0755',
+ 'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
 'containerd,/usr/bin/containerd,0,system.slice,docker.service,0755',
 'crond,/usr/bin/crond,0,system.slice,cronie.service,0755',
 'crond,/usr/sbin/crond,0,system.slice,crond.service,0755',
 'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
 'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
 'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
- 'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
 'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755 p0_cgroup:/system.slice/networking.service',
 'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
 'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
@@ -130,6 +130,7 @@ WHERE
 'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
 'gdm3,/usr/sbin/gdm3,0,system.slice,gdm.service,0755',
 'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-1000.slice,0755',
+ 'gdm-session-wor,/usr/libexec/gdm-session-worker,0,user.slice,user-42.slice,0755',
 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-1000.slice,0755',
 'gdm-session-wor,/usr/lib/gdm-session-worker,0,user.slice,user-120.slice,0755',
 'gdm,/usr/bin/gdm,0,system.slice,gdm.service,0755',
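Review bot: The new `'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755'` row is inserted between the two `containerd` entries, while the rest of this allowlist is kept in alphabetical order — the same commit moves the `gdm-session-wor … user-42.slice` row into its sorted place in the second hunk of this file. Sorted order is what makes duplicates and near-duplicates visible by eye in a list this long, so the `yum` row belongs down among the `y` entries, next to where its twin `'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755'` sits in sorted position. The enclosing `NOT IN` list starts and ends outside the hunk.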
@@ -147,6 +148,7 @@ WHERE
 'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-1000.slice,0555',
 'lightdm,/usr/bin/lightdm,0,system.slice,lightdm.service,0755',
 'lightdm,/usr/bin/lightdm,0,user.slice,user-1000.slice,0755',
+ 'lightdm,/usr/bin/lightdm,0,user.slice,user-974.slice,0755',
 'lima-guestagent,/usr/local/bin/lima-guestagent,0,system.slice,lima-guestagent.service,0755',
 'low-memory-moni,/usr/libexec/low-memory-monitor,0,system.slice,low-memory-monitor.service,0755',
 'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
@@ -188,7 +190,6 @@ WHERE
 'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
 'sshd,/usr/sbin/sshd,0,system.slice,ssh.service,0755',
 'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
- 'flatpak-system-,/usr/lib/flatpak-system-helper,0,system.slice,flatpak-system-helper.service,0755',
 'ssh,/nix/store/__VERSION__/bin/ssh,0,system.slice,znapzend.service,0555',
 'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
 'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index 16b3ef7..56cc473 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -67,7 +67,6 @@ WHERE -- Focus on longer-running programs
 '/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmnet-natd',
 '/Library/Application Support/VMware/VMware Fusion/Services/Contents/Library/vmware-usbarbitrator',
 '/Applications/VMware Fusion.app/Contents/Library/vmware-vmx',
- '/bin/bash',
 '/usr/sbin/sshd',
 '/usr/libexec/trustdFileHelper',
@@ -91,6 +90,7 @@ WHERE -- Focus on longer-running programs
 '/Library/PrivilegedHelperTools/com.docker.vmnetd',
 '/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac4.Agent',
 '/Library/PrivilegedHelperTools/keybase.Helper',
+ '/Library/SystemExtensions/CC9A335C-A6D0-4C87-B902-45EBDF4BFD85/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension',
 '/Library/SystemExtensions/2DA71D8A-7905-4012-A7D5-0B246D5AA77B/at.obdev.littlesnitch.networkextension.systemextension/Contents/MacOS/at.obdev.littlesnitch.networkextension',
 '/opt/homebrew/Cellar/telepresence-arm64/2.7.6/bin/telepresence',
 '/sbin/launchd',
diff --git a/detection/privesc/unexpected-elevated-children-events_linux.sql b/detection/privesc/unexpected-elevated-children-events_linux.sql
index c30ffb7..95044ff 100644
--- a/detection/privesc/unexpected-elevated-children-events_linux.sql
+++ b/detection/privesc/unexpected-elevated-children-events_linux.sql
@@ -13,7 +13,6 @@
 -- interval: 600
 SELECT
 file.mode AS p0_binary_mode,
- pe.cmdline_size AS p0_cmd_size,
 -- Child
 pe.path AS p0_path,
 REGEX_MATCH (pe.path, '.*/(.*)', 1) AS p0_name,
diff --git a/detection/privesc/unexpected-elevated-children-events_macos.sql b/detection/privesc/unexpected-elevated-children-events_macos.sql
index 539ebba..656b509 100644
--- a/detection/privesc/unexpected-elevated-children-events_macos.sql
+++ b/detection/privesc/unexpected-elevated-children-events_macos.sql
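Review bot: The new `com.google.one.NetworkExtension` row embeds the `CC9A335C-A6D0-4C87-B902-45EBDF4BFD85` directory under `/Library/SystemExtensions/`, which looks like a per-activation UUID, so the exact-match entry presumably only silences the one machine it was copied from; the existing Little Snitch row on the next line has the same limitation. The stable part of the path is the bundle identifier after the UUID, and the binary remains subject to whatever signature conditions the query applies elsewhere, so a pattern on that part is more durable, e.g. `AND NOT <program column> LIKE '/Library/SystemExtensions/%/com.google.one.NetworkExtension.systemextension/Contents/MacOS/com.google.one.NetworkExtension'` placed beside the `NOT IN` list (the column name is outside the hunk). If the exact path is intentional, a comment saying so on the line would stop the next reader from "generalising" it.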
@@ -87,18 +87,19 @@ WHERE
 AND p1_path NOT IN (
 '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared',
 '/usr/libexec/PerfPowerServicesExtended',
+ '/System/Library/PrivateFrameworks/AOSKit.framework/Versions/A/XPCServices/com.apple.iCloudHelper.xpc/Contents/MacOS/com.apple.iCloudHelper',
 '/usr/bin/login',
 '/usr/bin/su',
 '/usr/bin/sudo',
+ '/usr/libexec/mdmclient',
 '/usr/local/bin/doas'
 )
 -- Exclude weird bad data we've seen due to badly recorded macOS parent/child relationships, fixable by reboot
- AND NOT (
- p0_cmd IN (
- '/usr/sbin/cupsd -l',
- '/usr/libexec/mdmclient daemon',
- '/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
- )
+ AND NOT p0_cmd IN (
+ '/usr/sbin/cupsd -l',
+ '/usr/libexec/PerfPowerServicesExtended',
+ '/usr/libexec/mdmclient daemon',
+ '/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared'
 )
 AND NOT (
 pe.euid = 262 -- core media helper id
diff --git a/detection/privesc/unexpected-privileged-containers.sql b/detection/privesc/unexpected-privileged-containers.sql
index 4c41747..857dc24 100644
--- a/detection/privesc/unexpected-privileged-containers.sql
+++ b/detection/privesc/unexpected-privileged-containers.sql
@@ -31,6 +31,7 @@ WHERE
 'distroless.dev/melange',
 'docker.io/rancher/k3s',
 'gcr.io/k8s-minikube/kicbase',
+ 'ghcr.io/wolfi-dev/sdk',
 'kindest/node',
 'moby/buildkit',
 'wolfi'
diff --git a/policy/gcp-service-account-keys-mdfind.sql b/policy/gcp-service-account-keys-mdfind.sql
index 61dc1e8..328513f 100644
--- a/policy/gcp-service-account-keys-mdfind.sql
+++ b/policy/gcp-service-account-keys-mdfind.sql
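Review bot: Adding `'/usr/libexec/mdmclient'` to the `p1_path NOT IN` list widens the existing exemption from one exact child command line (`'/usr/libexec/mdmclient daemon'` in the `p0_cmd` list, which is kept) to every elevated child whose parent is mdmclient, whatever that child runs — assuming `p1` is the parent as in the sibling Linux query. That may well be wanted for MDM-driven installs, but the only comment nearby ("Exclude weird bad data … fixable by reboot") describes the `p0_cmd` block, not this broader parent-based exemption, so a line such as `-- mdmclient spawns privileged installers on managed hosts` at the new entry would record the intent. Separately, `'/usr/libexec/PerfPowerServicesExtended'` now appears in both lists; if `p0_cmd` is the full command line, the bare path in the `p0_cmd` list only matches an invocation with no arguments, unlike the other entries there which carry their arguments, so confirm it is not simply redundant with the `p1_path` row. The enclosing WHERE clause starts and ends outside the hunk.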
@@ -14,7 +14,8 @@ FROM
 LEFT JOIN file ON mdfind.path = file.path
 LEFT JOIN users u ON file.uid = u.uid
 LEFT JOIN hash ON mdfind.path = hash.path
- LEFT JOIN extended_attributes ea ON mdfind.path = ea.path AND ea.key = 'where_from'
+ LEFT JOIN extended_attributes ea ON mdfind.path = ea.path
+ AND ea.key = 'where_from'
 LEFT JOIN magic ON mdfind.path = magic.path
 LEFT JOIN signature ON mdfind.path = signature.path
 WHERE
@@ -22,6 +23,9 @@ WHERE
 AND file.filename LIKE "%-%-%.json"
 AND file.directory NOT LIKE '%/go/pkg/%'
 AND file.directory NOT LIKE '%/go/src/%'
+ AND NOT file.directory LIKE '%/aws-sdk/apis'
+ AND NOT file.directory LIKE '%/testdata/%'
+ AND NOT file.directory LIKE '%/schemas'
 AND file.directory NOT LIKE '/Users/%/Library/Application Support/%'
 AND file.directory NOT LIKE '%demo'
 AND file.size BETWEEN 2311 AND 2385
@@ -33,5 +37,6 @@ WHERE
 REPLACE(LOWER(TRIM(u.description)), " ", "-")
 ) == 1
 -- Common filenames that are non-controversial
- AND file.filename NOT IN ('service-account-file.json')
-GROUP BY file.path
+ AND NOT file.filename IN ('service-account-file.json')
+GROUP BY
+ file.path
diff --git a/policy/unexpected-rsa-keys.sql b/policy/unexpected-rsa-keys.sql
index b9ae6d8..8eb5929 100644
--- a/policy/unexpected-rsa-keys.sql
+++ b/policy/unexpected-rsa-keys.sql
@@ -44,4 +44,4 @@ WHERE
 REPLACE(LOWER(TRIM(description)), " ", "-")
 ) == 1
 -- Common filenames that are non-controversial
- AND file.filename NOT IN ('local-melange.rsa', 'melange.rsa')
+ AND NOT file.filename LIKE '%melange.rsa%'
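Review bot: In the `@@ -22,6 +23,9 @@` hunk of gcp-service-account-keys-mdfind.sql, the three new exclusions are written `NOT file.directory LIKE …` while the five surrounding lines of the same predicate block use `file.directory NOT LIKE …`, and the third hunk likewise turns `file.filename NOT IN` into `NOT file.filename IN`, so the file now mixes both spellings. Either form is fine, but pick one per block: rewrite the neighbours as `AND NOT file.directory LIKE '%/go/pkg/%'` and so on, or write the new ones as `AND file.directory NOT LIKE '%/aws-sdk/apis'`. The `'%/testdata/%'` pattern also exempts any candidate key file under a testdata directory anywhere on disk, which is a coverage trade-off worth one comment, e.g. `-- vendored SDK fixtures and schemas, not real keys`. The WHERE clause continues outside the hunk.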
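Review bot: In unexpected-rsa-keys.sql, `NOT file.filename LIKE '%melange.rsa%'` is wider than the two exact names it replaces: the trailing `%` also exempts any filename that merely contains that substring (a constructed example would be `melange.rsa.bak`), and SQLite's `LIKE` is case-insensitive for ASCII, so the old exact `NOT IN` check was stricter than this on both counts. If the intent is only to cover prefixed variants such as `local-melange.rsa`, anchoring the end with `AND NOT file.filename LIKE '%melange.rsa'` keeps that while still requiring the known name to terminate the filename. The enclosing WHERE clause starts outside the hunk.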