osquery-defense-kit/detection/evasion/unexpected-alf-exceptions-m...

128 lines
5.6 KiB
SQL

-- macOS application layer firewall (ALF) service exceptions.
--
-- false positives:
-- * locally built software
--
-- tags: persistent state filesystem
-- platform: darwin
SELECT
ae.path,
ae.state,
file.mtime,
file.ctime,
file.uid,
file.directory,
file.size,
file.type,
hash.sha256,
signature.identifier,
signature.authority,
CONCAT (
signature.authority,
',',
signature.identifier,
',',
ae.path,
',',
MIN(file.uid, 501)
) AS exception_key
FROM
alf_exceptions ae
LEFT JOIN file ON ae.path = file.path
LEFT JOIN hash ON ae.path = hash.path
LEFT JOIN signature ON ae.path = signature.path
WHERE -- Filter out stock exceptions to decrease overhead
ae.path NOT IN (
'/System/Library/CoreServices/UniversalControl.app/',
'/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig',
'/System/Library/PrivateFrameworks/EmbeddedOSInstall.framework/Versions/A/XPCServices/EmbeddedOSInstallService.xpc/',
'/usr/bin/nmblookup',
'/usr/libexec/bootpd',
'/usr/libexec/configd',
'/usr/libexec/discoveryd',
'/usr/libexec/xartstorageremoted',
'/usr/sbin/mDNSResponder',
'/usr/sbin/racoon'
) -- Ignore files that ahve already been removed
AND file.filename NOT NULL
AND exception_key NOT IN (
',a.out,/private/tmp/learning-labs-static/server,501',
',a.out,/Users/amouat/proj/learning-labs-static/server,501',
',a.out,/Users/dlorenc/.wash/downloads/nats-server,501',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.localized/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
',deskflow-server,/Applications/Deskflow.app/Contents/MacOS/deskflow-server,501',
'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension,/Library/SystemExtensions/AD3BCA34-237A-4135-B7A4-0F7477D9144C/com.adguard.mac.adguard.network-extension.systemextension/,0',
'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,0',
'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/,0',
'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
'/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
',,/Users/cpanato/code/src/github.com/sigstore/docs/node_modules/.bin/hugo/hugo,501'
)
-- Signed
AND NOT exception_key LIKE 'Developer ID Application:%,/Applications/%.app/,501'
-- Unsigned
AND NOT exception_key LIKE ',,/Applications/%.app/,'
-- Locally compiled
AND NOT exception_key LIKE ',a.out,/Users/%,501'
-- Homebrew
AND NOT exception_key LIKE ',%,/opt/homebrew/Cellar/%,501'
-- Nix
AND NOT exception_key LIKE ',%,/nix/store/%,0'
AND NOT exception_key LIKE ',%,/nix/store/%,501'
-- Apple (root)
AND NOT exception_key LIKE 'Software Signing,com.apple.%,0'
-- App Store
AND NOT exception_key LIKE 'Apple Mac OS Application Signing,%,/Applications/%.app/,0'
-- Other weirdo apps
AND NOT exception_key LIKE 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/%/Library/Caches/Cypress/%/Cypress.app/,501'
AND NOT exception_key LIKE 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/%'
AND NOT exception_key LIKE 'Developer ID Application: The Foundry (82R497YNSK),org.python.python,/Applications/Nuke%/Contents/Frameworks/Python.framework/Versions/%/Resources/Python.app/,501'
AND NOT signature.authority IN (
'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
'Developer ID Application: The Foundry (82R497YNSK)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: OpenAI, L.L.C. (2DC432GLL2)'
)
AND NOT (
signature.identifier LIKE 'fake-%'
AND ae.path LIKE '%/exe/fake'
)
AND NOT (
signature.identifier = 'nix'
AND ae.path LIKE '/nix/store/%-nix-%/bin/nix'
)
AND NOT (
ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
)
AND NOT (
signature.authority = ''
AND signature.identifier = 'org.chromium.Chromium'
AND ae.path LIKE '/Users/%/Library/pnpm/global/%/.pnpm/carlo@%/node_modules/carlo/lib/.local-data/mac-%/chrome-mac/Chromium.app/'
)
-- End user tools
AND NOT (
(
signature.identifier = 'a.out'
OR signature.identifier LIKE '%-%'
)
AND file.uid > 500
AND (
file.directory LIKE '/opt/homebrew/Cellar/%/bin'
OR file.directory LIKE '/Users/%/bin'
OR file.directory LIKE '/Users/%/code/%'
OR file.directory LIKE '/Users/%/src/%'
OR file.directory LIKE '/Users/%/gh/%'
OR file.directory LIKE '/Users/%/debug/%'
OR file.directory LIKE '/Users/%/target/%'
OR file.directory LIKE '/Users/%/tmp/%'
OR file.directory LIKE '/Users/%/sigstore/%'
OR file.directory LIKE '/Users/%/node_modules/.bin/%'
OR file.directory LIKE '/Users/%/git/%'
OR file.directory LIKE '/Users/%/%-cli'
OR file.directory LIKE '/private/var/folders/%/T/go-build%/exe'
)
)
GROUP BY
exception_key