osquery-defense-kit/net/unexpected-talkers-macos.sql


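-- Unexpected talkers (macOS): report processes holding a socket to a peer that is
-- neither local nor private, and that no allow-list entry below explains.
--
-- The allow-lists are layered: path prefixes, then a DNS-client name list, then
-- exact exception_key matches, then ad-hoc patterns. Every entry is a blind spot by
-- construction (whatever it matches is never reported), so keep entries as narrow
-- as the tooling allows and prefer exception_key entries, which pin the signer.
SELECT
    protocol,
    s.local_port,
    s.remote_port,
    s.remote_address,
    p.name,
    p.path,
    p.cmdline AS child_cmd,
    p.cwd,
    s.pid,
    p.parent AS parent_pid,
    pp.path AS parent_path,
    pp.cmdline AS parent_cmd,
    hash.sha256,
    -- exception_key layout: "<remote_port>,<protocol>,<uid>,<name>,<signing identifier>,<signing authority>".
    -- Scalar MIN() clamps two fields: remote ports at or above 32768 collapse to
    -- 32768 so a single entry covers the ephemeral range, and every uid at or above
    -- 500 collapses to 500 so entries only distinguish root (0) from regular users.
    CONCAT (
        MIN(s.remote_port, 32768),
        ",",
        protocol,
        ",",
        MIN(p.uid, 500),
        ",",
        p.name,
        ",",
        signature.identifier,
        ",",
        signature.authority
    ) AS exception_key
FROM process_open_sockets s
    -- All joins are LEFT so a socket is not lost when its process, hash or signature
    -- row is unavailable. Note that NULL p.* columns still drop the row below, because
    -- NULL NOT LIKE ... is NULL; a socket whose owner has already exited is therefore
    -- not reported.
    LEFT JOIN processes p ON s.pid = p.pid
    LEFT JOIN processes pp ON pp.pid = p.parent
    LEFT JOIN hash ON p.path = hash.path
    LEFT JOIN signature ON p.path = signature.path
WHERE protocol > 0
    AND s.remote_port > 0
    -- Loopback, link-local and private (RFC 1918 / ULA) peers are not "unexpected".
    AND s.remote_address NOT IN ("127.0.0.1", "::ffff:127.0.0.1", "::1")
    AND s.remote_address NOT LIKE "fe80:%"
    AND s.remote_address NOT LIKE "127.%"
    AND s.remote_address NOT LIKE "192.168.%"
    -- 172.16.0.0/12 exactly. The earlier "172.1%" / "172.2%" / "::ffff:172.%"
    -- patterns also hid public space (172.1.x, 172.10-15.x, 172.2.x, ...). GLOB is
    -- used because LIKE has no character classes; GLOB is case-sensitive, which only
    -- matters for the hex "ffff" prefix.
    AND s.remote_address NOT GLOB "172.1[6-9].*"
    AND s.remote_address NOT GLOB "172.2[0-9].*"
    AND s.remote_address NOT GLOB "172.3[01].*"
    AND s.remote_address NOT GLOB "::ffff:172.1[6-9].*"
    AND s.remote_address NOT GLOB "::ffff:172.2[0-9].*"
    AND s.remote_address NOT GLOB "::ffff:172.3[01].*"
    AND s.remote_address NOT LIKE "10.%"
    AND s.remote_address NOT LIKE "::ffff:10.%"
    AND s.remote_address NOT LIKE "fc00:%"
    AND s.state != "LISTEN"
    -- Ignore most common application paths.
    -- These are trust-by-location exclusions: any binary executing from one of these
    -- prefixes is never reported, regardless of signer or destination.
    AND p.path NOT LIKE "/Applications/%.app/Contents/%"
    AND p.path NOT LIKE "/Library/Apple/System/Library/%"
    AND p.path NOT LIKE "/Library/Application Support/%/Contents/%"
    AND p.path NOT LIKE "/System/Applications/%"
    AND p.path NOT LIKE "/System/Library/%"
    AND p.path NOT LIKE "/Users/%/Library/%.app/Contents/MacOS/%"
    AND p.path NOT LIKE "/System/%"
    AND p.path NOT LIKE "/opt/homebrew/Cellar/%/bin/%"
    AND p.path NOT LIKE "/usr/libexec/%"
    AND p.path NOT LIKE "/usr/sbin/%"
    AND p.path NOT LIKE "/private/var/folders/%/go-build%/%"
    -- Programs allowed to talk to an external DNS resolver (TCP or UDP 53) by name
    -- only; no signer is checked for this list.
    AND NOT (
        remote_port = 53
        AND protocol IN (6, 17)
        AND p.name IN (
            "1password",
            "Acrobat Update Helper",
            "chainctl",
            "cloud_sql_proxy",
            "Code Helper",
            "com.apple.MobileSoftwareUpdate.UpdateBrainService",
            "cosign",
            "crc",
            "curl",
            "dig",
            "Evernote Helper",
            "figma_agent",
            "gh",
            "git-remote-http",
            "gitsign",
            "go",
            "grafana-server",
            "grype",
            "host",
            "htop",
            "istioctl",
            "k6",
            "k9s",
            "ko",
            "launcher",
            "ngrok",
            "nix",
            "node",
            "obs",
            "obs-browser-page",
            "obs-ffmpeg-mux",
            "obsidian",
            "opera",
            "ping",
            "Python",
            "python3.10",
            "Reflect",
            "Reflect Helper",
            "ruby",
            "sample",
            "ssh",
            "steam_osx",
            "syncthing",
            "tailscaled",
            "terraform",
            "tkn",
            "traceroute",
            "vcluster",
            "wget",
            "whois",
            "zoom"
        )
    )
    -- Exact exception_key matches. An empty identifier/authority means the binary is
    -- unsigned or the signature could not be read; "a.out" with an empty authority is
    -- typical of ad-hoc-signed Go builds and says nothing about who produced them.
    AND NOT exception_key IN (
        "22,6,500,Cyberduck,ch.sudo.cyberduck,Developer ID Application: David Kocher (G69SCX94XU)",
        "22,6,500,ssh,,",
        "22,6,500,ssh,com.apple.openssh,Software Signing",
        "22,6,500,ssh,ssh,",
        "22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,",
        "30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
        "30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
        "32768,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
        "3307,6,500,cloud_sql_proxy,a.out,",
        "43,6,500,DropboxMacUpdate,com.dropbox.DropboxMacUpdate,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)",
        "443,17,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
        "443,17,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing",
        "443,17,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
        "443,17,500,Slack Helper,,",
        "443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing",
        "443,6,0,Install,com.adobe.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)",
        "443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)",
        "443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)",
        "443,6,0,nix,nix,",
        "443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
        "443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)",
        -- Blank name, identifier and authority: any unnamed, unsigned process on
        -- 443/TCP running as a regular user. This is the broadest entry in the list;
        -- replace it with a specific key once the source is identified.
        "443,6,500,,,",
        "443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)",
        -- Exempting shells and interpreters (bash, zsh, Python, vim, emacs) on 443/TCP
        -- removes visibility into script-driven egress; keep these to a minimum.
        "443,6,500,bash,bash,",
        "443,6,500,chainctl,,",
        "443,6,500,chainctl,a.out,",
        "443,6,500,chainctl_Darwin_arm64,a.out,",
        "443,6,500,civo,a.out,",
        "443,6,500,cloud_sql_proxy,a.out,",
        "443,6,500,Code Helper,com.microsoft.VSCode.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
        "443,6,500,Code Helper (Renderer),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
        "443,6,500,cosign,,",
        "443,6,500,cosign,a.out,",
        "443,6,500,crane,,",
        "443,6,500,crane,a.out,",
        "443,6,500,ctclient,a.out,",
        "443,6,500,curl,com.apple.curl,Software Signing",
        "443,6,500,docker-credential-gcr,a.out,",
        "443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
        "443,6,500,emacs-28.2,emacs-28.2,",
        "443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing",
        "443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)",
        "443,6,500,gh,a.out,",
        "443,6,500,gh,gh,",
        "443,6,500,git,com.apple.git,Software Signing",
        "443,6,500,git,git,",
        "443,6,500,git-remote-http,com.apple.git-remote-http,Software Signing",
        "443,6,500,git-remote-http,git-remote-http-5555494493930c47f9d9385e94cdee8b19968153,",
        "443,6,500,git-remote-http,git-remote-http-55554944ce011d0e889a3cf58e5ac97ac15728f3,",
        "443,6,500,git-remote-http,git-remote-http-55554944e5dca79a2b44332e941af547708b0c68,",
        "443,6,500,gitsign,,",
        "443,6,500,gitsign,a.out,",
        "443,6,500,gitsign,gitsign,",
        "443,6,500,go,a.out,",
        "443,6,500,go,org.golang.go,Developer ID Application: Google LLC (EQHXZ8M8AV)",
        "443,6,500,helm,a.out,",
        "443,6,500,istioctl,a.out,",
        "443,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
        "443,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
        "443,6,500,ko,a.out,",
        "443,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)",
        "443,6,500,kubectl,,",
        "443,6,500,kubectl,a.out,",
        "443,6,500,limactl,,",
        "443,6,500,main,a.out,",
        "443,6,500,melange,a.out,",
        "443,6,500,minikube,,",
        "443,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)",
        "443,6,500,nix,nix,",
        "443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)",
        "443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)",
        "443,6,500,prober,a.out,",
        "443,6,500,pulumi-resource-gcp,a.out,",
        "443,6,500,pulumi-resource-github,a.out,",
        "443,6,500,python2.7,python2.7,",
        "443,6,500,python3.10,python3.10,",
        "443,6,500,Python,com.apple.python3,Software Signing",
        "443,6,500,Python,org.python.python,",
        "443,6,500,Python,Python,",
        "443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
        "443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)",
        "443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing",
        "443,6,500,scorecard-darwin-amd64,,",
        "443,6,500,Slack Helper,,",
        "443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing",
        "443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)",
        "443,6,500,step,step,",
        "443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)",
        "443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)",
        "443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)",
        "443,6,500,vegeta,a.out,",
        "443,6,500,vim,vim,",
        "443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)",
        "443,6,500,zsh,com.apple.zsh,Software Signing",
        "53,17,500,docker-credential-gcr,a.out,",
        "6000,6,500,ssh,,",
        "6000,6,500,ssh,com.apple.openssh,Software Signing",
        "6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,",
        "80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing",
        "80,6,500,curl,com.apple.curl,Software Signing",
        "80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)",
        "80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)",
        "80,6,500,webhook.test,a.out,"
    )
    -- The parent-process patterns below read pp.* columns from a LEFT JOIN. They are
    -- wrapped in COALESCE so a missing parent row evaluates the pattern to FALSE and
    -- the socket is still reported; without it, NOT (NULL AND TRUE) is NULL and the
    -- row would silently vanish whenever the port/protocol part matched.
    -- nix-shell infects children with open connections
    AND NOT (
        COALESCE(pp.cmdline, "") LIKE "%/tmp/nix-shell%"
        AND remote_port = 443
        AND protocol = 6
    )
    -- These programs would normally never make an outgoing connection, but thanks to Nix, it can happen.
    AND NOT (
        (
            remote_address LIKE "151.101.%"
            OR remote_address LIKE "140.82.%"
        )
        AND remote_port = 443
        AND protocol = 6
        AND COALESCE(pp.path, "") LIKE "/nix/%/bash"
    )
    -- More complicated patterns go here
    AND NOT (
        p.name = "syncthing"
        AND (
            remote_port IN (53, 80, 88, 110, 443, 587, 993)
            OR remote_port > 1024
        )
    )
    AND NOT (
        p.name IN (
            "Google Chrome Helper",
            "Brave Browser Helper",
            "Chromium Helper",
            "Opera Helper"
        )
        AND remote_port IN (
            53,
            443,
            80,
            8009,
            8080,
            8888,
            8443,
            5228,
            32211,
            10001,
            3478,
            19305,
            19306,
            5004,
            9000,
            19307,
            19308,
            19309
        )
    )
    AND NOT (
        p.name IN ("Mail", "thunderbird", "Spark", "Notes")
        AND remote_port IN (53, 143, 443, 587, 465, 585, 993)
    )
    AND NOT (
        COALESCE(pp.path, "") = "/Applications/Minecraft.app/Contents/MacOS/launcher"
        AND remote_port > 30000
    )
    AND NOT (
        p.name IN ("Spotify Helper", "Spotify")
        AND remote_port IN (53, 443, 8009, 4070, 32211)
    )
    AND NOT (
        remote_port IN (53, 443)
        AND p.name LIKE "terraform-provider-%"
    )
    AND NOT (
        remote_port IN (53, 443)
        AND p.name LIKE "kubectl.%"
    )
    AND NOT (
        p.cmdline LIKE "%google-cloud-sdk/lib/gcloud.py%"
        AND remote_port IN (80, 443, 53)
    )
    -- Slack update?
    -- Process name is sometimes empty here?
    AND NOT (
        p.path = ""
        AND COALESCE(pp.cmdline, "") LIKE "%/Slack"
    )
    AND NOT (
        p.cmdline = "/Applications/Craft.app/Contents/MacOS/Craft"
        AND remote_port = 443
        AND protocol = 6
    )
    AND NOT (
        remote_port IN (53, 443)
        AND p.path LIKE "/private/var/folders/%/T/GoLand/%"
    )
-- One row per process. The non-aggregated socket columns (remote_address,
-- remote_port, local_port) come from an arbitrary qualifying socket of that process
-- (SQLite bare-column behaviour), so a process with several unexpected peers
-- surfaces only one of them per run.
GROUP BY s.pid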