From 6fe74680a0e20c1eae289ac617c6409ff59d300f Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Fri, 28 Jun 2024 10:08:04 -0400 Subject: [PATCH] fpr: June 28 - final rule tuning --- detection/c2/unexpected-dns-traffic.sql | 1 + detection/c2/unexpected-https-linux.sql | 3 + detection/c2/unexpected-https-macos.sql | 28 ++-- detection/c2/unexpected-talkers-linux.sql | 2 + .../unexpected-dev-opener-linux.sql | 18 ++- detection/evasion/hidden-executable.sql | 1 + .../evasion/unexpected-ld-so-files-linux.sql | 9 +- .../unexpected-tmp-executables-linux.sql | 22 ++-- .../unexpected-user-executables-macos.sql | 8 ++ .../unexpected-user-shared-entries.sql | 2 + .../execution/unexpected-env-values-macos.sql | 2 + .../unexpected-gatekeeper-approvals-macos.sql | 1 + ...ected-security-framework-program-macos.sql | 122 +++++++++--------- ...yara-unexpected-rust-http-exec-process.sql | 12 +- .../unexpected-shell-parent-events.sql | 2 + .../unexpected-shell-parents.sql | 2 + .../listening-from-unusual-location.sql | 6 + .../unexpected-listening-port-macos.sql | 1 + 18 files changed, 144 insertions(+), 98 deletions(-) diff --git a/detection/c2/unexpected-dns-traffic.sql b/detection/c2/unexpected-dns-traffic.sql index 0bb6fd89..19da7d70 100644 --- a/detection/c2/unexpected-dns-traffic.sql +++ b/detection/c2/unexpected-dns-traffic.sql @@ -94,6 +94,7 @@ WHERE '/usr/sbin/mDNSResponder' ) AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper' + AND p.path NOT LIKE '%/podman/gvproxy' -- Workaround for the GROUP_CONCAT subselect adding a blank ent -- Workaround for the GROUP_CONCAT subselect adding a blank ent GROUP BY diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql index 2c8e40af..a35f2073 100644 --- a/detection/c2/unexpected-https-linux.sql +++ b/detection/c2/unexpected-https-linux.sql 
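Review bot: The new exclusion `AND p.path NOT LIKE '%/podman/gvproxy'` is anchored only on the last two path components, so a binary named gvproxy inside any directory named podman, anywhere on disk, inherits the DNS exemption; the Chrome Helper exclusion on the line above pins the full path and is the stronger form. If gvproxy's install location on the fleet is known, prefer `AND p.path NOT LIKE '<known-install-prefix>/podman/gvproxy'` (placeholder for the real prefix), or at least comment why the suffix-only match is acceptable. The WHERE clause this hunk belongs to continues outside the hunk.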
@@ -109,6 +109,7 @@ WHERE
 '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
 '0,velociraptor,0u,0g,velociraptor_cl',
 '0,yay,0u,0g,yay',
+ '500,python3.11,u,g,pip',
 '105,http,0u,0g,https',
 '106,geoclue,0u,0g,geoclue',
 '115,geoclue,0u,0g,geoclue',
@@ -116,6 +117,7 @@ WHERE
 '128,fwupdmgr,0u,0g,fwupdmgr',
 '129,fwupdmgr,0u,0g,fwupdmgr',
 '42,http,0u,0g,https',
+ '500,podman,0u,0g,podman',
 '500,1password,0u,0g,1password',
 '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
 '500,act,0u,0g,act',
@@ -330,6 +332,7 @@ WHERE
 AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
 AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
 AND NOT exception_key LIKE '500,python3.%,0u,0g,pip'
+ AND NOT exception_key LIKE '500,python3%,u,g,pip'
 AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
 AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi'
 AND NOT (
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index ef5be7eb..82da9c1e 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -142,17 +142,9 @@ WHERE
 )
 AND NOT alt_exception_key IN (
 '0,velociraptor,velociraptor,0u,0g',
- '500,java,java,0u,0g',
- '500,pulumi-resource-github,pulumi-resource-github,500u,20g',
 '0,velociraptor,velociraptor,0u,80g',
- '500,taplo,taplo,500u,20g',
- '500,nodegizmo,nodegizmo,500u,20g',
- '500,docker-scout,docker-scout,500u,20g',
 '500,apko,apko,0u,0g',
 '500,apko,apko,500u,20g',
- '500,wolfibump,wolfibump,500u,20g',
- '500,wolfictl,wolfictl,0u,0g',
- '500,istioctl,istioctl,500u,20g',
 '500,aws,aws,0u,0g',
 '500,cargo,cargo,500u,80g',
 '500,chainctl,chainctl,0u,0g',
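Review bot: The new wildcard `AND NOT exception_key LIKE '500,python3%,u,g,pip'` in the third hunk of unexpected-https-linux.sql already covers the `'500,python3.11,u,g,pip'` entry added to the IN list in the first hunk, so one of the two is redundant. The pattern is also looser than the established `'500,python3.%,0u,0g,pip'` on the line above it: `python3%` matches any process name that merely begins with python3, not just a versioned interpreter, so `'500,python3.%,u,g,pip'` would keep the two lines parallel. The enclosing WHERE clause continues outside these hunks.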
@@ -161,28 +153,38 @@ WHERE
 '500,cilium,cilium,500u,123g',
 '500,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
 '500,cosign,cosign,0u,500g',
- '500,snyk-macos-arm64,snyk-macos-arm64,500u,20g',
 '500,cosign,cosign,500u,20g',
 '500,cosign,cosign,500u,80g',
- '500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',
 '500,cpu,cpu,500u,20g',
 '500,crane,crane,0u,500g',
 '500,crane,crane,500u,80g',
+ '500,docker-scout,docker-scout,500u,20g',
 '500,gh-dash,gh-dash,500u,20g',
+ '500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',
 '500,git,git,0u,500g',
- '500,taplo-full-darwin-aarch64,taplo-full-darwin-aarch64,500u,20g',
 '500,git-remote-http,git-remote-http,500u,20g',
 '500,git-remote-http,git-remote-http,500u,80g',
- '500,istioctl,istioctl,,a.out',
 '500,gitsign,gitsign,500u,20g',
 '500,go,go,500u,80g',
- '500,vexi,vexi,500u,20g',
+ '500,hugo,hugo,500u,20g',
+ '500,istioctl,istioctl,500u,20g',
+ '500,istioctl,istioctl,,a.out',
+ '500,java,java,0u,0g',
 '500,.man-wrapped,.man-wrapped,0u,500g',
+ '500,nodegizmo,nodegizmo,500u,20g',
 '500,pprof,pprof,500u,80g',
 '500,pulumi-resource-gcp,pulumi-resource-gcp,500u,20g',
+ '500,pulumi-resource-github,pulumi-resource-github,500u,20g',
 '500,sdaudioswitch,sdaudioswitch,500u,20g',
 '500,sdzoomplugin,sdzoomplugin,500u,20g',
+ '500,session-manager-plugin,session-manager-plugin,0u,0g',
+ '500,snyk-macos-arm64,snyk-macos-arm64,500u,20g',
+ '500,taplo-full-darwin-aarch64,taplo-full-darwin-aarch64,500u,20g',
+ '500,taplo,taplo,500u,20g',
+ '500,vexi,vexi,500u,20g',
 '500,vim,vim,0u,500g',
+ '500,wolfibump,wolfibump,500u,20g',
+ '500,wolfictl,wolfictl,0u,0g',
 '500,wolfictl,wolfictl,500u,20g'
 )
 AND NOT s.authority IN (
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 21e9af6f..a9f5a765 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
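Review bot: The two genuinely new entries in this re-sort, `'500,hugo,hugo,500u,20g'` and `'500,session-manager-plugin,session-manager-plugin,0u,0g'`, exempt HTTPS traffic on process name alone, while the clause immediately after the list (`AND NOT s.authority IN (`) shows the rule can also key on the code-signing authority. If the session-manager-plugin binaries on the fleet are signed, an authority-based exemption there would not be inherited by an arbitrary binary renamed to that process name; if they are not, a short comment recording that would help the next tuning pass. The parent WHERE clause and the authority list continue outside the hunk.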
@@ -84,6 +84,7 @@ WHERE
 AND exception_key = '32768,6,%,sshd,0u,0g,sshd'
 )
 AND NOT exception_key IN (
+ '123,17,500,chronyd,0u,0g,chronyd',
 '4070,6,500,spotify,u,g,spotify',
 '8000,6,500,brave,0u,0g,brave',
 '8000,6,500,chrome,0u,0g,chrome',
@@ -93,6 +94,7 @@ WHERE
 '80,6,0,kmod,0u,0g,depmod',
 '80,6,0,kubelet,u,g,kubelet',
 '80,6,0,ldconfig,0u,0g,ldconfig',
+ '80,6,0,NetworkManager,0u,0g,NetworkManager',
 '80,6,0,packagekitd,0u,0g,packagekitd',
 '80,6,0,pacman,0u,0g,pacman',
 '80,6,0,pdftex,0u,0g,pdftex',
diff --git a/detection/credentials/unexpected-dev-opener-linux.sql b/detection/credentials/unexpected-dev-opener-linux.sql
index 946001a3..801e3686 100644
--- a/detection/credentials/unexpected-dev-opener-linux.sql
+++ b/detection/credentials/unexpected-dev-opener-linux.sql
@@ -91,6 +91,7 @@ WHERE
 AND pof.path NOT IN (
 '/dev/dri/card0',
 '/dev/dri/card1',
+ '/dev/dri/card2',
 '/dev/dri/renderD128',
 '/dev/dri/renderD129',
 '/dev/fuse',
@@ -126,6 +127,7 @@ WHERE
 '/dev/input,acpid',
 '/dev/input,gnome-shell',
 '/dev/input,Hyprland',
+ '/dev/input,kwin_wayland',
 '/dev/input,systemd',
 '/dev/input,systemd-logind',
 '/dev/input,thermald',
@@ -174,13 +176,13 @@ WHERE
 '/dev/hidraw,chrome',
 '/dev/hvc,agetty',
 '/dev/hwrng,rngd',
- '/dev/input/event,Xorg',
 '/dev/input/event,thermald',
 '/dev/input/event,touchegg',
- '/dev/kmsg,_k3s-inner',
+ '/dev/input/event,Xorg',
 '/dev/kmsg,bpfilter_umh',
 '/dev/kmsg,dmesg',
 '/dev/kmsg,k3s',
+ '/dev/kmsg,_k3s-inner',
 '/dev/kmsg,kubelet',
 '/dev/kmsg,systemd',
 '/dev/kmsg,systemd-coredump',
@@ -190,10 +192,10 @@ WHERE
 '/dev/mapper/control,gpartedbin',
 '/dev/mapper/control,multipathd',
 '/dev/mcelog,mcelog',
- '/dev/media,pipewire',
- '/dev/media,wireplumber',
 '/dev/media0,pipewire',
 '/dev/media0,wireplumber',
+ '/dev/media,pipewire',
+ '/dev/media,wireplumber',
 '/dev/net/tun,openvpn',
 '/dev/net/tun,qemu-system-x86_64',
 '/dev/net/tun,slirp4netns',
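Review bot: `'123,17,500,chronyd,0u,0g,chronyd'` in the first unexpected-talkers-linux.sql hunk exempts NTP traffic from a chronyd running as uid 500, whereas the other daemon keys in this list, including the `'80,6,0,NetworkManager,0u,0g,NetworkManager'` added in the next hunk, use uid 0. If a user-level or container-scoped chronyd is the intended case, a trailing comment such as `-- chronyd run as an unprivileged user, not the system service` would keep a later tuning pass from "fixing" it; if it is not intended, the uid in the key should match how the service actually runs. The IN list continues outside the hunk.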
@@ -201,17 +203,18 @@ WHERE
 '/dev/sda,ntfs-3g',
 '/dev/shm/envoy_shared_memory_1,envoy',
 '/dev/tpmrm,launcher',
- '/dev/tty,Xorg',
 '/dev/tty,agetty',
 '/dev/tty,gdm-wayland-session',
 '/dev/tty,gdm-x-session',
 '/dev/tty,systemd-logind',
+ '/dev/tty,Xorg',
 '/dev/uhid,bluetoothd',
 '/dev/uinput,bluetoothd',
 '/dev/usb/hiddev,apcupsd',
 '/dev/usb/hiddev,upowerd',
 '/dev/vhost-net,qemu-system-x86_64',
 '/dev/vhost-vsock,qemu-system-x86_64',
+ '/dev/video0,chrome',
 '/dev/video,brave',
 '/dev/video,cheese',
 '/dev/video,chrome',
@@ -229,7 +232,6 @@ WHERE
 '/dev/video,wireplumber',
 '/dev/video,zoom',
 '/dev/video,zoom.real',
- '/dev/video0,chrome',
 '/dev/wwan0mbim,mbim-proxy',
 '/dev/zfs,',
 '/dev/zfs,zed',
@@ -248,6 +250,10 @@ WHERE
 AND p0.name LIKE "solaar%"
 AND p0.path LIKE '/usr/bin/python%'
 )
+ AND NOT (
+ pof.path LIKE "/dev/input/event%"
+ AND p0.name = "openrazer-daemo"
+ )
 AND NOT (
 pof.path LIKE '/dev/bus/usb/%'
 AND p0.name IN (
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index df05c723..60bba6c6 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -54,6 +54,7 @@ WHERE
 AND NOT f.directory LIKE '%/.config/nvm/%/bin'
 AND NOT f.directory LIKE '%/.cursor/%'
 AND NOT f.directory LIKE '%/.deno/bin'
+ AND NOT f.directory LIKE '%/.devpod/contexts/%'
 AND NOT f.directory LIKE '%/.linuxbrew/Cellar/%/bin'
 AND NOT f.directory LIKE '%/.docker/cli-plugins'
 AND NOT f.directory LIKE '%/.fig/bin'
diff --git a/detection/evasion/unexpected-ld-so-files-linux.sql b/detection/evasion/unexpected-ld-so-files-linux.sql
index b8fb5b31..c09a7d1f 100644
--- a/detection/evasion/unexpected-ld-so-files-linux.sql
+++ b/detection/evasion/unexpected-ld-so-files-linux.sql
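Review bot: The new openrazer exception in the last unexpected-dev-opener-linux.sql hunk (`pof.path LIKE "/dev/input/event%"` / `p0.name = "openrazer-daemo"`) exempts access to raw input-event devices, which carry keystrokes, on the 15-character comm name alone, and it does so with double-quoted literals that SQLite treats as identifiers first and only falls back to strings when the legacy DQS behaviour is enabled. The `solaar` exception directly above it shows the safer shape: single-quoted strings plus a `p0.path LIKE ...` constraint, so `AND p0.path LIKE '<openrazer-daemon-path>%'` (placeholder) would keep a process merely named openrazer-daemo from inheriting the exemption. The enclosing WHERE clause continues outside the hunk.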
@@ -29,26 +29,25 @@ WHERE AND file.filename NOT IN ('.', '..') AND exception_key NOT IN ( '/etc/ld.so.conf,0644,117,dad04a370e488aa85fb0a813a5c83cf6fd981ce01883fc59685447b092de84b5', + '/etc/ld.so.conf,0644,154,785c6c3614a27ae6115a27c1ca55bbf333654780997c4ba7e181172b021d1bf3', '/etc/ld.so.conf,0644,28,239c865e4c0746a01f82b03d38d620853bab2a2ba8e81d6f5606c503e0ea379f', '/etc/ld.so.conf,0644,34,d4b198c463418b493208485def26a6f4c57279467b9dfa491b70433cedb602e8', - '/etc/ld.so.conf.d/homebrew.conf,0644,33,f4972e79fa4966d9976487a5b5d4152c4cd7020b236b173ad1f2a3d2fa86f74a', - '/etc/ld.so.conf,0644,154,785c6c3614a27ae6115a27c1ca55bbf333654780997c4ba7e181172b021d1bf3', '/etc/ld.so.conf.d/000_cuda.conf,0644,41,a9327cff9435220eac872cffedc7f6144d915bdcb70d985304c72f4c3cb9a7d3', '/etc/ld.so.conf.d/989_cuda-11.conf,0644,44,915b1ed4caa95cf65a62a74d8255c5ef80ef864cc2767933c85e240a78957167', - '/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3', '/etc/ld.so.conf.d/bind-export-x86_64.conf,0644,26,efeec53def06657c947f064463d5ebdb68f7c6f9e40cc2e72fc11c263484942e', '/etc/ld.so.conf.d/cuda.conf,0644,66,a65f7d96e2447eb40b1be9586b90eb0bd776a8938c93d21f9606d2880b548b28', '/etc/ld.so.conf.d/dyninst-x86_64.conf,0644,19,a4c740c1f59176d816ba18d429ba823317d3db416accf6d79a9cb0ac845d9d50', + '/etc/ld.so.conf.d/fakechroot-x86_64-linux-gnu.conf,0644,37,b31d4e51d547996eaad550223d078701016504cdf6571abd2b37ece9db3caac7', '/etc/ld.so.conf.d/fakeroot.conf,0644,21,564c4c4d369d005702d825d34edc5e5568cb1ab6ee1b19fa03d0d672fb8b3aee', '/etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf,0644,38,af7edc777dd224bade078ba540538444db69856533c02e18a7f9fbbdd23bd181', '/etc/ld.so.conf.d/gds-11-8.conf,0644,46,2b48cb0abd03ff1d8926eca02a71540f4ee00ebccad5515e4d28a542dae8438a', + '/etc/ld.so.conf.d/homebrew.conf,0644,33,f4972e79fa4966d9976487a5b5d4152c4cd7020b236b173ad1f2a3d2fa86f74a', 
'/etc/ld.so.conf.d/i386-linux-gnu.conf,0644,168,023231b8d6d21a7f4b1a59b875576604395041c814c0fd640d4a1d3d29455e6a', '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime.conf,0644,48,c0c6efda46a86b0d0cbc620b910cec4ba455d09a2bc7a39adf45ce113093366d', '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476', '/etc/ld.so.conf.d/intel-oneapi-compiler-dpcpp-cpp-runtime-libs.conf,0644,44,9f123b367c8afdcd116047d24f91339a95724d6f6cd189967696d2eb8eda63b4', '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-opencl-cpu.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476', '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime.conf,0644,157,0b4a1c81fcab2d345f99e0187f29cf28f085ae67bf42c86d7b509c06b345186e', - '/etc/ld.so.conf.d/fakechroot-x86_64-linux-gnu.conf,0644,37,b31d4e51d547996eaad550223d078701016504cdf6571abd2b37ece9db3caac7', '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime.conf,0644,92,c4f62f0bfed45e548755c60b5e012e79c9062bb2a993c041db661951eb994476', '/etc/ld.so.conf.d/intel-oneapi-compiler-shared-runtime-libs.conf,0644,65,0e9c472578fe009314f02ab64613fc41114f4d07cfd3a805191a5b755d780a43', '/etc/ld.so.conf.d/intel-oneapi-openmp.conf,0644,155,160358af96f4a1a92e624fa84a1776d45c1a2c4695c8b96070374f6d66bf6061', 
@@ -61,6 +60,8 @@ WHERE
 '/etc/ld.so.conf.d/libiscsi-x86_64.conf,0644,17,fa3839c3cb893d3a589a020a0a9a010de1332b8385ee8139660e2da8bcc932a3',
 '/etc/ld.so.conf.d/llvm13-x86_64.conf,0644,22,4da62e9ec76b030c527e2ea87ccfab1baeff7d0f9092f980231e49961bb97de0',
 '/etc/ld.so.conf.d/llvm15-x86_64.conf,0644,22,30e995961d9e382d287469acce7e168d15811356bf20971fc17bb582a8d62afa',
+ '/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3',
+ '/etc/ld.so.conf.d/llvm17-x86_64.conf,0644,22,3aceee0a4efb8cc2b0f981035cdbb6f28be48634f72f9b6fb98c1e282d32347c',
 '/etc/ld.so.conf.d/mariadb-x86_64.conf,0644,17,598466b4954bc66c6f45f1f119211b0698d4a549f6c01b5d9a933a2511b82626',
 '/etc/ld.so.conf.d/mingw64-hostlib.conf,0644,29,df1b65371bead6dddc703346f56dde023e22d52d9f071a3b646beaaec75a53c9',
 '/etc/ld.so.conf.d/nessus.conf,0644,16,5a9dc65a4a0daa50ce9dd70ff3973fcceef9660cc3fdf5bb0beec8e0b6c57708',
diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql
index 59adc059..3df2cbbc 100644
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
@@ -43,12 +43,14 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 AND (
 file.path LIKE '%/go-build%'
 OR file.directory LIKE '/tmp/%/out'
+ OR file.path IN ('/tmp/mkinitramfs', '/tmp/mission')
 OR file.path LIKE '%/bin/%'
+ OR file.path LIKE "%/bin/bash"
+ OR file.path LIKE "%/bin/busybox"
 OR file.path LIKE '%/checkout/%'
 OR file.path LIKE '%/ci/%'
- OR file.path LIKE '%/Rakefile'
+ OR file.path LIKE '%/configure'
 OR file.path LIKE '%/debug/%'
- OR file.path LIKE '/tmp/ko%/out'
 OR file.path LIKE '%/dist/%'
 OR file.path LIKE '%/flow/%.npmzS_cacachezStmpzSgit-clone%'
 OR file.path LIKE '%/git/%'
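Review bot: `OR file.path LIKE "%/bin/bash"` and `OR file.path LIKE "%/bin/busybox"`, moved into the first unexpected-tmp-executables-linux.sql hunk, are already matched by `OR file.path LIKE '%/bin/%'` two lines above them, so they add no coverage and can be dropped; if they were meant to be the narrower replacement for that pattern, the broad line is the one to remove. They also keep the double-quoted string form in a list that otherwise uses single quotes. The `AND (` that opens this list is closed outside the hunk, so whether the list selects or exempts files cannot be confirmed from here.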
@@ -56,27 +58,27 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 OR file.path LIKE '%/go.%.sum'
 OR file.path LIKE "%/%/gradlew"
 OR file.path LIKE '%/guile-%/guile-%'
- OR file.path LIKE '%/melange-guest-%'
+ OR file.path LIKE '%integration_test%'
 OR file.path LIKE '%/ko/%'
 OR file.path LIKE '%/kots/%'
 OR file.path LIKE "%/lib/%.so"
- OR file.path LIKE '/tmp/GoLand/___go_build_%_go'
 OR file.path LIKE "%/lib/%.so.%"
- OR file.path LIKE '%/configure'
- OR file.path LIKE '%integration_test%'
- OR file.path LIKE '%test_script'
 OR file.path LIKE "%/melange%"
- OR file.path LIKE "%/bin/busybox"
- OR file.path LIKE "%/bin/bash"
- OR file.path LIKE "/tmp/lima/%"
+ OR file.path LIKE '%/melange-guest-%'
 OR file.path LIKE '%/pdf-tools/%'
+ OR file.path LIKE '%/Rakefile'
 OR file.path LIKE '%-release%/%'
 OR file.path LIKE '%/site-packages/markupsafe/_speedups.cpython-%'
 OR file.path LIKE '%/src/%'
 OR file.path LIKE '%/target/%'
 OR file.path LIKE '%/terraformer/%'
+ OR file.path LIKE '%test_script'
 OR file.path LIKE '%/tmp/epdf%'
+ OR file.path LIKE '/tmp/GoLand/___go_build_%_go'
+ OR file.path LIKE '/tmp/ko%/out'
+ OR file.path LIKE "/tmp/lima/%"
 OR file.path LIKE '/tmp/lima/%/out/%'
+ OR file.path LIKE '/tmp/wolfi%'
 )
 )
 AND NOT (
diff --git a/detection/evasion/unexpected-user-executables-macos.sql b/detection/evasion/unexpected-user-executables-macos.sql
index d9a23495..60b4814f 100644
--- a/detection/evasion/unexpected-user-executables-macos.sql
+++ b/detection/evasion/unexpected-user-executables-macos.sql
@@ -22,6 +22,7 @@ SELECT
 f.size,
 hash.sha256,
 REPLACE(f.directory, u.directory, '~') AS homedir,
+ REPLACE(f.path, u.directory, '~') AS homepath,
 RTRIM(
 COALESCE(
 REGEX_MATCH (
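Review bot: `OR file.path LIKE '/tmp/wolfi%'`, the one pattern in the second unexpected-tmp-executables-linux.sql hunk that is new rather than re-sorted, is a bare prefix with no separator: it matches `/tmp/wolfi`, `/tmp/wolfi-build/...` and equally any executable whose name merely starts with wolfi dropped directly in /tmp. If the intent is the wolfi build tree, `'/tmp/wolfi%/%'` or the exact directory would say so; if the intent really is any such file, a trailing comment would help the next reader. The `AND (` / `) )` nesting that decides whether this list includes or exempts files is opened outside the hunk, and the `"/tmp/lima/%"` line keeps the double-quote style that the rest of the list has been moving away from.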
@@ -199,6 +200,13 @@ WHERE
 '~/Library/helm',
 '~/Library/pnpm'
 )
+ AND NOT homepath IN (
+ '~/Library/Assistant/SiriAnalytics.db',
+ '~/Library/Calendars/Calendar.sqlitedb-wal',
+ '~/Library/Finance/finance_cloud.db',
+ '~/Library/Finance/finance_cloud.db-wal',
+ '~/Library/HTTPStorages/com.apple.AddressBookSourceSync'
+ )
 AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
 AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
 AND NOT f.path LIKE '/Users/%/Library/Fonts/%.ttf'
diff --git a/detection/evasion/unexpected-user-shared-entries.sql b/detection/evasion/unexpected-user-shared-entries.sql
index 3ad59d78..b465c354 100644
--- a/detection/evasion/unexpected-user-shared-entries.sql
+++ b/detection/evasion/unexpected-user-shared-entries.sql
@@ -48,6 +48,7 @@ WHERE
 '/Users/Shared/.betamigrated',
 '/Users/Shared/.com.intego.reporting.plist',
 '/Users/Shared/.DS_Store',
+ '/Users/Shared/Plugin Loading.log',
 '/Users/Shared/.ks.intego_metrics_2.plist',
 '/Users/Shared/.localized',
 '/Users/Shared/.userfonts.cachedb',
@@ -67,6 +68,7 @@ WHERE
 '/Users/Shared/CleanMyMac X Menu',
 '/Users/Shared/LGHUB',
 '/Users/Shared/logi',
+ '/Users/Shared/AdobeInstalledCodecsTier2',
 '/Users/Shared/LogioptionsPlus',
 '/Users/Shared/LogiOptionsPlus',
 '/Users/Shared/.logishrd',
diff --git a/detection/execution/unexpected-env-values-macos.sql b/detection/execution/unexpected-env-values-macos.sql
index 116cd6f4..1dba8c72 100644
--- a/detection/execution/unexpected-env-values-macos.sql
+++ b/detection/execution/unexpected-env-values-macos.sql
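Review bot: The new `AND NOT homepath IN (...)` block in unexpected-user-executables-macos.sql lists database and WAL files under ~/Library, which is not what a reader expects to find exempted in an "unexpected executables" rule, and nothing in the hunk says why they show up. A one-line comment above the block, along the lines of `-- Apple data files that are created with the execute bit set; exact paths, no wildcards`, would record the reason (the file's other exemptions are LIKE patterns, so the exact-match list is a deliberate and stronger choice worth naming). The `homepath` alias this block relies on is added in the earlier SELECT hunk, and the surrounding WHERE clause continues outside the hunk.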
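Review bot: In unexpected-user-shared-entries.sql the two new paths break the ordering of the lists they join: `'/Users/Shared/Plugin Loading.log'` is placed among the dot-prefixed entries between `.DS_Store` and `.ks.intego_metrics_2.plist`, and `'/Users/Shared/AdobeInstalledCodecsTier2'` sits between `logi` and `LogioptionsPlus`. Since the rest of this commit is sorting exception lists, moving each to its alphabetical position (the log file with the non-dotted names, the Adobe entry before `CleanMyMac X Menu`) keeps future diffs small. Both IN lists continue outside their hunks.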
@@ -41,8 +41,10 @@ WHERE -- This time should match the interval
 AND NOT pe.value LIKE '/opt/homebrew/Cellar/r/4.%/lib/R/lib/libR.dylib'
 AND NOT pe.value LIKE '%/libsamply_mac_preload.dylib'
 AND NOT pe.value LIKE '%/Steam/Steam.AppBundle/Steam/Contents/MacOS/steamloader.dylib:%/Steam/Steam.AppBundle/Steam/Contents/MacOS/gameoverlayrenderer.dylib'
+ AND NOT pe.value LIKE '%//libtrace.dylib'
 )
 OR (
 key = 'DYLD_FRAMEWORK_PATH' -- sort of obsolete, but may affect SIP abusers
 AND NOT pe.value LIKE '%/IDLE.app/%'
+ AND NOT pe.value = '/System/Library/Frameworks'
 )
diff --git a/detection/execution/unexpected-gatekeeper-approvals-macos.sql b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
index 8d2a33f1..82b4411e 100644
--- a/detection/execution/unexpected-gatekeeper-approvals-macos.sql
+++ b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
@@ -37,6 +37,7 @@ WHERE
 AND gap.path NOT LIKE '/Users/%/rekor-cli'
 AND gap.path NOT LIKE '/Users/%/trivy'
 AND gap.path NOT LIKE '/usr/local/bin/%'
+ AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'
 AND signature.authority != 'Developer ID Application: Jamie Zawinski (4627ATJELP)'
 GROUP BY
 gap.requirement
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index e0033813..e03f8b2d 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
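Review bot: `AND NOT pe.value LIKE '%//libtrace.dylib'` in unexpected-env-values-macos.sql exempts a DYLD insert value on the library's basename only, so a library with that generic name injected from any directory passes as long as the path is written with a doubled slash, and the `//` itself looks like it may be an artefact of how one tool builds the path rather than something to match on deliberately. The other exemptions in this block pin at least a distinctive directory (`%/Steam/Steam.AppBundle/...`, `/opt/homebrew/Cellar/r/...`), so `AND NOT pe.value LIKE '<known-parent-dir>//libtrace.dylib'` (placeholder for the real directory) plus a comment naming the tool that sets it would be the consistent form. The new `AND NOT pe.value = '/System/Library/Frameworks'` for DYLD_FRAMEWORK_PATH is an exact match and fine as is.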
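Review bot: `AND gap.path NOT LIKE '/Users/%/Downloads/openresty%/bundle/install'` in unexpected-gatekeeper-approvals-macos.sql exempts a Gatekeeper approval for a script under ~/Downloads, which is exactly the location this rule exists to watch, and `openresty%` accepts any directory name starting with that string. If this is a one-off developer build, a narrower `'/Users/%/Downloads/openresty-%/bundle/install'` plus a comment such as `-- openresty source tarball built from ~/Downloads` records why an approval in Downloads is tolerated; the `signature.authority` check on the next line cannot help here since it is a shell script. The WHERE clause continues outside the hunk.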
@@ -80,137 +80,139 @@ WHERE AND exception_key NOT IN ( '0,ir_agent,bootstrap,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', - '0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,nix,nix,', - '500,dfu-discovery,a.out,', '0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', + '0,rapid7_endpoint_broker,rapid7_endpoint_broker,Developer ID Application: Rapid7 LLC (UL6CGN7MAL)', '0,velociraptor,a.out,', - '500,.cargo-wrapped,.cargo-wrapped,', - '500,serial-discovery,a.out,', + '500,AeroSpace,bobko.aerospace,aerospace-codesign-certificate', '500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)', '500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. 
(Y93VXCB8Q5)', + '500,bash,bash,', + '500,bash,com.apple.bash,Software Signing', '500,Bazecor Helper,,', - '500,python,,', + '500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing', + '500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing', '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing', '500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing', - '500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing', - '500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing', '500,BloomRPC Helper,,', - '500,monorail,,', - '500,Chromium,Chromium,', - '500,clangd,,', - '500,GoLinks Extension,com.golinks.golinks-app.safari-app-extension,Apple Mac OS Application Signing', - '500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing', - '500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing', - '500,Duckly Helper (Renderer),Electron Helper (Renderer),', - '500,Duckly Helper,Electron Helper,', - '500,Duckly,Electron,', - '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)', - '500,Evernote Helper (GPU),com.evernote.Evernote.helper.GPU,Apple Mac OS Application Signing', - '500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing', - '500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing', - '500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing', - '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing', - '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)', - '500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing', - '500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing', - 
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing', - '500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing', - '500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing', - '500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing', - '500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing', - '500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing', - '500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing', - '500,PrinterProxy,com.apple.print.PrinterProxy,', - '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,', - '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', - '500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', - '500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', - '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', - '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing', - '500,Speedtest,com.ookla.speedtest-macos,Apple Mac OS Application Signing', - '500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)', - '500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing', - '500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing', - '500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing', - '500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing', - '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing', - '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. 
(Y93VXCB8Q5)', - '500,J8RPQ294UB.com.skitch.SkitchHelper,J8RPQ294UB.com.skitch.SkitchHelper,Apple Mac OS Application Signing', - '500,WinAppHelper,,', - '500,WinAppHelper,WinAppHelper,', - '500,bash,bash,', - '500,bash,com.apple.bash,Software Signing', '500,bufls,a.out,', + '500,.cargo-wrapped,.cargo-wrapped,', '500,chainctl,a.out,', + '500,Chromium,Chromium,', + '500,clangd,,', '500,clangd,clangd,', '500,cloud-sql-proxy,a.out,', - '500,cloud-sql-proxy.darwin.arm64,a.out,', '500,cloud_sql_proxy,a.out,', + '500,cloud-sql-proxy.darwin.arm64,a.out,', '500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,', + '500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing', '500,cosign,a.out,', '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,', '500,crane,a.out,', - '500,nvim,,', - '500,J8RPQ294UB.com.skitch.SkitchHelper,J8RPQ294UB.com.skitch.SkitchHelper,Developer ID Application: Skitch Inc (J8RPQ294UB)', - '500,AeroSpace,bobko.aerospace,aerospace-codesign-certificate', '500,debug.test,a.out,', + '500,dfu-discovery,a.out,', '500,dive,a.out,', + '500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing', '500,dlv,a.out,', '500,docker,a.out,', + '500,Duckly,Electron,', + '500,Duckly Helper,Electron Helper,', + '500,Duckly Helper (Renderer),Electron Helper (Renderer),', + '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)', '500,epdfinfo,epdfinfo,', '500,esbuild,,', '500,esbuild,a.out,', + '500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing', + '500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing', + '500,Evernote Helper (GPU),com.evernote.Evernote.helper.GPU,Apple Mac OS Application Signing', + '500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing', '500,fake,a.out,', + '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing', '500,git,git,', '500,gitsign,a.out,', 
'500,gitsign-credential-cache,a.out,', + '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)', '500,gke-gcloud-auth-plugin,a.out,', '500,go,a.out,', + '500,GoLinks Extension,com.golinks.golinks-app.safari-app-extension,Apple Mac OS Application Signing', '500,gopls,a.out,', '500,gopls,gopls,', '500,gpg-agent,gpg-agent,', + '500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing', + '500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing', '500,hugo,a.out,', + '500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing', '500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)', '500,ipcserver.old,,', + '500,J8RPQ294UB.com.skitch.SkitchHelper,J8RPQ294UB.com.skitch.SkitchHelper,Apple Mac OS Application Signing', + '500,J8RPQ294UB.com.skitch.SkitchHelper,J8RPQ294UB.com.skitch.SkitchHelper,Developer ID Application: Skitch Inc (J8RPQ294UB)', '500,k9s,a.out,', '500,keyboxd,keyboxd,', '500,ko,,', '500,ko,a.out,', '500,kubectl,a.out,', '500,lua-language-server,lua-language-server,', + '500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing', '500,mattermost,a.out,', + '500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing', + '500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing', + '500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing', + '500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing', '500,melange,a.out,', '500,melange-run,a.out,', + '500,monday.com,com.monday.desktop,Apple Mac OS Application Signing', + '500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing', '500,monday.com Helper (GPU),com.monday.desktop.helper.GPU,Apple Mac OS Application Signing', '500,monday.com Helper 
(Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing', - '500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing', - '500,monday.com,com.monday.desktop,Apple Mac OS Application Signing', + '500,monorail,,', '500,monorail,a.out,', + '500,nvim,,', '500,nvim,nvim,', + '500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing', '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', '500,plugin-darwin-arm64,a.out,', + '500,PrinterProxy,com.apple.print.PrinterProxy,', + '500,python,,', '500,registry,a.out,', '500,registry-redirect,a.out,', + '500,ruff,,', + '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,', '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,', '500,scdaemon,scdaemon,', '500,sdaudioswitch,,', '500,sdaudioswitch,sdaudioswitch,', + '500,sdmicmute,,', + '500,sdmicmute,sdmicmute,', '500,sdzoomplugin,,', + '500,serial-discovery,a.out,', + '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing', + '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + '500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', + '500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing', '500,snyk-ls_darwin_arm64,a.out,', + '500,Speedtest,com.ookla.speedtest-macos,Apple Mac OS Application Signing', '500,ssh,ssh,', + '500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)', '500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)', '500,stern,a.out,', '500,syncthing,syncthing,', + '500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing', '500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator 
 '500,tflint,a.out,',
 '500,tflint-ruleset-aws,a.out,',
 '500,tflint-ruleset-google,a.out,',
 '500,timestamp-server,a.out,',
+ '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
+ '500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
+ '500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
+ '500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
+ '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '500,vim,,',
- '500,ruff,,',
- '500,vim,vim,'
+ '500,vim,vim,',
+ '500,WinAppHelper,,',
+ '500,WinAppHelper,WinAppHelper,'
 )
 AND NOT (
 exception_key LIKE '500,%,a.out,'
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
index 5057d70a..ef8f1aa9 100644
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -59,14 +59,16 @@ WHERE
 }'
 AND yara.count > 0
 AND p0.name NOT IN (
- 'old',
+ 'Cody',
 'deno',
- 'stable',
+ 'DevPod',
+ 'fig-darwin-universal',
 'figma_agent',
 'nvim',
+ 'old',
 'sg-nvim-agent',
- 'Cody',
- 'fig-darwin-universal',
- 'wezterm-gui'
+ 'stable',
+ 'wezterm-gui',
+ 'zed'
 )
 AND p0.name NOT LIKE 'cody-engine-%'
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index de9c967f..8f57676e 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -189,7 +189,9 @@ WHERE
 'xargs',
 'xcrun',
 'xfce4-terminal',
+ 'xinit',
 'Xorg',
+ 'xterm',
 'yay',
 'yum',
 'zed',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index c3bc76a2..8527f284 100644
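Review bot: Among the roughly 140 re-sorted lines of the unexpected-security-framework-program-macos.sql hunk, the only entries that are new rather than moved appear to be `'500,sdmicmute,,'` and `'500,sdmicmute,sdmicmute,'`, and both carry an empty identifier/authority field, i.e. they exempt on process name alone; that matches the neighbouring `sdaudioswitch` and `sdzoomplugin` rows, so it is consistent, but the list would be easier to audit if such unsigned rows said what they are. The file already uses a trailing comment for this (`'500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator`), so `'500,sdmicmute,sdmicmute,', -- Stream Deck plugin, unsigned` would follow that precedent. The 15 removed lines are all re-additions elsewhere in the hunk except `'500,ruff,,'`, which is now listed once instead of twice.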
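Review bot: In yara-unexpected-rust-http-exec-process.sql the newly added `'DevPod'` and `'zed'` join a `p0.name NOT IN (...)` list, so a process that matches the Rust HTTP-plus-exec YARA rule is waved through purely on its name; for editors and dev tools that are widely installed, that is a name any binary can take. If the rule has access to the process path or signing data elsewhere in the query (not visible in this hunk), pairing the two new names with it, or at least a comment like `-- editors with bundled rust http/exec helpers`, would document what is being tolerated. The surrounding WHERE clause continues outside the hunk.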
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -65,6 +65,7 @@ WHERE
 'clang-11',
 'code',
 'Code Helper (Renderer)',
+ 'Microsoft.VisualStudio.Reliability.Monitor',
 'Code - Insiders Helper',
 'Code - Insiders Helper (Renderer)',
 'collect2',
@@ -88,6 +89,7 @@ WHERE
 'LogiMgrDaemon',
 'gephi',
 'git',
+ 'terraform',
 'git-remote-http',
 'git-remote-https',
 'gnome-session-b',
diff --git a/detection/persistence/listening-from-unusual-location.sql b/detection/persistence/listening-from-unusual-location.sql
index 36c5e15b..8fea647d 100644
--- a/detection/persistence/listening-from-unusual-location.sql
+++ b/detection/persistence/listening-from-unusual-location.sql
@@ -77,6 +77,7 @@ WHERE
 'controller',
 'docker-proxy',
 'hugo',
+ 'gopls',
 'limactl',
 'qemu-system-aarch64',
 'crane',
@@ -89,6 +90,11 @@ WHERE
 AND lp.port > 1024
 and lp.protocol = 6
 )
+ AND NOT (
+ p0.name = "ssh"
+ AND homecwd LIKE '/tmp/%'
+ AND lp.address IN ("127.0.0.1", "::1")
+ )
 -- Overly broad, but prevents a lot of false positives
 AND NOT homepath LIKE "~/.%"
 AND NOT homecwd LIKE "~/.%"
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index fcd52d0c..74c935ab 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -146,6 +146,7 @@ WHERE
 '49152,6,65,mDNSResponder,Software Signing',
 '5000,6,500,ControlCenter,Software Signing',
 '5001,6,500,crane,',
+ '25565,6,500,java,',
 '5001,6,500,gvproxy,',
 '5060,6,500,CommCenter,Software Signing',
 '53,17,500,dnsmasq,',
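Review bot: `'Microsoft.VisualStudio.Reliability.Monitor'` in unexpected-shell-parents.sql is 42 characters, and this list is shared across platforms; on Linux the process name osquery reports comes from the kernel comm field and is cut to 15 characters, which is why `'gnome-session-b'` appears truncated a few lines below, so if the entry is meant to match on Linux it will never hit and if it is macOS-only a comment saying so would prevent that confusion. Separately, `'terraform'` as an allowed shell parent covers every local-exec provisioner and external data source a module can run, which is the usual way a malicious module gets code execution; if the false positives come from one workflow, narrowing it (for example by the shell's command line or the parent's cwd, if the query exposes them) would keep that path observable. Both new entries also land out of alphabetical order in lists the rest of this commit is sorting.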
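Review bot: The new block in listening-from-unusual-location.sql (`p0.name = "ssh"` with `homecwd LIKE '/tmp/%'` and a loopback `lp.address`) exempts an ssh client that started from /tmp and is listening locally, which is the shape of `ssh -L` / `ssh -D` forwarding and therefore also the shape of a pivot; the exemption keys on the process name only, while the name list above it is the same weakness the rule elsewhere tries to offset with `homepath`. Constraining it to the system client, e.g. adding `AND p0.path = '/usr/bin/ssh'` (or the fleet's actual path), and a comment naming the workflow that needs it would keep a copied binary called ssh from inheriting it. The block also uses double-quoted strings, which SQLite treats as identifiers before strings; the adjacent `'/tmp/%'` shows the single-quote form. The enclosing WHERE clause continues outside the hunk.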
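Review bot: `'25565,6,500,java,'` in unexpected-listening-port-macos.sql allows any uid-500 java process to listen on TCP 25565 with an empty signing-authority field, so the exemption rests on the JVM's generic process name rather than on what is actually being served. A trailing comment stating the application behind the port (`'25565,6,500,java,', -- <application>` with the real name filled in) is the minimum; if the query can also see the java command line or working directory, keying on that would be stronger. The entry is also inserted between the two `5001,...` rows rather than in the list's string order, which will make the next re-sort noisier.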