

Merge pull request #328 from tstromberg/fpr-oct24
fpr: osquery release spam
tstromberg authored Oct 24, 2023
2 parents 5cc769c + 9e6df92 commit 7b76585
Showing 5 changed files with 90 additions and 84 deletions.
1 change: 1 addition & 0 deletions detection/evasion/unexpected-etc-executables.sql
Expand Up @@ -153,6 +153,7 @@ WHERE
AND file.path NOT IN (
'/etc/cloud/clean.d/99-installer',
'/etc/grub2-efi.cfg',
'/etc/cloud/clean.d/99-installer-use-networkmanager',
'/etc/grub2.cfg',
'/etc/hibernate.sh',
'/etc/libpaper.d/texlive-base',
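Review bot: The new allowlist entry `'/etc/cloud/clean.d/99-installer-use-networkmanager'` (presumably the hunk's single addition, given the `+1` in the hunk header) sits between the two grub2 entries instead of directly after its sibling `'/etc/cloud/clean.d/99-installer'`, which is where the otherwise sorted neighbours in this list place it. Keeping sibling paths adjacent makes it visible when an exception for one file grows into an exception for a whole directory. The `NOT IN` list continues outside the hunk.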
70 changes: 37 additions & 33 deletions detection/evasion/unexpected-user-executables-macos.sql
Expand Up @@ -118,60 +118,64 @@ WHERE
magic.data IS NOT NULL
AND magic.data LIKE "%shell script%"
)
AND NOT (
magic.data IS NULL
AND file.size < 50000
)
AND NOT homedir LIKE '~/%/bin'
AND NOT homedir LIKE '~/%/shims'
AND NOT homedir LIKE '~/%/plugins'
AND NOT homedir LIKE '/Users/%/.provisio'
AND NOT homedir IN (
'~/.amplify/bin',
'~/.asdf/shims',
'~/.bazel/bin',
'~/.bin',
'~/.fzf',
'~/.fzf/bin',
'~/.venv/bin',
'~/.fig/bin',
'~/.zsh_snap/zsh-snap',
'~/.zed/gopls',
'~/.cache/gitstatus',
'~/.config/kn',
'~/.asdf/shims',
'~/.amplify/bin',
'~/.emacs.d/backups',
'~/.rbenv/shims',
'~/.config/nvim.bak',
'~/.bazel/bin',
'~/.pulumi-dev/bin',
'~/.gvm/bin',
'~/.emacs.d.bak/bin',
'~/.docker/cli-plugins',
'~/.zsh_snap/zsh-autocomplete',
'~/.cache/gitstatus',
'~/.wrangler/bin',
'~/.provisio',
'~/.pyenv/shims',
'~/Library/ApplicationSupport/iTerm2',
'~/.emacs.d/backups',
'~/.emacs.d.bak/bin',
'~/.fig/bin',
'~/.fzf',
'~/.fzf/bin',
'~/.gvm/bin',
'~/.kn/plugins',
'~/.kuberlr/darwin-amd64',
'/Users/Shared/logitune',
'~/Library/ApplicationSupport/iTerm2',
'~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS',
'~/.oh-my-zsh/tools',
'~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS'
'~/.provisio',
'~/.pulumi-dev/bin',
'~/.pyenv/shims',
'~/.rbenv/shims',
'/Users/Shared/logitune',
'~/.venv/bin',
'~/.wrangler/bin',
'~/.zed/gopls',
'~/.zsh_snap/zsh-autocomplete',
'~/.zsh_snap/zsh-snap'
)
AND NOT top2_homedir IN (
'~/.iterm2',
'~/Library/Application Support',
'/Users/Shared/LGHUB/cache',
'~/Library/Caches',
'~/Library/helm',
'~/Library/pnpm',
'~/Library/Printers',
'~/Library/Python',
'~/Library/QuickLook',
'~/Library/pnpm',
'/Users/Shared/Red Giant/Uninstall',
'~/Library/Thunderbird',
'~/Library/helm',
'~/Library/Screen Savers',
'~/Library/Services',
'~/Library/Thunderbird',
'~/.magefile',
'~/.nvm',
'~/.terraform.d',
'~/.terraform.versions',
'~/.iterm2',
'/Users/Shared/LGHUB/cache',
'/Users/Shared/LogiOptionsPlus/cache',
'~/Library/Screen Savers',
'~/Library/Python',
'~/Library/Caches',
'~/.magefile',
'~/.nvm'
'/Users/Shared/Red Giant/Uninstall'
)
GROUP BY
f.path
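Review bot: This section re-sorts both `NOT IN` lists in the same hunk that adds entries to them, so the section's 37 additions and 33 deletions are the only evidence that the allowlist grew by a net four paths, and which four is not recoverable from the rendered diff. Every path in these lists is a location where an executable now goes unflagged, so the reorder-only part is better landed as its own commit and the additions reviewed line by line; the same mixing occurs in this commit's detection/execution/unexpected-security-framework-program-macos.sql. A one-line comment above each list, such as `-- keep sorted; each entry exempts every executable under that path`, would make both the ordering rule and the cost of an entry explicit to the next contributor. The WHERE clause begins outside the hunk.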
95 changes: 48 additions & 47 deletions detection/execution/unexpected-security-framework-program-macos.sql
Expand Up @@ -79,118 +79,119 @@ WHERE
AND pmm.path LIKE '%Security.framework%'
AND exception_key NOT IN (
'0,nix,nix,',
'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'0,velociraptor,a.out,',
'500,monday.com Helper (GPU),com.monday.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,clangd,clangd,',
'500,.cargo-wrapped,.cargo-wrapped,',
'500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
'500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,bash,bash,',
'500,bash,com.apple.bash,Software Signing',
'500,Bazecor Helper,,',
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
'500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
'500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
'500,BloomRPC Helper,,',
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
'500,Duckly Helper,Electron Helper,',
'500,Duckly,Electron,',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
'500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,',
'500,bash,bash,',
'500,bash,com.apple.bash,Software Signing',
'500,bufls,a.out,',
'500,.cargo-wrapped,.cargo-wrapped,',
'500,chainctl,a.out,',
'500,Chromium,Chromium,',
'500,clangd,clangd,',
'500,cloud-sql-proxy,a.out,',
'500,cloud-sql-proxy.darwin.arm64,a.out,',
'500,cloud_sql_proxy,a.out,',
'500,cloud-sql-proxy.darwin.arm64,a.out,',
'500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
'500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
'500,cosign,a.out,',
'500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
'500,crane,a.out,',
'500,debug.test,a.out,',
'500,dive,a.out,',
'500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
'500,dlv,a.out,',
'500,docker,a.out,',
'500,Duckly,Electron,',
'500,Duckly Helper,Electron Helper,',
'500,Duckly Helper (Renderer),Electron Helper (Renderer),',
'500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
'500,epdfinfo,epdfinfo,',
'500,esbuild,,',
'500,esbuild,a.out,',
'500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
'500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
'500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
'500,fake,a.out,',
'500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
'500,git,git,',
'500,gitsign,a.out,',
'500,gitsign-credential-cache,a.out,',
'500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
'500,gke-gcloud-auth-plugin,a.out,',
'500,go,a.out,',
'500,gopls,a.out,',
'500,gopls,gopls,',
'500,gpg-agent,gpg-agent,',
'500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
'500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
'500,hugo,a.out,',
'500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
'500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,ipcserver.old,,',
'500,k9s,a.out,',
'500,ko,,',
'500,ko,a.out,',
'500,kubectl,a.out,',
'500,lua-language-server,lua-language-server,',
'500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
'500,mattermost,a.out,',
'500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
'500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
'500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
'500,melange,a.out,',
'500,melange-run,a.out,',
'500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
'500,monday.com Helper (GPU),com.monday.desktop.helper.GPU,Apple Mac OS Application Signing',
'500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
'500,monorail,a.out,',
'500,OOPProResRawService,com.apple.videoapps.OOPProResRawService,Apple Mac OS Application Signing',
'500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
'500,plugin-darwin-arm64,a.out,',
'500,PrinterProxy,com.apple.print.PrinterProxy,',
'500,registry,a.out,',
'500,registry-redirect,a.out,',
'500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
'500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
'500,scdaemon,scdaemon,',
'500,Chromium,Chromium,',
'500,sdaudioswitch,,',
'500,sdaudioswitch,sdaudioswitch,',
'500,sdzoomplugin,,',
'500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
'500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
'500,snyk-ls_darwin_arm64,a.out,',
'500,ssh,ssh,',
'500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
'500,stern,a.out,',
'500,syncthing,syncthing,',
'500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
'500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
'500,tflint,a.out,',
'500,tflint-ruleset-aws,a.out,',
'500,tflint-ruleset-google,a.out,',
'500,timestamp-server,a.out,',
'500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
'500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
'500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
'500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
'500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'500,vim,,',
'500,vim,vim,'
'500,vim,vim,',
'500,WinAppHelper,,',
'500,WinAppHelper,WinAppHelper,'
)
AND NOT (
exception_key LIKE '500,%,a.out,'
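Review bot: The root-level exception `'0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)'` appears to be the one line tied to the commit's stated purpose, yet nothing records why the same signer now needs a second identifier alongside `'0,osqueryd,osqueryd,...'`, so neither entry can be retired later with confidence. A trailing comment in the style the file already uses at the `testing` entry, e.g. `-- newer osquery releases report identifier io.osquery.agent`, would capture that (the exact release is not on the page, so confirm it before writing it down). The remaining lines of the hunk are a re-sort of the list, which hides the net +1 the diffstat reports; a sort-only reorder is easier to audit as a separate commit. The WHERE clause continues outside the hunk.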
4 changes: 2 additions & 2 deletions detection/exfil/yara-unexpected-go-crypt-exec-process.sql
Expand Up @@ -4,7 +4,7 @@
-- * https://github.com/Neo23x0/signature-base/blob/master/yara/pua_cryptocoin_miner.yar
--
-- tags: persistent
-- interval: 7200
-- interval: 3600
-- platform: posix
SELECT
yara.*,
Expand Down Expand Up @@ -42,7 +42,7 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 7200)
p0.start_time > (strftime('%s', 'now') - 3600)
AND yara.sigrule = '
rule cryptexec {
strings:
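Review bot: With `-- interval: 3600` and `p0.start_time > (strftime('%s', 'now') - 3600)` now exactly equal, any delay between a run's scheduled and actual execution leaves processes started in that gap outside the lookback of both the late run and the next one; the lookback should stay a little wider than the interval, e.g. `p0.start_time > (strftime('%s', 'now') - 3900)`, with a comment such as `-- lookback must exceed the interval in the header above` next to the WHERE line so the two numbers are changed together. The same equal pairing is introduced in detection/persistence/yara-libtomcrypt-process.sql in this commit, whose previous version paired an 86400 interval with a 7200 window and so left most of each day unexamined, which is exactly the coupling a comment would have flagged. I assume the `-- interval:` header is what the pack generator reads for scheduling; that is not shown on the page. The query body continues outside the hunk.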
4 changes: 2 additions & 2 deletions detection/persistence/yara-libtomcrypt-process.sql
Expand Up @@ -4,7 +4,7 @@
-- * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
--
-- tags: persistent
-- interval: 86400
-- interval: 3600
-- platform: posix
SELECT
yara.strings,
Expand Down Expand Up @@ -42,7 +42,7 @@ FROM
LEFT JOIN processes p2 ON p1.parent = p2.pid
LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
WHERE
p0.start_time > (strftime('%s', 'now') - 7200)
p0.start_time > (strftime('%s', 'now') - 3600)
AND
yara.sigrule = '
rule redflags {
