Merge pull request #325 from tstromberg/fpr-oct2

fpr: containerd, hyper, Docker, Chromium, spotify, busycal

detection/c2/unexpected-talker-events.sql

@@ -11,7 +11,7 @@ SELECT
   s.family,
   s.path,
   s.fd,
-  REPLACE("::ffff:", "", s.remote_address),
+  REPLACE(s.remote_address, "::ffff:", "") AS remote_address,
   s.remote_port,
   s.local_port,
   COALESCE(REGEX_MATCH (s.path, '.*/(.*)', 1), s.path) AS basename,
@@ -103,6 +103,8 @@ WHERE
   AND NOT exception_key IN (
     '500,0,110,syncthing',
     '500,0,123,sntp',
+    '500,0,53,spotify',
+    '500,0,1234,spotify',
     '500,0,20480,io.tailscale.ipn.macsys.network-extension',
     '500,0,22,ssh',
     '500,0,31488,sntp',
@@ -131,6 +133,7 @@ WHERE
     '500,0,443,ssh',
     '500,500,53,Code Helper',
     '500,0,43,whois',
+    '500,0,443,spotify',
     '500,0,443,syncthing',
     '500,0,443,velociraptor',
     '500,0,443,wget',

detection/evasion/old-binaries-running.sql

@@ -56,6 +56,7 @@ WHERE
     '/usr/bin/sshfs',
     '/usr/bin/xclip',
     '/usr/bin/xss-lock',
+    '/usr/bin/i3lock',
     '/usr/local/bin/dive'
   )
   AND p.name NOT IN (

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -64,6 +64,7 @@ WHERE
     '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
     'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
     'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
+    'Apple Mac OS Application Signing,com.busymac.busycal3,/Applications/BusyCal.app/,0',
     'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
     'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
     'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
@@ -73,6 +74,7 @@ WHERE
     'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
     'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
+    'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
     'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
     'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
     'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
@@ -81,7 +83,6 @@ WHERE
     'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
     'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
     'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
-    'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
     'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
     'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
     'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',

detection/execution/exotic-command-events-macos.sql

@@ -209,6 +209,7 @@ WHERE
     'yara,500,bash,fish',
     'ssh,500,limactl.ventura,launchd',
     'git,500,zsh,login',
+    'bat,500,zsh,login',
     'git,500,zsh,goland',
     'sh,0,Ecamm Live,launchd',
     'cat,500,zsh,login'

detection/execution/unexpected-execdir-events-macos.sql

@@ -258,7 +258,10 @@ WHERE
   ) -- Locally built executables
   AND NOT (
     s.identifier = 'a.out'
-    AND dir LIKE '~/%'
+    AND (
+      dir LIKE '~/%'
+      OR dir LIKE '/Users/%'
+    )
     AND p1_name IN ('fish', 'sh', 'bash', 'zsh', 'terraform', 'code')
   )
   AND NOT (

detection/execution/unexpected-security-framework-program-macos.sql

@@ -96,6 +96,9 @@ WHERE
     '500,Duckly Helper,Electron Helper,',
     '500,Duckly,Electron,',
     '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
+    '500,Evernote Helper (Renderer),com.evernote.Evernote.helper.Renderer,Apple Mac OS Application Signing',
+    '500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
+    '500,Evernote,com.evernote.Evernote,Apple Mac OS Application Signing',
     '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
     '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
     '500,Grammarly Safari Extension,com.grammarly.safari.extension.ext2,Apple Mac OS Application Signing',
@@ -126,8 +129,6 @@ WHERE
     '500,bash,bash,',
     '500,bash,com.apple.bash,Software Signing',
     '500,bufls,a.out,',
-    '500,timestamp-server,a.out,',
-    '500,docker,a.out,',
     '500,chainctl,a.out,',
     '500,cloud-sql-proxy,a.out,',
     '500,cloud-sql-proxy.darwin.arm64,a.out,',
@@ -137,18 +138,17 @@ WHERE
     '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
     '500,crane,a.out,',
     '500,debug.test,a.out,',
-    '500,gke-gcloud-auth-plugin,a.out,',
     '500,dive,a.out,',
-    '500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
-    '500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
     '500,dlv,a.out,',
+    '500,docker,a.out,',
     '500,epdfinfo,epdfinfo,',
     '500,esbuild,,',
     '500,esbuild,a.out,',
     '500,fake,a.out,',
     '500,git,git,',
     '500,gitsign,a.out,',
     '500,gitsign-credential-cache,a.out,',
+    '500,gke-gcloud-auth-plugin,a.out,',
     '500,go,a.out,',
     '500,gopls,a.out,',
     '500,gopls,gopls,',
@@ -164,6 +164,7 @@ WHERE
     '500,mattermost,a.out,',
     '500,melange,a.out,',
     '500,melange-run,a.out,',
+    '500,monday.com Helper (Renderer),com.monday.desktop.helper.Renderer,Apple Mac OS Application Signing',
     '500,monday.com Helper,com.monday.desktop.helper,Apple Mac OS Application Signing',
     '500,monorail,a.out,',
     '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
@@ -172,6 +173,7 @@ WHERE
     '500,registry-redirect,a.out,',
     '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
     '500,scdaemon,scdaemon,',
+    '500,Chromium,Chromium,',
     '500,sdaudioswitch,,',
     '500,sdaudioswitch,sdaudioswitch,',
     '500,sdzoomplugin,,',
@@ -184,6 +186,7 @@ WHERE
     '500,tflint,a.out,',
     '500,tflint-ruleset-aws,a.out,',
     '500,tflint-ruleset-google,a.out,',
+    '500,timestamp-server,a.out,',
     '500,vim,,',
     '500,vim,vim,'
   )

detection/initial_access/sketchy-mounted-diskimage.sql

@@ -97,7 +97,6 @@ WHERE
     OR (
       (
         vol_name LIKE "Install%"
-
         -- The rest are synced with sketchy-download-names
         OR vol_name LIKE "%.app%"
         OR vol_name LIKE "%AnyDesk%"
@@ -174,6 +173,8 @@ WHERE
       -- emacs
       AND magic.data NOT LIKE 'symbolic link to bin-x86%'
       AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
+      -- Docker
+      AND magic.data NOT LIKE 'cannot open%'
     )
   )
 GROUP BY

detection/initial_access/unexpected-shell-parents.sql

@@ -157,6 +157,7 @@ WHERE
   AND p1_path NOT IN (
     '/Applications/Docker.app/Contents/MacOS/Docker',
     '/Applications/Docker.app/Contents/MacOS/install',
+    '/Applications/Hyper.app/Contents/MacOS/Hyper',
     '/Applications/Visual Studio Code.app/Contents/MacOS/Electron',
     '/Applications/Docker.app/Contents/Resources/bin/com.docker.cli',
     '/Applications/Docker.app/Contents/Resources/bin/docker-credential-desktop',

detection/persistence/yara-suspicious-strings-process-linux.sql

@@ -43,8 +43,7 @@ FROM
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
   p0.start_time > (strftime('%s', 'now') - 7200)
-  AND
-  yara.sigrule = '    
+  AND yara.sigrule = '    
     rule redflags {
     strings:
         $bash_history = ".bash_history"
@@ -90,6 +89,7 @@ WHERE
     '/usr/bin/sudo',
     '/usr/bin/bash',
     '/usr/bin/containerd-shim-runc-v2',
+    '/bin/containerd-shim-runc-v2',
     '/usr/bin/docker-proxy',
     '/usr/bin/fish',
     '/usr/bin/gnome-software',
@@ -102,7 +102,7 @@ WHERE
     '/usr/bin/udevadm',
     '/usr/bin/update-notifier',
     '/usr/bin/Xwayland',
-    '/usr/lib/bluetooth/bluetoothd',    
+    '/usr/lib/bluetooth/bluetoothd',
     '/usr/lib/bluetooth/obexd',
     '/usr/libexec/accounts-daemon',
     '/usr/libexec/bluetooth/bluetoothd',
@@ -123,4 +123,4 @@ WHERE
     '/usr/sbin/NetworkManager',
     '/usr/sbin/rsyslogd',
     '/usr/sbin/smartd'
-  )
+  )