From 229a32a61e217c348dce91b68d19e8748a3b41a3 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 9 Jan 2024 16:14:00 -0500
Subject: [PATCH 1/2] fpr: sourcegraph,phantombuster,iterm,cody,stickers
---
 .../c2/unexpected-dns-traffic-events.sql | 1 +
 detection/c2/unexpected-https-linux.sql | 2 +
 detection/c2/unexpected-https-macos.sql | 1 +
 detection/c2/unexpected-talker-events.sql | 3 ++
 detection/c2/unexpected-talkers-linux.sql | 1 +
 detection/c2/unexpected-talkers-macos.sql | 2 +-
 .../evasion/executables-from-the-future.sql | 4 ++
 detection/evasion/hidden-cwd-events-linux.sql | 1 +
 detection/evasion/hidden-cwd.sql | 12 +++--
 detection/evasion/hidden-home-library-dir.sql | 2 +
 .../unexpected-alf-exceptions-macos.sql | 6 ++-
 .../evasion/unusual-process-name-macos.sql | 2 +
 .../unexpected-execdir-events-macos.sql | 1 +
 .../execution/unexpected-sysutils-macos.sql | 1 +
 detection/exfil/high_disk_bytes_read.sql | 2 +
 ...yara-recently-downloaded-go-crypt-exec.sql | 11 ++--
 .../unexpected-shell-parent-events.sql | 1 +
 .../unexpected-chrome-extensions.sql | 1 +
 .../unexpected-listening-port-macos.sql | 51 +++++++++----------
 .../unexpected-privileged-containers.sql | 2 +
 20 files changed, 68 insertions(+), 39 deletions(-)
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 8a2c3c77..4ce54311 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -80,6 +80,7 @@ WHERE
 'Telegram,8.8.8.8,53',
 'com.docker.vpnkit,8.8.8.8,53',
 'Meeting Center,8.8.8.8,53',
+ 'nuclei,1.0.0.1,53',
 'limactl,8.8.8.8,53',
 'signal-desktop,8.8.8.8,53',
 'slack,8.8.8.8,53',
diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
index acf2d0d1..c8e31f60 100644
--- a/detection/c2/unexpected-https-linux.sql
+++ b/detection/c2/unexpected-https-linux.sql
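Review bot: The new `'nuclei,1.0.0.1,53'` entry, like the `gobuster`/`nuclei` keys added to unexpected-https-linux.sql and the `nuclei` LIKE added to unexpected-talkers-linux.sql, exempts a vulnerability scanner from a C2 detection on the strength of the process name alone, and nothing in the hunk records why that is expected traffic on these hosts. Unlike the macOS exception keys on this page, these entries carry no signing authority or path, so the exemption is exactly as wide as the name. A one-line comment beside the entries, e.g. `-- nuclei/gobuster: expected here because <reason>; name-only key`, would let a later reader judge the trade-off. The IN list continues outside the hunk.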
@@ -63,6 +63,8 @@ WHERE
 '0,elastic-endpoint,0u,0g,elastic-endpoin',
 '0,bash,0u,0g,bash',
 '0,filebeat,0u,0g,filebeat',
+ '500,gobuster,500u,500g,gobuster',
+ '500,nuclei,500u,500g,nuclei',
 '0,bash,0u,0g,mkinitcpio',
 '0,bash,0u,0g,sh',
 '0,chainctl,0u,0g,chainctl',
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 3616059c..30e8109f 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -182,6 +182,7 @@ WHERE
 '500,nodegizmo,nodegizmo,500u,20g',
 '500,apko,apko,0u,0g',
 '500,apko,apko,500u,20g',
+ '500,wolfibump,wolfibump,500u,20g',
 '500,wolfictl,wolfictl,0u,0g',
 '500,istioctl,istioctl,500u,20g',
 '500,aws,aws,0u,0g',
diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
index 282061b4..df1a0dd5 100644
--- a/detection/c2/unexpected-talker-events.sql
+++ b/detection/c2/unexpected-talker-events.sql
@@ -194,7 +194,9 @@ WHERE
 '500,500,32768,Electron',
 '500,500,32768,GoogleUpdater',
 '500,500,32768,java',
+ '500,99,443,Slack Helper',
 '500,500,32768,ksfetch',
+ '500,0,32768,elastic-endpoint',
 '500,500,32768,melange',
 '500,500,32768,node',
 '500,500,4318,Code Helper (Plugin)',
@@ -249,6 +251,7 @@ WHERE
 AND NOT p0_path LIKE '/Users/%/go/%'
 AND NOT p0_path LIKE '/Users/%/src/%'
 AND NOT p0_path LIKE '/Users/%/dev/%'
+ AND NOT p0_path LIKE '/System/%'
 AND NOT p0_path LIKE '/private/var/folders/%/T/AppTranslocation/%/%.app/Contents/MacOS/%'
 AND NOT (
 basename = "Python"
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index fc219a7f..8f477889 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
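Review bot: `AND NOT p0_path LIKE '/System/%'` is broader than the sealed system volume it appears to target: on current macOS the writable data volume is also mounted under `/System/Volumes/Data`, so a process whose path is reported through that mount (`/System/Volumes/Data/Users/…`) would be exempted by the same pattern, and the alf exception list elsewhere in this patch shows that `/System/Volumes/Preboot/Cryptexes/…` paths do turn up in these keys. Carving the data volume back out keeps the intent: `AND NOT (p0_path LIKE '/System/%' AND NOT p0_path LIKE '/System/Volumes/Data/%')`. Whether p0_path is ever reported via the firmlink mount depends on how the events table resolves paths, which the hunk does not show, so this is worth confirming before relying on the shorter form. The `AND NOT ( basename = "Python"` block at the end continues past the hunk.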
@@ -233,6 +233,7 @@ WHERE
 '9999,6,500,firefox,0u,0g,firefox'
 )
 AND NOT exception_key LIKE '80,6,500,terraform_1.1.5,500u,500g,terraform'
+ AND NOT exception_key LIKE '%,6,500,nuclei,500u,500g,nuclei'
 AND NOT (
 p.name = 'java'
 AND p.cmdline LIKE '/home/%/.local/share/JetBrains/Toolbox/%'
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 699368c0..95e3c765 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -210,7 +210,7 @@ WHERE
 )
 AND NOT (
 exception_key LIKE '500,6,%,syncthing,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783),syncthing'
- AND remote_port > 79
+ AND remote_port > 24
 )
 AND NOT (
 alt_exception_key = '500,6,80,main,main,500u,20g'
diff --git a/detection/evasion/executables-from-the-future.sql b/detection/evasion/executables-from-the-future.sql
index b4e7c72b..050b270f 100644
--- a/detection/evasion/executables-from-the-future.sql
+++ b/detection/evasion/executables-from-the-future.sql
@@ -22,6 +22,10 @@ SELECT
 f.mtime > (strftime('%s', 'now') + 43200) AS mtime_newer,
 f.ctime > (strftime('%s', 'now') + 43200) AS ctime_newer,
 f.btime > (strftime('%s', 'now') + 43200) AS btime_newer,
+ f.mtime - strftime('%s', 'now') AS mtime_diff,
+ f.ctime - strftime('%s', 'now') AS ctime_diff,
+ f.btime - strftime('%s', 'now') AS btime_diff,
+ strftime('%s', 'now') AS current_time,
 hash.sha256 AS child_hash256,
 pp.path AS parent_path,
 pp.cmdline AS parent_cmd,
diff --git a/detection/evasion/hidden-cwd-events-linux.sql b/detection/evasion/hidden-cwd-events-linux.sql
index eeb042e1..bce7407e 100644
--- a/detection/evasion/hidden-cwd-events-linux.sql
+++ b/detection/evasion/hidden-cwd-events-linux.sql
@@ -68,6 +68,7 @@ WHERE
 '.kotlin',
 '.npm',
 '.git',
+ '.linuxbrew',
 '.gimme',
 '.vscode',
 '.vim',
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index 542ac953..67f1c689 100644
--- a/detection/evasion/hidden-cwd.sql
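Review bot: The alias on the added `strftime('%s', 'now') AS current_time` column reuses the name of the SQL `CURRENT_TIME` keyword; SQLite accepts keywords as aliases, but the column then reads like the built-in (which yields a clock string, not an epoch integer) and will mislead anyone reading the output or porting the query. A name that says what the value is, `strftime('%s', 'now') AS now_epoch`, avoids that, and a one-line comment above the three new `_diff` columns stating that they are seconds relative to now (positive means a timestamp in the future) would document the unit the `43200` threshold on the lines above is expressed in. The SELECT list continues outside the hunk.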
+++ b/detection/evasion/hidden-cwd.sql
@@ -75,16 +75,17 @@ WHERE
 WHERE
 cwd LIKE '%/.%'
 AND NOT name IN (
+ 'apfsd',
 'bindfs',
- 'vim',
+ 'code',
+ 'Code Helper',
 'find',
+ 'git',
+ 'gitsign',
 'nvim',
 'terraform',
- 'code',
 'updatedb',
- 'git',
- 'gitsign',
- 'Code Helper'
+ 'vim'
 )
 AND NOT cgroup_path LIKE '/system.slice/docker-%'
 AND NOT cgroup_path LIKE '/system.slice/system.slice:docker:%'
@@ -105,6 +106,7 @@ WHERE
 'fish,~/.local/share',
 'rustc,/home/build/.cargo',
 'fish,~/.Trash',
+ 'Arduino IDE Helper,/private/var/folders',
 'git,~/.local/share',
 'fileproviderd,~/Library/Mobile Documents',
 'java,/home/build/.gradle',
diff --git a/detection/evasion/hidden-home-library-dir.sql b/detection/evasion/hidden-home-library-dir.sql
index 2d3e8b53..894a0230 100644
--- a/detection/evasion/hidden-home-library-dir.sql
+++ b/detection/evasion/hidden-home-library-dir.sql
@@ -43,6 +43,7 @@ WHERE
 '~/Library/Finance/.finance_cloud_SUPPORT/_EXTERNAL_DATA',
 '~/Library/Finance/.finance_dropbox_SUPPORT/_EXTERNAL_DATA',
 '~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA',
+ '~/Library/Stickers/.stickers_SUPPORT/_EXTERNAL_DATA',
 '~/Library/GroupContainersAlias/.SiriTodayViewExtension',
 '~/Library/GroupContainersAlias/.SiriTodayViewExtension/Library',
 '~/Library/Group Containers/.SiriTodayViewExtension',
@@ -55,3 +56,4 @@ WHERE
 )
 AND NOT homedir LIKE '~/Library/.icedove/%'
 AND NOT homedir LIKE '~/Library/Mobile Documents/.Trash%'
+ AND NOT homedir LIKE '~/Library/%/.%_SUPPORT/_EXTERNAL_DATA'
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
index 8a043153..79c3fb03 100644
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
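Review bot: In the new `AND NOT homedir LIKE '~/Library/%/.%_SUPPORT/_EXTERNAL_DATA'` the underscores are LIKE single-character wildcards, not literals, so the pattern also clears hidden directories whose names merely have some character where `_` stands, and the leading `%` crosses directory levels; it is therefore wider than the four literal `_SUPPORT/_EXTERNAL_DATA` entries it generalizes (the three Finance ones and the Stickers one added in the first hunk), all of which it now makes redundant. If a literal underscore is intended, `AND NOT homedir GLOB '~/Library/*/.*_SUPPORT/_EXTERNAL_DATA'` treats `_` literally (note GLOB is case-sensitive where LIKE is not), or keep LIKE and add an ESCAPE clause. The hunk's trailing context shows this line ends the file.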
@@ -62,6 +62,7 @@ WHERE
 ',,/Applications/ProtonMail%20Bridge.app/,',
 ',,/Applications/Visual%20Studio%20Code.app/,',
 ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
+ 'Developer ID Application: Any.DO inc. (FW4RAPJ9FF),com.anydo.mac,/Applications/Anydo.app/,501',
 'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501',
 'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
 'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
@@ -77,6 +78,7 @@ WHERE
 'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
 'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
 'Developer ID Application: Postdot Technologies, Inc (H7H8Q7M5CK),com.postmanlabs.mac,/Applications/Postman.app/,501',
+ 'Developer ID Application: Raycast Technologies Inc (SY64MV22J9),com.raycast.macos,/Applications/Raycast.app/,501',
 'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
 'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
@@ -88,6 +90,7 @@ WHERE
 ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
 ',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
 ',org.python.python,/opt/homebrew/Cellar/python@3.11/3.11.2_1/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501',
+ ',org.python.python,/opt/homebrew/Cellar/python@3.12/3.12.1/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/,501',
 'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
 'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
 'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
@@ -96,8 +99,7 @@ WHERE
 'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
 'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
 'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
- '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
- ',,/usr/local/sbin/iodined,501'
+ '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/'
 )
 AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'
 AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python@%/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501'
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
index f778fb1d..788d420f 100644
--- a/detection/evasion/unusual-process-name-macos.sql
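Review bot: The added `',org.python.python,/opt/homebrew/Cellar/python@3.12/3.12.1/…,501'` entry pins a full Homebrew patch version, so the next upgrade of python@3.12 will re-fire the same alert; the file already handles this for 3.11 with the `LIKE ',org.python.python,/opt/homebrew/Cellar/python@%/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501'` pattern at the end of this hunk. Widening that pattern's minor version to `Versions/3.%/Resources` would cover 3.10 through 3.12 and let the three pinned IN entries be dropped. The removal of the `',,/usr/local/sbin/iodined,501'` exception tightens what the rule reports and deserves a sentence in the commit message, since "fpr" suggests only false-positive reductions. The IN list opens before the first hunk of this file.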
+++ b/detection/evasion/unusual-process-name-macos.sql
@@ -107,4 +107,6 @@ WHERE
 )
 -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
 AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
+ AND NOT pname LIKE 'cody-engine-%'
+ AND NOT pname LIKE '%-macos-arm64'
 AND NOT s.authority IN ("Software Signing","Apple Mac OS Application Signing")
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index ed2a81a3..f2641d82 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -313,6 +313,7 @@ WHERE
 'Apple Mac OS Application Signing',
 'Developer ID Application: Azul Systems, Inc. (TDTHCUPYFR)',
 'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
+ 'Developer ID Application: Rogue Amoeba Software, LLC (7266XEXAPM)',
 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
 'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
 'Developer ID Application: Cisco (DE8Y96K9QP)',
diff --git a/detection/execution/unexpected-sysutils-macos.sql b/detection/execution/unexpected-sysutils-macos.sql
index 60f1ab02..7d4f7b20 100644
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
@@ -112,6 +112,7 @@ WHERE
 'system_profiler,500,bash,launchd',
 'system_profiler,500,Ultimate,launchd',
 'system_profiler,500,steam_osx,launchd',
+ 'ioreg,500,bash,Alfred Preferences',
 'system_profiler,500,bash,logioptionsplus_agent',
 'system_profiler,0,launcher,launchd'
 )
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 23577be6..c70616d6 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
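Review bot: `AND NOT pname LIKE '%-macos-arm64'` is a suffix-only, name-based exemption: it clears any process whose name ends in `-macos-arm64` regardless of path or signature, which makes it the widest carve-out in this block, whereas `cody-engine-%` is at least prefix-anchored. The preceding exemption documents itself with the file's `-- example:` convention and the two new lines should too, e.g. `-- example: cody-engine-<version>; <tool>-macos-arm64 release binaries`, and if the intent is release binaries that are signed, the suffix rule could be paired with the signing authority the `s` alias already exposes on the last line. The hunk's trailing context shows these lines sit at the end of the file.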
@@ -163,6 +163,8 @@ WHERE
 '/usr/sbin/spindump',
 '/usr/sbin/systemstats'
 )
+ AND NOT p0.path LIKE '/Library/SystemExtensions/%/io.kandji.KandjiAgent.ESF-Extension.systemextension/Contents/MacOS/io.kandji.KandjiAgent.ESF-Extension'
+
 AND NOT (
 p0.name = 'bindfs'
 AND p0.cmdline LIKE 'bindfs%-o fsname=%'
diff --git a/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql b/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql
index e436bb8a..e48c8224 100644
--- a/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql
+++ b/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql
@@ -33,12 +33,13 @@ WHERE
 AND yara.sigrule = '
 rule cryptexec {
 strings:
- $cbc = "crypto/cipher.newCBC" ascii
- $aes = "crypto/aes.newCipher"
- $run = "os/exec.(*Cmd).Run" ascii
- $exec = "os/exec.Command" ascii
+ $s_cbc = "crypto/cipher.newCBC" ascii
+ $s_aes = "crypto/aes.newCipher"
+ $s_run = "os/exec.(*Cmd).Run" ascii
+ $s_exec = "os/exec.Command" ascii
+ $not_analysis = "Dynamic Section"
 condition:
- 3 of them
+ 3 of ($s*) and none of ($not*)
 }'
 AND yara.count > 0
 AND file.path NOT LIKE '/Users/%/Downloads/chainctl%'
diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
index b96e86e6..78f155c8 100644
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -192,6 +192,7 @@ WHERE
 'zsh'
 )
 OR p1_name LIKE 'terraform-provider-%'
+ OR p1_name LIKE 'iTermServer-%'
 -- Do not add shells to this list if you want your query to detect
 -- bad programs that were started from a shell.
 OR p2_name IN ('env', 'git')
diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
index ee1701c7..a6d52c7a 100644
--- a/detection/persistence/unexpected-chrome-extensions.sql
+++ b/detection/persistence/unexpected-chrome-extensions.sql
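Review bot: `none of ($not*)` turns the single literal `$not_analysis = "Dynamic Section"` into a hard suppression for the whole YARA rule, and nothing in the hunk says which family of binaries carries that string, so a later maintainer cannot tell whether the exclusion is still needed or safe to remove. A comment inside the rule body, e.g. `// "Dynamic Section": found in <which binaries>; excluded because <reason>`, would capture the intent (YARA accepts `//` comments, and the rule text is a SQL string so no escaping is involved). The modifiers are also uneven now: `$s_aes` and `$not_analysis` lack the `ascii` the other strings carry; it is YARA's default, so either drop it everywhere or add it to both. The SQL WHERE clause around the rule continues outside the hunk.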
@@ -226,6 +226,7 @@ WHERE
 'true,,Todoist for Gmail,clgenfnodoocmhnlnpknojdbjjnmecff',
 'true,,Cisco Umbrella Chromebook client (Ext),jcdhmojfecjfmbdpchihbeilohgnbdci',
 'true,,Media Hint,akipcefbjlmpbcejgdaopmmidpnjlhnb',
+ 'true,,PhantomBuster,mdlnjfcpdiaclglfbdkbleiamdafilil',
 'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
 'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
 'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index e3e966f3..5fcff072 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -54,7 +54,6 @@ WHERE
 AND NOT exception_key IN (
 '10011,6,0,launchd,Software Signing',
 '10011,6,0,webfilterproxyd,Software Signing',
- '22000,6,500,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783)',
 '1024,6,0,systemmigrationd,Software Signing',
 '1313,6,500,hugo,',
 '1338,6,500,registry,',
@@ -64,13 +63,15 @@ WHERE
 '138,17,222,netbiosd,Software Signing',
 '16587,6,500,RescueTime,Developer ID Application: RescueTime, Inc (FSY4RB8H39)',
 '17500,6,500,Dropbox,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
+ '1824,6,500,WaveLink,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '2112,6,500,fake,',
 '2112,6,500,rekor-server,',
 '2112,6,500,timestamp-server,',
- '22,6,0,launchd,Software Signing',
 '22000,6,500,syncthing,',
 '22000,6,500,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783)',
+ '22000,6,500,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783)',
+ '22,6,0,launchd,Software Signing',
 '2345,6,500,dlv,',
 '24678,6,500,node,',
 '24802,6,500,synergy-service,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
@@ -78,14 +79,10 @@ WHERE
 '28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '28198,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 '2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
- '3080,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
- '3090,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
- '3180,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
- '3181,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
- '3182,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
+ '33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
 '3306,6,500,mariadbd,',
 '3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
- '33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
+ '33333,6,500,Ultimate,',
 '3400,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)',
 '41949,6,500,IPNExtension,Apple Mac OS Application Signing',
 '43398,6,500,IPNExtension,Apple Mac OS Application Signing',
@@ -98,33 +95,34 @@ WHERE
 '49152,6,0,launchd,Software Signing',
 '49152,6,0,remoted,Software Signing',
 '49152,6,0,remotepairingdeviced,Software Signing',
+ '49152,6,500,CaptureCoreService,Developer ID Application: Capture One A/S (5WTDB5F65L)',
+ '49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
+ '49152,6,500,com.docker.supervisor,Developer ID Application: Docker Inc (9BNSXJN65R)',
+ '49152,6,500,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8)',
 '49152,6,500,EcammLiveRemoteXPCServer,Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
 '49152,6,500,GarageBand,Apple Mac OS Application Signing',
 '49152,6,500,IPNExtension,Apple Mac OS Application Signing',
+ '49152,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
+ '49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
+ '49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
 '49152,6,500,LogiMgrDaemon,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
+ '49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
 '49152,6,500,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K)',
 '49152,6,500,Music,Software Signing',
+ '49152,6,500,node,',
+ '49152,6,500,qemu-system-aarch64,',
+ '49152,6,500,rapportd,Software Signing',
 '49152,6,500,Resolve,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
- '49152,6,500,Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
 '49152,6,500,Signal,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
+ '49152,6,500,Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
 '49152,6,500,Sketch,Developer ID Application: Bohemian Coding (WUGMZZ5K46)',
 '49152,6,500,SketchMirrorHelper,Developer ID Application: Bohemian Coding (WUGMZZ5K46)',
 '49152,6,500,Spotify,Developer ID Application: Spotify (2FNC3A47ZF)',
 '49152,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
- '49152,6,500,Webcam-desktop,Developer ID Application: Shenzhen Arashi Vision Co., Ltd. (847R5ZLN8S)',
- '49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
- '49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
- '49152,6,500,com.docker.supervisor,Developer ID Application: Docker Inc (9BNSXJN65R)',
- '49152,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
- '49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
- '49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
- '49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
- '49152,6,500,node,',
- '49152,6,500,qemu-system-aarch64,',
- '33333,6,500,Ultimate,',
- '49152,6,500,rapportd,Software Signing',
 '49152,6,500,telepresence,',
 '49152,6,500,vpnkit-bridge,Developer ID Application: Docker Inc (9BNSXJN65R)',
+ '49152,6,500,Webcam-desktop,Developer ID Application: Shenzhen Arashi Vision Co., Ltd. (847R5ZLN8S)',
+ '49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
 '5000,6,500,ControlCenter,Software Signing',
 '5001,6,500,crane,',
 '5001,6,500,gvproxy,',
@@ -137,7 +135,6 @@ WHERE
 '546,17,0,configd,Software Signing',
 '547,17,500,dhcp6d,Software Signing',
 '5900,6,0,launchd,Software Signing',
- '8125,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
 '5900,6,0,screensharingd,Software Signing',
 '5990,6,500,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
 '6000,6,500,X11.bin,Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)',
@@ -146,17 +143,16 @@ WHERE
 '67,17,0,launchd,Software Signing',
 '68,17,0,configd,Software Signing',
 '7000,6,500,ControlCenter,Software Signing',
+ '7265,6,500,Raycast,Developer ID Application: Raycast Technologies Inc (SY64MV22J9)',
 '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '80,6,500,limactl,',
 '8081,6,500,crane,',
- '81,6,500,nginx,',
 '8123,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
+ '8125,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
+ '81,6,500,nginx,',
 '8770,6,500,sharingd,Software Signing',
 '8771,6,500,sharingd,Software Signing',
 '88,17,0,kdc,Software Signing',
- '49152,6,500,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8)',
- '88,6,0,kdc,Software Signing',
- '49152,6,500,CaptureCoreService,Developer ID Application: Capture One A/S (5WTDB5F65L)',
 '8828,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '8829,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '8830,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@@ -165,9 +161,12 @@ WHERE
 '8833,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '8834,6,0,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
 '8834,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
+ '88,6,0,kdc,Software Signing',
 '8888,6,500,otel-desktop-viewer,',
 '9101,6,500,github_actions_exporter,'
 )
+ AND NOT exception_key LIKE '3%,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)'
+ AND NOT exception_key LIKE '88%,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)'
 AND NOT (
 signature.authority = 'Developer ID Application: Linear Orbit, Inc. (7VZ2S3V9RV)'
 AND lp.port > 1024
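Review bot: The new `exception_key LIKE '3%,6,500,sourcegraph-backend,…'` matches any listening port whose decimal form begins with 3 (3, 30–39, 300–399, 3000–3999, 30000–39999), far more than the five ports 3080–3182 it replaces from the hunk at line 78, and `'88%,6,500,Code Helper,…'` likewise admits 88 and 880–889 alongside the 8828–8834 entries that are still listed explicitly, so those seven IN entries are now redundant as well. The Linear Orbit block right below shows the file's idiom for a port range, and it fits here: `AND NOT (exception_key LIKE '%,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)' AND lp.port >= 3080 AND lp.port <= 3182)`, with the same shape for Code Helper over 8828–8834. A one-line comment naming why these two programs need a range rather than fixed ports would help the next person who widens it. The Linear Orbit `AND NOT (` block continues past the hunk.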
diff --git a/detection/privesc/unexpected-privileged-containers.sql b/detection/privesc/unexpected-privileged-containers.sql
index 26b8a0df..041d36e5 100644
--- a/detection/privesc/unexpected-privileged-containers.sql
+++ b/detection/privesc/unexpected-privileged-containers.sql
@@ -32,6 +32,7 @@ WHERE
 'cgr.dev/chainguard/wolfi-base',
 'distroless.dev/melange',
 'docker.io/rancher/k3s',
+ 'ghcr.io/wolfi-dev/sdk@sha256',
 'cgr.dev/chainguard-private/python',
 'gcr.io/k8s-minikube/kicbase',
 'ghcr.io/wolfi-dev/sdk',
@@ -42,5 +43,6 @@ WHERE
 'wolfi'
 )
 AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%'
+ AND image NOT LIKE 'ghcr.io/wolfi-dev/%'
 AND image NOT LIKE 'melange-%'
 AND command NOT LIKE '/usr/bin/melange build %'
From 27a0d5573778229ad8ac4abf766c40d253ba3b0a Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Tue, 9 Jan 2024 16:19:52 -0500
Subject: [PATCH 2/2] fpr: syncthing
---
 detection/c2/unexpected-talkers-macos.sql | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 95e3c765..b0752609 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -208,6 +208,10 @@ WHERE
 AND remote_port > 20
 AND remote_port < 32000
 )
+ AND NOT (
+ exception_key LIKE '500,6,%,syncthing,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783),syncthing'
+ AND remote_port > 24
+ )
 AND NOT (
 exception_key LIKE '500,6,%,syncthing,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783),syncthing'
 AND remote_port > 24
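Review bot: `AND image NOT LIKE 'ghcr.io/wolfi-dev/%'` exempts every image under the wolfi-dev organization from the privileged-container check, which makes the `'ghcr.io/wolfi-dev/sdk@sha256'` entry added in the first hunk and the existing `'ghcr.io/wolfi-dev/sdk'` entry redundant and is wider than the SDK image the pair of additions seems aimed at. If only the SDK is expected to run privileged, `AND image NOT LIKE 'ghcr.io/wolfi-dev/sdk%'` still covers the digest-referenced form without clearing the whole namespace. The literal `sdk@sha256` value also suggests the image column is being cut at the digest's colon before comparison — worth confirming against the table, because if so the exact-match list can never see a full digest and a comment should say so. The WHERE clause opens before the first hunk.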
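Review bot: The new `AND NOT (exception_key LIKE '…Kastelo AB (LQE5SYM783)…' AND remote_port > 24)` block duplicates the Jakob Borg block immediately below it except for the signer's display name; both carry Team ID `LQE5SYM783`, which is the stable part of a Developer ID identity, so this is presumably the same team under a new name. One pattern keyed on the Team ID covers both and any future rename: `exception_key LIKE '500,6,%,syncthing,syncthing,Developer ID Application: % (LQE5SYM783),syncthing'`, and the same collapse applies to the two syncthing entries in unexpected-listening-port-macos.sql. The first patch's hunk on this same file lowers the floor from `remote_port > 79` to `> 24`, which newly admits ports 25–79 for syncthing; a short comment stating which port motivated that would keep the widening reviewable. The block's closing `)` lies outside the hunk.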