Merge pull request #407 from tstromberg/oct24

refactor minimal-socket-client-macos, fpr for AWS, Valve, Sparkle, Streamdeck, Python

detection/c2/unexpected-https-macos.sql

@@ -186,7 +186,6 @@ WHERE
     '500,istioctl,istioctl,500u,20g',
     '500,istioctl,istioctl,,a.out',
     '500,java,java,0u,0g',
-    '500,streamer,streamer,Developer ID Application: Autodesk (XXKJ396S2Y),streamer',
     '500,log-streaming,log-streaming,500u,80g',
     '500,.man-wrapped,.man-wrapped,0u,500g',
     '500,nami,nami,0u,0g',
@@ -211,6 +210,8 @@ WHERE
   )
   AND NOT s.authority IN (
     'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
+    'Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
+    'Developer ID Application: Autodesk (XXKJ396S2Y)',
     'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     'Developer ID Application: AgileBits Inc. (2BUA8C4S2C)',
     'Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',

detection/c2/unexpected-talkers-macos.sql

@@ -79,6 +79,7 @@ WHERE pos.pid IN (
       AND state != 'LISTEN'
   ) -- Ignore most common application paths
   AND p0.path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
+  AND p0.path NOT LIKE '/Applications/%.app/Contents/%/MacOS/%'
   AND p0.path NOT LIKE '/Applications/%.app/Contents/Resources/%'
   AND p0.path NOT LIKE '/Library/Apple/%'
   AND p0.path NOT LIKE '/Library/Application Support/%/Contents/%'
@@ -92,7 +93,8 @@ WHERE pos.pid IN (
     '0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
     '500,Apple Mac OS Application Signing',
     '500,Developer ID Application: Cisco (DE8Y96K9QP)',
-    '500,Developer ID Application: Google LLC (EQHXZ8M8AV)'
+    '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    '500,Developer ID Application: Valve Corporation (MXGJJ98X76)'
   )
   AND NOT (
     unsigned_exception = '500,6,80,main,main'

detection/evasion/hidden-executable.sql

@@ -74,6 +74,7 @@ WHERE (
     '~/.pulumi',
     '~/Code',
     '~/code',
+    '~/.cursor',
     '~/Projects',
     '~/src',
     '~/.sdkman',
@@ -92,7 +93,6 @@ WHERE (
     '~/.config/bluejeans-v2',
     '~/.config/Code',
     '~/.config/nvm',
-    '~/.cursor',
     '~/.deno/bin',
     '~/.devpod/contexts',
     '~/.docker/cli-plugins',

detection/evasion/unexpected-user-executables-macos.sql

@@ -224,7 +224,8 @@ WHERE
   AND NOT homepath LIKE '~/Library/%/%.sqlite-wal'
   AND NOT homepath LIKE '~/Library/%/%.db'
   AND NOT homepath LIKE '~/Library/%/%.db-wal'
-  AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Sparkle.framework'
+  AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Sparkle.framework%'
+  AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Contents/MacOS'
   AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
   AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
   AND NOT f.path LIKE '/Users/%/Library/Fonts/%.ttf'

detection/execution/unexpected-fetcher-parents.sql

@@ -3,7 +3,7 @@
 -- refs:
 --   * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
 --
--- tags: transient process state often
+-- tags: transient process state often extra
 -- platform: posix
 SELECT
   p.pid,
@@ -53,11 +53,15 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
     'curl,303,bash,nix',
     'curl,305,bash,nix',
     'curl,307,bash,nix',
+    'curl,500,ShellLauncher,',
+    'curl,500,ShellLauncher,login',
+    'curl,500,Slack,launchd',
+    'curl,500,Stats,bash',
+    'curl,500,bash,ShellLauncher',
     'curl,500,bash,bash',
     'curl,500,bash,fakeroot',
     'curl,500,bash,fish',
     'curl,500,bash,nix-daemon',
-    'curl,500,bash,ShellLauncher',
     'curl,500,bash,zsh',
     'curl,500,colima,zsh',
     'curl,500,endpoint-instal,bash',
@@ -71,11 +75,8 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
     'curl,500,nvim,nvim',
     'curl,500,nwg-panel,systemd',
     'curl,500,ruby,zsh',
-    'curl,500,ShellLauncher,',
-    'curl,500,ShellLauncher,login',
-    'curl,500,Slack,launchd',
-    'curl,500,Stats,bash',
     'curl,500,zsh,Code Helper',
+    'curl,500,zsh,Cursor Helper',
     'curl,500,zsh,Emacs-arm64-11',
     'curl,500,zsh,Hyper',
     'curl,500,zsh,login',
@@ -92,6 +93,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
     AND gparent_name IN (
       'alacritty',
       'Code Helper',
+      'Cursor Helper',
       'emacs',
       'bash',
       'gnome-terminal-',

detection/execution/unexpected-long-running-security-framework-macos.sql

@@ -61,6 +61,7 @@ WHERE -- Focus on longer-running programs
       AND NOT path LIKE '/Users/%/dev/%'
       AND NOT path LIKE '/Users/%/src/%'
       AND NOT path LIKE '/Users/%/bin/%'
+      AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
       AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
       AND NOT path LIKE '/Users/%/.terraform/providers/%'
       AND NOT REGEX_MATCH (path, '(.*)/', 1) LIKE '%/bin'
@@ -85,6 +86,7 @@ WHERE -- Focus on longer-running programs
     '500,sdzoomplugin,,',
     '500,sdaudioswitch,,',
     '500,gopls,a.out,',
+    '500,sdmicmute,sdmicmute,',
     '500,sdaudioswitch,sdaudioswitch,'
   )
   AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'

detection/persistence/listening-from-unusual-location.sql

@@ -115,6 +115,7 @@ WHERE
     '32768,6,500,Chromium',
     '32768,6,500,Code Helper (Plugin)',
     '24024,17,500,MTGA',
+    '32768,6,500,Python',
     '32768,17,499,viscosity_openvpn',
     '1,1,500,ping'
   )

detection/persistence/minimal-socket-client-macos.sql

@@ -40,26 +40,74 @@ FROM processes p
   LEFT JOIN signature s ON p.path = s.path
 WHERE p.pid IN (
     SELECT processes.pid
-    FROM processes
-      JOIN process_open_sockets ON processes.pid = process_open_sockets.pid
-      AND family != 1
+    FROM process_open_sockets
+      JOIN processes ON process_open_sockets.pid = processes.pid
+      AND family != 1 -- The outer query is slow due to the use of process_memory_map, so narrow down our choices here
     WHERE processes.path NOT LIKE '/System/%'
-      AND processes.path NOT LIKE '/Applications/%.app/Contents/Frameworks/%/Contents/MacOS/%'
-      AND processes.path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
       AND processes.path NOT LIKE '/Library/Apple/%'
-      AND processes.path NOT LIKE '/nix/store/%/bin/nix'
-      AND processes.path NOT LIKE '/opt/%/bin/%'
       AND processes.path NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
       AND processes.path NOT LIKE '/sbin/%'
       AND processes.path NOT LIKE '/usr/bin/%'
       AND processes.path NOT LIKE '/usr/libexec/%'
-      AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher'
-      AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
+      AND processes.path NOT LIKE '/private/var/kolide-k2/k2device.kolide.com/updates/%.app/Contents/MacOS/%'
       AND processes.path NOT LIKE '/usr/sbin/%'
+      AND processes.path NOT LIKE '/Library/Elastic/Agent/data/%'
+      AND NOT (
+        processes.euid >= 500
+        AND (
+          processes.path LIKE '/Applications/%.app/Contents/Frameworks/%/Contents/MacOS/%'
+          OR processes.path LIKE '/Applications/%.app/Contents/MacOS/%'
+          OR processes.path LIKE '/nix/store/%/bin/nix'
+          OR processes.path LIKE '/opt/%/bin/%'
+          OR processes.path LIKE '/Users/%/go/bin/%'
+          OR processes.path LIKE '/Users/%/Library/Application Support/Figma/FigmaAgent.app/Contents/MacOS/figma_agent'
+          OR processes.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
+          OR processes.path LIKE '/Users/%/Applications/zoom.us.app/Contents/MacOS/zoom.us'
+          OR processes.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/%'
+          OR processes.path LIKE '/private/var/folders/%/X/com.google.Chrome.code_sign_clone/code_sign_clone%'
+          OR processes.path IN (
+            '/Applications/Elgato Stream Deck.app/Contents/Helpers/node20',
+            '/Applications/GoLand.app/Contents/plugins/go-plugin/lib/dlv/macarm/dlv',
+            '/Applications/lghub.app/Contents/MacOS/lghub_updater.app/Contents/MacOS/lghub_updater',
+            '/Applications/AirBuddy.app/Contents/Library/LoginItems/AirBuddyHelper.app/Contents/XPCServices/MobileDevicesService.xpc/Contents/MacOS/MobileDevicesService',
+            '/Applications/Ollama.app/Contents/Resources/ollama',
+            '/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl.ventura',
+            '/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/qemu-system-aarch64',
+            '/Applications/Syncthing.app/Contents/Resources/syncthing/syncthing',
+            '/Library/Application Support/Adobe/Adobe Desktop Common/IPCBox/AdobeIPCBroker.app/Contents/MacOS/AdobeIPCBroker',
+            '/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS/Kandji Menu',
+            '/Applications/Google Drive.app/Contents/Applications/FinderHelper.app/Contents/PlugIns/FinderSyncExtension.appex/Contents/MacOS/FinderSyncExtension',
+            '/Applications/Google Drive.app/Contents/PlugIns/DFSFileProviderExtension.appex/Contents/MacOS/DFSFileProviderExtension',
+            '/Library/Application Support/Adobe/Adobe Desktop Common/ADS/Adobe Desktop Service.app/Contents/MacOS/Adobe Desktop Service',
+            '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/Frameworks/logioptionsplus_updater.app/Contents/MacOS/logioptionsplus_updater',
+            '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent',
+            '/Library/Developer/CommandLineTools/Library/PrivateFrameworks/LLDB.framework/Versions/A/Resources/debugserver',
+            '/Library/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/Contents/MacOS/Python',
+            '/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Daemon.app/Contents/MacOS/kandji-daemon',
+            '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver',
+            '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl',
+            '/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS/WorkflowAppControl',
+            '/Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome',
+            '/Applications/Loom.app/Contents/Resources/binaries/loom-recorder-production',
+            '/Volumes/Slack/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
+            '/usr/local/bin/node'
+          )
+        )
+      ) -- uid0-499 exceptions
+      AND NOT processes.path IN (
+        '/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Daemon.app/Contents/MacOS/kandji-daemon',
+        '/Library/safeqclientcore/bin/safeqclientcore',
+        '/Applications/WiFiman Desktop.app/Contents/service/wifiman-desktopd',
+        '/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint',
+        '/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS/IPNExtension',
+        '/usr/local/sbin/velociraptor'
+      )
       AND processes.start_time < (strftime('%s', 'now') -600)
-    GROUP BY processes.path
+      GROUP BY processes.path
   )
+  AND NOT exception_key = '500,Steam Helper,~/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam HelperDeveloper ID Application: Valve Corporation (MXGJJ98X76)'
   AND pmm.path LIKE "%.dylib"
+
 GROUP BY pos.pid
 HAVING lib_count IN (1, 2)
   AND libs NOT LIKE '/Applications/%/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib,/usr/lib/libobjc-trampolines.dylib'