From f038dc755795f7fb300e97d1891f0982666217e5 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 24 Oct 2024 15:12:33 -0400
Subject: [PATCH 1/4] fpr, refactor minimal-socket-client-macos
---
 detection/c2/unexpected-https-macos.sql | 3 +-
 detection/c2/unexpected-talkers-macos.sql | 4 +-
 .../unexpected-user-executables-macos.sql | 3 +-
 ...-long-running-security-framework-macos.sql | 2 +
 .../listening-from-unusual-location.sql | 1 +
 .../minimal-socket-client-macos.sql | 68 ++++++++++++++++---
 6 files changed, 68 insertions(+), 13 deletions(-)
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 0af076e..433c545 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -186,7 +186,6 @@ WHERE
 '500,istioctl,istioctl,500u,20g',
 '500,istioctl,istioctl,,a.out',
 '500,java,java,0u,0g',
- '500,streamer,streamer,Developer ID Application: Autodesk (XXKJ396S2Y),streamer',
 '500,log-streaming,log-streaming,500u,80g',
 '500,.man-wrapped,.man-wrapped,0u,500g',
 '500,nami,nami,0u,0g',
@@ -211,6 +210,8 @@ WHERE
 )
 AND NOT s.authority IN (
 'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
+ 'Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
+ 'Developer ID Application: Autodesk (XXKJ396S2Y)',
 'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
 'Developer ID Application: AgileBits Inc. (2BUA8C4S2C)',
 'Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 7279898..f43ffa4 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
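Review bot: The two new `s.authority` entries exempt every binary signed by the Autodesk and AMZN Mobile LLC Developer IDs, for any uid and any path, whereas the removed `'500,streamer,streamer,Developer ID Application: Autodesk (XXKJ396S2Y),streamer'` key only exempted one named process. A signed-but-abused or abandoned helper from either vendor would now never surface in this HTTPS check; if the intent is only to silence the `streamer` alert, the narrower exception_key form is the safer place for it. The two entries also break the list's alphabetical order (they land between Adguard and Adobe), which makes future additions harder to review. The enclosing WHERE clause starts and ends outside the hunk.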
@@ -79,6 +79,7 @@ WHERE pos.pid IN (
 AND state != 'LISTEN' ) -- Ignore most common application paths
 AND p0.path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
+ AND p0.path NOT LIKE '/Applications/%.app/Contents/%/MacOS/%'
 AND p0.path NOT LIKE '/Applications/%.app/Contents/Resources/%'
 AND p0.path NOT LIKE '/Library/Apple/%'
 AND p0.path NOT LIKE '/Library/Application Support/%/Contents/%'
@@ -92,7 +93,8 @@ WHERE pos.pid IN (
 '0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
 '500,Apple Mac OS Application Signing',
 '500,Developer ID Application: Cisco (DE8Y96K9QP)',
- '500,Developer ID Application: Google LLC (EQHXZ8M8AV)'
+ '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
+ '500,Developer ID Application: Valve Corporation (MXGJJ98X76)'
 )
 AND NOT (
 unsigned_exception = '500,6,80,main,main'
diff --git a/detection/evasion/unexpected-user-executables-macos.sql b/detection/evasion/unexpected-user-executables-macos.sql
index 22e29bb..c4d2b72 100644
--- a/detection/evasion/unexpected-user-executables-macos.sql
+++ b/detection/evasion/unexpected-user-executables-macos.sql
@@ -224,7 +224,8 @@ WHERE
 AND NOT homepath LIKE '~/Library/%/%.sqlite-wal'
 AND NOT homepath LIKE '~/Library/%/%.db'
 AND NOT homepath LIKE '~/Library/%/%.db-wal'
- AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Sparkle.framework'
+ AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Sparkle.framework%'
+ AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Contents/MacOS'
 AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
 AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
 AND NOT f.path LIKE '/Users/%/Library/Fonts/%.ttf'
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index 8ed6ae5..d42fb5a 100644
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
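Review bot: `'/Applications/%.app/Contents/%/MacOS/%'` matches an executable in any bundle nested at any depth under an `.app/Contents/` directory in /Applications, because `%` also matches path separators, and it drops those processes from this talker check on path alone, irrespective of the signature-keyed exception list in the next hunk. Any admin user can create such a path, so a payload staged as `/Applications/Foo.app/Contents/Helpers/Evil.app/Contents/MacOS/evil` would no longer be reported. If the false positives are nested helper bundles, a narrower form such as `'/Applications/%.app/Contents/Frameworks/%/Contents/MacOS/%'` (the shape minimal-socket-client-macos.sql already uses), or at least a comment naming the app that triggered it, would keep the exclusion reviewable. The enclosing subquery starts before and ends after the hunk.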
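Review bot: `'/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Contents/MacOS'` exempts root-owned executables in any Sparkle cache bundle on path alone: both `%` wildcards accept arbitrary bundle identifiers and directory names, and the widened `Sparkle.framework%` now also matches siblings such as `Sparkle.framework.bak`, not just versioned subdirectories. Sparkle presumably stages a downloaded update bundle here before installing it, so an unsigned binary dropped into a matching path as root would no longer be flagged as an unexpected executable. Consider anchoring the second wildcard to a bundle (`.../%.app/Contents/MacOS`) and recording the source of the false positive, e.g. `-- Sparkle (root-run updater) extracts the downloaded .app here before install`. The enclosing WHERE clause continues outside the hunk.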
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -61,6 +61,7 @@ WHERE -- Focus on longer-running programs
 AND NOT path LIKE '/Users/%/dev/%'
 AND NOT path LIKE '/Users/%/src/%'
 AND NOT path LIKE '/Users/%/bin/%'
+ AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
 AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
 AND NOT path LIKE '/Users/%/.terraform/providers/%'
 AND NOT REGEX_MATCH (path, '(.*)/', 1) LIKE '%/bin'
@@ -85,6 +86,7 @@ WHERE -- Focus on longer-running programs
 '500,sdzoomplugin,,',
 '500,sdaudioswitch,,',
 '500,gopls,a.out,',
+ '500,sdmicmute,sdmicmute,',
 '500,sdaudioswitch,sdaudioswitch,'
 )
 AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
diff --git a/detection/persistence/listening-from-unusual-location.sql b/detection/persistence/listening-from-unusual-location.sql
index 97dec8e..0b22abe 100644
--- a/detection/persistence/listening-from-unusual-location.sql
+++ b/detection/persistence/listening-from-unusual-location.sql
@@ -115,6 +115,7 @@ WHERE
 '32768,6,500,Chromium',
 '32768,6,500,Code Helper (Plugin)',
 '24024,17,500,MTGA',
+ '32768,6,500,Python',
 '32768,17,499,viscosity_openvpn',
 '1,1,500,ping'
 )
diff --git a/detection/persistence/minimal-socket-client-macos.sql b/detection/persistence/minimal-socket-client-macos.sql
index c4a7850..3ee21b1 100644
--- a/detection/persistence/minimal-socket-client-macos.sql
+++ b/detection/persistence/minimal-socket-client-macos.sql
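Review bot: `'/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'` is a user-writable third-party plugin directory, so this path-only exclusion lets any long-running binary placed there by the user, or by anything running as the user, bypass the check regardless of signature; the `dev/`, `src/` and `bin/` exclusions above it carry the same risk but are developer-intent locations, whereas a plugin folder is a plausible drop site. The `'500,sdmicmute,sdmicmute,'` key in the second hunk ends in an empty field; if that slot is the signing authority, as the trailing commas on the neighbouring `sdaudioswitch` entries suggest, this also exempts an unsigned process by name alone, which any binary can claim. A comment such as `-- sdmicmute: unsigned Stream Deck plugin, matched by name only` would make that trade-off explicit, and the new key sits out of alphabetical order between `gopls` and the second `sdaudioswitch` entry. The enclosing WHERE clause starts before and ends after both hunks.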
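Review bot: `'32768,6,500,Python'` exempts any uid-500 process named Python listening on TCP with whatever `32768` encodes here (a port or port bucket; the key construction is outside the hunk), and a process name is attacker-chosen, so a bind shell or Python-based implant started from a staging directory under that name would fall inside this exception. The neighbouring keys (`Chromium`, `Code Helper (Plugin)`, `MTGA`) at least name specific applications, whereas a bare interpreter name covers every script it runs. If the false positive is one particular tool, prefer a path-based exclusion for that tool elsewhere in the query, or at minimum document it: `-- Python: <tool/script> listens on 32768/tcp`. The enclosing IN list and WHERE clause begin outside the hunk.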
@@ -40,26 +40,74 @@ FROM processes p LEFT JOIN signature s ON p.path = s.path WHERE p.pid IN ( SELECT processes.pid - FROM processes - JOIN process_open_sockets ON processes.pid = process_open_sockets.pid - AND family != 1 + FROM process_open_sockets + JOIN processes ON process_open_sockets.pid = processes.pid + AND family != 1 -- The outer query is slow due to the use of process_memory_map, so narrow down our choices here WHERE processes.path NOT LIKE '/System/%' - AND processes.path NOT LIKE '/Applications/%.app/Contents/Frameworks/%/Contents/MacOS/%' - AND processes.path NOT LIKE '/Applications/%.app/Contents/MacOS/%' AND processes.path NOT LIKE '/Library/Apple/%' - AND processes.path NOT LIKE '/nix/store/%/bin/nix' - AND processes.path NOT LIKE '/opt/%/bin/%' AND processes.path NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%' AND processes.path NOT LIKE '/sbin/%' AND processes.path NOT LIKE '/usr/bin/%' AND processes.path NOT LIKE '/usr/libexec/%' - AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher' - AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' + AND processes.path NOT LIKE '/private/var/kolide-k2/k2device.kolide.com/updates/%.app/Contents/MacOS/%' AND processes.path NOT LIKE '/usr/sbin/%' + AND processes.path NOT LIKE '/Library/Elastic/Agent/data/%' + AND NOT ( + processes.euid >= 500 + AND ( + processes.path LIKE '/Applications/%.app/Contents/Frameworks/%/Contents/MacOS/%' + OR processes.path LIKE '/Applications/%.app/Contents/MacOS/%' + OR processes.path LIKE '/nix/store/%/bin/nix' + OR processes.path LIKE '/opt/%/bin/%' + OR processes.path LIKE '/Users/%/go/bin/%' + OR processes.path LIKE '/Users/%/Library/Application Support/Figma/FigmaAgent.app/Contents/MacOS/figma_agent' + OR processes.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%' + OR processes.path LIKE 
'/Users/%/Applications/zoom.us.app/Contents/MacOS/zoom.us' + OR processes.path LIKE '/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/%' + OR processes.path LIKE '/private/var/folders/%/X/com.google.Chrome.code_sign_clone/code_sign_clone%' + OR processes.path IN ( + '/Applications/Elgato Stream Deck.app/Contents/Helpers/node20', + '/Applications/GoLand.app/Contents/plugins/go-plugin/lib/dlv/macarm/dlv', + '/Applications/lghub.app/Contents/MacOS/lghub_updater.app/Contents/MacOS/lghub_updater', + '/Applications/AirBuddy.app/Contents/Library/LoginItems/AirBuddyHelper.app/Contents/XPCServices/MobileDevicesService.xpc/Contents/MacOS/MobileDevicesService', + '/Applications/Ollama.app/Contents/Resources/ollama', + '/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/limactl.ventura', + '/Applications/Rancher Desktop.app/Contents/Resources/resources/darwin/lima/bin/qemu-system-aarch64', + '/Applications/Syncthing.app/Contents/Resources/syncthing/syncthing', + '/Library/Application Support/Adobe/Adobe Desktop Common/IPCBox/AdobeIPCBroker.app/Contents/MacOS/AdobeIPCBroker', + '/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS/Kandji Menu', + '/Applications/Google Drive.app/Contents/Applications/FinderHelper.app/Contents/PlugIns/FinderSyncExtension.appex/Contents/MacOS/FinderSyncExtension', + '/Applications/Google Drive.app/Contents/PlugIns/DFSFileProviderExtension.appex/Contents/MacOS/DFSFileProviderExtension', + '/Library/Application Support/Adobe/Adobe Desktop Common/ADS/Adobe Desktop Service.app/Contents/MacOS/Adobe Desktop Service', + '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/Frameworks/logioptionsplus_updater.app/Contents/MacOS/logioptionsplus_updater', + '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent', + 
'/Library/Developer/CommandLineTools/Library/PrivateFrameworks/LLDB.framework/Versions/A/Resources/debugserver', + '/Library/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/Contents/MacOS/Python', + '/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Daemon.app/Contents/MacOS/kandji-daemon', + '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver', + '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl', + '/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS/WorkflowAppControl', + '/Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome', + '/Applications/Loom.app/Contents/Resources/binaries/loom-recorder-production', + '/Volumes/Slack/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper', + '/usr/local/bin/node' + ) + ) + ) -- uid0-499 exceptions + AND NOT processes.path IN ( + '/Library/Kandji/Kandji Agent.app/Contents/Helpers/Kandji Daemon.app/Contents/MacOS/kandji-daemon', + '/Library/safeqclientcore/bin/safeqclientcore', + '/Applications/WiFiman Desktop.app/Contents/service/wifiman-desktopd', + '/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint', + '/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS/IPNExtension', + '/usr/local/sbin/velociraptor' + ) AND processes.start_time < (strftime('%s', 'now') -600) - GROUP BY processes.path + GROUP BY processes.path ) + AND NOT exception_key = '500,Steam Helper,~/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam HelperDeveloper ID Application: Valve Corporation (MXGJJ98X76)' AND pmm.path LIKE "%.dylib" + GROUP BY pos.pid HAVING lib_count IN (1, 2) AND libs NOT LIKE '/Applications/%/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib,/usr/lib/libobjc-trampolines.dylib' 
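Review bot: Several of the new euid>=500 path exclusions are wider than this query's purpose suggests: `'/usr/local/bin/node'` and the Python.framework interpreter path exempt whatever script those interpreters run, and a script-driven socket client with one or two mapped dylibs is exactly what the `HAVING lib_count IN (1, 2)` filter is meant to surface. The `/Volumes/Google Chrome/...` and `/Volumes/Slack/...` entries match a path whose volume name is chosen by whoever builds the disk image, and a pid removed by this subquery never reaches the outer query's `s.authority`, so a binary on a look-alike DMG is excluded without any signature check; if these are run-from-DMG false positives, a `LIKE '/Volumes/%'` guarded by `s.authority` in the outer WHERE would be safer. Minor: `/Library/Kandji/.../kandji-daemon` appears in both the euid>=500 list and the uid 0-499 list, so the first entry is redundant, and the Steam Helper `exception_key` literal runs the path straight into the authority (`...Steam HelperDeveloper ID Application...`), which looks like the key is assembled without a delimiter between those two fields. That assembly, and the start of the enclosing SELECT, are outside this hunk.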
From 0b41ec5d07d3757f0f9378c9343ade95a10f094a Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 24 Oct 2024 15:34:04 -0400
Subject: [PATCH 2/4] unexpected fetcher parents: add Cursor Helper
---
 detection/execution/unexpected-fetcher-parents.sql | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index 1db87a1..845917a 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -53,11 +53,15 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 'curl,303,bash,nix',
 'curl,305,bash,nix',
 'curl,307,bash,nix',
+ 'curl,500,ShellLauncher,',
+ 'curl,500,ShellLauncher,login',
+ 'curl,500,Slack,launchd',
+ 'curl,500,Stats,bash',
+ 'curl,500,bash,ShellLauncher',
 'curl,500,bash,bash',
 'curl,500,bash,fakeroot',
 'curl,500,bash,fish',
 'curl,500,bash,nix-daemon',
- 'curl,500,bash,ShellLauncher',
 'curl,500,bash,zsh',
 'curl,500,colima,zsh',
 'curl,500,endpoint-instal,bash',
@@ -71,11 +75,8 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 'curl,500,nvim,nvim',
 'curl,500,nwg-panel,systemd',
 'curl,500,ruby,zsh',
- 'curl,500,ShellLauncher,',
- 'curl,500,ShellLauncher,login',
- 'curl,500,Slack,launchd',
- 'curl,500,Stats,bash',
 'curl,500,zsh,Code Helper',
+ 'curl,500,zsh,Cursor Helper',
 'curl,500,zsh,Emacs-arm64-11',
 'curl,500,zsh,Hyper',
 'curl,500,zsh,login',
@@ -92,6 +93,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 AND gparent_name IN (
 'alacritty',
 'Code Helper',
+ 'Cursor Helper',
 'emacs',
 'bash',
 'gnome-terminal-',
From bf8b60cd33aa15e84747d84dcb324b84fb08a770 Mon Sep 17 00:00:00 2001
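Review bot: The hunk header's context comment, `-- NOTE: The remainder of this query is synced with unexpected-fetcher-par...`, says this exception block is mirrored in a sibling query, yet the patch touches only this file; if that sibling exists, `'curl,500,zsh,Cursor Helper'` and the `gparent_name` entry need the same addition or the two queries will drift. Both additions key on the grandparent's process name alone, which any binary can set, so a grandparent called `Cursor Helper` now exempts curl spawned from zsh wherever Cursor actually runs from; that matches the existing `Code Helper` entry, but a comment stating the name-only match, e.g. `-- Cursor (VS Code fork) integrated terminal; name-only match`, would make the trade-off visible. The enclosing WHERE clause starts and ends outside these hunks.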
From: Thomas Stromberg
Date: Thu, 24 Oct 2024 15:36:05 -0400
Subject: [PATCH 3/4] Fix cursor placement
---
 detection/evasion/hidden-executable.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index 0c66fe4..c41d838 100644
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -74,6 +74,7 @@ WHERE (
 '~/.pulumi',
 '~/Code',
 '~/code',
+ '~/.cursor',
 '~/Projects',
 '~/src',
 '~/.sdkman',
@@ -92,7 +93,6 @@ WHERE (
 '~/.config/bluejeans-v2',
 '~/.config/Code',
 '~/.config/nvm',
- '~/.cursor',
 '~/.deno/bin',
 '~/.devpod/contexts',
 '~/.docker/cli-plugins',
From 462fbef63946a79f189b00b227dfcd3876db216b Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 24 Oct 2024 15:36:21 -0400
Subject: [PATCH 4/4] Mark as extra, as this query is racey
---
 detection/execution/unexpected-fetcher-parents.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index 845917a..d15f043 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -3,7 +3,7 @@
 -- refs:
 -- * https://attack.mitre.org/techniques/T1105/ (Ingress Tool Transfer)
 --
--- tags: transient process state often
+-- tags: transient process state often extra
 -- platform: posix
 SELECT p.pid,