Merge pull request #405 from tstromberg/oct24

fpr, de-extra minimal-socket, +extra touched-executable-macos

detection/c2/unexpected-dns-traffic-events.sql

@@ -70,8 +70,10 @@ WHERE
     '68.105.28.13', -- Cox
     '80.248.7.1', -- 21st Century (NG)
     '34.160.111.32', -- wolfi.dev
-    '185.125.190.31' -- Canonical
+    '185.125.190.31', -- Canonical
+    '185.125.190.77' -- Canonical
   )
+
   -- Exceptions that specifically talk to one server
   AND exception_key NOT IN (
     'coredns,0.0.0.0,53',
@@ -111,6 +113,7 @@ WHERE
     'apk',
     'agentbeat',
     'apko',
+    'canonical-livep',
     'chrome',
     'com.apple.WebKit.Networking',
     'com.docker.backend',
@@ -135,6 +138,7 @@ WHERE
   AND p.name NOT IN ('Jabra Direct Helper', 'terraform-provi')
   -- Chromium/Electron apps seem to send stray packets out like nobodies business
   AND p.path NOT LIKE '%/%.app/Contents/MacOS/% Helper'
+  AND p.path NOT LIKE '/snap/%'
   -- Workaround for the GROUP_CONCAT subselect adding a blank ent
 GROUP BY
   s.remote_address,

detection/evasion/hidden-cwd.sql

@@ -87,38 +87,38 @@ WHERE p0.pid IN (
   AND NOT (
     exception_key IN (
       'Arduino IDE Helper,/private/var/folders',
+      'Electron,~/.vscode/extensions',
       'arduino-language-server,/private/var/folders',
       'as,~/.cache/yay',
-      'bash,~/go/src',
-      'bash,~/.local/share',
       'bash,~/.Trash',
+      'bash,~/.local/share',
+      'bash,~/go/src',
+      'c++,~/.cache/yay',
       'cc1,/home/build/.cache',
       'cc1plus,~/.cache/yay',
-      'c++,~/.cache/yay',
       'cgo,~/.gimme/versions',
       'clangd,/private/var/folders',
       'conmon,/var~/.local/share',
       'dirhelper,/private/var/folders',
-      'Electron,~/.vscode/extensions',
       'fileproviderd,~/Library/Mobile Documents',
-      'fish,~/.local/share',
       'fish,~/.Trash',
+      'fish,~/.local/share',
       'git,~/.local/share',
-      'java,~/.gradle/daemon',
       'java,/home/build/.gradle',
       'java,/home/build/.kotlin',
+      'java,~/.gradle/daemon',
       'java,~/.local/share',
       'make,~/.cache/yay',
       'makepkg,~/.cache/yay',
       'mysqld,~/.local/share',
-      'mysqld,/var~/.local/share',
       'npm install,~/.npm/_cacache',
       'opera_autoupdate,/private/var/folders',
       'postinstall,/Library/InstallerSandboxes/.PKInstallSandboxManager',
       'rm,/private/var/folders',
       'rust-analyzer-p,~/.cargo/registry',
       'rustc,/home/build/.cargo',
       'vet,/home/build/.cache',
+      'zsh,/private/tmp/workspace',
       'zsh,~/.Trash'
     )
     OR exception_key LIKE '%sh,~/.Trash/%'

detection/evasion/touched-executable-macos.sql

@@ -9,10 +9,9 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1070/006/ (Timestomping)
 --
--- tags: transient seldom filesystem state
+-- tags: transient seldom filesystem state extra
 -- platform: darwin
-SELECT
-  p.path,
+SELECT p.path,
   p.name,
   p.cmdline,
   p.euid,
@@ -29,26 +28,23 @@ SELECT
   hash.sha256 AS sha256,
   signature.identifier,
   signature.authority
-FROM
-  processes p
+FROM processes p
   LEFT JOIN file f ON p.path = f.path
   LEFT JOIN processes pp ON p.parent = pp.pid
   LEFT JOIN hash ON p.path = hash.path
   LEFT JOIN signature ON p.path = signature.path
-WHERE
-  p.pid IN (
-    SELECT
-      pid
-    FROM
-      processes
-    WHERE
-      path NOT LIKE '/System/%'
+WHERE p.pid IN (
+    SELECT pid
+    FROM processes
+    WHERE path NOT LIKE '/System/%'
       AND path NOT LIKE '/Library/Apple/%'
       AND path NOT LIKE '/usr/libexec/%'
       AND path NOT LIKE '/usr/sbin/%'
       AND path NOT LIKE '/sbin/%'
       AND path NOT LIKE '/Volumes/%'
       AND path NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
+      AND path NOT LIKE '/Applications/%/Contents/MacOS/%'
+      AND path NOT LIKE '/opt/%/bin/%'
       AND path NOT LIKE '/usr/bin/%'
       AND path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
       AND path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher'
@@ -60,8 +56,7 @@ WHERE
     OR (
       (btime_ctime_days_diff < -365)
       AND (btime_ctime_days_diff < -1000)
-    )
-    -- access time is older than start time
+    ) -- access time is older than start time
     OR start_atime_days_diff > 90
   ) -- Vendors that create software packages that look like a touched file.
   AND NOT signature.authority IN (
@@ -74,7 +69,8 @@ WHERE
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     'Developer ID Application: Docker Inc (9BNSXJN65R)',
     'Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)',
-    'Developer ID Application: Fumihiko Takayama (G43BCU2T37)', -- Karibiner
+    'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
+    -- Karibiner
     'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
     'Developer ID Application: Galvanix (5BRAQAFB8B)',
     'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)',
@@ -122,8 +118,7 @@ WHERE
     AND p.path LIKE '/nix/store/%'
   )
   AND NOT (
-    p.euid > 300
-    -- Electron
+    p.euid > 300 -- Electron
     AND p.path LIKE '% Helper'
   )
   AND NOT (
@@ -133,5 +128,4 @@ WHERE
       OR p.path LIKE '/nix/store/%/bin/nix-daemon'
     )
   )
-GROUP by
-  p.pid
+GROUP by p.pid

detection/execution/tiny-executable-events.sql

@@ -48,7 +48,7 @@ WHERE
     '/usr/sbin/ldconfig',
     '/usr/sbin/update-ca-certificates'
   )
-  AND NOT p.path LIKE '%/bin/firefox'
+  AND NOT p.path LIKE '%/firefox'
   AND NOT (
     p.path LIKE '/Users/%'
     AND magic.data LIKE 'POSIX shell script%'

detection/execution/unexpected-long-running-security-framework-macos.sql

@@ -2,8 +2,7 @@
 --
 -- platform: darwin
 -- tags: persistent state process seldom
-SELECT
-  s.authority,
+SELECT s.authority,
   s.identifier,
   CONCAT (
     MIN(p0.euid, 500),
@@ -39,62 +38,57 @@ SELECT
   p2.path AS p2_path,
   p2.cmdline AS p2_cmd,
   p2_hash.sha256 AS p2_sha256
-FROM
-  processes p0
+FROM processes p0
   JOIN process_memory_map pmm ON p0.pid = pmm.pid
   LEFT JOIN signature s ON p0.path = s.path
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
   LEFT JOIN processes p1 ON p0.parent = p1.pid
   LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE
-  -- Focus on longer-running programs
+WHERE -- Focus on longer-running programs
   p0.pid IN (
-    SELECT
-      pid
-    FROM
-      processes
-    WHERE
-      start_time < (strftime('%s', 'now') - 25200)
-      AND parent != 0
-      -- Assume STP
+    SELECT pid
+    FROM processes
+    WHERE start_time < (strftime('%s', 'now') - 25200)
+      AND parent != 0 -- Assume STP
       AND NOT path LIKE '/System/%'
       AND NOT path LIKE '/usr/libexec/%'
-      AND NOT path LIKE '/usr/sbin/%'
-      -- Regular apps
-      AND NOT path LIKE '/Applications/%.app/%'
-      -- Other oddball binary paths
+      AND NOT path LIKE '/usr/sbin/%' -- Regular apps
+      AND NOT path LIKE '/Applications/%.app/%' -- Other oddball binary paths
       AND NOT path LIKE '/opt/%'
       AND NOT path LIKE '/Users/%/go/%'
       AND NOT path LIKE '/Users/%/dev/%'
       AND NOT path LIKE '/Users/%/src/%'
       AND NOT path LIKE '/Users/%/bin/%'
+      AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
       AND NOT path LIKE '/Users/%/.terraform/providers/%'
       AND NOT REGEX_MATCH (path, '(.*)/', 1) LIKE '%/bin'
       AND NOT (
         path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu'
         AND name = 'cpu'
-      )
-      -- Takes arguments
+      ) -- Takes arguments
       AND NOT (
-        euid >= 500 AND
-        cmdline LIKE "% --%"
+        euid >= 500
+        AND cmdline LIKE "% --%"
       )
   )
   AND pmm.path LIKE '%Security.framework%'
-  AND exception_key NOT IN (
-    '0,velociraptor,a.out,',
-    '0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)'
-  )
-  AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
-  AND NOT (
-    exception_key LIKE '500,%,a.out,'
-    AND p0.path LIKE '/private/var/folders%/T/go-build%/exe/%'
-  )
   AND NOT s.authority IN (
     'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
+    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
+    'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
     'Developer ID Application: Valve Corporation (MXGJJ98X76)'
   )
-GROUP BY
-  p0.pid
+  AND exception_key NOT IN (
+    '0,velociraptor,a.out,',
+    '500,sdzoomplugin,,',
+    '500,sdaudioswitch,,',
+    '500,gopls,a.out,',
+    '500,sdaudioswitch,sdaudioswitch,'
+  )
+  AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
+  AND NOT exception_key LIKE '500,___Test%.test,a.out'
+  AND NOT exception_key LIKE '500,nvim,bob-%,'
+  AND NOT exception_key LIKE '500,sm-agent,sm_agent-%'
+GROUP BY p0.pid

detection/execution/unexpected-root-signer-macos.sql → detection/execution/unexpected-root-signer-events-macos.sql

@@ -126,24 +126,8 @@ WHERE
   )
   AND NOT (
     s.authority = ""
-    AND pe.path LIKE "/opt/%/bin/socket_vmnet"
+    AND pe.path LIKE "/opt/%/bin/%"
     AND p1_path IN ("/usr/bin/sudo", "/sbin/launchd")
   )
-  AND NOT (
-    s.authority = ""
-    AND pe.path LIKE "/opt/homebrew/Cellar/mariadb/%/bin/mariadbd"
-    AND p0_cmd LIKE "/opt/homebrew/opt/mariadb/bin/mariadbd %"
-  )
-  AND NOT (
-    s.authority = ""
-    AND pe.path LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled"
-    AND p0_cmd LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled %"
-  )
-  AND NOT (
-    s.authority = "Developer ID Application: Node.js Foundation (HX7739G8FX)"
-    AND p0_name = "node"
-    AND p1_name IN ("vim", "nvim")
-  )
-  AND NOT pe.path LIKE '/usr/local/Cellar/htop/%/bin/htop'
   -- Surfshark
   AND NOT pe.path LIKE '/Library/SystemExtensions/%/com.surfshark.vpnclient.macos.direct.PacketTunnel-WireGuard.systemextension/Contents/MacOS'

detection/exfil/high_disk_bytes_read.sql

@@ -82,6 +82,7 @@ WHERE
     'factorio',
     'Fedora Media Writer',
     'firefox',
+    'firefox-bin',
     'fish',
     'fleet_backend',
     'fsdaemon',
@@ -164,6 +165,7 @@ WHERE
   )
   AND NOT p0.path LIKE '/Library/SystemExtensions/%/io.kandji.KandjiAgent.ESF-Extension.systemextension/Contents/MacOS/io.kandji.KandjiAgent.ESF-Extension'
   AND NOT p0.path LIKE '/Users/%/Library/Application Support/Google/GoogleUpdater/%/GoogleUpdater.app/Contents/MacOS/GoogleUpdater'
+  AND NOT p0.path LIKE '/private/var/folders/%/T/go-build%'
   AND NOT (
     p0.name = 'bindfs'
     AND p0.cmdline LIKE 'bindfs%-o fsname=%'

detection/exfil/yara-unexpected-rust-http-exec-process.sql

@@ -60,6 +60,7 @@ WHERE
   AND yara.count > 0
   AND p0.name NOT IN (
     'atuin',
+    'cargo',
     'Cody',
     'deno',
     'DevPod',

detection/persistence/low-fd-socket.sql

@@ -54,6 +54,7 @@ WHERE
   AND pos.family != 1
   AND p0.path NOT IN (
     '/Applications/NetSpot.app/Contents/MacOS/NetSpot',
+    '/Library/Application Support/Viscosity/viscosity_openvpn',
     '/usr/bin/skopeo',
     '/usr/libexec/bootpd',
     '/usr/libexec/pcp/bin/pmcd',