From 781f1a33aff3443d612fa46733beb94ea4c54b32 Mon Sep 17 00:00:00 2001 From: Thomas Stromberg Date: Thu, 24 Oct 2024 11:20:06 -0400 Subject: [PATCH 1/2] fpr + Mark touched-executable as extra on macOS --- .../c2/unexpected-dns-traffic-events.sql | 6 +- detection/evasion/hidden-cwd.sql | 14 +-- .../evasion/touched-executable-macos.sql | 34 +++----- .../execution/tiny-executable-events.sql | 2 +- ...-long-running-security-framework-macos.sql | 54 +++++------- ...> unexpected-root-signer-events-macos.sql} | 18 +--- detection/exfil/high_disk_bytes_read.sql | 2 + ...yara-unexpected-rust-http-exec-process.sql | 1 + detection/persistence/low-fd-socket.sql | 1 + .../minimal-socket-client-macos.sql | 87 +++++++------------ .../persistence/unexpected-device-linux.sql | 45 +++++----- .../unexpected-listening-port-linux.sql | 2 + .../unexpected-uid0-daemon-macos.sql | 1 + 13 files changed, 109 insertions(+), 158 deletions(-) rename detection/execution/{unexpected-root-signer-macos.sql => unexpected-root-signer-events-macos.sql} (89%) diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql index 82b3b94f..c127b798 100644 --- a/detection/c2/unexpected-dns-traffic-events.sql +++ b/detection/c2/unexpected-dns-traffic-events.sql @@ -70,8 +70,10 @@ WHERE '68.105.28.13', -- Cox '80.248.7.1', -- 21st Century (NG) '34.160.111.32', -- wolfi.dev - '185.125.190.31' -- Canonical + '185.125.190.31', -- Canonical + '185.125.190.77' -- Canonical ) + -- Exceptions that specifically talk to one server AND exception_key NOT IN ( 'coredns,0.0.0.0,53', @@ -111,6 +113,7 @@ WHERE 'apk', 'agentbeat', 'apko', + 'canonical-livep', 'chrome', 'com.apple.WebKit.Networking', 'com.docker.backend', 
@@ -135,6 +138,7 @@ WHERE
 AND p.name NOT IN ('Jabra Direct Helper', 'terraform-provi')
 -- Chromium/Electron apps seem to send stray packets out like nobodies business
 AND p.path NOT LIKE '%/%.app/Contents/MacOS/% Helper'
+ AND p.path NOT LIKE '/snap/%'
 -- Workaround for the GROUP_CONCAT subselect adding a blank ent
 GROUP BY
 s.remote_address,
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index e820f3db..3343393b 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -87,31 +87,30 @@ WHERE p0.pid IN (
 AND NOT (
 exception_key IN (
 'Arduino IDE Helper,/private/var/folders',
+ 'Electron,~/.vscode/extensions',
 'arduino-language-server,/private/var/folders',
 'as,~/.cache/yay',
- 'bash,~/go/src',
- 'bash,~/.local/share',
 'bash,~/.Trash',
+ 'bash,~/.local/share',
+ 'bash,~/go/src',
+ 'c++,~/.cache/yay',
 'cc1,/home/build/.cache',
 'cc1plus,~/.cache/yay',
- 'c++,~/.cache/yay',
 'cgo,~/.gimme/versions',
 'clangd,/private/var/folders',
 'conmon,/var~/.local/share',
 'dirhelper,/private/var/folders',
- 'Electron,~/.vscode/extensions',
 'fileproviderd,~/Library/Mobile Documents',
- 'fish,~/.local/share',
 'fish,~/.Trash',
+ 'fish,~/.local/share',
 'git,~/.local/share',
- 'java,~/.gradle/daemon',
 'java,/home/build/.gradle',
 'java,/home/build/.kotlin',
+ 'java,~/.gradle/daemon',
 'java,~/.local/share',
 'make,~/.cache/yay',
 'makepkg,~/.cache/yay',
 'mysqld,~/.local/share',
- 'mysqld,/var~/.local/share',
 'npm install,~/.npm/_cacache',
 'opera_autoupdate,/private/var/folders',
 'postinstall,/Library/InstallerSandboxes/.PKInstallSandboxManager',
@@ -119,6 +118,7 @@ WHERE p0.pid IN (
 'rust-analyzer-p,~/.cargo/registry',
 'rustc,/home/build/.cargo',
 'vet,/home/build/.cache',
+ 'zsh,/private/tmp/workspace',
 'zsh,~/.Trash'
 )
 OR exception_key LIKE '%sh,~/.Trash/%'
diff --git a/detection/evasion/touched-executable-macos.sql b/detection/evasion/touched-executable-macos.sql
index c356da3a..a723cc1f 100644
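Review bot: `AND p.path NOT LIKE '/snap/%'` exempts every snap-packaged process from this DNS-traffic rule, not only the one that produced the false positive, and snaps are installable by an unprivileged user from the Snap Store, so a trojaned or malicious snap gets a blanket pass. Combined with the `'canonical-livep'` name exception added in the earlier hunk, nothing Canonical-related is inspected any more, which is a large carve-out for a C2 detection. Narrowing the pattern to the snap that was actually observed, `AND p.path NOT LIKE '/snap/<SNAP_NAME>/%'` (placeholder for the snap seen), keeps the exception auditable; a trailing comment naming why it was added would help either way. The GROUP BY list continues outside the hunk.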
--- a/detection/evasion/touched-executable-macos.sql
+++ b/detection/evasion/touched-executable-macos.sql
@@ -9,10 +9,9 @@
 -- references:
 -- * https://attack.mitre.org/techniques/T1070/006/ (Timestomping)
 --
--- tags: transient seldom filesystem state
+-- tags: transient seldom filesystem state extra
 -- platform: darwin
-SELECT
- p.path,
+SELECT p.path,
 p.name,
 p.cmdline,
 p.euid,
@@ -29,26 +28,23 @@ SELECT
 hash.sha256 AS sha256,
 signature.identifier,
 signature.authority
-FROM
- processes p
+FROM processes p
 LEFT JOIN file f ON p.path = f.path
 LEFT JOIN processes pp ON p.parent = pp.pid
 LEFT JOIN hash ON p.path = hash.path
 LEFT JOIN signature ON p.path = signature.path
-WHERE
- p.pid IN (
- SELECT
- pid
- FROM
- processes
- WHERE
- path NOT LIKE '/System/%'
+WHERE p.pid IN (
+ SELECT pid
+ FROM processes
+ WHERE path NOT LIKE '/System/%'
 AND path NOT LIKE '/Library/Apple/%'
 AND path NOT LIKE '/usr/libexec/%'
 AND path NOT LIKE '/usr/sbin/%'
 AND path NOT LIKE '/sbin/%'
 AND path NOT LIKE '/Volumes/%'
 AND path NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
+ AND path NOT LIKE '/Applications/%/Contents/MacOS/%'
+ AND path NOT LIKE '/opt/%/bin/%'
 AND path NOT LIKE '/usr/bin/%'
 AND path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
 AND path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher'
@@ -60,8 +56,7 @@ WHERE
 OR (
 (btime_ctime_days_diff < -365)
 AND (btime_ctime_days_diff < -1000)
- )
- -- access time is older than start time
+ ) -- access time is older than start time
 OR start_atime_days_diff > 90
 ) -- Vendors that create software packages that look like a touched file.
 AND NOT signature.authority IN (
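Review bot: The two new subquery exclusions `AND path NOT LIKE '/Applications/%/Contents/MacOS/%'` and `AND path NOT LIKE '/opt/%/bin/%'` remove from timestomp detection the two places a user-level dropper most plausibly installs an executable: app bundles under /Applications and the Homebrew prefix, both writable without root on a typical Mac. The inner `SELECT pid FROM processes` cannot see the signature table, so the carve-out applies to unsigned binaries too, whereas the existing vendor exceptions further down are keyed on `signature.authority`. Moving the bundle exclusion to the outer WHERE where the join is available, `AND NOT (p.path LIKE '/Applications/%/Contents/MacOS/%' AND signature.authority != '')`, keeps an unsigned binary in an app bundle visible; the same treatment fits the `/opt/%/bin/%` pattern. The WHERE clause continues past the end of this hunk.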
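Review bot: Folding the comment onto the closing parenthesis, `) -- access time is older than start time`, attaches it to the btime/ctime condition that parenthesis closes rather than to `OR start_atime_days_diff > 90` on the next line, which is the predicate it describes. Trailing it on the line it explains, `OR start_atime_days_diff > 90 -- access time is older than start time`, preserves the association the original two-line form had. Unrelated to this commit, the surrounding context `(btime_ctime_days_diff < -365) AND (btime_ctime_days_diff < -1000)` looks redundant, since the second bound implies the first.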
@@ -74,7 +69,8 @@ WHERE
 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
 'Developer ID Application: Docker Inc (9BNSXJN65R)',
 'Developer ID Application: Emmanouil Konstantinidis (3YP8SXP3BF)',
- 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)', -- Karibiner
+ 'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
+ -- Karibiner
 'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
 'Developer ID Application: Galvanix (5BRAQAFB8B)',
 'Developer ID Application: General Arcade (Pte. Ltd.) (S8JLSG5ES7)',
@@ -122,8 +118,7 @@ WHERE
 AND p.path LIKE '/nix/store/%'
 )
 AND NOT (
- p.euid > 300
- -- Electron
+ p.euid > 300 -- Electron
 AND p.path LIKE '% Helper'
 )
 AND NOT (
@@ -133,5 +128,4 @@ WHERE
 OR p.path LIKE '/nix/store/%/bin/nix-daemon'
 )
 )
-GROUP by
- p.pid
+GROUP by p.pid
\ No newline at end of file
diff --git a/detection/execution/tiny-executable-events.sql b/detection/execution/tiny-executable-events.sql
index eb197bd9..fce66e3a 100644
--- a/detection/execution/tiny-executable-events.sql
+++ b/detection/execution/tiny-executable-events.sql
@@ -48,7 +48,7 @@ WHERE
 '/usr/sbin/ldconfig',
 '/usr/sbin/update-ca-certificates'
 )
- AND NOT p.path LIKE '%/bin/firefox'
+ AND NOT p.path LIKE '%/firefox'
 AND NOT (
 p.path LIKE '/Users/%'
 AND magic.data LIKE 'POSIX shell script%'
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index 42836bd5..f10b93fa 100644
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -2,8 +2,7 @@
 --
 -- platform: darwin
 -- tags: persistent state process seldom
-SELECT
- s.authority,
+SELECT s.authority,
 s.identifier,
 CONCAT (
 MIN(p0.euid, 500),
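Review bot: `-- Karibiner` now sits on a line of its own between two entries of the `signature.authority` list, where it no longer reads as a label for the Takayama authority above it, and the name is presumably meant to be Karabiner (the product this signer is known for; not verifiable from the page). Trailing it on the entry it annotates, `'Developer ID Application: Fumihiko Takayama (G43BCU2T37)', -- Karabiner`, keeps the association the original single line had; if the formatter rejects trailing comments, put it on the line above the entry instead.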
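Review bot: Widening the exception from `'%/bin/firefox'` to `'%/firefox'` makes any binary whose last path component is `firefox` exempt from the tiny-executable rule, including one placed in /tmp or a home directory, and a small stub named `firefox` is an easy way to inherit that pass. If the change was prompted by a distribution that ships the binary under a `lib` directory rather than `bin`, anchoring to that layout (for example `AND NOT p.path LIKE '/usr/lib%/firefox/firefox'`, adjusted to the path actually observed) keeps the exception tight; failing that, excluding user-writable roots from it, `AND NOT (p.path LIKE '%/firefox' AND p.path NOT LIKE '/tmp/%' AND p.path NOT LIKE '/home/%')`, limits the exposure. The WHERE clause continues outside the hunk.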
@@ -39,8 +38,7 @@ SELECT
 p2.path AS p2_path,
 p2.cmdline AS p2_cmd,
 p2_hash.sha256 AS p2_sha256
-FROM
- processes p0
+FROM processes p0
 JOIN process_memory_map pmm ON p0.pid = pmm.pid
 LEFT JOIN signature s ON p0.path = s.path
 LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
@@ -48,53 +46,43 @@ FROM LEFT JOIN hash p1_hash ON p1.path = p1_hash.path LEFT JOIN processes p2 ON p1.parent = p2.pid LEFT JOIN hash p2_hash ON p2.path = p2_hash.path -WHERE - -- Focus on longer-running programs +WHERE -- Focus on longer-running programs p0.pid IN ( - SELECT - pid - FROM - processes - WHERE - start_time < (strftime('%s', 'now') - 25200) - AND parent != 0 - -- Assume STP + SELECT pid + FROM processes + WHERE start_time < (strftime('%s', 'now') - 25200) + AND parent != 0 -- Assume STP AND NOT path LIKE '/System/%' AND NOT path LIKE '/usr/libexec/%' - AND NOT path LIKE '/usr/sbin/%' - -- Regular apps - AND NOT path LIKE '/Applications/%.app/%' - -- Other oddball binary paths + AND NOT path LIKE '/usr/sbin/%' -- Regular apps + AND NOT path LIKE '/Applications/%.app/%' -- Other oddball binary paths AND NOT path LIKE '/opt/%' AND NOT path LIKE '/Users/%/go/%' AND NOT path LIKE '/Users/%/dev/%' AND NOT path LIKE '/Users/%/src/%' AND NOT path LIKE '/Users/%/bin/%' + AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%' AND NOT path LIKE '/Users/%/.terraform/providers/%' AND NOT REGEX_MATCH (path, '(.*)/', 1) LIKE '%/bin' AND NOT ( path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/com.elgato.cpu.sdPlugin/cpu' AND name = 'cpu' - ) - -- Takes arguments + ) -- Takes arguments AND NOT ( - euid >= 500 AND - cmdline LIKE "% --%" + euid >= 500 + AND cmdline LIKE "% --%" ) ) AND pmm.path LIKE '%Security.framework%' - AND exception_key NOT IN ( - '0,velociraptor,a.out,', - '0,osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)' - ) - AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%' - AND NOT ( - exception_key LIKE '500,%,a.out,' - AND p0.path LIKE '/private/var/folders%/T/go-build%/exe/%' - ) AND NOT s.authority IN ( 'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)', + 'Developer ID Application: Corsair Memory, Inc. 
(Y93VXCB8Q5)', + 'Developer ID Application: Google, Inc. (EQHXZ8M8AV)', 'Developer ID Application: Valve Corporation (MXGJJ98X76)' ) -GROUP BY - p0.pid + AND exception_key NOT IN ('0,velociraptor,a.out,') + AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%' + AND NOT exception_key LIKE '500,___Test%.test,a.out' + AND NOT exception_key LIKE '500,nvim,bob-%,' + AND NOT exception_key LIKE '500,%,a.out,' +GROUP BY p0.pid \ No newline at end of file diff --git a/detection/execution/unexpected-root-signer-macos.sql b/detection/execution/unexpected-root-signer-events-macos.sql similarity index 89% rename from detection/execution/unexpected-root-signer-macos.sql rename to detection/execution/unexpected-root-signer-events-macos.sql index 41067d25..a2b55c21 100644 --- a/detection/execution/unexpected-root-signer-macos.sql +++ b/detection/execution/unexpected-root-signer-events-macos.sql @@ -126,24 +126,8 @@ WHERE ) AND NOT ( s.authority = "" - AND pe.path LIKE "/opt/%/bin/socket_vmnet" + AND pe.path LIKE "/opt/%/bin/%" AND p1_path IN ("/usr/bin/sudo", "/sbin/launchd") ) - AND NOT ( - s.authority = "" - AND pe.path LIKE "/opt/homebrew/Cellar/mariadb/%/bin/mariadbd" - AND p0_cmd LIKE "/opt/homebrew/opt/mariadb/bin/mariadbd %" - ) - AND NOT ( - s.authority = "" - AND pe.path LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled" - AND p0_cmd LIKE "/opt/homebrew/Cellar/tailscale/%/bin/tailscaled %" - ) - AND NOT ( - s.authority = "Developer ID Application: Node.js Foundation (HX7739G8FX)" - AND p0_name = "node" - AND p1_name IN ("vim", "nvim") - ) - AND NOT pe.path LIKE '/usr/local/Cellar/htop/%/bin/htop' -- Surfshark AND NOT pe.path LIKE '/Library/SystemExtensions/%/com.surfshark.vpnclient.macos.direct.PacketTunnel-WireGuard.systemextension/Contents/MacOS' diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql index cd30efe8..710918ca 100644 --- a/detection/exfil/high_disk_bytes_read.sql 
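Review bot: `AND NOT exception_key LIKE '500,___Test%.test,a.out'` has no trailing `,authority` field, while every other key in this file has the shape `euid,name,identifier,authority` (compare `'0,velociraptor,a.out,'` two lines above), so an ad-hoc-signed test binary yields a key ending in `a.out,` and this pattern can never match; it should read `'500,___Test%.test,a.out,'`. The same dead pattern is carried unchanged into the second patch's hunk of this file. Separately, moving the go-build exclusion into the pid subquery as `AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'` drops the former requirement that such binaries also be ad-hoc signed, a small loss of precision that is probably intended but worth a trailing comment. The FROM clause of this query starts before the hunk.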
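Review bot: Changing `pe.path LIKE "/opt/%/bin/socket_vmnet"` to `"/opt/%/bin/%"` inside a block that already requires `s.authority = ""` exempts every unsigned binary under any `/opt/*/bin/` started as root by sudo or launchd, and on Apple Silicon that includes the Homebrew prefix, which is writable by the installing user without root. Unsigned code running as root from a location a non-root user can populate is the case this rule exists to surface. The removed mariadbd and tailscaled blocks show the intent was a handful of specific programs, so pairing the path with a name list keeps it narrow, e.g. `AND pe.path LIKE "/opt/%/bin/%" AND p0_name IN ("socket_vmnet", "mariadbd", "tailscaled")` (p0_name is used by the removed Node exception, so it appears to be in scope). The WHERE clause continues outside this hunk on both sides.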
+++ b/detection/exfil/high_disk_bytes_read.sql
@@ -82,6 +82,7 @@ WHERE
 'factorio',
 'Fedora Media Writer',
 'firefox',
+ 'firefox-bin',
 'fish',
 'fleet_backend',
 'fsdaemon',
@@ -164,6 +165,7 @@ WHERE
 )
 AND NOT p0.path LIKE '/Library/SystemExtensions/%/io.kandji.KandjiAgent.ESF-Extension.systemextension/Contents/MacOS/io.kandji.KandjiAgent.ESF-Extension'
 AND NOT p0.path LIKE '/Users/%/Library/Application Support/Google/GoogleUpdater/%/GoogleUpdater.app/Contents/MacOS/GoogleUpdater'
+ AND NOT p0.path LIKE '/private/var/folders/%/T/go-build%'
 AND NOT (
 p0.name = 'bindfs'
 AND p0.cmdline LIKE 'bindfs%-o fsname=%'
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
index e68077f9..78a25a5e 100644
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -60,6 +60,7 @@ WHERE
 AND yara.count > 0
 AND p0.name NOT IN (
 'atuin',
+ 'cargo',
 'Cody',
 'deno',
 'DevPod',
diff --git a/detection/persistence/low-fd-socket.sql b/detection/persistence/low-fd-socket.sql
index d7c62c49..9227e101 100644
--- a/detection/persistence/low-fd-socket.sql
+++ b/detection/persistence/low-fd-socket.sql
@@ -54,6 +54,7 @@ WHERE
 AND pos.family != 1
 AND p0.path NOT IN (
 '/Applications/NetSpot.app/Contents/MacOS/NetSpot',
+ '/Library/Application Support/Viscosity/viscosity_openvpn',
 '/usr/bin/skopeo',
 '/usr/libexec/bootpd',
 '/usr/libexec/pcp/bin/pmcd',
diff --git a/detection/persistence/minimal-socket-client-macos.sql b/detection/persistence/minimal-socket-client-macos.sql
index 67949d7b..c4a78503 100644
--- a/detection/persistence/minimal-socket-client-macos.sql
+++ b/detection/persistence/minimal-socket-client-macos.sql
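Review bot: `AND NOT p0.path LIKE '/private/var/folders/%/T/go-build%'` exempts any executable under a go-build temp directory from the high-read exfil rule; `go run` on an arbitrary source file lands its binary there, and the directory is user-writable, so the pattern also matches a binary simply copied into it. If the parent process is joined elsewhere in this file (as `p1`, outside the hunk), tying the exception to it, `AND NOT (p0.path LIKE '/private/var/folders/%/T/go-build%' AND p1.name = 'go')`, limits it to the toolchain case; otherwise a trailing comment naming the workflow that triggered it would at least document the trade-off. The WHERE clause continues outside this hunk.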
@@ -6,10 +6,9 @@
 -- references:
 -- * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
 --
--- tags: persistent process state seldom extra
+-- tags: persistent process state seldom
 -- platform: macos
-SELECT
- p.uid,
+SELECT p.uid,
 p.euid,
 pos.protocol,
 pos.pid,
@@ -25,69 +24,43 @@ SELECT pos.state, GROUP_CONCAT(DISTINCT pmm.path) AS libs, COUNT(DISTINCT pmm.path) AS lib_count, - -- Normally we would use signatures for exceptions, but it was triggering - -- an unusual performance issue in osquery. - CONCAT (MIN(p.euid, 500), ',', p.name, ',', p.path) AS exception_key -FROM - processes p - -- For some reason, joining this table increases the runtime by 30X - -- LEFT JOIN signature s ON p.path = s.path + CONCAT ( + MIN(p.euid, 500), + ',', + p.name, + ',', + REPLACE(p.path, u.directory, '~'), + s.authority + ) AS exception_key +FROM processes p JOIN process_memory_map pmm ON p.pid = pmm.pid JOIN process_open_sockets pos ON p.pid = pos.pid -WHERE - p.pid IN ( - SELECT - processes.pid - FROM - processes + LEFT JOIN file f ON p.path = f.path + LEFT JOIN users u ON f.uid = u.uid + LEFT JOIN signature s ON p.path = s.path +WHERE p.pid IN ( + SELECT processes.pid + FROM processes JOIN process_open_sockets ON processes.pid = process_open_sockets.pid AND family != 1 - WHERE - processes.path NOT LIKE '/System/%' - -- TODO: consider whitelisting /Applications/%.app/Contents/MacOS/% + WHERE processes.path NOT LIKE '/System/%' + AND processes.path NOT LIKE '/Applications/%.app/Contents/Frameworks/%/Contents/MacOS/%' + AND processes.path NOT LIKE '/Applications/%.app/Contents/MacOS/%' AND processes.path NOT LIKE '/Library/Apple/%' - AND processes.path NOT LIKE '/usr/libexec/%' - AND processes.path NOT LIKE '/usr/sbin/%' - AND processes.path NOT LIKE '/sbin/%' + AND processes.path NOT LIKE '/nix/store/%/bin/nix' + AND processes.path NOT LIKE '/opt/%/bin/%' AND processes.path NOT LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%' + AND processes.path NOT LIKE '/sbin/%' AND processes.path NOT LIKE '/usr/bin/%' - AND processes.path NOT LIKE '/nix/store/%/bin/nix' - AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' + AND processes.path NOT LIKE '/usr/libexec/%' AND processes.path NOT LIKE 
'/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher' + AND processes.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd' + AND processes.path NOT LIKE '/usr/sbin/%' AND processes.start_time < (strftime('%s', 'now') -600) - GROUP BY - processes.path + GROUP BY processes.path ) AND pmm.path LIKE "%.dylib" - AND exception_key NOT IN ( - '500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden', - '500,Clipy,/Applications/Clipy.app/Contents/MacOS/Clipy', - '500,Evernote,/Applications/Evernote.app/Contents/MacOS/Evernote', - '500,Final Cut Pro,/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro', - '500,J8RPQ294UB.com.skitch.SkitchHelper,/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper', - '500,Lightshot Screenshot,/Applications/Lightshot Screenshot.app/Contents/MacOS/Lightshot Screenshot', - '500,Macdown,/Applications/MacDown.app/Contents/MacOS/MacDown', - '500,Revolt Helper (GPU),/Applications/Revolt.app/Contents/Frameworks/Revolt Helper (GPU).app/Contents/MacOS/Revolt Helper (GPU)', - '500,Revolt Helper,/Applications/Revolt.app/Contents/Frameworks/Revolt Helper.app/Contents/MacOS/Revolt Helper', - '500,Revolt,/Applications/Revolt.app/Contents/MacOS/Revolt', - '500,Skitch,/Applications/Skitch.app/Contents/MacOS/Skitch', - '500,Slack Helper (GPU),/Applications/Slack.app/Contents/Frameworks/Slack Helper (GPU).app/Contents/MacOS/Slack Helper (GPU)', - '500,Slack Helper (Renderer),/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS/Slack Helper (Renderer)', - '500,Slack,/Applications/Slack.app/Contents/MacOS/Slack', - '500,Snagit 2020,/Applications/Snagit 2020.app/Contents/MacOS/Snagit 2020', - '500,SnagitHelper2020,/Applications/Snagit 2020.app/Contents/Library/LoginItems/SnagitHelper2020.app/Contents/MacOS/SnagitHelper2020', - 
'500,Speedtest,/Applications/Speedtest.app/Contents/MacOS/Speedtest', - '500,Todoist,/Applications/Todoist.app/Contents/MacOS/Todoist', - '500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper (GPU).app/Contents/MacOS/WhatsApp Helper (GPU)', - '500,monday.com,/Applications/monday.com.app/Contents/MacOS/monday.com' - ) - AND exception_key NOT LIKE '500,MacVim,/%/MacVim.app/Contents/MacOS/MacVim' - AND exception_key NOT LIKE '500,PrinterProxy,/Users/%/Library/Printers/Brother %.app/Contents/MacOS/PrinterProxy' - AND exception_key NOT LIKE '500,Steam Helper,/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper' - AND exception_key NOT LIKE '500,Skitch,/private/var/folders/%/d/Skitch.app/Contents/MacOS/Skitch' -GROUP BY - pos.pid -HAVING - lib_count IN (1, 2) +GROUP BY pos.pid +HAVING lib_count IN (1, 2) AND libs NOT LIKE '/Applications/%/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib,/usr/lib/libobjc-trampolines.dylib' - AND libs NOT LIKE '/usr/lib/libobjc-trampolines.dylib,/Applications/%.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib' + AND libs NOT LIKE '/usr/lib/libobjc-trampolines.dylib,/Applications/%.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib' \ No newline at end of file diff --git a/detection/persistence/unexpected-device-linux.sql b/detection/persistence/unexpected-device-linux.sql index adcc60a6..19b375c7 100644 --- a/detection/persistence/unexpected-device-linux.sql +++ b/detection/persistence/unexpected-device-linux.sql 
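Review bot: The rebuilt `exception_key` has no `','` between `REPLACE(p.path, u.directory, '~')` and `s.authority`, so path and signing authority run together in one field (`500,name,~/some/pathDeveloper ID Application: …`) instead of the `field,field,` shape the other keys in this commit use; the fix is `REPLACE(p.path, u.directory, '~'), ',', s.authority`. Within the hunk the key is then never consumed: every former `exception_key NOT IN` / `NOT LIKE` filter is removed and replaced by the path-only exclusions `'/Applications/%.app/Contents/MacOS/%'`, `'/Applications/%.app/Contents/Frameworks/%/Contents/MacOS/%'` and `'/opt/%/bin/%'` in the pid subquery, where `s.authority` is not visible, so an unsigned socket client inside any app bundle now passes with no key check at all. The `LEFT JOIN signature s` is reinstated while the comment recording that this join raised runtime 30× is deleted; if it has been re-measured, a one-line comment saying so would stop the next reader from reverting it. Note also that `u.directory` is resolved from the file owner (`f.uid`) rather than the process user, so a root-owned binary under a home directory is not normalised to `~`. The select list starts before the hunk.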
@@ -60,37 +60,39 @@ WHERE ( AND path NOT LIKE '%/./%' AND path NOT LIKE '%/../%' AND exception_key NOT IN ( - '/dev/accel/accel,character', + '/dev/HID-SENSOR-e..auto,character', '/dev/accel/,directory', + '/dev/accel/accel,character', '/dev/acpi_thermal_rel,character', '/dev/autofs,character', '/dev/binder,character', + '/dev/binderfs/,directory', '/dev/binderfs/binder,character', '/dev/binderfs/binder-control,character', - '/dev/binderfs/,directory', '/dev/binderfs/features,directory', '/dev/binderfs/hwbinder,character', '/dev/binderfs/vndbinder,character', - '/dev/block/:,block', '/dev/block/,directory', - '/dev/bsg/:::,character', + '/dev/block/:,block', '/dev/bsg/,directory', + '/dev/bsg/:::,character', '/dev/btrfs-control,character', '/dev/bus/,directory', '/dev/bus/usb,directory', '/dev/cdrom,block', '/dev/cec,character', - '/dev/char/:,character', '/dev/char/,directory', + '/dev/char/:,character', '/dev/char/:,unknown', '/dev/console,character', '/dev/core,regular', '/dev/cpu/,directory', - '/dev/cpu_dma_latency,character', '/dev/cpu/microcode', + '/dev/cpu_dma_latency,character', '/dev/cros_ec,character', '/dev/cuse,character', '/dev/dbc,character', + '/dev/disk/,directory', '/dev/disk/by-diskseq,directory', '/dev/disk/by-dname,directory', '/dev/disk/by-id,directory', @@ -101,13 +103,12 @@ WHERE ( '/dev/disk/by-partuuid,directory', '/dev/disk/by-path,directory', '/dev/disk/by-uuid,directory', - '/dev/disk/,directory', + '/dev/dm-,block', '/dev/dma_heap/,directory', '/dev/dma_heap/system,character', - '/dev/dm-,block', + '/dev/dri/,directory', '/dev/dri/by-path,directory', '/dev/dri/card,character', - '/dev/dri/,directory', '/dev/dri/renderD,character', '/dev/drm_dp_aux,character', '/dev/ecryptfs,character', @@ -122,7 +123,6 @@ WHERE ( '/dev/fuse,character', '/dev/gpiochip,character', '/dev/hidraw,character', - '/dev/HID-SENSOR-e..auto,character', '/dev/hpet,character', '/dev/hugepages/,directory', '/dev/hugepages/libvirt,directory', 
@@ -131,9 +131,9 @@ WHERE ( '/dev/ic-,character', '/dev/iio:device,character', '/dev/initctl,fifo', + '/dev/input/,directory', '/dev/input/by-id,directory', '/dev/input/by-path,directory', - '/dev/input/,directory', '/dev/input/event,character', '/dev/input/js,character', '/dev/input/mice,character', @@ -142,6 +142,7 @@ WHERE ( '/dev/kfd,character', '/dev/kmsg,character', '/dev/kvm,character', + '/dev/libmtp--.,character', '/dev/log,socket', '/dev/loop,block', '/dev/loop-control,character', @@ -151,9 +152,9 @@ WHERE ( '/dev/mei,character', '/dev/mem,character', '/dev/mqueue/,directory', - '/dev/mtd/by-name,directory', '/dev/mtd,character', '/dev/mtd/,directory', + '/dev/mtd/by-name,directory', '/dev/mtdro,character', '/dev/net/,directory', '/dev/net/tun,character', @@ -161,10 +162,10 @@ WHERE ( '/dev/ntsync,character', '/dev/null,character', '/dev/nvidia,character', - '/dev/nvidiactl,character', '/dev/nvidia-modeset,character', '/dev/nvidia-uvm,character', '/dev/nvidia-uvm-tools,character', + '/dev/nvidiactl,character', '/dev/nvme,character', '/dev/nvmen,block', '/dev/nvmenp,block', @@ -186,9 +187,9 @@ WHERE ( '/dev/sdc,block', '/dev/sdd,block', '/dev/sde,block', + '/dev/serial/,directory', '/dev/serial/by-id,directory', '/dev/serial/by-path,directory', - '/dev/serial/,directory', '/dev/sg,character', '/dev/sgx_provision', '/dev/shm/,directory', 
@@ -197,29 +198,29 @@ WHERE ( '/dev/shm/lttng-ust-wait-,regular', '/dev/shm/lttng-ust-wait--,regular', '/dev/snapshot,character', + '/dev/snd/,directory', '/dev/snd/by-id,directory', '/dev/snd/by-path,directory', '/dev/snd/controlC,character', - '/dev/snd/,directory', '/dev/snd/hwCD,character', '/dev/snd/pcmCDc,character', '/dev/snd/pcmCDp,character', '/dev/snd/seq,character', '/dev/snd/timer,character', '/dev/sr,block', - '/dev/stderr,fifo', '/dev/stderr,character', + '/dev/stderr,fifo', '/dev/stdin,character', '/dev/stdin,fifo', - '/dev/stdout,fifo', '/dev/stdout,character', + '/dev/stdout,fifo', '/dev/tee,character', '/dev/tpm,character', '/dev/tpmrm,character', - '/dev/ttyACM,character', '/dev/tty,character', - '/dev/ttyprintk,character', + '/dev/ttyACM,character', '/dev/ttyS,character', + '/dev/ttyprintk,character', '/dev/ubuntu-vg/,directory', '/dev/udmabuf,character', '/dev/uhid,character', @@ -230,8 +231,8 @@ WHERE ( '/dev/usbmon,character', '/dev/userfaultfd,character', '/dev/userio,character', - '/dev/vcsa,character', '/dev/vcs,character', + '/dev/vcsa,character', '/dev/vcsu,character', '/dev/vfio/,directory', '/dev/vfio/vfio,character', @@ -248,11 +249,11 @@ WHERE ( '/dev/vhost-vsock', '/dev/vhost-vsock,character', '/dev/video,character', + '/dev/vl-subdev,character', + '/dev/vl/,directory', '/dev/vl/by-id,directory', '/dev/vl/by-path,directory', - '/dev/vl/,directory', '/dev/vlloopback,character', - '/dev/vl-subdev,character', '/dev/vndbinder,character', '/dev/vsock,character', '/dev/watchdog,character', diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql index 9980a67c..26d19f19 100644 --- a/detection/persistence/unexpected-listening-port-linux.sql +++ b/detection/persistence/unexpected-listening-port-linux.sql 
@@ -84,11 +84,13 @@ WHERE
 '17,255,0,.tailscaled-wra',
 '17,255,500,dhcpcd',
 '17,255,500,mtr-packet',
+ '17500,6,500,dropbox',
 '18000,6,500,kourier',
 '22000,6,500,syncthing',
 '2222,6,500,qemu-system-x86',
 '22,6,0,sshd',
 '22,6,0,systemd',
+ '22,6,500,systemd',
 '22,6,500,sshd',
 '2379,6,500,etcd',
 '2380,6,500,etcd',
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
index 65eb716d..44c5bf82 100644
--- a/detection/persistence/unexpected-uid0-daemon-macos.sql
+++ b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -323,6 +323,7 @@ WHERE -- Focus on longer-running programs
 'Developer ID Application: Google LLC (EQHXZ8M8AV)',
 'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
 'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
+ 'Developer ID Application: SparkLabs Pty Ltd (34XR7GXFPX)',
 'Developer ID Application: Keybase, Inc. (99229SGT5K)',
 'Developer ID Application: Kolide Inc (YZ3EM74M78)',
 'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
From 25f0e1479035100c0012c48d514ff09c80578a27 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 24 Oct 2024 11:31:28 -0400
Subject: [PATCH 2/2] add more exceptions
---
 ...nexpected-long-running-security-framework-macos.sql | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index f10b93fa..8ed6ae58 100644
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
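Review bot: `'22,6,500,systemd'` allowlists a non-root process named `systemd` bound to TCP/22 by name alone, if the key is `port,protocol,euid,name` as the neighbouring `'22,6,0,sshd'` suggests; a process name is the cheapest attribute for an unprivileged listener to choose, and an SSH port held under uid 500 is precisely the situation this rule watches. If the key cannot carry a path, a trailing comment naming the setup that produced the entry (user-session socket activation, presumably) would make the exception auditable, and a separate path condition on the listener binary would tighten it. The IN list continues outside the hunk.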
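Review bot: The new `'Developer ID Application: SparkLabs Pty Ltd (34XR7GXFPX)'` entry is inserted between the Kandji and Keybase authorities, breaking the alphabetical order of a list that the rest of this commit goes out of its way to restore in the hidden-cwd and unexpected-device-linux hunks; moving it to its sorted position keeps the list greppable and avoids duplicate entries later. The list continues outside the hunk.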
@@ -80,9 +80,15 @@ WHERE -- Focus on longer-running programs
 'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
 'Developer ID Application: Valve Corporation (MXGJJ98X76)'
 )
- AND exception_key NOT IN ('0,velociraptor,a.out,')
+ AND exception_key NOT IN (
+ '0,velociraptor,a.out,',
+ '500,sdzoomplugin,,',
+ '500,sdaudioswitch,,',
+ '500,gopls,a.out,',
+ '500,sdaudioswitch,sdaudioswitch,'
+ )
 AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
 AND NOT exception_key LIKE '500,___Test%.test,a.out'
 AND NOT exception_key LIKE '500,nvim,bob-%,'
- AND NOT exception_key LIKE '500,%,a.out,'
+ AND NOT exception_key LIKE '500,sm-agent,sm_agent-%'
 GROUP BY p0.pid
\ No newline at end of file
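Review bot: `'500,sdzoomplugin,,'` and `'500,sdaudioswitch,,'` carry an empty identifier and an empty authority, i.e. they exempt unsigned user-level binaries by process name alone, and `'500,sm-agent,sm_agent-%'` likewise accepts any authority behind that identifier prefix; anything that names itself `sdzoomplugin` inherits the same pass. These look like Stream Deck plugins (the first patch's context for this file keys a sibling exception on the `com.elgato.StreamDeck/Plugins/` path), so binding them to that location as the sibling does, `AND NOT (exception_key IN ('500,sdzoomplugin,,', '500,sdaudioswitch,,') AND p0.path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%')`, keeps the exception tied to where the plugins are installed. The `'500,___Test%.test,a.out'` pattern kept as context here is still missing its trailing comma, as noted on the first patch. The WHERE clause starts before the hunk.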