

Merge pull request #348 from tstromberg/rapid7-elastic-bob
fpr: elastic, rapid7, zwift
tstromberg authored Jan 10, 2024
2 parents 944b9b7 + 3cc2af5 commit eaf42fb
Showing 7 changed files with 41 additions and 27 deletions.
26 changes: 14 additions & 12 deletions detection/c2/unexpected-talker-events.sql
Expand Up @@ -113,11 +113,12 @@ WHERE
'500,0,1234,spotify',
'500,0,123,sntp',
'500,0,20480,io.tailscale.ipn.macsys.network-extension',
'500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService',
'500,0,22,ssh',
'500,0,31488,sntp',
'500,0,443,go',
'500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService',
'500,0,32768,com.apple.NRD.UpdateBrainService',
'500,0,32768,elastic-endpoint',
'500,500,443,ZwiftAppSilicon',
'500,0,32768,firefox',
'500,0,32768,io.tailscale.ipn.macsys.network-extension',
'500,0,32768,ksfetch',
Expand All @@ -134,13 +135,16 @@ WHERE
'500,0,443,com.fortinet.forticlient.macos.vpn.nwextension',
'500,0,443,com.google.one.NetworkExtension',
'500,0,443,curl',
'500,0,443,elastic-endpoint',
'500,0,443,electron',
'500,0,443,firefox',
'500,0,443,fwupdmgr',
'500,0,443,git-remote-http',
'500,0,443,gnome-software',
'500,0,443,go',
'500,0,443,http',
'500,0,443,io.tailscale.ipn.macsys.network-extension',
'500,0,443,ir_agent',
'500,0,443,kioslave5',
'500,0,443,ksfetch',
'500,0,443,launcher',
Expand All @@ -149,13 +153,11 @@ WHERE
'500,0,443,node',
'500,0,443,OneDriveStandaloneUpdater',
'500,0,443,pingsender',
'500,0,9,snapd',
'500,0,443,slack',
'500,0,443,snapd',
'500,0,443,spotify',
'500,0,443,ssh',
'500,0,443,syncthing',
'500,500,443,Acrobat Updater',
'500,0,443,velociraptor',
'500,0,443,wget',
'500,0,5228,chrome',
Expand All @@ -165,22 +167,19 @@ WHERE
'500,0,53,launcher',
'500,0,53,nessusd',
'500,0,53,NetworkManager',
'500,99,32768,Slack',
'500,0,53,slack',
'500,0,53,spotify',
'500,500,32768,G2MUpdate',
'500,0,53,wget',
'500,0,5632,ssh',
'500,0,53,nessusd',
'500,0,80,chrome',
'500,0,80,com.apple.NRD.UpdateBrainService',
'500,0,80,electron',
'500,0,80,firefox',
'500,0,80,http',
'500,0,80,io.tailscale.ipn.macsys.network-extension',
'500,0,80,ksfetch',
'500,500,53,gitsign',
'500,0,9,launcher',
'500,0,9,snapd',
'500,500,13568,Code Helper',
'500,500,20480,Code Helper',
'500,500,20480,GoogleUpdater',
Expand All @@ -192,14 +191,14 @@ WHERE
'500,500,32768,cloud-sql-proxy',
'500,500,32768,Code Helper',
'500,500,32768,Electron',
'500,500,32768,G2MUpdate',
'500,500,32768,GoogleUpdater',
'500,500,32768,java',
'500,99,443,Slack Helper',
'500,500,32768,ksfetch',
'500,0,32768,elastic-endpoint',
'500,500,32768,melange',
'500,500,32768,node',
'500,500,4318,Code Helper (Plugin)',
'500,500,443,Acrobat Updater',
'500,500,443,apk',
'500,500,443,aws',
'500,500,443,chainctl',
Expand All @@ -224,7 +223,6 @@ WHERE
'500,500,443,istioctl',
'500,500,443,ksfetch',
'500,500,443,kubectl',
'500,99,443,Slack',
'500,500,443,minikube',
'500,500,443,node',
'500,500,443,old',
Expand All @@ -233,14 +231,18 @@ WHERE
'500,500,443,syft',
'500,500,443,wolfictl',
'500,500,53,Code Helper',
'500,500,53,gitsign',
'500,500,80,cloud_sql_proxy',
'500,500,80,Code Helper',
'500,500,80,Code Helper (Plugin)',
'500,500,80,copilot-agent-macos-arm64',
'500,500,80,Google Chrome Helper',
'500,500,80,GoogleUpdater',
'500,500,80,ksfetch',
'500,500,80,node'
'500,500,80,node',
'500,99,32768,Slack',
'500,99,443,Slack',
'500,99,443,Slack Helper'
)
AND NOT exception_key LIKE '500,500,443,terraform%'
AND NOT exception_key LIKE '500,0,%,syncthing'
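Review bot: The new keys `'500,0,32768,elastic-endpoint'` and `'500,0,443,ir_agent'` exempt root-owned connections on process name alone, so any binary an attacker names `ir_agent` or `elastic-endpoint` inherits the EDR agent's exemption — the existing name-only keys have the same weakness, but these two are precisely the names an implant would borrow. If the process rows this query reads expose a path or signing authority (the sibling macOS talkers query keys on signer via `id_exception_key`), pairing these entries with one would keep the exemption narrow, e.g. `AND NOT (name = 'ir_agent' AND path NOT LIKE '/opt/rapid7/ir_agent/%')`; the column names are assumed since the SELECT is not in these hunks. The rendered diff has lost its +/- markers, so whether `'500,0,32768,elastic-endpoint'` appearing at two positions is a sort move or an accidental duplicate cannot be confirmed from this view, and a quick check that the list has no repeated keys is cheap. The `exception_key NOT IN (…)` list starts and ends outside the visible hunks.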
10 changes: 6 additions & 4 deletions detection/c2/unexpected-talkers-macos.sql
Expand Up @@ -227,15 +227,15 @@ WHERE
)
AND id_exception_key IN (
'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
Expand All @@ -245,6 +245,7 @@ WHERE
'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
'Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
'Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
Expand All @@ -255,7 +256,8 @@ WHERE
'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking'
'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking',
'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'
)
)
GROUP BY
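Review bot: The added key `'Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon'` uses what looks like a binary name as its second element, while every neighbouring entry uses a reverse-DNS signing identifier (`com.adobe.Reader`, `org.mozilla.firefox`, `com.valvesoftware.steam`). If `id_exception_key` is derived from the code-signing identifier this may simply be what Zwift signs with, but it is worth confirming against the app's `codesign -dv` output rather than the process name, and recording the finding inline, e.g. `-- Zwift signs with a non reverse-DNS identifier`. The `id_exception_key IN (…)` list starts and ends outside the visible hunks.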
3 changes: 2 additions & 1 deletion detection/evasion/missing-from-disk-macos.sql
Expand Up @@ -22,6 +22,7 @@ SELECT
p.cwd,
p.on_disk,
p.state,
strftime('%s', 'now') - p.start_time AS age,
pp.on_disk AS parent_on_disk,
pp.path AS parent_path,
pp.cmdline AS parent_cmd,
Expand All @@ -33,7 +34,7 @@ FROM
LEFT JOIN hash ON pp.path = hash.path
WHERE
p.on_disk != 1 -- false positives from recently spawned processes
AND (strftime('%s', 'now') - p.start_time) > 15
AND (strftime('%s', 'now') - p.start_time) > 900
AND p.pid > 0
AND p.parent != 2 -- kthreadd
AND p.state != 'Z' -- The kernel no longer has enough tracking information for this alert to be useful
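Review bot: The comment `-- false positives from recently spawned processes` on the `p.on_disk != 1` line no longer describes the condition once the threshold moves from 15 s to 900 s: fifteen minutes is not "recently spawned", and the wider window also means a self-deleting payload that finishes in under 15 minutes is never reported by this query. The trade-off belongs next to the constant, e.g. `AND (strftime('%s', 'now') - p.start_time) > 900 -- 15m: presumably binaries replaced by updaters show on_disk=0 for a while; short-lived self-deleting processes are knowingly missed`. The new `age` column is a good addition for triage. The SELECT and FROM of this query start outside the visible hunk.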
1 change: 1 addition & 0 deletions detection/evasion/unexpected-hidden-system-paths.sql
Expand Up @@ -67,6 +67,7 @@ WHERE
'/.lesshst',
'/.mozilla/',
'/.vol/',
'/var/root/.zsh_history',
'/dev/.mdadm/',
'/etc/.#sudoers',
'/etc/.clean',
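Review bot: `'/var/root/.zsh_history'` is inserted between `'/.vol/'` and `'/dev/.mdadm/'`, breaking the alphabetical order the rest of the list keeps, so it should move to its sorted position to keep the list greppable and duplicate-free. On macOS `/var` is a symlink to `/private/var`; if the path column this query filters on carries the resolved path, this exact-match exception would never fire, so confirm which form osquery reports here or allowlist both spellings. The `IN (…)` list this hunk sits in starts and ends outside the visible lines.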
Expand Up @@ -86,28 +86,29 @@ WHERE
'~/Library/Application Support/BraveSoftware/',
'~/Library/Application Support/com.elgato.StreamDeck/',
'~/Library/Application Support/duckly/',
'~/Library/Application Support/com.elgato.StreamDeck/',
'~/Library/Application Support/Figma/',
'~/.vscode/extensions/ms-vscode.cpptools-1.15.4-darwin-arm64/',
'~/Library/Application Support/Steam/',
'~/Library/Application Support/Zed/',
'~/Library/Application Support/WebEx Folder/',
'/Library/Application Support/EcammLive',
'/usr/local/kolide-k2/Kolide.app/Contents/MacOS',
'~/Library/Application Support/Figma/',
'~/Library/Application Support/Foxit Software/',
'~/Library/Application Support/JetBrains/',
'~/Library/Application Support/OpenLens',
'~/Library/Application Support/sourcegraph-sp/',
'~/Library/Application Support/Steam/',
'~/Library/Application Support/WebEx Folder/',
'~/Library/Application Support/Zed/',
'~/Library/Application Support/Zwift/',
'~/Library/Application Support/Zwift',
'~/Library/Caches/com.mimestream.Mimestream/',
'~/Library/Caches/company.thebrowser.Browser/',
'~/Library/Caches/com.sempliva.Tiles/',
'~/Library/Caches/JetBrains/',
'~/Library/Caches/org.gpgtools.updater/',
'~/Library/Caches/snyk/',
'~/projects/go/src/',
'~/Library/Caches/company.thebrowser.Browser/',
'/Library/Developer/Xcode/',
'~/.terraform.d/plugin-cache/registry.terraform.io/'
'~/.local/share/bob/',
'~/projects/go/src/',
'~/.terraform.d/plugin-cache/registry.terraform.io/',
'/usr/local/kolide-k2/Kolide.app/Contents/MacOS',
'~/.vscode/extensions/ms-vscode.cpptools-1.15.4-darwin-arm64/'
)
OR dir IN (
'~/bin',
Expand Down Expand Up @@ -152,6 +153,7 @@ WHERE
'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
'Developer ID Application: Zwift, Inc (C2GM8Y9VFM)',
'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
'Developer ID Application: Cisco (DE8Y96K9QP)',
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
3 changes: 3 additions & 0 deletions detection/execution/unexpected-execdir-events-macos.sql
Expand Up @@ -155,6 +155,8 @@ WHERE
'/Volumes/Slack/Slack.app',
'/opt/homebrew/Caskroom',
'/opt/homebrew/Cellar',
'/opt/rapid7/ir_agent',
'/opt/Elastic/Endpoint',
'/Library/Elastic/Agent',
'/opt/homebrew/Library',
'/private/var/kolide-k2',
Expand Down Expand Up @@ -317,6 +319,7 @@ WHERE
'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
'Developer ID Application: Cisco (DE8Y96K9QP)',
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
'Developer ID Application: Canon Inc. (XE2XNRRXZ5)',
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
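Review bot: `'/opt/rapid7/ir_agent'` and `'/opt/Elastic/Endpoint'` widen the exec-directory exception and `'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)'` widens the signer exception, but whether the two lists are AND-ed or OR-ed is not visible in these hunks; if they are OR-ed, anything dropped under /opt/rapid7/ir_agent or /opt/Elastic/Endpoint executes unflagged regardless of signature, whereas pairing each directory with its vendor signer would keep the exemption narrow. There is also an asymmetry with the sibling unexpected-execdir-macos.sql in this commit, whose visible hunks gain the Elasticsearch signer but not the /opt/Elastic/Endpoint path, while this file gets the path but no Elasticsearch signer — worth checking that both files intend the same policy. Minor style: the Rapid7 signer is inserted between Cisco and CodeWeavers, out of the alphabetical order the surrounding entries keep. Both lists start and end outside the visible hunks.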
3 changes: 3 additions & 0 deletions detection/execution/unexpected-execdir-macos.sql
Expand Up @@ -141,6 +141,7 @@ WHERE
'~/Library/Caches/com.mimestream.Mimestream/',
'~/Library/Caches/com.sempliva.Tiles/',
'~/.local/share/bob/',
'/opt/rapid7/ir_agent',
'~/anaconda3/Anaconda-Navigator.app/Contents/',
'~/Library/Services/UE4EditorServices.app/',
'~/Library/Caches/com.grammarly.ProjectLlama/',
Expand Down Expand Up @@ -181,6 +182,7 @@ WHERE
'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
'Developer ID Application: Docker Inc (9BNSXJN65R)',
'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y)',
'Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
Expand All @@ -196,6 +198,7 @@ WHERE
'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
'Developer ID Application: TablePlus Inc (3X57WP8E8V)',
'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
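Review bot: `'/opt/rapid7/ir_agent'` is the only entry in this visible stretch without a trailing slash — its neighbours are `'~/.local/share/bob/'` and `'~/anaconda3/Anaconda-Navigator.app/Contents/'` — so if the directory check is a prefix match it would also cover sibling names such as `/opt/rapid7/ir_agent-old`; `'/opt/rapid7/ir_agent/'` follows the list's convention and closes that gap. It is also placed among `~/` user paths rather than with the system paths, which makes the list harder to scan for duplicates. The directory and signer `IN (…)` lists start and end outside the visible hunks.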
