Merge pull request #396 from tstromberg/oct17

fpr: alf, hidden paths, proc names, listeners, systemd
chainguard-dev · Oct 17, 2024 · 1054dfe · 1054dfe
2 parents 0090392 + 3cbb0ab
commit 1054dfe
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 107 deletions.
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
@@ -46,124 +46,48 @@ WHERE -- Filter out stock exceptions to decrease overhead
   ) -- Ignore files that ahve already been removed
   AND file.filename NOT NULL
   AND exception_key NOT IN (
-    ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
-    ',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
     ',a.out,/private/tmp/learning-labs-static/server,501',
     ',a.out,/Users/amouat/proj/learning-labs-static/server,501',
     ',a.out,/Users/dlorenc/.wash/downloads/nats-server,501',
-    'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
-    'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
-    'Apple Mac OS Application Signing,com.busymac.busycal3,/Applications/BusyCal.app/,0',
-    'Apple Mac OS Application Signing,com.evernote.Evernote,/Applications/Evernote.app/,0',
-    'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
-    'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
     'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
     'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.localized/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
-    ',,/Applications/Google%20Chrome.app/,',
-    ',,/Applications/IntelliJ%20IDEA.app/,',
-    ',,/Applications/ProtonMail%20Bridge.app/,',
-    ',,/Applications/Visual%20Studio%20Code.app/,',
-    ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
+    ',deskflow-server,/Applications/Deskflow.app/Contents/MacOS/deskflow-server,501',
     'Developer ID Application: Adguard Software Limited (TC3Q7MAJXF),com.adguard.mac.adguard.network-extension,/Library/SystemExtensions/AD3BCA34-237A-4135-B7A4-0F7477D9144C/com.adguard.mac.adguard.network-extension.systemextension/,0',
-    'Developer ID Application: Any.DO inc. (FW4RAPJ9FF),com.anydo.mac,/Applications/Anydo.app/,501',
-    'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501',
-    'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
-    'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
-    'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
-    'Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.,/Applications/Multipass.app/,0',
-    'Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipassGui,/Applications/Multipass.app/,0',
-    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
-    'Developer ID Application: Crul, Inc. (5PTD6R25S6),com.electron.crul,/Applications/crul.app/,501',
-    'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
-    'Developer ID Application: Digital Ignition LLC (5DPYRBHEAR),org.m0k.transmission,/Applications/Transmission.app/,501',
-    'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker,/Applications/Docker.app/,501',
-    'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
-    'Developer ID Application: Evernote Corporation (Q79WDW8YH9),com.evernote.Evernote,/Applications/Evernote.app/,501',
-    'Developer ID Application: folivora.AI GmbH (DAFVSXZ82P),com.hegenberg.BetterTouchTool,/Applications/BetterTouchTool.app/,501',
-    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
-    'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
-    'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
-    'Developer ID Application: Martijn Smit (GX645XXEAX),com.mutedeck.mac,/Applications/MuteDeck/MuteDeck.app/,501',
-    'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
-    'Developer ID Application: Postdot Technologies, Inc (H7H8Q7M5CK),com.postmanlabs.mac,/Applications/Postman.app/,501',
     'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,0',
     'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/,0',
-    'Developer ID Application: Raycast Technologies Inc (SY64MV22J9),com.raycast.macos,/Applications/Raycast.app/,501',
-    'Developer ID Application: RescueTime, Inc (FSY4RB8H39),c]om.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
-    'Developer ID Application: Shanghai Lunkuo Technology Co., Ltd (T3UBR9Y3B2),com.bambulab.bambu-studio,/Applications/BambuStudio.app/,501',
-    'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
-    'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
     'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
-    'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
-    'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
-    'Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed,/Applications/Zed.app/,501',
-    'Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed,/Volumes/Zed/Zed.app/,501',
-    ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
-    ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
-    ',net.java.openjdk.java,/usr/local/Cellar/openjdk/21.0.2/libexec/openjdk.jdk/Contents/Home/bin/java,501',
-    'Software Signing,com.apple.audio.AUHostingService.arm64e,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/AUHostingServiceXPC_arrow.xpc/,0',
-    'Software Signing,com.apple.audio.AUHostingService.x86-64,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/AUHostingServiceXPC.xpc/,0',
-    'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
-    'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
-    'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
-    'Software Signing,com.apple.nc,/usr/bin/nc,0',
-    'Software Signing,com.apple.netbiosd,/usr/sbin/netbiosd,0',
-    'Software Signing,com.apple.python3,/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
-    'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
-    'Software Signing,com.apple.rapportd,/usr/libexec/rapportd,0',
-    'Software Signing,com.apple.RemoteDesktopAgent,/System/Library/CoreServices/RemoteManagement/ARDAgent.app/,0',
-    'Software Signing,com.apple.rpc,/usr/sbin/rpc.lockd,0',
-    'Software Signing,com.apple.Terminal,/System/Applications/Utilities/Terminal.app/,0',
-    'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
-    'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
-    'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
     '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
     ',,/Users/cpanato/code/src/github.com/sigstore/docs/node_modules/.bin/hugo/hugo,501'
   )
-  AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'
-  AND NOT exception_key LIKE ',a.out,/Users/%/hugo,501'
-  AND NOT exception_key LIKE 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/%/Library/Caches/Cypress/13.12.0/Cypress.app/,501'
-  AND NOT exception_key LIKE 'Developer ID Application: The Foundry (82R497YNSK),org.python.python,/Applications/Nuke%/Contents/Frameworks/Python.framework/Versions/%/Resources/Python.app/,501'
+  -- Signed
+  AND NOT exception_key LIKE 'Developer ID Application:%,/Applications/%.app/,501'
+  -- Unsigned
+  AND NOT exception_key LIKE ',,/Applications/%.app/,'
+  -- Locally compiled
+  AND NOT exception_key LIKE ',a.out,/Users/%,501'
+  -- Homebrew
+  AND NOT exception_key LIKE ',%,/opt/homebrew/Cellar/%,501'
+  -- Nix
+  AND NOT exception_key LIKE ',%,/nix/store/%,0'
+  AND NOT exception_key LIKE ',%,/nix/store/%,501'
+  -- Apple (root)
+  AND NOT exception_key LIKE 'Software Signing,com.apple.%,0'
+  -- App Store
+  AND NOT exception_key LIKE 'Apple Mac OS Application Signing,%,/Applications/%.app/,0'
+  -- Other weirdo apps
+  AND NOT exception_key LIKE 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/%/Library/Caches/Cypress/%/Cypress.app/,501'
   AND NOT exception_key LIKE 'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/%'
-  AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python%/Frameworks/Python.framework/Versions/%/Resources/Python.app/,501'
-  AND NOT exception_key LIKE ',a.out,/Users/%/act/dist/local/act,501'
-  AND NOT exception_key LIKE ',git-daemon-%,/opt/homebrew/Cellar/git/%/libexec/git-core/git-daemon,501'
-  AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python@%/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501'
-  AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
-  AND NOT exception_key LIKE ',net.java.openjdk.java,/opt/homebrew/Cellar/openjdk%/libexec/openjdk.jdk/Contents/Home/bin/java,501'
-  AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
-  AND NOT exception_key LIKE ',a.out,/Users/%/cloud-provider-kind,501'
-  AND NOT exception_key LIKE ',a.out,/Users/%/GolandProjects/documentation-code-examples/debuggingTutorial/myApp,501'
-  AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501'
-  AND NOT exception_key LIKE ',java,/opt/homebrew/Cellar/openjdk/%/libexec/openjdk.jdk/Contents/Home/bin/java,501'
-  AND NOT exception_key LIKE ',python3.%,/nix/store/%-python3-3%/bin/python3.%,0'
-  AND NOT exception_key LIKE 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/%/Library/Caches/Cypress/12.9.0/Cypress.app/,501'
+  AND NOT exception_key LIKE 'Developer ID Application: The Foundry (82R497YNSK),org.python.python,/Applications/Nuke%/Contents/Frameworks/Python.framework/Versions/%/Resources/Python.app/,501'
   AND NOT signature.authority IN (
     'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
     'Developer ID Application: The Foundry (82R497YNSK)',
     'Developer ID Application: Docker Inc (9BNSXJN65R)',
     'Developer ID Application: OpenAI, L.L.C. (2DC432GLL2)'
   )
-  AND NOT (
-    signature.identifier LIKE 'cargo-%'
-    AND ae.path LIKE '/Users/%/.rustup/%'
-  )
   AND NOT (
     signature.identifier LIKE 'fake-%'
     AND ae.path LIKE '%/exe/fake'
   )
-  AND NOT (
-    signature.identifier LIKE 'mariadbd-%'
-    AND ae.path LIKE '/opt/homebrew/%/mariadbd'
-  )
-  AND NOT (
-    signature.identifier = 'netcat'
-    AND ae.path LIKE '/Users/%/homebrew/Cellar/netcat/%/bin/netcat'
-  )
-  AND NOT (
-    signature.identifier = 'syncthing'
-    AND ae.path LIKE '/nix/store/%-syncthing-%/bin/syncthing'
-  )
   AND NOT (
     signature.identifier = 'nix'
     AND ae.path LIKE '/nix/store/%-nix-%/bin/nix'
@@ -176,6 +100,7 @@ WHERE -- Filter out stock exceptions to decrease overhead
     AND signature.identifier = 'org.chromium.Chromium'
     AND ae.path LIKE '/Users/%/Library/pnpm/global/%/.pnpm/carlo@%/node_modules/carlo/lib/.local-data/mac-%/chrome-mac/Chromium.app/'
   )
+  -- End user tools
   AND NOT (
     (
       signature.identifier = 'a.out'

diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -92,29 +92,32 @@ WHERE
     '/tmp/.eos-update-notifier.log',
     '/tmp/.featureflags-agent/',
     '/tmp/.font-unix/',
+    '/tmp/.git/',
     '/tmp/.go-version',
+    '/tmp/.helmrepo',
     '/tmp/.ICE-unix/',
     '/tmp/.last_survey_prompt.yaml',
     '/tmp/.last_update_check.json',
     '/tmp/.metrics-agent/',
     '/tmp/.PKGINFO',
     '/tmp/.searcher.tmp/',
+    '/tmp/.ses',
     '/tmp/.settings-agent/',
     '/tmp/.SIGN.RSA.chainguard-enterprise.rsa.pub',
     '/tmp/.SIGN.RSA..local-melange.rsa.pub',
     '/tmp/.SIGN.RSA.local-melange.rsa.pub',
     '/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
+    '/tmp/.s.PGSQL.5432',
+    '/tmp/.s.PGSQL.5432.lock',
     '/tmp/.terraform/',
     '/tmp/.terraform.lock.hcl',
     '/tmp/.Test-unix/',
     '/tmp/.touchpaddefaults',
     '/tmp/.ui-agent/',
-    '/var/roothome/.dbus/',
     '/tmp/.updater-agent/',
     '/tmp/.vbox-t-ipc/',
     '/tmp/.vscode.dmypy_status/',
     '/tmp/.wsdl/',
-    '/tmp/.helmrepo',
     '/tmp/.X0-lock',
     '/tmp/.X11-unix/',
     '/tmp/.X1-lock',
@@ -139,6 +142,7 @@ WHERE
     '/var/db/.SoftwareUpdateOptions',
     '/var/db/.StagedAppleUpgrade',
     '/var/db/.SystemPolicy-default',
+    '/var/home/.duperemove.hash',
     '/var/mail/.cache/',
     '/var/.ntw_cache',
     '/var/.Parallels_swap/',
@@ -155,6 +159,7 @@ WHERE
     '/var/roothome/.bashrc',
     '/var/roothome/.cache/',
     '/var/roothome/.config/',
+    '/var/roothome/.dbus/',
     '/var/roothome/.justfile',
     '/var/roothome/.local/',
     '/var/roothome/.osquery/',
@@ -167,9 +172,9 @@ WHERE
     '/var/root/.osquery/',
     '/var/root/.PenTablet/',
     '/var/root/.provisio',
+    '/var/root/.ssh/',
     '/var/root/.Trash/',
     '/var/root/.viminfo',
-    '/var/root/.ssh/',
     '/var/root/.zsh_history',
     '/var/run/.heim_org.h5l.kcm-socket',
     '/var/run/.sim_diagnosticd_socket',
@@ -178,10 +183,8 @@ WHERE
     '/var/setup/.TemporaryItems',
     '/var/setup/.TemporaryItems/',
     '/var/tmp/.ses',
-    '/tmp/.ses',
     '/var/tmp/.ses.bak',
     '/.vol/',
-    '/tmp/.git/',
     '/.VolumeIcon.icns'
   )
   AND file.directory NOT IN (

diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
@@ -109,13 +109,14 @@ WHERE
     'launchd_startx'
   )
   -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
-  AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
+  AND NOt pname LIKE '___1Test%'
+  AND NOT pname LIKE 'BetterTouchToolAppleScriptRunner%'
   AND NOT pname LIKE 'cody-engine-%'
-  AND NOT pname LIKE '%-macos-arm64'
+  AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
   AND NOT pname LIKE 'debug.test%'
   AND NOT pname LIKE '__%go_build%'
-  AND NOt pname LIKE '___1Test%'
-  AND NOT pname LIKE 'BetterTouchToolAppleScriptRunner%'
+  AND NOT pname LIKE '%-macos-arm64'
+  AND NOT pname LIKE '___Test%'
   AND NOT s.authority IN (
     "Software Signing",
     "Apple Mac OS Application Signing"

diff --git a/detection/persistence/listening-from-unusual-location.sql b/detection/persistence/listening-from-unusual-location.sql
@@ -109,9 +109,12 @@ WHERE
   AND NOT exception_key IN (
     '16620,6,500,psi-bastion',
     '32768,6,500,java',
+    '32768,6,500,logioptionsplus_agent',
+    '32768,17,500,logioptionsplus_agent',
     '32768,6,500,Chromium',
     '32768,6,500,Code Helper (Plugin)',
     '24024,17,500,MTGA',
+    '32768,17,499,viscosity_openvpn',
     '1,1,500,ping'
   )
   AND NOT p0.path LIKE '/nix/store/%'

diff --git a/detection/persistence/suspicious-systemd-unit.sql b/detection/persistence/suspicious-systemd-unit.sql
@@ -118,6 +118,7 @@ rule systemd_small_multiuser_no_comments_or_documentation : high {
     $not_oneshot = "Type=oneshot"
     $not_lima = "Description=lima-guestagent"
     $not_check_sb = "Description=Service to check for secure boot key enrollment"
+    $not_waydroid = "waydroid"
   condition:
     filesize < 384 and $execstart and $multiuser and none of ($not_*)
 }
@@ -190,6 +191,7 @@ rule systemd_small_restart_always : medium {
     $not_after = /After=\w/
     $not_before = /Before=\w{1,128}/
     $not_notify = "Type=notify"
+    $not_wanted_by = /WantedBy=\w{2,32}\.target/
   condition:
     filesize < 384 and $restart and none of ($not*)
 }
@@ -223,6 +225,7 @@ rule usr_bin_execstop_shell : medium {
   strings:
     $execstop = /ExecStop=\/bin\/sh .{0,64}/
     $not_podman_logging = "/usr/bin/podman $LOGGING"
+    $not_stderr = /ExecStop=\/bin\/sh .{0,64}set -eu/
   condition:
     filesize < 4096 and $execstop and none of ($not*)
 }