From 3cbb0ab34c241609f15375a405546a1f542ba9bf Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 17 Oct 2024 11:44:47 -0400
Subject: [PATCH] fpr: alf, hidden paths, proc names, listeners, systemd
---
 .../unexpected-alf-exceptions-macos.sql | 115 +++--------------
 .../unexpected-hidden-system-paths.sql | 13 +-
 .../evasion/unusual-process-name-macos.sql | 9 +-
 .../listening-from-unusual-location.sql | 3 +
 .../persistence/suspicious-systemd-unit.sql | 3 +
 .../unexpected-listening-port-macos.sql | 14 ++-
 6 files changed, 50 insertions(+), 107 deletions(-)
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
index 13f98e7..f450c16 100644
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
@@ -46,124 +46,48 @@ WHERE -- Filter out stock exceptions to decrease overhead ) -- Ignore files that ahve already been removed AND file.filename NOT NULL AND exception_key NOT IN ( - ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501', - ',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501', ',a.out,/private/tmp/learning-labs-static/server,501', ',a.out,/Users/amouat/proj/learning-labs-static/server,501', ',a.out,/Users/dlorenc/.wash/downloads/nats-server,501', - 'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0', - 'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0', - 'Apple Mac OS Application Signing,com.busymac.busycal3,/Applications/BusyCal.app/,0', - 'Apple Mac OS Application Signing,com.evernote.Evernote,/Applications/Evernote.app/,0', - 'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0', - 'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0', 'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0', 'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.localized/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0', - ',,/Applications/Google%20Chrome.app/,', - ',,/Applications/IntelliJ%20IDEA.app/,', - ',,/Applications/ProtonMail%20Bridge.app/,', - ',,/Applications/Visual%20Studio%20Code.app/,', - ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,', + ',deskflow-server,/Applications/Deskflow.app/Contents/MacOS/deskflow-server,501', 'Developer ID Application: Adguard Software Limited 
(TC3Q7MAJXF),com.adguard.mac.adguard.network-extension,/Library/SystemExtensions/AD3BCA34-237A-4135-B7A4-0F7477D9144C/com.adguard.mac.adguard.network-extension.systemextension/,0', - 'Developer ID Application: Any.DO inc. (FW4RAPJ9FF),com.anydo.mac,/Applications/Anydo.app/,501', - 'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501', - 'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501', - 'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501', - 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0', - 'Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.,/Applications/Multipass.app/,0', - 'Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipassGui,/Applications/Multipass.app/,0', - 'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0', - 'Developer ID Application: Crul, Inc. (5PTD6R25S6),com.electron.crul,/Applications/crul.app/,501', - 'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501', - 'Developer ID Application: Digital Ignition LLC (5DPYRBHEAR),org.m0k.transmission,/Applications/Transmission.app/,501', - 'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker,/Applications/Docker.app/,501', - 'Developer ID Application: Dropbox, Inc. 
(G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501', - 'Developer ID Application: Evernote Corporation (Q79WDW8YH9),com.evernote.Evernote,/Applications/Evernote.app/,501', - 'Developer ID Application: folivora.AI GmbH (DAFVSXZ82P),com.hegenberg.BetterTouchTool,/Applications/BetterTouchTool.app/,501', - 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501', - 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501', - 'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501', - 'Developer ID Application: Martijn Smit (GX645XXEAX),com.mutedeck.mac,/Applications/MuteDeck/MuteDeck.app/,501', - 'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501', - 'Developer ID Application: Postdot Technologies, Inc (H7H8Q7M5CK),com.postmanlabs.mac,/Applications/Postman.app/,501', 'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,0', 'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/,0', - 'Developer ID Application: Raycast Technologies Inc (SY64MV22J9),com.raycast.macos,/Applications/Raycast.app/,501', - 'Developer ID Application: RescueTime, Inc (FSY4RB8H39),c]om.rescuetime.RescueTime,/Applications/RescueTime.app/,0', - 'Developer ID Application: Shanghai Lunkuo Technology Co., Ltd (T3UBR9Y3B2),com.bambulab.bambu-studio,/Applications/BambuStudio.app/,501', - 'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501', - 'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501', 'Developer ID Application: Tailscale Inc. 
(W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0', - 'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501', - 'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0', - 'Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed,/Applications/Zed.app/,501', - 'Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed,/Volumes/Zed/Zed.app/,501', - ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0', - ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501', - ',net.java.openjdk.java,/usr/local/Cellar/openjdk/21.0.2/libexec/openjdk.jdk/Contents/Home/bin/java,501', - 'Software Signing,com.apple.audio.AUHostingService.arm64e,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/AUHostingServiceXPC_arrow.xpc/,0', - 'Software Signing,com.apple.audio.AUHostingService.x86-64,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/AUHostingServiceXPC.xpc/,0', - 'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0', - 'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0', - 'Software Signing,com.apple.Music,/System/Applications/Music.app/,0', - 'Software Signing,com.apple.nc,/usr/bin/nc,0', - 'Software Signing,com.apple.netbiosd,/usr/sbin/netbiosd,0', - 'Software Signing,com.apple.python3,/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0', - 'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0', - 'Software Signing,com.apple.rapportd,/usr/libexec/rapportd,0', - 'Software 
Signing,com.apple.RemoteDesktopAgent,/System/Library/CoreServices/RemoteManagement/ARDAgent.app/,0', - 'Software Signing,com.apple.rpc,/usr/sbin/rpc.lockd,0', - 'Software Signing,com.apple.Terminal,/System/Applications/Utilities/Terminal.app/,0', - 'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0', - 'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0', - 'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0', '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/', ',,/Users/cpanato/code/src/github.com/sigstore/docs/node_modules/.bin/hugo/hugo,501' ) - AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501' - AND NOT exception_key LIKE ',a.out,/Users/%/hugo,501' - AND NOT exception_key LIKE 'Developer ID Application: Cypress.Io, Inc. 
(7D655LWGLY),com.electron.cypress,/Users/%/Library/Caches/Cypress/13.12.0/Cypress.app/,501' - AND NOT exception_key LIKE 'Developer ID Application: The Foundry (82R497YNSK),org.python.python,/Applications/Nuke%/Contents/Frameworks/Python.framework/Versions/%/Resources/Python.app/,501' + -- Signed + AND NOT exception_key LIKE 'Developer ID Application:%,/Applications/%.app/,501' + -- Unsigned + AND NOT exception_key LIKE ',,/Applications/%.app/,' + -- Locally compiled + AND NOT exception_key LIKE ',a.out,/Users/%,501' + -- Homebrew + AND NOT exception_key LIKE ',%,/opt/homebrew/Cellar/%,501' + -- Nix + AND NOT exception_key LIKE ',%,/nix/store/%,0' + AND NOT exception_key LIKE ',%,/nix/store/%,501' + -- Apple (root) + AND NOT exception_key LIKE 'Software Signing,com.apple.%,0' + -- App Store + AND NOT exception_key LIKE 'Apple Mac OS Application Signing,%,/Applications/%.app/,0' + -- Other weirdo apps + AND NOT exception_key LIKE 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/%/Library/Caches/Cypress/%/Cypress.app/,501' AND NOT exception_key LIKE 'Developer ID Application: Tailscale Inc. 
(W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/%' - AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python%/Frameworks/Python.framework/Versions/%/Resources/Python.app/,501' - AND NOT exception_key LIKE ',a.out,/Users/%/act/dist/local/act,501' - AND NOT exception_key LIKE ',git-daemon-%,/opt/homebrew/Cellar/git/%/libexec/git-core/git-daemon,501' - AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python@%/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501' - AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501' - AND NOT exception_key LIKE ',net.java.openjdk.java,/opt/homebrew/Cellar/openjdk%/libexec/openjdk.jdk/Contents/Home/bin/java,501' - AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501' - AND NOT exception_key LIKE ',a.out,/Users/%/cloud-provider-kind,501' - AND NOT exception_key LIKE ',a.out,/Users/%/GolandProjects/documentation-code-examples/debuggingTutorial/myApp,501' - AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501' - AND NOT exception_key LIKE ',java,/opt/homebrew/Cellar/openjdk/%/libexec/openjdk.jdk/Contents/Home/bin/java,501' - AND NOT exception_key LIKE ',python3.%,/nix/store/%-python3-3%/bin/python3.%,0' - AND NOT exception_key LIKE 'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/%/Library/Caches/Cypress/12.9.0/Cypress.app/,501' + AND NOT exception_key LIKE 'Developer ID Application: The Foundry (82R497YNSK),org.python.python,/Applications/Nuke%/Contents/Frameworks/Python.framework/Versions/%/Resources/Python.app/,501' AND NOT signature.authority IN ( 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)', 'Developer ID Application: The Foundry (82R497YNSK)', 'Developer ID Application: Docker Inc (9BNSXJN65R)', 'Developer ID Application: OpenAI, L.L.C. 
(2DC432GLL2)' ) - AND NOT ( - signature.identifier LIKE 'cargo-%' - AND ae.path LIKE '/Users/%/.rustup/%' - ) AND NOT ( signature.identifier LIKE 'fake-%' AND ae.path LIKE '%/exe/fake' ) - AND NOT ( - signature.identifier LIKE 'mariadbd-%' - AND ae.path LIKE '/opt/homebrew/%/mariadbd' - ) - AND NOT ( - signature.identifier = 'netcat' - AND ae.path LIKE '/Users/%/homebrew/Cellar/netcat/%/bin/netcat' - ) - AND NOT ( - signature.identifier = 'syncthing' - AND ae.path LIKE '/nix/store/%-syncthing-%/bin/syncthing' - ) AND NOT ( signature.identifier = 'nix' AND ae.path LIKE '/nix/store/%-nix-%/bin/nix' @@ -176,6 +100,7 @@ WHERE -- Filter out stock exceptions to decrease overhead AND signature.identifier = 'org.chromium.Chromium' AND ae.path LIKE '/Users/%/Library/pnpm/global/%/.pnpm/carlo@%/node_modules/carlo/lib/.local-data/mac-%/chrome-mac/Chromium.app/' ) + -- End user tools AND NOT ( ( signature.identifier = 'a.out' diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql index 007d155..90bec6f 100644 --- a/detection/evasion/unexpected-hidden-system-paths.sql +++ b/detection/evasion/unexpected-hidden-system-paths.sql 
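Review bot: The new `-- Locally compiled` pattern `',a.out,/Users/%,501'` exempts every ad-hoc-signed binary (identifier `a.out`) anywhere under a home directory, which is far wider than the per-path entries it replaces (`/Users/%/dev/%`, `/Users/%/hugo`, the `act` and `cloud-provider-kind` lines), so a firewall exception added for such a binary would no longer be reported. The same widening applies to `'Developer ID Application:%,/Applications/%.app/,501'`, where the first `%` spans both the authority and the identifier field, and to `',,/Applications/%.app/,'`, which accepts any unsigned bundle path that ends in `.app/`. If this is the accepted trade-off for a noisy detection, say so in the comment, e.g. `-- Locally compiled (any ad-hoc signed binary under a home directory; accepted FP trade-off)`; otherwise narrow the path portion to the development directories the removed entries covered. Both hunks of this file cut through the WHERE clause, which starts and ends outside them.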
@@ -92,29 +92,32 @@ WHERE
 '/tmp/.eos-update-notifier.log',
 '/tmp/.featureflags-agent/',
 '/tmp/.font-unix/',
+ '/tmp/.git/',
 '/tmp/.go-version',
+ '/tmp/.helmrepo',
 '/tmp/.ICE-unix/',
 '/tmp/.last_survey_prompt.yaml',
 '/tmp/.last_update_check.json',
 '/tmp/.metrics-agent/',
 '/tmp/.PKGINFO',
 '/tmp/.searcher.tmp/',
+ '/tmp/.ses',
 '/tmp/.settings-agent/',
 '/tmp/.SIGN.RSA.chainguard-enterprise.rsa.pub',
 '/tmp/.SIGN.RSA..local-melange.rsa.pub',
 '/tmp/.SIGN.RSA.local-melange.rsa.pub',
 '/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
+ '/tmp/.s.PGSQL.5432',
+ '/tmp/.s.PGSQL.5432.lock',
 '/tmp/.terraform/',
 '/tmp/.terraform.lock.hcl',
 '/tmp/.Test-unix/',
 '/tmp/.touchpaddefaults',
 '/tmp/.ui-agent/',
- '/var/roothome/.dbus/',
 '/tmp/.updater-agent/',
 '/tmp/.vbox-t-ipc/',
 '/tmp/.vscode.dmypy_status/',
 '/tmp/.wsdl/',
- '/tmp/.helmrepo',
 '/tmp/.X0-lock',
 '/tmp/.X11-unix/',
 '/tmp/.X1-lock',
@@ -139,6 +142,7 @@ WHERE
 '/var/db/.SoftwareUpdateOptions',
 '/var/db/.StagedAppleUpgrade',
 '/var/db/.SystemPolicy-default',
+ '/var/home/.duperemove.hash',
 '/var/mail/.cache/',
 '/var/.ntw_cache',
 '/var/.Parallels_swap/',
@@ -155,6 +159,7 @@ WHERE
 '/var/roothome/.bashrc',
 '/var/roothome/.cache/',
 '/var/roothome/.config/',
+ '/var/roothome/.dbus/',
 '/var/roothome/.justfile',
 '/var/roothome/.local/',
 '/var/roothome/.osquery/',
@@ -167,9 +172,9 @@ WHERE
 '/var/root/.osquery/',
 '/var/root/.PenTablet/',
 '/var/root/.provisio',
+ '/var/root/.ssh/',
 '/var/root/.Trash/',
 '/var/root/.viminfo',
- '/var/root/.ssh/',
 '/var/root/.zsh_history',
 '/var/run/.heim_org.h5l.kcm-socket',
 '/var/run/.sim_diagnosticd_socket',
@@ -178,10 +183,8 @@ WHERE
 '/var/setup/.TemporaryItems',
 '/var/setup/.TemporaryItems/',
 '/var/tmp/.ses',
- '/tmp/.ses',
 '/var/tmp/.ses.bak',
 '/.vol/',
- '/tmp/.git/',
 '/.VolumeIcon.icns'
 )
 AND file.directory NOT IN (
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
index 0f865f7..ee35ad5 100644
--- a/detection/evasion/unusual-process-name-macos.sql
+++ b/detection/evasion/unusual-process-name-macos.sql
@@ -109,13 +109,14 @@ WHERE
 'launchd_startx'
 )
 -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
- AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
+ AND NOt pname LIKE '___1Test%'
+ AND NOT pname LIKE 'BetterTouchToolAppleScriptRunner%'
 AND NOT pname LIKE 'cody-engine-%'
- AND NOT pname LIKE '%-macos-arm64'
+ AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
 AND NOT pname LIKE 'debug.test%'
 AND NOT pname LIKE '__%go_build%'
- AND NOt pname LIKE '___1Test%'
- AND NOT pname LIKE 'BetterTouchToolAppleScriptRunner%'
+ AND NOT pname LIKE '%-macos-arm64'
+ AND NOT pname LIKE '___Test%'
 AND NOT s.authority IN (
 "Software Signing",
 "Apple Mac OS Application Signing"
diff --git a/detection/persistence/listening-from-unusual-location.sql b/detection/persistence/listening-from-unusual-location.sql
index 9db14c5..e4101f7 100644
--- a/detection/persistence/listening-from-unusual-location.sql
+++ b/detection/persistence/listening-from-unusual-location.sql
@@ -109,9 +109,12 @@ WHERE
 AND NOT exception_key IN (
 '16620,6,500,psi-bastion',
 '32768,6,500,java',
+ '32768,6,500,logioptionsplus_agent',
+ '32768,17,500,logioptionsplus_agent',
 '32768,6,500,Chromium',
 '32768,6,500,Code Helper (Plugin)',
 '24024,17,500,MTGA',
+ '32768,17,499,viscosity_openvpn',
 '1,1,500,ping'
 )
 AND NOT p0.path LIKE '/nix/store/%'
diff --git a/detection/persistence/suspicious-systemd-unit.sql b/detection/persistence/suspicious-systemd-unit.sql
index 73ffc68..0aaf65b 100644
--- a/detection/persistence/suspicious-systemd-unit.sql
+++ b/detection/persistence/suspicious-systemd-unit.sql
@@ -118,6 +118,7 @@ rule systemd_small_multiuser_no_comments_or_documentation : high {
 $not_oneshot = "Type=oneshot"
 $not_lima = "Description=lima-guestagent"
 $not_check_sb = "Description=Service to check for secure boot key enrollment"
+ $not_waydroid = "waydroid"
 condition:
 filesize < 384 and $execstart and $multiuser and none of ($not_*)
 }
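Review bot: `AND NOt pname LIKE '___1Test%'` and the new `AND NOT pname LIKE '___Test%'` rely on `_`, which in LIKE is a single-character wildcard rather than a literal underscore, so `'___Test%'` matches any process name with `Test` at offset 3 (a constructed `abcTestRunner` would pass), which is considerably wider than a literal `___Test` prefix. If literal underscores are intended, escape them: `AND NOT pname LIKE '\_\_\_Test%' ESCAPE '\'`, and likewise for the `___1Test%` line. While touching these lines, fix the `NOt` casing and use single quotes for `"%.com.flexibits.fantastical2.mac.helper"` to match the rest of the list; if this runs on SQLite, as the osquery-style tables suggest, a double-quoted token is an identifier first and a string literal only as a fallback. The WHERE clause continues outside the hunk.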
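Review bot: The three new keys (`'32768,6,500,logioptionsplus_agent'`, `'32768,17,500,logioptionsplus_agent'`, `'32768,17,499,viscosity_openvpn'`) identify the listener by name alone, while this query's subject is the location the listener runs from, so a process carrying one of these names is exempt whatever its path. The surrounding entries use the same scheme, so this is a pre-existing shape rather than a new defect, but consider pairing name-only exceptions with a path condition, as the `AND NOT p0.path LIKE '/nix/store/%'` clause below does. The `32768` value also looks like a bucketed ephemeral-port marker rather than a literal port; if so, a one-line comment on the key format (`-- exception_key: port,proto,uid,name; ports above the ephemeral floor are bucketed`, adjusted to what the SELECT actually builds) would help the next maintainer. The enclosing WHERE clause starts and ends outside the hunk.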
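Review bot: `$not_waydroid = "waydroid"` is a bare substring, so any unit that mentions the word anywhere (a comment, a path argument in ExecStart) drops out of this high-severity rule, whereas the neighbouring exclusions anchor on a whole field such as `"Description=lima-guestagent"`. Anchor it on the field that actually distinguishes the Waydroid unit, e.g. `$not_waydroid = "Description=Waydroid"` if that is its Description line (confirm against the unit file before committing). The rule's `strings:` section begins outside the hunk.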
@@ -190,6 +191,7 @@ rule systemd_small_restart_always : medium {
 $not_after = /After=\w/
 $not_before = /Before=\w{1,128}/
 $not_notify = "Type=notify"
+ $not_wanted_by = /WantedBy=\w{2,32}\.target/
 condition:
 filesize < 384 and $restart and none of ($not*)
 }
@@ -223,6 +225,7 @@ rule usr_bin_execstop_shell : medium {
 strings:
 $execstop = /ExecStop=\/bin\/sh .{0,64}/
 $not_podman_logging = "/usr/bin/podman $LOGGING"
+ $not_stderr = /ExecStop=\/bin\/sh .{0,64}set -eu/
 condition:
 filesize < 4096 and $execstop and none of ($not*)
 }
diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
index 2f34f57..deef7b7 100644
--- a/detection/persistence/unexpected-listening-port-macos.sql
+++ b/detection/persistence/unexpected-listening-port-macos.sql
@@ -54,7 +54,6 @@ WHERE
 AND NOT exception_key IN (
 '10011,6,0,launchd,Software Signing',
 '10011,6,0,webfilterproxyd,Software Signing',
- '49152,6,500,Capture One,Developer ID Application: Capture One A/S (5WTDB5F65L)',
 '1024,6,0,systemmigrationd,Software Signing',
 '10250,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',
 '111,17,1,rpcbind,Software Signing',
@@ -82,6 +81,8 @@ WHERE
 '22,6,0,launchd,Software Signing',
 '2345,6,500,dlv,',
 '24678,6,500,node,',
+ '24800,6,500,deskflow-server,',
+ '24800,6,500,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
 '24802,6,500,synergy-service,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
 '24851,6,500,HueSync,Developer ID Application: Signify Netherlands B.V. (PREPN2W95S)',
 '25565,6,500,java,',
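Review bot: `$not_wanted_by = /WantedBy=\w{2,32}\.target/` in `systemd_small_restart_always` matches the ordinary `[Install]` line (`WantedBy=multi-user.target`, `WantedBy=default.target`) that an enabled unit almost always carries, and `none of ($not*)` then suppresses the rule for every such unit; what remains is small `Restart=always` units with no install target, which is the less interesting case for a persistence check. If the goal was to skip units that are properly ordered or documented, the existing `$not_after`/`$not_before` strings already do that; otherwise restrict the pattern to the specific target that produced the false positive and name it in a comment beside the string. The rule's `strings:` block begins outside the hunk.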
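Review bot: `$not_stderr = /ExecStop=\/bin\/sh .{0,64}set -eu/` is named for stderr but matches a `set -eu` shell prologue, so the name will mislead the next reader; rename it for what it matches, e.g. `$not_set_eu = /ExecStop=\/bin\/sh .{0,64}set -eu/`. The `.{0,64}` span also means the exclusion keys on a very common shell prefix rather than on one known unit; if it was added for a specific unit, anchor on that unit's distinctive command text the way `$not_podman_logging` anchors on `"/usr/bin/podman $LOGGING"`. The rule header is visible in the hunk context but its condition and the rest of the file sit outside it.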
@@ -118,6 +119,7 @@ WHERE
 '49152,6,0,remotepairingdeviced,Software Signing',
 '49152,6,500,AUHostingServiceXPC_arrow,Software Signing',
 '49152,6,500,CaptureCoreService,Developer ID Application: Capture One A/S (5WTDB5F65L)',
+ '49152,6,500,Capture One,Developer ID Application: Capture One A/S (5WTDB5F65L)',
 '49152,6,500,com.adguard.mac.adguard.network-extension,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
 '49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
 '49152,6,500,com.docker.supervisor,Developer ID Application: Docker Inc (9BNSXJN65R)',
@@ -126,8 +128,8 @@ WHERE
 '49152,6,500,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8)',
 '49152,6,500,EcammLiveRemoteXPCServer,Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
 '49152,6,500,GarageBand,Apple Mac OS Application Signing',
- '49152,6,500,HP Smart,Apple Mac OS Application Signing',
 '49152,6,500,git-daemon,',
+ '49152,6,500,HP Smart,Apple Mac OS Application Signing',
 '49152,6,500,idea,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
 '49152,6,500,IPNExtension,Apple Mac OS Application Signing',
 '49152,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
@@ -139,7 +141,6 @@ WHERE
 '49152,6,500,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K)',
 '49152,6,500,Music,Software Signing',
 '49152,6,500,node,',
- '49152,6,500,HP Smart,Apple Mac OS Application Signing',
 '49152,6,500,qemu-system-aarch64,',
 '49152,6,500,rapportd,Software Signing',
 '49152,6,500,Resolve,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
@@ -166,6 +167,9 @@ WHERE
 '53,17,65,mDNSResponder,Software Signing',
 '53,6,500,dnsmasq,',
 '53,6,65,mDNSResponder,Software Signing',
+ '5432,6,500,postgres,Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
+ '5432,6,500,postgres',
+ '5433,6,500,postgres',
 '5454,6,0,xrdd,Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
 '546,17,0,configd,Software Signing',
 '547,17,500,dhcp6d,Software Signing',
@@ -215,6 +219,10 @@ WHERE
 exception_key LIKE '%,6,500,IPNExtension,Apple Mac OS Application Signing'
 AND lp.port > 5000
 )
+ AND NOT (
+ exception_key LIKE '3%,6,500,java,'
+ AND p.cwd LIKE '/Users/%'
+ )
 AND NOT (
 p.path LIKE ',ko-app,%'
 AND lp.port > 1024
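Review bot: `'5432,6,500,postgres'` and `'5433,6,500,postgres'` have four fields where every other key in this list has five (`port,proto,uid,name,authority`, with a trailing comma when the authority is empty, as in `'53,6,500,dnsmasq,'` just above), so as written they can never equal `exception_key` and the unsigned Postgres listener they are meant to allow will keep firing. If an unsigned build is intended, change them to `'5432,6,500,postgres,'` and `'5433,6,500,postgres,'`, and add a comment naming which distribution that is, since the EnterpriseDB-signed entry directly above already covers the signed one. The IN list starts and ends outside the hunk.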
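Review bot: `exception_key LIKE '3%,6,500,java,'` is a string prefix on the port, not a numeric range: it accepts any unsigned `java` listener whose port's decimal form starts with 3 (3, 30–39, 300–399, 3000–3999, 30000–39999) whenever `p.cwd` is under `/Users/`. If the intent is developer JVMs on high ports, express it numerically and say so, e.g. `exception_key LIKE '%,6,500,java,'` together with `AND lp.port BETWEEN 30000 AND 39999` (or whatever range is actually observed) and a comment such as `-- unsigned JVMs started from a user checkout (dev tooling)`. The WHERE clause continues past the hunk.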