Merge pull request #327 from tstromberg/fpr-oct24

fpr: Kolide, qemu, bash, monday, macOS

detection/c2/unexpected-https-macos.sql

@@ -119,6 +119,7 @@ WHERE
     '0,multipassd,multipassd,Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.multipassd',
     '0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U),nessusd',
     '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
+    '500,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
     '500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
     '500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
     '500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
@@ -177,6 +178,7 @@ WHERE
     '500,cilium,cilium,500u,123g',
     '500,cloud-sql-proxy,cloud-sql-proxy,500u,20g',
     '500,cosign,cosign,0u,500g',
+    '500,snyk-macos-arm64,snyk-macos-arm64,500u,20g',
     '500,cosign,cosign,500u,20g',
     '500,cosign,cosign,500u,80g',
     '500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',

detection/c2/unexpected-talker-events.sql

@@ -78,6 +78,7 @@ WHERE
   AND s.remote_address NOT LIKE '::ffff:192.168.%'
   AND s.remote_address NOT LIKE 'fc00:%'
   AND NOT s.path LIKE '/Applications/%' -- NOTE: Do not filter out /bin (bash) or /usr/bin (nc)
+  AND NOT s.path LIKE '/private/var/folders/%/T/go-build%'
   AND NOT top2_dir IN (
     '/Library/Apple',
     '/Library/Application Support',
@@ -104,7 +105,11 @@ WHERE
     '500,0,110,syncthing',
     '500,0,123,sntp',
     '500,0,53,spotify',
+    '500,500,443,Signal',
+    '500,500,443,Google Chrome Helper',
+    '500,500,443,Signal Helper (Renderer)',
     '500,0,1234,spotify',
+    '500,500,443,apk',
     '500,0,20480,io.tailscale.ipn.macsys.network-extension',
     '500,0,22,ssh',
     '500,0,31488,sntp',
@@ -123,6 +128,9 @@ WHERE
     '500,0,443,git-remote-http',
     '500,0,443,gnome-software',
     '500,0,443,http',
+    '500,0,443,Brackets',
+    '500,500,80,Google Chrome Helper',
+    '500,500,443,minikube',
     '500,0,443,io.tailscale.ipn.macsys.network-extension',
     '500,0,443,ksfetch',
     '500,0,443,launcher',
@@ -134,6 +142,7 @@ WHERE
     '500,500,53,Code Helper',
     '500,0,43,whois',
     '500,0,443,spotify',
+    '500,0,443,snapd',
     '500,0,443,syncthing',
     '500,0,443,velociraptor',
     '500,0,443,wget',
@@ -143,6 +152,7 @@ WHERE
     '500,0,53,NetworkManager',
     '500,0,53,chrome',
     '500,0,53,git',
+    '500,500,443,GoogleUpdater',
     '500,0,53,launcher',
     '500,0,53,slack',
     '500,0,53,wget',
@@ -151,6 +161,7 @@ WHERE
     '500,0,80,com.apple.NRD.UpdateBrainService',
     '500,0,80,firefox',
     '500,0,80,http',
+    '500,500,20480,GoogleUpdater',
     '500,0,80,io.tailscale.ipn.macsys.network-extension',
     '500,0,80,ksfetch',
     '500,0,9,launcher',

detection/c2/unexpected-talkers-linux.sql

@@ -247,7 +247,7 @@ WHERE
     AND p.euid > 500
   )
   AND NOT (
-    p.name = 'java'
+    p.name IN ('java', 'jcef_helper')
     AND p.cmdline LIKE '/home/%/PhpStorm%'
     AND s.remote_port > 79
     AND s.protocol = 6

detection/credentials/unexpected-dev-opener-linux.sql

@@ -233,6 +233,7 @@ WHERE
   AND path_exception NOT LIKE '/dev/shm/pym-%python3.%'
   -- celery
   AND path_exception NOT LIKE '/dev/shm/pymp-%,python3.%'
+  AND dir_exception NOT LIKE '/dev/shm/byobu-%/status.tmux,'
   AND NOT (
     pof.path LIKE '/dev/bus/usb/%'
     AND p0.name IN (

detection/credentials/unexpected-dev-opener-macos.sql

@@ -76,6 +76,7 @@ WHERE
   AND exception_key NOT IN (
     '/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond',
     '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
+    '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),io.osquery.agent',
     '/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred',
     '/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',
     '/dev/auditsessions,authd,Software Signing,com.apple.authd',

detection/evasion/unexpected-hidden-system-paths.sql

@@ -105,6 +105,7 @@ WHERE
     '/tmp/.last_update_check.json',
     '/tmp/.metrics-agent/',
     '/tmp/.searcher.tmp/',
+    '/tmp/.bazelci/',
     '/tmp/.settings-agent/',
     '/tmp/.terraform.lock.hcl',
     '/tmp/.terraform/',

detection/execution/exotic-commands-macos.sql

@@ -95,11 +95,11 @@ WHERE
   )
   AND NOT (
     p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'
-    AND p0_cmd LIKE "%lima/%"
-  )
-  AND NOT (
-    p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'
-    AND p0_cmd LIKE '%@localhost'
+    AND (
+      p0_cmd LIKE "%lima/%"
+      OR p0_cmd LIKE "%minikube/%"
+      OR p0_cmd LIKE '%@localhost'
+    )
   )
   AND NOT (
     p0_cmd LIKE '%sh -i'

detection/execution/unexpected-security-framework-program-macos.sql

@@ -81,6 +81,8 @@ WHERE
     '0,nix,nix,',
     '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
     '0,velociraptor,a.out,',
+    '500,monday.com Helper (GPU),com.monday.desktop.helper.GPU,Apple Mac OS Application Signing',
+    '500,clangd,clangd,',
     '500,.cargo-wrapped,.cargo-wrapped,',
     '500,Android File Transfer Agent,com.google.android.mtpagent,Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
     '500,AppleMusic,AppleMusic,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',

detection/exfil/yara-unexpected-go-crypt-exec-process.sql

@@ -43,8 +43,7 @@ FROM
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
   p0.start_time > (strftime('%s', 'now') - 7200)
-  AND
-  yara.sigrule = '    
+  AND yara.sigrule = '    
     rule cryptexec {
     strings:
         $c0 = "crypto/cipher.newCBC" ascii
@@ -64,6 +63,7 @@ WHERE
   AND p0.path NOT LIKE '%terraform%'
   AND p0.path NOT LIKE '%rootlesskit%'
   AND p0.path NOT LIKE '/opt/homebrew/%'
+  AND p0.path NOT LIKE '/private/var/folders/%/T/go-build%'
   AND p0.name NOT IN (
     'buildkit',
     'buildkitd',
@@ -90,4 +90,4 @@ WHERE
     'velociraptor',
     'wolfictl'
   )
-  AND p1.name NOT LIKE "%docker%"
+  AND p1.name NOT LIKE "%docker%"

detection/initial_access/unexpected-shell-parent-events.sql

@@ -80,6 +80,7 @@ WHERE
       'at-spi-bus-launcher',
       'bash',
       'build-script-build',
+      'sddm-helper',
       'chainctl',
       'chezmoi',
       'clang-11',
@@ -207,6 +208,7 @@ WHERE
       '/bin/sh -c sysctl hw.model kern.osrelease',
       '/bin/sh /usr/bin/lsb_release -a',
       '/bin/sh /usr/bin/lsb_release -a --short',
+      '/usr/bin/python3 /usr/bin/terminator',
       '/bin/zsh -c ls',
       'sh -c /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild -sdk /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk -find python3 2> /dev/null',
       'sh -c /bin/stty size 2>/dev/null',

detection/initial_access/unexpected-shell-parents.sql

@@ -180,6 +180,7 @@ WHERE
     '/System/Library/Frameworks/Security.framework/authtrampoline',
     '/usr/bin/alacritty',
     '/usr/bin/apt',
+    '/usr/sbin/networksetup',
     '/usr/bin/apt-get',
     '/usr/bin/bash',
     '/usr/bin/bwrap',

detection/persistence/minimal-socket-client-macos.sql

@@ -61,6 +61,7 @@ WHERE
   AND pmm.path LIKE "%.dylib"
   AND exception_key NOT IN (
     '500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden',
+    '500,Evernote,/Applications/Evernote.app/Contents/MacOS/Evernote',
     '500,Skitch,/Applications/Skitch.app/Contents/MacOS/Skitch',
     '500,monday.com,/Applications/monday.com.app/Contents/MacOS/monday.com',
     '500,J8RPQ294UB.com.skitch.SkitchHelper,/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
@@ -83,3 +84,4 @@ GROUP BY
 HAVING
   lib_count IN (1, 2)
   AND libs NOT LIKE '/Applications/%/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib,/usr/lib/libobjc-trampolines.dylib'
+  AND libs NOT LIKE '/usr/lib/libobjc-trampolines.dylib,/Applications/%.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib'

detection/persistence/unexpected-chrome-extensions.sql

@@ -221,6 +221,8 @@ WHERE
     'true,,coLaboratory Notebook,pianggobfjcgeihlmfhfgkfalopndooo',
     'true,,crouton integration,gcpneefbbnfalgjniomfjknbcgkbijom',
     'true,,iCloud Bookmarks,fkepacicchenbjecpbpbclokcabebhah',
+    'true,,Todoist for Gmail,clgenfnodoocmhnlnpknojdbjjnmecff',
+    'true,,Cisco Umbrella Chromebook client (Ext),jcdhmojfecjfmbdpchihbeilohgnbdci',
     'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
     'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
     'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',

detection/persistence/unexpected-listening-port-macos.sql

@@ -144,6 +144,7 @@ WHERE
     '80,6,500,limactl,',
     '8081,6,500,crane,',
     '81,6,500,nginx,',
+    '49152,6,500,qemu-system-aarch64,',
     '8123,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
     '8770,6,500,sharingd,Software Signing',
     '8771,6,500,sharingd,Software Signing',

detection/persistence/yara-suspicious-strings-process-linux.sql

@@ -86,9 +86,12 @@ WHERE
   AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/launcher'
   AND p0.path NOT IN (
     '/bin/fish',
+    '/usr/bin/nvim',
+    '/bin/bash',
     '/usr/bin/sudo',
     '/usr/bin/bash',
     '/usr/bin/containerd-shim-runc-v2',
+    '/usr/libexec/flatpak-system-helper',
     '/bin/containerd-shim-runc-v2',
     '/usr/bin/docker-proxy',
     '/usr/bin/fish',