Merge pull request #466 from tstromberg/fpr-feb26

fpr: podman, docker, iotop, pop-launcher, go, argo, ObjSee

detection/c2/1-unexpected-https-linux.sql

@@ -88,6 +88,7 @@ WHERE
     '0,http,0u,0g,https',
     '0,ir_agent,0u,0g,ir_agent',
     '0,kmod,0u,0g,depmod',
+    '500,argo,500u,500g,argo',
     '0,launcher,0u,0g,launcher',
     '0,launcher,500u,500g,launcher',
     '0,ldconfig,0u,0g,ldconfig',

detection/c2/1-unexpected-talkers-macos.sql

@@ -102,6 +102,7 @@ WHERE
   AND NOT signed_exception IN (
     '0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
     '0,Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
+    '0,Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
     '500,Apple Mac OS Application Signing',
     '500,Developer ID Application: Adguard Software Limited (TC3Q7MAJXF)',
     '500,Developer ID Application: Autodesk (XXKJ396S2Y)',

detection/collection/1-high-disk-bytes-written.sql

@@ -221,6 +221,8 @@ WHERE
   AND p0.path NOT LIKE '/var/kolide-k2/%/osqueryd'
   AND p0.path NOT LIKE "%/terraform-provider-%"
   AND NOT p0.cmdline LIKE '%/gsutil %rsync%'
+  AND NOT p0.cmdline LIKE '%python -m build%'
   AND NOT p0.cmdline LIKE '%/lib/gcloud.py components update'
   AND NOT p0.cmdline LIKE '%brew.rb upgrade'
   AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
+  AND p0.cwd != '/home/build'

detection/discovery/1-unexpected-netutil-calls-linux.sql

@@ -80,14 +80,7 @@ WHERE
   AND pe.time > (strftime('%s', 'now') -300)
   AND NOT (
     pe.euid > 500
-    AND p1_name IN (
-      'bash',
-      'dash',
-      'fish',
-      'nu',
-      'sh',
-      'zsh'
-    )
+    AND p1_name IN ('bash', 'dash', 'fish', 'nu', 'sh', 'zsh')
     AND p2_name IN (
       'alacritty',
       'gnome-terminal-',

detection/discovery/1-unexpected-netutil-calls-macos.sql

@@ -88,13 +88,7 @@ WHERE
   AND pe.status == 0
   AND NOT (
     pe.euid > 500
-    AND p1_name IN (
-      'bash',
-      'dash',
-      'fish',
-      'sh',
-      'zsh'
-    )
+    AND p1_name IN ('bash', 'dash', 'fish', 'sh', 'zsh')
     AND p2_name IN (
       'kitty',
       'login',

detection/evasion/0-touched-executable-linux.sql

@@ -7,59 +7,59 @@
 -- tags: transient process state extra
 -- platform: linux
 SELECT
-    p.pid,
-    p.path,
-    p.name,
-    p.cmdline,
-    p.cgroup_path,
-    p.cwd,
-    p.euid,
-    p.parent,
-    f.ctime,
-    f.btime,
-    f.mtime,
-    p.start_time,
-    pp.path AS parent_path,
-    pp.cmdline AS parent_cmd,
-    pp.cwd AS parent_cwd,
-    hash.sha256 AS sha256
+  p.pid,
+  p.path,
+  p.name,
+  p.cmdline,
+  p.cgroup_path,
+  p.cwd,
+  p.euid,
+  p.parent,
+  f.ctime,
+  f.btime,
+  f.mtime,
+  p.start_time,
+  pp.path AS parent_path,
+  pp.cmdline AS parent_cmd,
+  pp.cwd AS parent_cwd,
+  hash.sha256 AS sha256
 FROM
-    processes p
-    LEFT JOIN file f ON p.path = f.path
-    LEFT JOIN processes pp ON p.parent = pp.pid
-    LEFT JOIN hash ON p.path = hash.path
+  processes p
+  LEFT JOIN file f ON p.path = f.path
+  LEFT JOIN processes pp ON p.parent = pp.pid
+  LEFT JOIN hash ON p.path = hash.path
 WHERE
-    f.ctime = f.mtime
-    AND (strftime ('%s', 'now') - p.start_time) > 25000
-    AND p.path != '/'
-    AND f.path NOT IN (
-        '/opt/Elastic/Endpoint/elastic-endpoint',
-        '/opt/google/endpoint-verification/bin/apihelper',
-        '/opt/resolve/bin/resolve',
-        '/usr/bin/ld.bfd',
-        '/usr/bin/ld',
-        '/usr/bin/ghostty',
-        '/usr/bin/melange',
-        '/var/opt/velociraptor/bin/velociraptor'
-    )
-    AND f.path NOT LIKE '/home/%'
-    AND f.path NOT LIKE '/opt/Elastic/Agent/data/elastic-agent%'
-    AND f.path NOT LIKE '/opt/rapid7/ir_agent/%'
-    AND f.path NOT LIKE '/snap/%'
-    AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
-    AND f.path NOT LIKE '/tmp/%go-build%/exe/%'
-    AND f.path NOT LIKE '/tmp/cargo-install%/%'
-    AND f.path NOT LIKE '/tmp/go-build%'
-    AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
-    AND f.path NOT LIKE '/usr/local/bin/%'
-    AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
-    AND f.path NOT LIKe '/var/home/%'
-    AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/%'
-    AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%/bin/%'
-    AND f.path NOT LIKE '/var/kolide-k2/k2device.kolide.com/updates/%'
-    AND f.path NOT LIKE '/var/opt/Elastic/Endpoint/elastic-endpoint'
-    AND f.path NOT LIKE '%/go/bin/%'
-    AND f.path NOT LIKE '%/osqueryi'
-    AND p.name NOT LIKE 'osqtool%'
+  f.ctime = f.mtime
+  AND (strftime('%s', 'now') - p.start_time) > 25000
+  AND p.path != '/'
+  AND f.path NOT IN (
+    '/opt/Elastic/Endpoint/elastic-endpoint',
+    '/opt/google/endpoint-verification/bin/apihelper',
+    '/opt/resolve/bin/resolve',
+    '/usr/bin/ld.bfd',
+    '/usr/bin/ld',
+    '/usr/bin/ghostty',
+    '/usr/bin/melange',
+    '/var/opt/velociraptor/bin/velociraptor'
+  )
+  AND f.path NOT LIKE '/home/%'
+  AND f.path NOT LIKE '/opt/Elastic/Agent/data/elastic-agent%'
+  AND f.path NOT LIKE '/opt/rapid7/ir_agent/%'
+  AND f.path NOT LIKE '/snap/%'
+  AND f.path NOT LIKE '/tmp/%/.terraform/providers/%'
+  AND f.path NOT LIKE '/tmp/%go-build%/exe/%'
+  AND f.path NOT LIKE '/tmp/cargo-install%/%'
+  AND f.path NOT LIKE '/tmp/go-build%'
+  AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
+  AND f.path NOT LIKE '/usr/local/bin/%'
+  AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
+  AND f.path NOT LIKe '/var/home/%'
+  AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/%'
+  AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%/bin/%'
+  AND f.path NOT LIKE '/var/kolide-k2/k2device.kolide.com/updates/%'
+  AND f.path NOT LIKE '/var/opt/Elastic/Endpoint/elastic-endpoint'
+  AND f.path NOT LIKE '%/go/bin/%'
+  AND f.path NOT LIKE '%/osqueryi'
+  AND p.name NOT LIKE 'osqtool%'
 GROUP by
-    p.pid
+  p.pid

detection/evasion/2-unexpected-user-executables-macos.sql

@@ -60,7 +60,6 @@ WHERE
         OR directory LIKE '/Users/%/Library/.%'
         OR directory LIKE '/Users/%/Library/%'
         OR directory LIKE '/Users/%/Library/%/.%'
-        OR directory LIKE '/Users/%/Library/%/%'
         OR directory LIKE '/Users/%/Photos'
         OR directory LIKE '/Users/%/Photos/.%'
         OR directory LIKE '/Users/%/Photos/%'
@@ -70,7 +69,7 @@ WHERE
         OR directory LIKE '/Users/Shared/.%'
         OR directory LIKE '/Users/Shared/%'
         OR directory LIKE '/var/root/.%'
-        OR directory LIKE '/var/root/%%'
+        OR directory LIKE '/var/root/%'
       )
       AND (
         type = 'regular'
@@ -207,25 +206,15 @@ WHERE
     '~/.config/i3',
     '~/.config/nvm/nvm.sh',
     '~/.config/polybar',
-    '~/Library/Assistant/SiriAnalytics.db',
-    '~/Library/Calendars/Calendar.sqlitedb-wal',
-    '~/Library/Calendars/Calendar.sqlitedb',
-    '~/Library/com.apple.iTunesCloud/play_activity.sqlitedb-wal',
-    '~/Library/Group Containers/group.com.apple.calendar/Calendar.sqlitedb-wal',
-    '~/Library/Group Containers/group.com.apple.calendar/Calendar.sqlitedb',
-    '~/Library/Finance/finance_cloud.db-wal',
-    '~/Library/Finance/finance_cloud.db',
     '~/Library/Group Containers/group.com.docker/unleash-repo-schema-v1-Docker Desktop.json',
-    '~/Library/HTTPStorages/com.apple.AddressBookSourceSync',
-    '~/Library/HTTPStorages/com.apple.AddressBookSourceSync/httpstorages.sqlite-shm',
+    '~/Library/Preferences/Macromedia/Flash Player/www.macromedia.com/bin/airappinstaller/airappinstaller_rsrc',
     '~/Library/Keychains/login.keychain-db',
     '~/Library/Logs/zoom.us/upload_history.txt',
     '~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2'
   )
   AND NOT homepath LIKE '~/Library/%/%.db-wal'
   AND NOT homepath LIKE '~/Library/%/%.db'
-  AND NOT homepath LIKE '~/Library/%/%.sqlite-wal'
-  AND NOT homepath LIKE '~/Library/%/%.sqlite'
+  AND NOT homepath LIKE '~/Library/%/%.sqlite%'
   AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
   AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
   AND NOT f.directory LIKE '/Users/%/.pkg-cache/%'

detection/execution/1-exotic-command-events-linux.sql

@@ -197,13 +197,7 @@ WHERE
   AND NOT p0_cmd LIKE 'modprobe --all%'
   AND NOT p0_cmd LIKE 'modprobe -ab%'
   AND NOT p0_cmd LIKE 'pkill -f cut -c3%'
-  AND NOT p0_name IN (
-    'ar',
-    'cc1',
-    'cc1plus',
-    'cmake',
-    'compile'
-  )
+  AND NOT p0_name IN ('ar', 'cc1', 'cc1plus', 'cmake', 'compile')
   AND NOT exception_key IN (
     'bash,0,bash,containerd-shim-runc-v2',
     'bash,500,ninja,bash',

detection/execution/1-exotic-command-events-macos.sql

@@ -208,11 +208,7 @@ WHERE
   AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'
   AND NOT p0_cmd LIKE 'touch -r . /private/tmp/nix-build%'
   AND NOT p0_cmd LIKE 'touch -r /tmp/KSInstallAction.%'
-  AND NOT p0_name IN (
-    'cc1',
-    'compile',
-    'yara'
-  )
+  AND NOT p0_name IN ('cc1', 'compile', 'yara')
   AND NOT exception_key IN (
     'bash,500,idea,launchd',
     'bat,500,zsh,login',

detection/execution/1-recently-created-executables-long-lived-macos.sql

@@ -145,6 +145,7 @@ WHERE
       OR dir LIKE '~/dev/%'
       OR dir LIKE '~/Downloads/%.app/Contents/MacOS'
       OR dir LIKE '~/git/%'
+      OR dir LIKE '~/Applications/%.app/%'
       OR f.path LIKE '%go-build%'
       OR homepath LIKE '~/%/cloud_sql_proxy'
       OR homepath LIKE '~/%/gopls'

detection/execution/1-unexpected-fetcher-parent-events.sql

@@ -88,13 +88,7 @@ WHERE
   )
   AND NOT (
     pe.euid > 500
-    AND p1_name IN (
-      'bash',
-      'dash',
-      'fish',
-      'sh',
-      'zsh'
-    )
+    AND p1_name IN ('bash', 'dash', 'fish', 'sh', 'zsh')
     AND p2_name IN (
       'alacritty',
       'gnome-terminal-',

detection/execution/2-unexpected-long-running-security-framework-macos.sql

@@ -107,7 +107,8 @@ WHERE -- Focus on longer-running programs
   AND NOT exception_key LIKE '500,terraform-provider-%,a.out,'
   AND NOT exception_key LIKE '500,___%go_build_%,a.out,'
   AND NOT exception_key LIKE '500,___2go_build_main_go,a.out,'
-  AND NOT exception_key LIKE '500,___Test%.test,a.out'
+  AND NOT exception_key LIKE '500,___Test%.test,a.out,'
+  AND NOT exception_key LIKE '500,___%__go_1_%,a.out,'
   AND NOT exception_key LIKE '500,lifx-streamdeck,lifx-streamdeck-%'
   AND NOT exception_key LIKE '500,marksman-macos,marksman-%,'
   AND NOT exception_key LIKE '500,nvim,bob-%,'

detection/exfil/3-yara-unexpected-rust-http-exec-process.sql

@@ -100,5 +100,6 @@ WHERE
   AND p0.path NOT IN (
     '/Applications/safeqclient.app/Contents/MacOS/safeqclient',
     '/Applications/Zed.app/Contents/MacOS/Zed',
+    '/usr/bin/pop-launcher',
     '/Library/safeqclientcore/bin/safeqclientcore'
   )

detection/initial_access/2-sketchy-download-name.sql

@@ -23,12 +23,7 @@ FROM
 WHERE
   file.path LIKE "/Users/%/Downloads/%"
   -- Frequently targetted extension for InfoStealer attacks
-  AND extension IN (
-    'dmg',
-    'exe',
-    'pkg',
-    'rar'
-  )
+  AND extension IN ('dmg', 'exe', 'pkg', 'rar')
   AND (
     file.filename LIKE "%.app%"
     OR file.filename LIKE "%Adobe Photoshop%"

detection/persistence/2-minimal-socket-client-linux.sql

@@ -72,9 +72,7 @@ WHERE
     pos.local_address = "127.0.0.1"
     AND pos.remote_address = "127.0.0.1"
   )
-  AND NOT proc_cgroup in (
-    '/system.slice/snapd.service'
-  )
+  AND NOT proc_cgroup in ('/system.slice/snapd.service')
 GROUP BY
   pos.pid -- libc.so, ld-linux
 HAVING

detection/persistence/2-unexpected-listening-port-macos.sql

@@ -97,6 +97,7 @@ WHERE
     '49152,6,500,Music,Software Signing',
     '49152,6,500,OmniFocus,Apple Mac OS Application Signing',
     '49152,6,500,barrier',
+    '22,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
     '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
     '443,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
     '49152,6,500,git-daemon,',
@@ -111,7 +112,6 @@ WHERE
     '5000,6,500,ControlCenter,Software Signing',
     '5001,6,500,Record It,Apple Mac OS Application Signing',
     '5001,6,500,crane,',
-    '5001,6,500,gvproxy,',
     '5060,6,500,CommCenter,Software Signing',
     '53,17,500,dnsmasq,',
     '53,17,500,server,',
@@ -231,6 +231,7 @@ WHERE
         'crane',
         'crc',
         'docker-proxy',
+        'gvproxy',
         'hugo',
         'kubectl',
         'node',

detection/persistence/2-unexpected-uid0-daemon-linux.sql

@@ -93,6 +93,7 @@ WHERE
     'agetty,/usr/sbin/agetty,0,system.slice,system-serial\x2dgetty.slice,0755',
     'alsactl,/usr/sbin/alsactl,0,system.slice,alsa-state.service,0755',
     'anacron,/usr/bin/anacron,0,system.slice,cronie.service,0755',
+    'iotop,/usr/sbin/iotop-c,0,user.slice,user-1000.slice,0755',
     'anacron,/usr/sbin/anacron,0,system.slice,anacron.service,0755',
     'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
     'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',

incident_response/unified_log_macos.sql

@@ -4,8 +4,13 @@
 -- platform: darwin
 -- interval: 1800
 SELECT
-  timestamp, pid, process, category, subsystem, message
+  timestamp,
+  pid,
+  process,
+  category,
+  subsystem,
+  message
 FROM
   unified_log
 WHERE
- timestamp > (strftime('%s', 'now') - 1800)
+  timestamp > (strftime('%s', 'now') - 1800)