diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index f9e6ca08..6e0e3eb2 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -152,6 +152,7 @@ WHERE
 'io.tailscale.ipn.macsys.network-extension',
 'IPNExtension',
 'Jabra Direct Helper',
+ 'java',
 'limactl',
 'mDNSResponder',
 'melange',
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 771f9c5b..6c7ea014 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -101,7 +101,6 @@ WHERE
 '0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
 '0,Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
 '500,Apple Mac OS Application Signing',
- '500,Software Signing',
 '500,Developer ID Application: Autodesk (XXKJ396S2Y)',
 '500,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
 '500,Developer ID Application: Cisco (DE8Y96K9QP)',
@@ -109,12 +108,14 @@ WHERE
 '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
 '500,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
 '500,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
+ '500,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
 '500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
 '500,Developer ID Application: Spotify (2FNC3A47ZF)',
 '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)',
 '500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
 '500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
- '500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
+ '500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)',
+ '500,Software Signing'
 )
 AND NOT (
 unsigned_exception = '500,6,80,main,main'
diff --git a/detection/credentials/unexpected-dev-opener-macos.sql b/detection/credentials/unexpected-dev-opener-macos.sql
index d4332b95..cd4e6f2f 100644
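Review bot: The new `'java'` entry in unexpected-dns-traffic-events.sql is a bare process-name allowlist hit, so every JVM process — not just the tool that prompted the change — is now excluded from unexpected-DNS alerting, and the hunk gives no rationale. If the query carries a path, signer or parent column (the rest of the WHERE clause is outside this hunk), consider keying the exception on that instead; otherwise record the reason and the accepted gap next to the entry, e.g. `'java', -- broad: every JVM matches; see <ticket placeholder>`. The enclosing IN list starts before the hunk and continues after it.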
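Review bot: The added `'500,Developer ID Application: Oracle America, Inc. (VB5E2TV963)'` in unexpected-talkers-macos.sql exempts every uid-500 process carrying Oracle's Developer ID signature from the unexpected-talkers check, and nothing in the hunk says which product needed it. Presumably it pairs with the `'java'` addition in unexpected-dns-traffic-events.sql in this same commit (a JDK install), but that should be written down so the entry can be retired later; a trailing `-- Oracle: JDK/JRE (confirm)` would do. Moving `'500,Software Signing'` to the end of the list (previous hunk) only restores alphabetical order and needs no change. The enclosing IN list starts before the hunk.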
--- a/detection/credentials/unexpected-dev-opener-macos.sql
+++ b/detection/credentials/unexpected-dev-opener-macos.sql
@@ -135,5 +135,7 @@ WHERE
 '/dev/xcpm,systemstats,Software Signing,com.apple.systemstats',
 '/dev/xcpm,thermald,Software Signing,com.apple.thermald'
 )
+ -- Keyboard flashing
+ AND NOT exception_key LIKE '/dev/cu.usbmodem%,Google Chrome,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome'
 GROUP BY
 pof.pid
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index d3f563bc..7ef3732b 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -173,6 +173,7 @@ WHERE
 OR dir LIKE '%/.build'
 OR dir LIKE '%/.cache/melange%'
 OR dir LIKE '%/.cargo/%'
+ OR dir LIKE '%/.cargo-arm64%'
 OR dir LIKE '~/code/%'
 OR dir LIKE '~/%/.config/nvim'
 OR dir LIKE '~/dev/%/dots/%/.config%'
diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql
index 1fcc0a5c..d92a775b 100644
--- a/detection/evasion/unexpected-process-extension-linux.sql
+++ b/detection/evasion/unexpected-process-extension-linux.sql
@@ -46,6 +46,7 @@ FROM
 WHERE
 extension IS NOT NULL
 AND extension NOT IN (
+ '0',
 '1',
 '2',
 '3',
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
index 8a7a14b7..5f64be4d 100644
--- a/detection/evasion/unusual-process-name-macos.sql
+++ b/detection/evasion/unusual-process-name-macos.sql
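Review bot: In unexpected-dev-opener-macos.sql the new `exception_key LIKE '/dev/cu.usbmodem%,Google Chrome,...'` lets any Google-signed Chrome open any `/dev/cu.usbmodem*` device, and the `-- Keyboard flashing` comment does not say what workflow drives that access, so a later reader cannot tell whether the exception is still needed. Note also that `%` matches across commas, so the device field is effectively unbounded; if the key's field order is fixed that is harmless, but worth stating. Suggest expanding the comment, e.g. `-- Keyboard flashing: Chrome-based firmware flasher over /dev/cu.usbmodem* (Web Serial/WebUSB; confirm)`. The enclosing WHERE clause starts before the hunk.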
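Review bot: In hidden-cwd.sql the new `OR dir LIKE '%/.cargo-arm64%'` is looser than the `'%/.cargo/%'` pattern beside it: the trailing `%` with no slash also exempts any hidden directory whose name merely begins with `.cargo-arm64` (`.cargo-arm64-foo`, `.cargo-arm64.bak`, …), so a cwd that only resembles the cargo directory is silenced too. Mirror the sibling, and add the exact-match form only if the directory itself must be exempt: `OR dir LIKE '%/.cargo-arm64'` and `OR dir LIKE '%/.cargo-arm64/%'`. The OR chain begins before the hunk and continues after it.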
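Review bot: In unexpected-process-extension-linux.sql the added `'0'` has no comment explaining what a process with a `.0` "extension" is, and neither do the existing `'1'`, `'2'`, `'3'` entries it joins. Presumably these are versioned process names rather than file types; a one-line comment above the numeric run, e.g. `-- numeric suffixes: versioned binaries such as <name>.0 (confirm)`, would keep the allowlist reviewable. The NOT IN list continues past the end of the hunk.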
@@ -99,22 +99,23 @@ WHERE
 AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
 )
 AND NOT pname IN (
+ 'at.obdev.littlesnitch.endpointsecurity',
+ 'at.obdev.littlesnitchmini.networkextension',
+ 'at.obdev.littlesnitch.networkextension',
 'BetterTouchToolAppleScriptRunner',
 'BetterTouchToolAppleScriptRunner3',
 'BetterTouchToolShellScriptRunner',
- 'EcammLiveVideoOutAssistantXPCHelper',
- 'ThingsWidgetExtensionMacAppStore',
- 'TwitterNotificationServiceExtension',
- 'at.obdev.littlesnitch.endpointsecurity',
- 'at.obdev.littlesnitch.networkextension',
 'com.microsoft.teams2.notificationcenter',
 'cpu',
- 'xdg-open',
- 'EncryptMe',
 'dynamiclinkmanager',
+ 'dynamiclinkmediaserver',
+ 'EcammLiveVideoOutAssistantXPCHelper',
+ 'EncryptMe',
 'launchd_startx',
+ 'ThingsWidgetExtensionMacAppStore',
+ 'TwitterNotificationServiceExtension',
 'usercontextservice',
- 'at.obdev.littlesnitchmini.networkextension'
+ 'xdg-open'
 )
 -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
 AND NOT pname LIKE '___1Test%'
diff --git a/detection/execution/unexpected-chmod-exec-event-linux.sql b/detection/execution/unexpected-chmod-exec-event-linux.sql
index 05629acc..4dc8dd9e 100644
--- a/detection/execution/unexpected-chmod-exec-event-linux.sql
+++ b/detection/execution/unexpected-chmod-exec-event-linux.sql
@@ -124,5 +124,6 @@ WHERE
 AND p1_cgroup NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
 AND p2_cgroup NOT LIKE '/system.slice/docker-%'
 AND p2_cgroup NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
+ AND NOT exception_key IN ('chmod,500,bash,gnome-terminal-server')
 GROUP BY
 p0_pid
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
index b0e24e45..23269d8b 100644
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
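Review bot: In unusual-process-name-macos.sql the one substantive addition, `'dynamiclinkmediaserver'`, is buried inside a re-sort of the list and carries no rationale, so it is easy to miss in review and hard to justify later. Presumably it is the Adobe Dynamic Link helper that ships alongside the existing `'dynamiclinkmanager'`; a trailing `-- Adobe Dynamic Link (confirm)` on that pair would record it. The rest of the hunk only reorders entries into case-insensitive alphabetical order. The IN list is fully visible here, but the WHERE clause it belongs to starts before the hunk.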
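Review bot: In unexpected-chmod-exec-event-linux.sql, `AND NOT exception_key IN ('chmod,500,bash,gnome-terminal-server')` silences every `chmod` run by uid 500 from a bash under gnome-terminal-server — the ordinary interactive path this rule exists to catch (a user marking a downloaded file executable) — so this is a detection gap rather than a narrow false-positive fix. If the noise comes from one workflow, key the exception on that (a path or argument pattern) instead; if the gap is accepted, say so in place: `-- accepted gap: interactive chmod from a desktop terminal; see <ticket placeholder>`. Stylistically, a single-value `IN (...)` reads better as `AND exception_key != 'chmod,500,bash,gnome-terminal-server'`, in line with the `NOT LIKE` comparisons beside it. The WHERE clause starts before the hunk.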
@@ -75,16 +75,17 @@ WHERE
 'atuin',
 'cargo',
 'Cody',
- 'i3status-rs',
 'deno',
 'DevPod',
 'fig-darwin-universal',
 'figma_agent',
+ 'i3status-rs',
 'i3status-rust',
 'nvim',
 'old',
 'OrbStack Helper',
 'rpm-ostree',
+ 'rustc',
 'sg-nvim-agent',
 'sm-agent',
 'stable',
diff --git a/detection/initial_access/unexpected-webmail-downloads.sql b/detection/initial_access/unexpected-webmail-downloads.sql
index fb336580..875596cf 100644
--- a/detection/initial_access/unexpected-webmail-downloads.sql
+++ b/detection/initial_access/unexpected-webmail-downloads.sql
@@ -49,6 +49,7 @@ WHERE
 'jpg',
 'json',
 'key',
+ 'loaded_1',
 'md',
 'mov',
 'mp3',
@@ -80,7 +81,7 @@ WHERE
 'xlsm',
 'xlsx',
 'xml',
- 'yml',
 'yaml',
+ 'yml',
 'zip'
 )
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
index 63cc19f8..5dcbd1c8 100644
--- a/detection/persistence/unexpected-listening-port-linux.sql
+++ b/detection/persistence/unexpected-listening-port-linux.sql
@@ -169,6 +169,7 @@ WHERE
 '6443,6,0,kube-apiserver',
 '6443,6,500,kube-apiserver',
 '67,17,114,dnsmasq',
+ '1601,6,500,rsyslogd',
 '67,17,130,dnsmasq',
 '67,17,500,dnsmasq',
 '68,17,0,dhclient',
@@ -240,5 +241,6 @@ WHERE
 AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
 AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
 AND NOT p.cgroup_path LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-%'
+ AND NOT p1_cmd LIKE 'bwrap --bind%'
 GROUP BY
 exception_key
diff --git a/detection/privesc/unexpected-setxid-process.sql b/detection/privesc/unexpected-setxid-process.sql
index 9af7d45e..db4e3ec7 100644
--- a/detection/privesc/unexpected-setxid-process.sql
+++ b/detection/privesc/unexpected-setxid-process.sql
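Review bot: In yara-unexpected-rust-http-exec-process.sql the new `'rustc'` entry matches on bare process name like the rest of the list, and the hunk does not say why the compiler trips a YARA rule for Rust HTTP-plus-exec code; the toolchain binary embedding the same std strings is a plausible reason, but that is a guess. Add a short comment so the entry can be revisited when the signature changes, e.g. `'rustc', -- toolchain binary; hits the signature strings (confirm)`. The `'i3status-rs'` move only fixes ordering. The IN list starts before the hunk and continues after it.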
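Review bot: In unexpected-webmail-downloads.sql, `'loaded_1'` is not a file extension, so allowlisting it in the download-extension list is surprising and unexplained; a file named `something.loaded_1` is presumably a transient artifact of some client, but the entry will silently exempt any download that ends that way. Name the producer in a comment, e.g. `'loaded_1', -- produced by <application placeholder> (confirm)`, or, if it is a transient rename, consider whether the download should be matched on its final name instead. The second hunk (`yml`/`yaml`) is an ordering fix only. The IN list begins before the first hunk.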
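Review bot: In unexpected-listening-port-linux.sql the new `'1601,6,500,rsyslogd'` is inserted between the `67,17,...,dnsmasq` entries, breaking the list's string ordering by port and making stale or duplicate entries harder to spot; as a string `'1601'` sorts before `'6443'`, so it belongs above that group. An rsyslogd listener on 1601 for uid 500 is also unusual enough to deserve a trailing comment naming the setup that produces it. The IN list starts before the hunk and continues after it.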
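Review bot: In the second unexpected-listening-port-linux.sql hunk, `AND NOT p1_cmd LIKE 'bwrap --bind%'` exempts any listening socket whose parent command line begins with `bwrap --bind`, regardless of port, user or binary; unlike the `p.cgroup_path` exceptions beside it, a parent command-line prefix describes how a process was launched rather than what it is, so it is a weak key for a persistence rule. If the intent is Flatpak sandboxes, prefer the cgroup those land in (something like `AND NOT p.cgroup_path LIKE '%/app-flatpak-%'`, pattern illustrative — confirm on the hosts) or combine the bwrap test with the expected port and user, and add a comment naming the application that needs it. The WHERE clause starts before the hunk.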
@@ -62,6 +62,7 @@ WHERE
 '/usr/sbin/traceroute',
 '/usr/bin/bwrap'
 )
+ AND f.filename != 'chrome-sandbox'
 AND f.path NOT LIKE '/Users/%/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
 AND f.path NOT LIKE '/opt/homebrew/Cellar/dnsmasq/%/sbin/dnsmasq'
 AND f.path NOT LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
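Review bot: `AND f.filename != 'chrome-sandbox'` exempts a setuid binary by bare filename anywhere on disk, whereas the neighbouring exceptions in unexpected-setxid-process.sql anchor on `f.path`; a setuid file by that name outside the expected install directories would now be ignored. Scope it to where the Chromium/Electron helper actually lives on your hosts, e.g. `AND f.path NOT LIKE '/opt/%/chrome-sandbox'` and `AND f.path NOT LIKE '/usr/lib/%/chrome-sandbox'` (directories illustrative; confirm), and drop the filename test. The WHERE clause starts before the hunk and continues after it.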