Merge pull request #342 from tstromberg/fpr-jan5

fpr: Elastic Defend, Rapid7 InsightIDR & others

detection/c2/unexpected-https-linux.sql

@@ -60,14 +60,18 @@ WHERE
     '0,.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '0,apk,u,g,apk',
     '0,applydeltarpm,0u,0g,applydeltarpm',
+    '0,elastic-endpoint,0u,0g,elastic-endpoin',
     '0,bash,0u,0g,bash',
+    '0,filebeat,0u,0g,filebeat',
     '0,bash,0u,0g,mkinitcpio',
     '0,bash,0u,0g,sh',
     '0,chainctl,0u,0g,chainctl',
     '0,cmake,u,g,cmake',
     '0,containerd,u,g,containerd',
     '0,dirmngr,0u,0g,dirmngr',
     '0,dockerd,0u,0g,dockerd',
+    '0,elastic-agent,0u,0g,elastic-agent',
+    '0,metricbeat,0u,0g,metricbeat',
     '0,flatpak-system-helper,0u,0g,flatpak-system-',
     '0,git-remote-http,0u,0g,git-remote-http',
     '0,go,0u,0g,go',

detection/c2/unexpected-https-macos.sql

@@ -112,56 +112,62 @@ WHERE
     '0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
     '0,com.fortinet.forticlient.macos.vpn.nwextension,com.fortinet.forticlient.macos.vpn.nwextension,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),com.fortinet.forticlient.macos.vpn.nwextension',
     '0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
+    '0,elastic-agent,elastic-agent,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.elastic-agent',
+    '0,elastic-endpoint,elastic-endpoint,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.endpoint',
+    '0,filebeat,filebeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),filebeat',
+    '0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
+    '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),ir_agent',
     '0,kandji-daemon,kandji-daemon,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-daemon',
     '0,kandji-library-manager,kandji-library-manager,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-library-manager',
     '0,kandji-parameter-agent,kandji-parameter-agent,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-parameter-agent',
     '0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
     '0,logioptionsplus_installer,logioptionsplus_installer,Developer ID Application: Logitech Inc. (QED4VVPZWA),com.logi.optionsplus.installer',
+    '0,metricbeat,metricbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),metricbeat',
     '0,multipassd,multipassd,Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.multipassd',
     '0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U),nessusd',
     '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
-    '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
-    '500,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
     '500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
     '500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
     '500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
     '500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642),Ecamm Live Stream Deck Plugin',
     '500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
     '500,Elgato Capture Device Utility,Elgato Capture Device Utility,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.CaptureDeviceUtility',
     '500,Fleet,~/Library/Caches/JetBrains/Fleet',
+    '500,GitX,GitX,Developer ID Application: Farhan Ahmed (4RZN52RN5P),net.phere.GitX',
+    '500,Google Chrome Helper,Google Chrome Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
     '500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer',
     '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
     '500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
     '500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
     '500,OneDriveStandaloneUpdater,OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.OneDriveStandaloneUpdater',
+    '500,PSI Bridge Secure Browser Helper,PSI Bridge Secure Browser Helper,Developer ID Application: PSI Services LLC (73AT498HPV),com.psiexams.psi-bridge-secure-browser.helper',
     '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
+    '500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop',
     '500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
+    '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
     '500,Reflect Helper,Reflect Helper,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
     '500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
+    '500,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
+    '500,Slack Helper,Slack Helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
+    '500,Slack,Slack,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap',
     '500,SteelSeriesEngine,SteelSeriesEngine,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesEngine',
     '500,SteelSeriesGG,SteelSeriesGG,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesGG',
-    '500,GitX,GitX,Developer ID Application: Farhan Ahmed (4RZN52RN5P),net.phere.GitX',
     '500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
     '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),TwitchStudioStreamDeck',
     '500,bash,bash,,bash',
-    '500,Google Chrome Helper,Google Chrome Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
-    '500,Slack Helper,Slack Helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
-    '500,Slack,Slack,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap',
-    '0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
     '500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
     '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
     '500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
-    '500,PSI Bridge Secure Browser Helper,PSI Bridge Secure Browser Helper,Developer ID Application: PSI Services LLC (73AT498HPV),com.psiexams.psi-bridge-secure-browser.helper',
     '500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
-    '500,plugin_host-3.3,plugin_host-3.3,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4),plugin_host-3',
     '500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
     '500,melange,melange,,a.out',
     '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
     '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64',
     '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
     '500,old,old,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN),dev.warp.Warp-Stable',
     '500,op,op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C),com.1password.op',
+    '500,plugin_host-3.3,plugin_host-3.3,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4),plugin_host-3',
     '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
     '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
     '500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',

detection/c2/unexpected-talker-events.sql

@@ -165,6 +165,7 @@ WHERE
     '500,0,53,launcher',
     '500,0,53,nessusd',
     '500,0,53,NetworkManager',
+    '500,99,32768,Slack',
     '500,0,53,slack',
     '500,0,53,spotify',
     '500,500,32768,G2MUpdate',

detection/credentials/unexpected-dev-opener-macos.sql

@@ -75,8 +75,9 @@ WHERE
   AND p0.path NOT LIKE '/usr/sbin/%'
   AND exception_key NOT IN (
     '/dev/afsc_type,revisiond,Software Signing,com.apple.revisiond',
-    '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
+    '/dev/auditpipe,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),ir_agent',
     '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),io.osquery.agent',
+    '/dev/auditpipe,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF),osqueryd',
     '/dev/auditsessions,GSSCred,Software Signing,com.apple.GSSCred',
     '/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',
     '/dev/auditsessions,authd,Software Signing,com.apple.authd',

detection/discovery/unexpected-pcap-user-macos.sql

@@ -66,7 +66,8 @@ WHERE
     'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
     'Apple Mac OS Application Signing',
     'Developer ID Application: Kolide Inc (YZ3EM74M78)',
-    'Developer ID Application: Docker Inc (9BNSXJN65R)'
+    'Developer ID Application: Docker Inc (9BNSXJN65R)',
+    'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)'
   )
 GROUP BY
   p0.pid

detection/evasion/empty_root_environ_linux.sql

@@ -56,6 +56,7 @@ WHERE
     'sshd',
     'sudo',
     'systemd',
+    'elastic-agent',
     'systemd-udevd',
     'systemd-userdbd',
     'systemd-userwor',

detection/evasion/hidden-executable.sql

@@ -59,6 +59,7 @@ WHERE
   AND NOT f.directory LIKE '%/.go/bin'
   AND NOT f.directory LIKE '%/.rustup/%'
   AND NOT f.directory LIKE '%/.terraform%'
+  AND NOT f.directory LIKE '%/.steampipe/db/%'
   AND NOT f.directory LIKE '%/.docker/cli-plugins'
   AND NOT f.directory LIKE '%/.cursor/%'
   AND NOT f.directory LIKE '%/.tflint.d/%'

detection/evasion/old-binaries-running.sql

@@ -46,6 +46,7 @@ WHERE
     '/Library/Application Support/Logitech/com.logitech.vc.LogiVCCoreService/LogiVCCoreService.app/Contents/MacOS/LogiVCCoreService',
     '/Library/Printers/Brother/Utilities/BrStatusMonitor.app/Contents/MacOS/BrStatusMonitor',
     '/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver',
+    '/Applications/Vimari.app/Contents/PlugIns/Vimari Extension.appex/Contents/MacOS/Vimari Extension',
     '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS/NETserver',
     '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS/USBAppControl',
     '/Library/Printers/Brother/Utilities/Server/USBserver.app/Contents/MacOS/USBserver',

detection/evasion/parent-missing-from-disk-macos.sql

@@ -73,6 +73,7 @@ WHERE
       AND pp.path NOT IN (
         "",
         "/sbin/launchd",
+        '/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper',
         "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)",
         "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper"
       )

detection/evasion/touched-executable-linux.sql

@@ -32,6 +32,7 @@ WHERE
   AND p.path != '/'
   AND f.path NOT IN (
     '/opt/google/endpoint-verification/bin/apihelper',
+    '/opt/Elastic/Endpoint/elastic-endpoint',
     '/usr/bin/melange'
   )
   AND f.path NOT LIKE '/home/%'

detection/evasion/unexpected-hidden-system-paths.sql

@@ -62,6 +62,7 @@ WHERE
   AND file.path NOT IN (
     '/.VolumeIcon.icns',
     '/.autorelabel',
+    '/.equarantine/',
     '/.file',
     '/.lesshst',
     '/.mozilla/',

detection/evasion/unexpected-var-run-macos.sql

@@ -62,5 +62,6 @@ WHERE
     'utmpx',
     'wifi'
   )
+  AND NOT file.filename LIKE '%.pid'
 GROUP BY
   file.path;

detection/execution/unexpected-execdir-events-macos.sql

@@ -155,6 +155,7 @@ WHERE
     '/Volumes/Slack/Slack.app',
     '/opt/homebrew/Caskroom',
     '/opt/homebrew/Cellar',
+    '/Library/Elastic/Agent',
     '/opt/homebrew/Library',
     '/private/var/kolide-k2',
     '/usr/libexec/AssetCache',

detection/execution/unexpected-executable-permissions.sql

@@ -50,6 +50,7 @@ WHERE
     '0544',
     '0555',
     '0711',
+    '0750',
     '0755',
     '0775',
     '0744',
@@ -115,3 +116,7 @@ WHERE
     f.path LIKE '/Users/%/Library/Application Support/com.raycast.macos/NodeJS/runtime/%/bin/node'
     AND f.mode = '0754'
   )
+  AND NOT (
+    f.path LIKE '/opt/Elastic/Agent/data/elastic-agent%/elastic-agent'
+    AND f.mode = '0770'
+  )