Merge pull request #442 from tstromberg/fpr9

fpr: docker, nix, macOS, evernote, writerside, newgrp, roon, etc
chainguard-dev · Jan 8, 2025 · 5bed25b · 5bed25b
2 parents 26cccf9 + d589b98
commit 5bed25b
Show file tree

Hide file tree

Showing 13 changed files with 31 additions and 14 deletions.
diff --git a/detection/c2/unexpected-dns-traffic.sql b/detection/c2/unexpected-dns-traffic.sql
@@ -88,6 +88,7 @@ WHERE
   -- Local DNS servers and custom clients go here
   AND p.path NOT IN (
     '/Applications/Evernote.app/Contents/MacOS/Evernote',
+    '/Applications/Evernote.app/Contents/Frameworks/Evernote Helper.app/Contents/MacOS/Evernote Helper',
     '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
     '/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper',
     '/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS/IPNExtension',

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
@@ -126,6 +126,7 @@ WHERE
     '500,0,0,gvproxy,gvproxy',
     '500,0,0,Python,Python',
     '500,6,0,gvproxy,gvproxy',
+    '500,6,5223,apsd,apsd',
     '500,6,80,chainlink,chainlink',
     '500,17,53,gvproxy,gvproxy',
     '500,17,53,gvproxy,gvproxy',

diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
@@ -75,6 +75,7 @@ WHERE
   AND NOT homepath LIKE '~/%x86_64%'
   AND NOT top3_dir LIKE '~/.%/extensions'
   AND NOT top2_dir IN (
+    '/nix/store/.links',
     '~/.cursor',
     '~/.dropbox-dist',
     '~/.fzf',

diff --git a/detection/evasion/unexpected-kernel-extensions-macos.sql b/detection/evasion/unexpected-kernel-extensions-macos.sql
@@ -6,18 +6,18 @@
 -- platform: darwin
 -- tags: persistent seldom kernel
 SELECT
-  linked_against,
-  name,
-  path,
-  size,
-  version,
+  k.linked_against,
+  k.name,
+  k.path,
+  k.size,
+  k.version,
   hash.sha256,
-  path || ',' || name || ',' || version || ',' || linked_against AS exception_key
+  k.path || ',' || k.name || ',' || k.version || ',' || k.linked_against AS exception_key
 FROM
-  kernel_extensions
-  LEFT JOIN hash ON kernel_extensions.path = hash.path
+  kernel_extensions AS k
+  LEFT JOIN hash ON k.path = hash.path
 WHERE
-  path NOT LIKE '/System/Library/Extensions/%'
+  k.path NOT LIKE '/System/Library/Extensions/%'
   AND NOT (
     idx = 0
     AND name = '__kernel__'

diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
@@ -87,7 +87,10 @@ WHERE
     OR REGEX_MATCH (pname, "^(\d\d)", 1) != ""
     OR (
       REGEX_MATCH (pname, "^(\W)", 1) != ""
-      AND p0.path NOT LIKE "/nix/store/%/.%-wrapped"
+      AND NOT (
+        p0.path LIKE "/nix/store/%/.%-wrapped"
+        OR p0.path LIKE "/etc/profiles-per-user/%"
+      )
     )
     OR (
       REGEX_MATCH (pname, "(\W)$", 1) != ""
@@ -110,7 +113,8 @@ WHERE
     'EncryptMe',
     'dynamiclinkmanager',
     'launchd_startx',
-    'usercontextservice'
+    'usercontextservice',
+    'at.obdev.littlesnitchmini.networkextension'
   )
   -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
   AND NOT pname LIKE '___1Test%'

diff --git a/detection/execution/unexpected-env-values-linux.sql b/detection/execution/unexpected-env-values-linux.sql
@@ -61,7 +61,8 @@ WHERE -- This time should match the interval
       'libfakeroot.so',
       '/usr/local/lib/libmimalloc.so',
       '/opt/splunkforwarder/lib/libdlwrapper.so',
-      '/usr/lib/libjemalloc.so'
+      '/usr/lib/libjemalloc.so',
+      '/usr/lib/libsnmallocshim.so'
     )
     AND NOT pe.value LIKE ':/home/%/.local/share/Steam'
     AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'

diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
@@ -125,6 +125,7 @@ WHERE
     '~/Parallels/',
     '~/proj/',
     '~/projects/',
+    '~/Projects/',
     '~/.provisio/',
     '~/.pulumi/',
     '~/.pyenv/',

diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -69,6 +69,7 @@ WHERE -- Focus on longer-running programs
       AND NOT path LIKE '/nix/store/%'
       AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
       AND NOT path LIKE '/Users/%/Library/Application Support/Zed/supermaven/%'
+      AND NOT path LIKE '/Users/%/Library/Application Support/Zed/extensions/%'
       AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
       AND NOT path LIKE '/Users/%/.terraform/providers/%'
       AND NOT REGEX_MATCH (path, '(.*)/', 1) LIKE '%/bin'

diff --git a/detection/initial_access/sketchy-mounted-diskimage.sql b/detection/initial_access/sketchy-mounted-diskimage.sql
@@ -145,6 +145,7 @@ WHERE
         "Developer ID Application: Logitech Inc. (QED4VVPZWA)",
         "Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
         "Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)",
+        "Developer ID Application: Roblox Corporation (2CFABCH843)",
         "Developer ID Application: VideoLAN (75GAHG3SZQ)"
       )
     ) --   6. Volumes containing a hidden top-level folder or binary, such as yWnBJLaF (1302.app)

diff --git a/detection/persistence/unexpected-launchd-program-macos.sql b/detection/persistence/unexpected-launchd-program-macos.sql
@@ -84,7 +84,7 @@ WHERE
     l.path = '/Library/LaunchDaemons/com.docker.vmnetd.plist'
     AND program_identifier = 'com.docker.vmnetd'
     AND program_authority = NULL
-    AND program = ' /Library/PrivilegedHelperTools/com.docker.vmnetd'
+    AND program = '/Library/PrivilegedHelperTools/com.docker.vmnetd'
   )
 GROUP BY
   l.path
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
@@ -56,7 +56,7 @@ WHERE
     AND lp.protocol = 6
   )
   -- Filter out unmapped raw sockets
-  AND NOT (p.pid == '')
+  AND NOT p.pid = ''
   -- Exceptions: the uid is capped at 500 to represent regular users versus system users
   -- port is capped at 32768 to represent transient ports
   AND NOT CONCAT (
@@ -113,6 +113,7 @@ WHERE
     '32768,6,500,java',
     '32768,6,500,jetbrains-toolb',
     '32768,6,500,spotify',
+    '32768,6,500,writerside',
     '3551,6,0,apcupsd',
     '4143,6,500,linkerd2-proxy',
     '4191,6,500,linkerd2-proxy',

diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
@@ -53,6 +53,10 @@ WHERE
   -- port is capped at 49152 to represent transient ports
   AND NOT exception_key IN (
     '10011,6,0,launchd,Software Signing',
+    '443,6,500,ssh,Software Signing',
+    '80,6,500,ssh,Software Signing',
+    '9200,6,500,RAATServer,Developer ID Application: Roon Labs LLC (WU8DGC424P)',
+    '24513,6,500,LogiPluginService,Developer ID Application: Loupedeck Oy (M24R8BN5BK)',
     '10011,6,0,webfilterproxyd,Software Signing',
     '1024,6,0,systemmigrationd,Software Signing',
     '10250,6,500,OrbStack Helper,Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)',

diff --git a/detection/privesc/unexpected-setxid-process.sql b/detection/privesc/unexpected-setxid-process.sql
@@ -41,6 +41,7 @@ WHERE
     '/usr/bin/crontab',
     '/usr/bin/fusermount',
     '/usr/bin/fusermount3',
+    '/usr/bin/newgrp',
     '/usr/bin/schroot',
     '/usr/bin/keybase-redirector',
     '/usr/bin/login',