diff --git a/detection/c2/1-unexpected-https-linux.sql b/detection/c2/1-unexpected-https-linux.sql
index b135589c..630be878 100644
--- a/detection/c2/1-unexpected-https-linux.sql
+++ b/detection/c2/1-unexpected-https-linux.sql
@@ -66,7 +66,6 @@ WHERE
 '0,apk,u,g,apk',
 '0,applydeltarpm,0u,0g,applydeltarpm',
 '0,bash,0u,0g,bash',
- '0,multipassd,0u,0g,multipassd',
 '0,bash,0u,0g,mkinitcpio',
 '0,bash,0u,0g,sh',
 '0,canonical-livepatchd,0u,0g,canonical-livep',
@@ -86,7 +85,6 @@ WHERE
 '0,go,0u,0g,go',
 '0,gtk4-update-icon-cache,0u,0g,gtk-update-icon',
 '0,http,0u,0g,https',
- '500,firefox-bin,0u,0g,firefox-bin',
 '0,ir_agent,0u,0g,ir_agent',
 '0,kmod,0u,0g,depmod',
 '0,launcher,0u,0g,launcher',
@@ -95,6 +93,7 @@ WHERE
 '0,make,0u,0g,make',
 '0,melange,500u,500g,melange',
 '0,metricbeat,0u,0g,metricbeat',
+ '0,multipassd,0u,0g,multipassd',
 '0,nessusd,0u,0g,nessusd',
 '0,nix,0u,0g,nix',
 '0,nix,0u,0g,nix-daemon',
@@ -118,13 +117,11 @@ WHERE
 '120,fwupdmgr,0u,0g,fwupdmgr',
 '128,fwupdmgr,0u,0g,fwupdmgr',
 '129,fwupdmgr,0u,0g,fwupdmgr',
- '500,transmission-daemon,500u,500g,transmission-da',
 '42,http,0u,0g,https',
 '500,1password,0u,0g,1password',
 '500,___go_build_main_go,500u,500g,___go_build_mai',
 '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
 '500,accountwizard,u,g,accountwizard',
- '500,thunderbird-bin,0u,0g,thunderbird-bi',
 '500,act,0u,0g,act',
 '500,apk,500u,500g,apk',
 '500,apk,u,g,apk',
@@ -133,7 +130,6 @@ WHERE
 '500,armcord,u,g,armcord',
 '500,aws,0u,0g,aws',
 '500,aws,500u,500g,aws',
- '500,node,u,g,npm ci',
 '500,bash,0u,0g,bash',
 '500,beeper,u,g,beeper',
 '500,bitwarden,u,g,bitwarden',
@@ -184,6 +180,7 @@ WHERE
 '500,docker,0u,0g,docker',
 '500,docker-buildx,0u,0g,docker-buildx',
 '500,drkonqi,0u,0g,drkonqi',
+ '500,dropbox,500u,500g,dropbox',
 '500,eksctl,0u,0g,eksctl',
 '500,eksctl,500u,500g,eksctl',
 '500,electron,0u,0g,electron',
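Review bot: The `'500,firefox-bin,0u,0g,firefox-bin'` entry removed in the @@ -86 hunk is not re-added in any later hunk of this file, unlike the other removals in this commit (multipassd, transmission-daemon, thunderbird-bin, `npm ci`), which each reappear at their sorted position. If the drop is deliberate, hosts running firefox-bin will start producing findings from this query and the commit description should say so; if it was meant to be a re-sort like the others, re-insert `'500,firefox-bin,0u,0g,firefox-bin',` among the other `500,` entries. The enclosing `NOT exception_key IN (...)` list starts before and ends after these hunks.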
@@ -280,6 +277,7 @@ WHERE
 '500,node,0u,0g,npm install',
 '500,node,500u,500g,npm run start',
 '500,node,u,g,node',
+ '500,node,u,g,npm ci',
 '500,nuclei,500u,500g,nuclei',
 '500,obs,0u,0g,obs',
 '500,obs,u,g,obs',
@@ -351,11 +349,13 @@ WHERE
 '500,terraform-ls,500u,500g,terraform-ls',
 '500,thunderbird,0u,0g,thunderbird',
 '500,thunderbird,u,g,thunderbird',
+ '500,thunderbird-bin,0u,0g,thunderbird-bi',
 '500,thunderbird-bin,u,g,thunderbird-bin',
 '500,tidal-hifi,u,g,tidal-hifi',
 '500,tilt,500u,500g,tilt',
 '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
 '500,todoist,0u,0g,todoist',
+ '500,transmission-daemon,500u,500g,transmission-da',
 '500,trivy,0u,0g,trivy',
 '500,trivy,500u,500g,trivy',
 '500,ubuntu-report,0u,0g,ubuntu-report',
@@ -364,8 +364,6 @@ WHERE
 '500,wget,0u,0g,wget',
 '500,wine64-preloader,500u,500g,DaveTheDiver.ex',
 '500,wine64-preloader,500u,500g,Root.exe',
- '500,wolfi-package-status,500u,500g,wolfi-package-s',
- '500,wolfictl,500u,500g,wolfictl',
 '500,WPILibInstaller,500u,500g,WPILibInstaller',
 '500,writerside,500u,500g,writerside',
 '500,xmobar,0u,0g,xmobar',
@@ -375,6 +373,7 @@ WHERE
 '500,zoom,0u,0g,zoom',
 '500,zoom.real,u,g,zoom.real'
 ) -- Exceptions where we have to be more flexible for the process name
+ AND NOT exception_key LIKE '500,wolfi%,500u,500g,wolfi%'
 AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf-automatic'
 AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf'
 AND NOT exception_key LIKE '0,python3.%,0u,0g,yum'
diff --git a/detection/c2/1-unexpected-https-macos.sql b/detection/c2/1-unexpected-https-macos.sql
index da6e74f9..f283c1aa 100644
--- a/detection/c2/1-unexpected-https-macos.sql
+++ b/detection/c2/1-unexpected-https-macos.sql
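Review bot: The new `AND NOT exception_key LIKE '500,wolfi%,500u,500g,wolfi%'` in the @@ -375 hunk replaces the two exact keys dropped in @@ -364 with a prefix match, so (assuming exception_key is built as uid,name,euid,egid,cmd-name as the literals suggest) any uid-500 process whose name merely starts with `wolfi` is now exempt from the HTTPS check, not just `wolfictl` and `wolfi-package-status`. That is a broader exemption than the other flexible patterns on the neighbouring lines, which pin the full command name (`dnf`, `yum`) and only relax the interpreter version. If the prefix is needed because the tool family keeps growing, say so next to it, e.g. `-- wolfi* dev tools are built locally under many names; prefix match is deliberate`; otherwise keeping the two exact keys in sorted position is the safer choice. The enclosing WHERE clause continues outside the hunk.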
@@ -108,13 +108,14 @@ WHERE
 AND NOT exception_key IN (
 '0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
 '0,chainctl,chainctl,,a.out',
- '0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
 '0,com.nordvpn.macos.helper,com.nordvpn.macos.helper,Developer ID Application: Nordvpn S.A. (W5W395V82Y),com.nordvpn.macos.helper',
+ '0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
 '500,.Telegram-wrapped,.Telegram-wrapped,,Telegram',
 '500,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
 '500,apko,apko,,a.out',
- '500,proctor,proctor,500u,20g',
+ '500,apkoaas,apkoaas,,a.out',
 '500,Arc Helper,Arc Helper,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
+ '500,art,art,,a.out',
 '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
 '500,bash,bash,,bash',
 '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
@@ -138,7 +139,6 @@ WHERE
 '500,kubectl,kubectl,Developer ID Application: Docker Inc (9BNSXJN65R),kubectl',
 '500,melange,melange,,a.out',
 '500,nami,nami,,a.out',
- '500,art,art,500u,20g',
 '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
 '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
 '500,odo-darwin-amd64-b4853e1fa,odo-darwin-amd64-b4853e1fa,500u,20g',
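Review bot: The rewritten `'500,proctor,proctor,,a.out'` and `'500,art,art,,a.out'` entries and the new `'500,apkoaas,apkoaas,,a.out'` in the @@ -108 hunk leave the fourth field empty, which the neighbouring entries fill with a Developer ID authority; assuming that field is the signing authority, these exceptions match any uid-500 process with that name regardless of who signed it, and `art` and `proctor` are short, generic names. The same shape already exists for chainctl, apko, melange and nami, so this is a pre-existing convention rather than a regression, but nothing in the list says why these unsigned tools are trusted. A one-line comment above the group, e.g. `-- locally built dev tools: no signing authority, matched on name only`, would let the next reader judge whether to keep them. The proctor re-add in @@ -148 is the same entry; the IN list starts before and ends after these hunks.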
@@ -148,6 +148,7 @@ WHERE
 '500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman',
 '500,PowerPoint,PowerPoint,Apple Development: Zack Hoherchak (SS9PSPF8UF),PowerPoint',
 '500,process-agent,process-agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),process-agent',
+ '500,proctor,proctor,,a.out',
 '500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
 '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
 '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
diff --git a/detection/execution/1-recently-created-executables-long-lived-linux.sql b/detection/execution/1-recently-created-executables-long-lived-linux.sql
index 6c93b988..0f8389c9 100644
--- a/detection/execution/1-recently-created-executables-long-lived-linux.sql
+++ b/detection/execution/1-recently-created-executables-long-lived-linux.sql
@@ -188,7 +188,7 @@ WHERE
 AND p0.cmdline LIKE './%'
 )
 AND NOT p1.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
- AND NOT p1.name = 'makepkg'
+ AND NOT p1.name IN ('makepkg', 'make')
 AND NOT p2.path = '/usr/bin/yay'
 AND NOT p2.cmdline LIKE '/usr/bin/yay %'
 AND NOT (
diff --git a/detection/execution/1-recently-created-executables-long-lived-macos.sql b/detection/execution/1-recently-created-executables-long-lived-macos.sql
index 689d6ea5..d6eb67d6 100644
--- a/detection/execution/1-recently-created-executables-long-lived-macos.sql
+++ b/detection/execution/1-recently-created-executables-long-lived-macos.sql
@@ -151,6 +151,8 @@ WHERE
 OR homepath LIKE '~/%/pkg/%.test'
 OR homepath LIKE '~/%/src/%.test'
 OR homepath LIKE '~/%/terraform-provider-%'
+ OR homepath LIKE '~/chainguard-dev/%'
+ OR homepath LIKE '~/repos/%'
 OR homepath LIKE '~/github/%'
 OR homepath LIKE '~/go/%/bin'
 OR homepath LIKE '~/go/src/%'
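Review bot: `AND NOT p1.name IN ('makepkg', 'make')` in the @@ -188 hunk exempts every recently created long-lived executable whose parent is named `make`, on name alone; `make` is a far more common parent than `makepkg` on developer hosts, and unlike the yay exception two lines below (`p2.path = '/usr/bin/yay'`) the check carries no path qualifier, so any parent that happens to carry that name inherits the exemption. Pinning the parent's path keeps the intent without the blanket exclusion, e.g. `AND NOT (p1.name IN ('makepkg', 'make') AND p1.path LIKE '/usr/bin/%')`. The macOS counterpart added in the @@ -245 hunk of the long-lived-macos file has the same shape and would take the same change. The enclosing WHERE clause starts and ends outside the hunk.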
@@ -245,6 +247,7 @@ WHERE
 AND p0.path NOT LIKE '%/.%'
 AND p0.path NOT LIKE '%Cache%'
 )
+ AND NOT p1.name IN ('makepkg', 'make')
 -- Arc
 AND NOT (
 p0.path LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%'
diff --git a/detection/persistence/2-unexpected-device-linux.sql b/detection/persistence/1-unexpected-device-linux.sql
similarity index 99%
rename from detection/persistence/2-unexpected-device-linux.sql
rename to detection/persistence/1-unexpected-device-linux.sql
index 9d10dc57..e6e37127 100644
--- a/detection/persistence/2-unexpected-device-linux.sql
+++ b/detection/persistence/1-unexpected-device-linux.sql
@@ -166,6 +166,8 @@ WHERE
 '/dev/ngn,character',
 '/dev/ntsync,character',
 '/dev/null,character',
+ '/dev/nvidia-caps/,directory',
+ '/dev/nvidia-caps/nvidia-cap,character',
 '/dev/nvidia-modeset,character',
 '/dev/nvidia-uvm-tools,character',
 '/dev/nvidia-uvm,character',