detection: Reduce Linux desktop false positives

detection/c2/unexpected-https-client-linux.sql

@@ -64,6 +64,8 @@ WHERE
   AND s.remote_address NOT LIKE 'fc00:%'
   AND p.path != ''
   AND NOT exception_key IN (
+    '0,/opt/snapd,0u,0g,snapd',
+    '0,/usr/bash,0u,0g,mkinitcpio',
     '0,/usr/dockerd,0u,0g,dockerd',
     '0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',
     '0,/usr/launcher,0u,0g,launcher',
@@ -78,13 +80,16 @@ WHERE
     '500,/app/zoom.real,u,g,zoom.real',
     '500,/home/chainctl,500u,100g,chainctl',
     '500,/home/chainctl,500u,500g,chainctl',
+    '500,/usr/gnome-recipes,0u,0g,gnome-recipes',
     '500,/home/gitsign,500u,500g,gitsign',
     '500,/home/go,500u,500g,go',
+    '500,/home/jcef_helper,500u,500g,jcef_helper',
     '500,/ko-app/chainctl,u,g,chainctl',
     '500,/ko-app/controlplane,u,g,controlplane',
     '500,/opt/1password,0u,0g,1password',
     '500,/opt/chrome,0u,0g,chrome',
     '500,/opt/firefox,0u,0g,firefox',
+    '500,/opt/firefox,0u,0g,Socket Process',
     '500,/opt/kubectl,0u,0g,kubectl',
     '500,/opt/slack,0u,0g,slack',
     '500,/opt/spotify,0u,0g,spotify',
@@ -102,6 +107,7 @@ WHERE
     '500,/usr/gitsign,0u,0g,gitsign',
     '500,/usr/gnome-software,0u,0g,gnome-software',
     '500,/usr/go,500u,500g,go',
+    '500,/usr/gvfsd-http,0u,0g,gvfsd-http',
     '500,/usr/java,0u,0g,java',
     '500,/usr/kubectl,500u,500g,kubectl',
     '500,/usr/slack,0u,0g,slack',

detection/c2/unexpected-talkers-linux.sql

@@ -90,12 +90,12 @@ WHERE
     '5228,6,500,/opt/chrome,0u,0g,chrome',
     '5228,6,500,/usr/chrome,0u,0g,chrome',
     '8000,6,500,/opt/chrome,0u,0g,chrome',
-    '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
-    '80,6,0,/usr/python3.10,0u,0g,yum',
-    '80,6,0,/usr/applydeltarpm,0u,0g,applydeltarpm',
     '8000,6,500,/usr/firefox,0u,0g,firefox',
+    '80,6,0,/usr/applydeltarpm,0u,0g,applydeltarpm',
     '80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
-    '80,6,500,/usr/firefox,0u,0g,.firefox-wrappe',
+    '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
+    '80,6,0,/usr/pacman,0u,0g,pacman',
+    '80,6,0,/usr/python3.10,0u,0g,yum',
     '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
     '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '80,6,500,/app/thunderbird,u,g,thunderbird',

detection/collection/high-disk-bytes-written.sql

@@ -37,6 +37,7 @@ WHERE
     '/usr/bin/bash',
     '/usr/bin/bwrap',
     '/usr/bin/curl',
+    '/usr/bin/darktable',
     '/usr/bin/dockerd',
     '/usr/bin/fish',
     '/usr/bin/gnome-shell',

detection/evasion/hidden-cwd.sql

@@ -69,11 +69,13 @@ WHERE
       'mysqld,~/.local/share'
     )
     OR dir IN (
+      '~/.config',
       '~/.vim',
       '~/.cache/yay',
       '~/.local/share/chezmoi',
       '~/.local/share/nvim',
-      '~/.gmailctl'
+      '~/.gmailctl',
+      '~/.zsh'
     )
     OR p.name IN (
       'bindfs',
@@ -85,20 +87,21 @@ WHERE
       'gitsign',
       'Code Helper'
     )
-    OR dir LIKE '~/.dotfiles/%'
-    OR dir LIKE '~/.gradle/%'
-    OR dir LIKE "~/%/.terraform%"
-    OR dir LIKE '~/.local/share/kotlin/%'
-    OR dir LIKE '~/go/src/%'
-    OR dir LIKE '~/.local/share/nvim/%'
-    OR dir LIKE '~/.vscode/extensions/%'
-    OR dir LIKE '~/.local/share/fish/%'
     OR dir LIKE '~/.cache/yay/%'
-    OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
-    OR dir LIKE '~/src/%'
-    OR dir LIKE '~/%/.github%'
     OR dir LIKE '~/.cargo/%'
-    OR dir LIKE '~/.provisio%'
-    OR dir LIKE '~/.local/share/JetBrains/%'
     OR dir LIKE '~/code/%'
+    OR dir LIKE '~/.dotfiles/%'
+    OR dir LIKE '~/%/.github%'
+    OR dir LIKE '~/go/src/%'
+    OR dir LIKE '~/.gradle/%'
+    OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
+    OR dir LIKE '~/.local/share/fish/%'
+    OR dir LIKE '~/.local/share/JetBrains/%'
+    OR dir LIKE '~/.local/share/kotlin/%'
+    OR dir LIKE '~/.local/share/nvim/%'
+    OR dir LIKE '~/.provisio%'
+    OR dir LIKE '~/src/%'
+    OR dir LIKE '~/%/.terraform%'
+    OR dir LIKE '~/.vscode/extensions/%'
+    OR dir LIKE '~/.zsh/%'
   )

detection/evasion/parent-missing-from-disk.sql

@@ -41,6 +41,7 @@ WHERE
   AND NOT parent_path IN (
     '/opt/google/chrome/chrome',
     '/usr/lib/systemd/systemd',
+    '/usr/bin/dockerd',
     '/usr/bin/gnome-shell'
   ) -- long-running launchers
   AND NOT parent_name IN (

detection/evasion/unexpected-kernel-modules-linux.sql

@@ -117,6 +117,7 @@ WHERE
     'encrypted_keys',
     'essiv',
     'evdev',
+    'exfat',
     'ext4',
     'fat',
     'fb_sys_fops',

detection/execution/exotic-command-events-linux.sql

@@ -133,3 +133,5 @@ WHERE
   AND NOT cmd LIKE '%modprobe overlay'
   AND NOT cmd LIKE '%modprobe aufs'
   AND NOT cmd IN ('lsmod')
+  -- Seen on Ubuntu
+  AND NOT cmd LIKE 'rm -f /tmp/apt-key-gpghome.%/pubring.gpg'

detection/execution/tiny-executable.sql

@@ -10,6 +10,7 @@ SELECT
   p.cmdline,
   file.size,
   file.mode,
+  file.type,
   p.cwd,
   p.euid,
   p.parent,
@@ -26,3 +27,5 @@ FROM
 WHERE
   file.size > 0
   AND file.size < 10000
+  AND NOT file.path LIKE '/Users/%/.zsh/completion'
+  AND NOT file.path LIKE '/home/%/.zsh/completion'

detection/execution/unexpected-osascript-calls.sql

@@ -22,7 +22,13 @@ SELECT
   hash.sha256 AS parent_sha256,
   signature.identifier AS parent_identifier,
   signature.authority AS parent_auth,
-  CONCAT(signature.identifier, ",", signature.authority, ",", SUBSTR(TRIM(p.cmdline), 0, 54)) AS exception_key
+  CONCAT (
+    signature.identifier,
+    ",",
+    signature.authority,
+    ",",
+    SUBSTR(TRIM(p.cmdline), 0, 54)
+  ) AS exception_key
 FROM
   uptime,
   process_events p
@@ -34,9 +40,10 @@ WHERE
   AND p.time > (strftime('%s', 'now') -60)
   AND exception_key NOT IN (
     'com.vng.zalo,Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),osascript -ss',
-     ',,osascript -e set zoomStatus to "closed"\x0Aset muteStatu'
+    ',,osascript -e set zoomStatus to "closed"\x0Aset muteStatu'
   )
   AND cmd != 'osascript -e user locale of (get system info)'
   AND NOT (
-    exception_key='org.python.python,,osascript' AND parent_cmd LIKE '% /opt/homebrew/bin/jupyter-notebook'
+    exception_key = 'org.python.python,,osascript'
+    AND parent_cmd LIKE '% /opt/homebrew/bin/jupyter-notebook'
   )

detection/exfil/high_disk_bytes_read.sql

@@ -58,11 +58,12 @@ WHERE
     'zsh'
   )
   AND NOT p.path IN (
+    '/usr/bin/darktable',
     '/usr/bin/dockerd',
     '/usr/bin/gnome-shell',
-    '/usr/libexec/coreduetd',
     '/usr/bin/udevadm',
     '/usr/libexec/aned',
+    '/usr/libexec/coreduetd',
     '/usr/libexec/logd',
     '/usr/libexec/packagekitd',
     '/usr/libexec/PerfPowerServices',

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -61,6 +61,10 @@ WHERE
     '/usr/bin/pacman',
     '/usr/bin/sshd',
     '/usr/bin/tailscaled',
+    '/usr/libexec/xdg-permission-store',
+    '/usr/libexec/xdg-document-portal',
+    '/usr/bin/dbus-daemon',
+    '/usr/bin/dbus-launch',
     '/usr/bin/wpa_supplicant',
     '/usr/libexec/accounts-daemon',
     '/usr/libexec/docker/docker-proxy',

detection/privesc/unexpected-privilege-escalation-events.sql

@@ -46,6 +46,10 @@ WHERE
   )
   AND p.path NOT LIKE '/nix/store/%/bin/sudo'
   AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
+  AND NOT (
+    p.path LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
+    AND parent_path = '/usr/lib/systemd/systemd'
+  )
   AND NOT (
     child_name = 'polkit-agent-helper-1'
     AND parent_path = '/usr/bin/gnome-shell'

detection/privesc/unexpected-privilege-escalation.sql

@@ -54,6 +54,10 @@ WHERE
     AND parent_path = '/usr/lib/xdg-document-portal'
   )
   AND NOT (
-    p.name = 'pkexec'
+    p.path = '/usr/bin/pkexec'
     AND parent_path = '/usr/bin/update-notifier'
   )
+  AND NOT (
+    p.path = '/usr/libexec/xdg-permission-store'
+    AND parent_path = '/usr/lib/systemd/systemd'
+  )