Another false positive flush: Capital One, tailscaled, agetty, snap, ninja, epson printers, etc

detection/c2/unexpected-dns-traffic-events.sql

@@ -67,7 +67,8 @@ WHERE
     '208.67.222.123', -- OpenDNS
     '75.75.75.75', -- Comcast
     '75.75.76.76', -- Comcast
-    '68.105.28.13' -- Cox
+    '68.105.28.13', -- Cox
+    '80.248.7.1' -- 21st Century (NG)
   )
   -- Exceptions that specifically talk to one server
   AND exception_key NOT IN (

detection/c2/unexpected-https-client-linux.sql

@@ -11,6 +11,7 @@
 SELECT
   s.remote_address,
   p.name,
+  p.cgroup_path,
   p.path,
   p.cmdline AS child_cmd,
   p.cwd,
@@ -75,16 +76,23 @@ WHERE
     '0,/usr/flatpak-system-helper,0u,0g,flatpak-system-',
     '0,/usr/launcher,0u,0g,launcher',
     '0,/usr/nix,0u,0g,nix',
+    '0,/usr/nix,0u,0g,nix-daemon',
     '0,/usr/packagekitd,0u,0g,packagekitd',
     '0,/usr/pacman,0u,0g,pacman',
     '0,/usr/python3.10,0u,0g,dnf',
     '0,/usr/python3.10,0u,0g,dnf-automatic',
     '0,/usr/python3.10,0u,0g,yum',
     '0,/usr/python3.11,0u,0g,dnf',
+    '0,/usr/python3.11,0u,0g,dnf-automatic',
+    '0,/usr/python3.11,0u,0g,yum',
     '0,/usr/rpi-imager,0u,0g,rpi-imager',
     '0,/usr/snapd,0u,0g,snapd',
     '0,/usr/tailscaled,0u,0g,tailscaled',
     '0,/usr/tailscaled,500u,500g,tailscaled',
+    '500,/usr/chainctl,500u,500g,chainctl',
+    '500,/usr/grype,0u,0g,grype',
+    '500,/home/krel,500u,500g,krel',
+    '500,/usr/cosign-linux-amd64,0u,0g,cosign',
     '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
     '105,/usr/http,0u,0g,https',
     '106,/usr/geoclue,0u,0g,geoclue',
@@ -100,6 +108,7 @@ WHERE
     '500,/home/cosign,500u,500g,cosign',
     '500,/home/gitsign,500u,500g,gitsign',
     '500,/home/go,500u,500g,go',
+    '500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
     '500,/home/grype,500u,500g,grype',
     '500,/home/java,500u,500g,java',
     '500,/home/jcef_helper,500u,500g,jcef_helper',
@@ -164,9 +173,11 @@ WHERE
     '500,/usr/kbfsfuse,0u,0g,kbfsfuse',
     '500,/usr/keybase,0u,0g,keybase',
     '500,/usr/ko,u,g,ko',
+    '500,/usr/node,0u,0g,node',
     '500,/usr/kubectl,500u,500g,kubectl',
     '500,/usr/lens,0u,0g,lens',
     '500,/usr/nautilus,0u,0g,nautilus',
+    '500,/usr/nix,0u,0g,nix',
     '500,/usr/obs,0u,0g,obs',
     '500,/usr/pacman,0u,0g,pacman',
     '500,/usr/python3,0u,0g,python3',
@@ -191,6 +202,7 @@ WHERE
   AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'
   AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm install %'
   AND NOT exception_key LIKE '500,%/terraform-provider-%,500u,500g,terraform-provi'
+  AND NOT exception_key LIKE '0,/ko-app/%,u,g,%'
   -- stay weird, NixOS (Fastly nix mirror)
   AND NOT (
     pp.cmdline = '/run/current-system/sw/bin/bash'

detection/c2/unexpected-talkers-linux.sql

@@ -90,6 +90,7 @@ WHERE
     '22000,6,500,/usr/syncthing,0u,0g,syncthing',
     '22,6,500,/home/cargo,500u,500g,cargo',
     '22,6,500,/usr/cargo,0u,0g,cargo',
+    '80,6,500,/usr/python3.11,0u,0g,abrt-action-ins',
     '22,6,500,/usr/ssh,0u,0g,ssh',
     '22,6,0,/usr/ssh,0u,0g,ssh',
     '27034,6,500,/home/steam,500u,100g,steam',
@@ -100,6 +101,7 @@ WHERE
     '3478,6,500,/opt/chrome,0u,0g,chrome',
     '3478,6,500,/usr/chrome,0u,0g,chrome',
     '3478,6,500,/usr/firefox,0u,0g,firefox',
+    '80,6,0,/usr/bash,0u,0g,mkinitcpio',
     '4070,6,500,/app/spotify,u,g,spotify',
     '4070,6,500,/opt/spotify,0u,0g,spotify',
     '4070,6,500,/usr/spotify,0u,0g,spotify',
@@ -129,6 +131,7 @@ WHERE
     '80,6,500,/opt/firefox,0u,0g,firefox',
     '80,6,500,/opt/spotify,0u,0g,spotify',
     '80,6,0,/usr/python3.11,0u,0g,yum',
+    '80,6,500,/opt/brave,0u,0g,brave',
     '80,6,500,/usr/chrome,0u,0g,chrome',
     '80,6,500,/usr/curl,0u,0g,curl',
     '80,6,0,/usr/python3.11,0u,0g,dnf',

detection/c2/unexpected-talkers-macos.sql

@@ -260,6 +260,7 @@ WHERE
     '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
     '80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
     '80,6,500,curl,com.apple.curl,Software Signing',
+    '8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
     '80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
     '80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
     '80,6,500,webhook.test,a.out,'
@@ -365,5 +366,12 @@ WHERE
     remote_port IN (53, 443)
     AND p.path LIKE '/private/var/folders/%/T/GoLand/%'
   )
+  -- theScore and other iPhone apps
+  AND NOT (
+    remote_port = 443
+    AND signature.authority = 'Apple iPhone OS Application Signing'
+    AND p.cwd = '/'
+    AND p.path = '/private/var/folders/%/Wrapper/%.app/%'
+  )
 GROUP BY
   s.pid

detection/collection/high-disk-bytes-written.sql

@@ -38,6 +38,7 @@ WHERE
     '/usr/bin/apt',
     '/usr/bin/aptd',
     '/usr/bin/bash',
+    '/usr/lib/baloo_file_extractor',
     '/usr/bin/bwrap',
     '/usr/bin/curl',
     '/usr/bin/darktable',
@@ -53,6 +54,7 @@ WHERE
     '/usr/lib64/thunderbird/thunderbird',
     '/usr/libexec/coreduetd',
     '/usr/share/spotify-client/spotify',
+    '/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup',
     '/usr/libexec/flatpak-system-helper',
     '/usr/libexec/logd_helper',
     '/usr/libexec/packagekitd',
@@ -97,25 +99,30 @@ WHERE
     AND cmdline = '/usr/bin/python3 /usr/sbin/aptd'
   )
   AND NOT name IN (
+    'baloo_file_extr',
+    'bwrap',
+    'cargo',
     'chrome',
     'com.apple.MobileSoftwareUpdate.UpdateBrainService',
     'com.apple.NRD.UpdateBrainService',
     'containerd',
-    'cargo',
-    'esbuild',
     'darkfiles',
+    'esbuild',
     'firefox',
     'fsdaemon',
     'go',
     'goland',
-    'qemu-system-aarch64',
+    'golangci-lint-v',
     'gopls',
     'grype',
     'java',
-    'nessusd',
     'jetbrains-toolb',
     'launcher',
+    'nessusd',
+    'ninja',
+    'qemu-system-aarch64',
     'slack',
+    'snyk',
     'steam',
     'wineserver'
   )

detection/credentials/unexpected-dev-opener-linux.sql

@@ -94,6 +94,8 @@ WHERE
   AND pof.path NOT LIKE '/dev/hidraw%'
   AND pof.path NOT LIKE '/dev/shm/.com.google.Chrome.%'
   AND pof.path NOT LIKE '/dev/shm/.org.chromium.Chromium.%'
+  -- Zoom
+  AND pof.path NOT LIKE '/dev/shm/aomshm.%'
   AND pof.path NOT LIKE '/dev/shm/authentik_%'
   AND NOT dir_exception IN (
     '/dev/bus/usb,pcscd',
@@ -154,6 +156,7 @@ WHERE
     '/dev/tty,gdm-wayland-session',
     '/dev/tty,gdm-x-session',
     '/dev/tty,systemd-logind',
+    '/dev/shm/envoy_shared_memory_1,envoy',
     '/dev/tty,Xorg',
     '/dev/uinput,bluetoothd',
     '/dev/usb/hiddev,apcupsd',

detection/credentials/unexpected-sensitive-file-access-linux.sql

@@ -74,21 +74,18 @@ WHERE
     file_uid == process_uid
     AND exception_key IN (
       'aws,aws,~/.aws',
-      'python3,python3,~/.config/gcloud',
-      'chrome_crashpad_handler,chrome_crashpad,',
-      'soffice.bin,soffice.bin,~/.mozilla/firefox',
-      'chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome',
       'chrome,chrome,~/.config/google-chrome',
-      'firefox,.firefox-wrappe,~/.cache/mozilla',
-      'firefox,Web Content,~/.mozilla/firefox',
-      'firefox,.firefox-wrappe,~/.mozilla/firefox',
+      'chrome_crashpad_handler,chrome_crashpad,',
+      'chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome',
+      'firefox,file:// Content,~/.cache/mozilla',
       'firefox,file:// Content,~/.mozilla/firefox',
-      'firefox,Isolated Servic,~/.mozilla/firefox',
       'firefox,firefox,~/.cache/mozilla',
       'firefox,firefox,~/.mozilla/firefox',
-      'firefox,file:// Content,~/.cache/mozilla',
       'firefox,firefox,~/snap/firefox',
+      'firefox,.firefox-wrappe,~/.cache/mozilla',
+      'firefox,.firefox-wrappe,~/.mozilla/firefox',
       'firefox,Isolated Servic,~/.cache/mozilla',
+      'firefox,Isolated Servic,~/.mozilla/firefox',
       'firefox,Isolated Servic,~/snap/firefox',
       'firefox,Isolated Web Co,~/.cache/mozilla',
       'firefox,Isolated Web Co,~/.mozilla/firefox',
@@ -97,13 +94,17 @@ WHERE
       'firefox,Privileged Cont,~/.mozilla/firefox',
       'firefox,Privileged Cont,~/snap/firefox',
       'firefox,Web Content,~/.cache/mozilla',
+      'firefox,Web Content,~/.mozilla/firefox',
       'firefox,Web Content,~/snap/firefox',
       'firefox,WebExtensions,~/.cache/mozilla',
       'firefox,WebExtensions,~/.mozilla/firefox',
       'firefox,WebExtensions,~/snap/firefox',
       'plugin-container,MainThread,~/.mozilla/firefox',
+      'plugin-container,MainThread,~/snap/firefox',
+      'python3,python3,~/.config/gcloud',
       'slack,slack,~/.config/Slack',
-      'slack,slack,~/snap/slack'
+      'slack,slack,~/snap/slack',
+      'soffice.bin,soffice.bin,~/.mozilla/firefox'
     )
   )
 GROUP BY

detection/discovery/unexpected-bpf-user.sql

@@ -38,6 +38,7 @@ WHERE
     '/usr/bin/qemu-system-x86_64',
     '/usr/lib/systemd/systemd'
   )
+  AND p.cmdline != '/usr/bin/python3 /usr/sbin/execsnoop-bpfcc'
   AND p.path NOT LIKE '/nix/store/%/lib/systemd/systemd'
 GROUP BY
   pmm.pid

detection/evasion/hidden-executable.sql

@@ -31,4 +31,7 @@ WHERE
     OR f.filename LIKE '.%'
   )
   AND NOT f.path LIKE '/nix/store/%/%-wrapped'
-  AND NOT p.name = '.firefox-wrappe'
+  AND NOT p.name IN (
+    '.firefox-wrappe',
+    '.pylsp-wrapped'
+  )

detection/evasion/name_path_mismatch.sql

@@ -59,6 +59,7 @@ WHERE
     'name=gnome-characte,file=gjs-console,500',
     'name=gnome-character,file=gjs-console,500',
     'name=gnome-tweak-to,file=python3,500',
+    'name=exe,file=rootlesskit,500',
     'name=gsettings-hel,file=gsettings-help,500',
     'name=iptables,file=xtables-nft-mu,0',
     'name=Isolated,file=firefox,500',
@@ -66,6 +67,7 @@ WHERE
     'name=MainThread,file=plugin-contain,500',
     'name=mysqld,file=mariadbd,500',
     'name=networkd-dispa,file=python3,0',
+    'name=ninja,file=samu,500',
     'name=nix-daemon,file=nix,0',
     'name=npm,file=node,500',
     'name=osqueryi,file=osqueryd,0',

detection/evasion/parent-missing-from-disk-linux.sql

@@ -54,7 +54,10 @@ WHERE
     'kube-proxy',
     'kubelet'
   ) -- These alerts were unfortunately useless - lots of spam on macOS
-  AND parent_path NOT LIKE '/app/extra/%'
+  AND NOT (
+    parent_path LIKE '/app/%'
+    AND child_cgroup LIKE '/user.slice/user-1000.slice/user@1000.service/app.slice/%'
+  )
   AND parent_path NOT LIKE '/opt/homebrew/Cellar/%'
   AND parent_path NOT LIKE '/tmp/.mount_%/%'
   AND parent_path NOT LIKE '%google-cloud-sdk/.install/.backup%'

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -46,6 +46,7 @@ WHERE -- NOTE:We intentionally want to preserve missing files
     'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
     'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
     'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
+    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
     'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
     'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
     'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',

detection/evasion/unexpected-etc-executables.sql

@@ -37,6 +37,7 @@ WHERE
     '/etc/avahi',
     '/etc/bash_completion.d',
     '/etc/brltty/Contraction',
+    '/etc/ca-certificates/update.d',
     '/etc/chromium/native-messaging-hosts',
     '/etc/cifs-utils',
     '/etc/console-setup',
@@ -66,6 +67,7 @@ WHERE
     '/etc/ifplugd',
     '/etc/ifplugd/action.d',
     '/etc/init.d',
+    '/etc/initramfs/post-update.d',
     '/etc/kde/shutdown',
     '/etc/kernel/header_postinst.d',
     '/etc/kernel/install.d',
@@ -74,6 +76,7 @@ WHERE
     '/etc/kernel/preinst.d',
     '/etc/kernel/prerm.d',
     '/etc/lightdm',
+    '/etc/localtime',
     '/etc/mcelog/triggers',
     '/etc/menu-methods',
     '/etc/network/if-down.d',
@@ -89,6 +92,7 @@ WHERE
     '/etc/periodic/weekly',
     '/etc/pinentry',
     '/etc/pm/sleep.d',
+    '/etc/pop-os/update-motd.d',
     '/etc/ppp',
     '/etc/ppp/ip-down.d',
     '/etc/ppp/ip-up.d',
@@ -113,6 +117,7 @@ WHERE
     '/etc/rcS.d',
     '/etc/rdnssd',
     '/etc/redhat-lsb',
+    '/etc/resolvconf/update.d',
     '/etc/security',
     '/etc/skel',
     '/etc/ssl/certs',
@@ -121,18 +126,14 @@ WHERE
     '/etc/systemd/system',
     '/etc/systemd/system/graphical.target.wants',
     '/etc/systemd/system-shutdown',
+    '/etc/udev/rules.d',
     '/etc/update-motd.d',
     '/etc/vmware-tools',
     '/etc/vpnc',
-    '/etc/localtime',
-    '/etc/udev/rules.d',
     '/etc/wpa_supplicant',
     '/etc/X11',
     '/etc/X11/xinit',
     '/etc/X11/xinit/xinitrc.d',
-    '/etc/pop-os/update-motd.d',
-    '/etc/initramfs/post-update.d',
-    '/etc/resolvconf/update.d',
     '/etc/xdg/Xwayland-session.d',
     '/etc/zfs-fuse',
     '/etc/zfs/zed.d',

detection/evasion/unexpected-tmp-executables.sql

@@ -45,6 +45,7 @@ WHERE
       OR file.path LIKE '/tmp/%/site-packages/markupsafe/_speedups.cpython-%'
       OR file.path LIKE '/tmp/go.%.sum'
       OR file.path LIKE '/tmp/guile-%/guile-%'
+      OR file.path LIKE '/tmp/src/%'
       OR file.path LIKE '/tmp/terraformer/%'
       OR file.path LIKE '/tmp/tmp.%'
       OR file.path LIKE '%/bin/%-gen'

detection/evasion/unexpected-var-executables-macos.sql

@@ -75,13 +75,14 @@ WHERE
   )
   -- It's pretty rare, but some vendors install updates into /var. Spotify, I'm looking at you!
   AND NOT signature.authority IN (
-    'Developer ID Application: Spotify (2FNC3A47ZF)',
     'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     'Developer ID Application: Docker Inc (9BNSXJN65R)',
     'Developer ID Application: GitHub (VEKTX9H2N7)',
     'Developer ID Application: Google LLC (EQHXZ8M8AV)',
     'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
-    'Developer ID Application: Mozilla Corporation (43AQ936H96)'
+    'Developer ID Application: Mozilla Corporation (43AQ936H96)',
+    'Developer ID Application: Spotify (2FNC3A47ZF)',
+    'Software Signing'
   )
   AND file.path NOT IN (
     '/var/log/acroUpdaterTools.log',
@@ -105,3 +106,10 @@ WHERE
     AND file.size < 1024
     AND file.mode = '0744'
   )
+  -- Epson
+  AND NOT (
+    file.path LIKE '/var/tmp/InstallLog/%.plist'
+    AND magic.data = 'Apple binary property list'
+    AND file.size < 3000
+    AND file.mode = '0777'
+  )

detection/execution/exotic-command-events-linux.sql

@@ -48,6 +48,8 @@ WHERE
       'dnscat2',
       'tuns',
       'iodine',
+      'esxcli',
+      'vim-cmd',
       'minerd',
       'cpuminer-multi',
       'cpuminer',

detection/execution/exotic-command-events-macos.sql

@@ -125,13 +125,14 @@ WHERE
     cmd IN (
       '/bin/launchctl asuser 0 /bin/launchctl list',
       '/bin/launchctl list',
-      'launchctl list',
-      'sudo launchctl list',
       '/bin/launchctl list com.logi.optionsplus.update',
+      '/bin/launchctl list com.logi.optionsplus.updater',
       '/bin/launchctl list homebrew.mxcl.yabai',
+      'launchctl list',
       'launchctl list com.parallels.desktop.launchdaemon',
       'launchctl list us.zoom.ZoomDaemon',
       '/Library/Apple/System/Library/StagedFrameworks/Safari/SafariShared.framework/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History',
+      'sudo launchctl list',
       'sudo launchctl list us.zoom.ZoomDaemon',
       '/usr/bin/csrutil report',
       '/usr/bin/csrutil status',

detection/execution/exotic-commands.sql

@@ -10,6 +10,7 @@ SELECT
   p.name,
   p.cmdline AS cmd,
   p.cwd,
+  p.cgroup_path,
   p.euid,
   p.parent,
   pp.name AS parent_name,
@@ -26,7 +27,7 @@ FROM
   LEFT JOIN hash AS phash ON pp.path = phash.path
 WHERE
   -- Known attack scripts
-  p.name IN ('nc', 'mkfifo')
+  p.name IN ('nc', 'mkfifo', 'esxcli', 'vim-cmd')
   OR p.name LIKE '%pwn%'
   OR p.name LIKE '%xig%'
   OR p.name LIKE '%xmr%'
@@ -75,11 +76,17 @@ WHERE
   OR cmd LIKE '%pty.spawn%'
   OR (
     cmd LIKE '%sh -i'
-    AND NOT parent_name IN ('sh', 'java')
+    AND NOT p.path = '/usr/bin/docker'
+    AND NOT parent_name IN ('sh', 'java', 'containerd-shim')
     AND NOT parent_cmd LIKE '%pipenv shell'
   )
   OR cmd LIKE '%socat%'
-  OR cmd LIKE '%SOCK_STREAM%'
-  OR cmd LIKE '%Socket.fork%'
-  OR cmd LIKE '%Socket.new%'
-  OR cmd LIKE '%socket.socket%'
+  OR (
+    p.name NOT IN ('cc1plus')
+    AND (
+     cmd LIKE '%SOCK_STREAM%'
+     OR cmd LIKE '%Socket.fork%'
+     OR cmd LIKE '%Socket.new%'
+     OR cmd LIKE '%socket.socket%'
+    )
+  )

detection/execution/recently-created-executables-linux.sql

@@ -17,6 +17,7 @@ SELECT
   f.ctime,
   f.btime,
   f.mtime,
+  p.cgroup_path,
   p.start_time,
   pp.path AS parent_path,
   pp.name AS parent_name,
@@ -50,9 +51,11 @@ WHERE
     '/opt/Lens/lens',
     '/opt/sublime_text/sublime_text',
     '/usr/bin/alacritty',
+    '/usr/libexec/tracker-miner-fs-3',
     '/usr/bin/bash',
     '/usr/bin/cargo',
     '/usr/bin/containerd',
+    '/usr/lib64/thunderbird/thunderbird',
     '/usr/bin/containerd-shim-runc-v2',
     '/usr/bin/docker',
     '/usr/bin/dockerd',
@@ -67,8 +70,10 @@ WHERE
     '/usr/bin/pavucontrol',
     '/usr/bin/pipewire',
     '/usr/bin/rpi-imager',
+    '/usr/bin/snap',
     '/usr/bin/tailscaled',
     '/usr/bin/udevadm',
+    '/usr/bin/wireplumber',
     '/usr/bin/wpa_supplicant',
     '/usr/lib64/electron/electron',
     '/usr/lib64/firefox/firefox',
@@ -93,14 +98,13 @@ WHERE
     '/usr/lib/slack/slack',
     '/usr/lib/snapd/snapd',
     '/usr/lib/systemd/systemd',
-    '/usr/bin/wireplumber',
-    '/usr/lib/xdg-desktop-portal-gtk',
     '/usr/lib/systemd/systemd-journald',
     '/usr/lib/systemd/systemd-logind',
     '/usr/lib/systemd/systemd-oomd',
     '/usr/lib/systemd/systemd-resolved',
     '/usr/lib/systemd/systemd-timesyncd',
     '/usr/lib/x86_64-linux-gnu/obs-plugins/obs-browser-page',
+    '/usr/lib/xdg-desktop-portal-gtk',
     '/usr/lib/xf86-video-intel-backlight-helper',
     '/usr/local/bin/kind',
     '/usr/sbin/alsactl',
@@ -118,8 +122,10 @@ WHERE
   AND NOT p.path LIKE '/home/%/terraform-provider-%'
   AND NOT p.path LIKE '/home/%/%.test'
   AND NOT p.path LIKE '/home/%/Projects/%'
+  AND NOT p.path LIKE '/home/%/.local/share/nvim/mason/packages/%'
   AND NOT p.path LIKE '/home/%/node_modules/.bin/%'
   AND NOT p.path LIKE '/nix/store/%/bin/%'
+  AND NOT p.path LIKE '/nix/store/%/libexec/%'
   AND NOT p.path LIKE '/usr/local/bin/%'
   AND NOT p.path LIKE '/opt/%'
   AND NOT p.path LIKE '/usr/local/Cellar/%'

detection/execution/recently-created-executables-macos.sql

@@ -49,6 +49,7 @@ WHERE
     'Developer ID Application: Bryan Jones (49EYHPJ4Q3)',
     'Developer ID Application: CodeWeavers Inc. (9C6B7X7Z8E)',
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
+    'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
     'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     'Developer ID Application: Docker Inc (9BNSXJN65R)',
     'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
@@ -83,6 +84,7 @@ WHERE
   AND NOT p.path LIKE '/opt/homebrew/Cellar/%'
   AND NOT p.path LIKE '/private/tmp/%/Creative Cloud Installer.app/Contents/MacOS/Install'
   AND NOT p.path LIKE '/private/tmp/go-build%'
+  AND NOT p.path LIKE '/private/tmp/go-%/go/pkg/%'
   AND NOT p.path LIKE '/private/tmp/nix-build-%'
   AND NOT p.path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
   AND NOT p.path LIKE '/private/var/folders/%/bin/%'
@@ -114,5 +116,10 @@ WHERE
     AND f.uid = p.uid
     AND p.cmdline LIKE './%'
   )
+  AND NOT (
+    p.path LIKE '/Users/%/Library/Printers/EPSON%/Contents/MacOS/PrinterProxy'
+    AND signature.identifier = 'com.apple.print.PrinterProxy'
+    AND signatur.authority = ''
+  )
 GROUP BY
   p.pid

detection/execution/unexpected-execdir-events-macos.sql

@@ -112,6 +112,7 @@ WHERE
     '~/go/bin',
     '~/.local/bin',
     '~/.magefile',
+    '~/Downloads/protoc/bin',
     '~/projects/go/bin'
   )
   AND top_homedir NOT IN (
@@ -134,6 +135,7 @@ WHERE
     '~/Parallels/',
     '~/projects/',
     '~/.pulumi/',
+    '~/.provisio/',
     '~/.pyenv/',
     '~/.rustup/',
     '~/src/',

detection/execution/unexpected-execdir-linux.sql

@@ -11,6 +11,7 @@ SELECT
   p.path,
   p.euid,
   p.gid,
+  p.cgroup_path,
   f.ctime,
   f.directory AS dirname,
   p.cmdline,
@@ -58,6 +59,7 @@ WHERE
   AND dirname NOT LIKE '/nix/store/%'
   AND dirname NOT LIKE '/opt/%'
   AND dirname NOT LIKE '/snap/%'
+  AND dirname NOT LIKE '/var/lib/snapd/snap/snapd/%'
   AND dirname NOT LIKE '%/.terraform/providers/%'
   AND dirname NOT LIKE '/tmp/%/bin'
   AND dirname NOT LIKE '/tmp/go-build%'
@@ -71,6 +73,6 @@ WHERE
   )
   AND NOT (
     dirname = ''
-    AND p.name LIKE 'runc%'
+    AND (p.name LIKE 'runc%' OR p.cmdline LIKE 'runc init%')
   )
   AND p.path NOT LIKE '/tmp/terraform_%/terraform'

detection/exfil/high_disk_bytes_read.sql

@@ -52,6 +52,7 @@ WHERE
     'nautilus',
     'nessusd',
     'nix',
+    'nix-daemon',
     'osqueryd',
     'qemu-system-aarch64',
     'qemu-system-x86',

detection/initial_access/unexpected-shell-parents.sql

@@ -14,6 +14,7 @@ SELECT
   p.path AS path,
   p.cmdline AS cmd,
   p.pid,
+  p.cgroup_path,
   p.parent,
   pp.name AS parent_name,
   pp.path AS parent_path,
@@ -63,6 +64,7 @@ WHERE
     'nix',
     'nix-build',
     'nix-daemon',
+    'ninja',
     'node',
     'nvim',
     'package_script_service',

detection/persistence/unexpected-chrome-extensions.sql

@@ -58,6 +58,7 @@ WHERE
     'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg,', -- Deprecated Google Extension
     'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml,', -- Deprecated Google Extension
     'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb,storage, tabs',
+    'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,alarms, tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, <all_urls>',
     'true,,Adblock for Youtube™,cmedhionkhpnakcndndgjdbohmhepckk,storage, unlimitedStorage, webRequest, webRequestBlocking, <all_urls>',
     'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
     'true,,Add to Amazon Wish List,ciagpekplgpbepdgggflgmahnjgiaced,tabs, http://*/*, https://*/*',

detection/persistence/unexpected-launchd-program-arguments.sql

@@ -56,9 +56,10 @@ WHERE
   )
   AND program_arguments NOT IN (
     '/Applications/Stream Deck.app/Contents/MacOS/Stream Deck --runinbk',
+    '/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080',
     '/opt/homebrew/opt/mariadb/bin/mysqld_safe',
     '/opt/homebrew/opt/skhd/bin/skhd',
-    '/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080',
+    '/opt/homebrew/opt/tailscale/bin/tailscaled',
     '/opt/homebrew/opt/yubikey-agent/bin/yubikey-agent -l /opt/homebrew/var/run/yubikey-agent.sock',
     '/usr/local/MacGPG2/libexec/fixGpgHome'
   )

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -45,6 +45,7 @@ WHERE
   AND p.path NOT IN (
     '',
     '/sbin/apcupsd',
+    '/usr/sbin/agetty',
     '/usr/bin/abrt-dump-journal-core',
     '/usr/bin/abrt-dump-journal-oops',
     '/usr/bin/abrt-dump-journal-xorg',

detection/privesc/unexpected-elevated-children-events_linux.sql

@@ -60,6 +60,7 @@ WHERE
   AND p.path NOT LIKE '/nix/store/%/bin/sudo'
   AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
   AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
+  AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-update-ns'
   AND NOT pp.cmdline = '/usr/lib/systemd/systemd --user'
   -- used by kind
   AND NOT (