From 42e9f2721b258bf3f2a2a801b235f7aa4a22fcb6 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Mon, 16 Jan 2023 13:55:53 -0500
Subject: [PATCH] FP removal: plymouth, 1Password, firejail, systemd
---
 .../evasion/empty_root_environ_linux.sql | 1 +
 ...ected-security-framework-program-macos.sql | 27 ++++++++++---------
 .../execution/unexpected-setuid-binaries.sql | 1 +
 .../unexpected-xattr-calls-macos.sql | 22 +++++++--------
 .../unexpected-active-systemd-units.sql | 1 +
 5 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/detection/evasion/empty_root_environ_linux.sql b/detection/evasion/empty_root_environ_linux.sql
index 627a7b7..3677124 100644
--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@@ -41,6 +41,7 @@ WHERE
 'systemd-udevd',
 'gdm-session-wor',
 'fprintd',
+ 'systemd',
 'gpg-agent',
 'systemd-userdbd',
 'nginx',
diff --git a/detection/execution/unexpected-security-framework-program-macos.sql b/detection/execution/unexpected-security-framework-program-macos.sql
index c5a04ee..7d7814c 100644
--- a/detection/execution/unexpected-security-framework-program-macos.sql
+++ b/detection/execution/unexpected-security-framework-program-macos.sql
@@ -44,6 +44,8 @@ WHERE
 '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
 '500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
 '500,.cargo-wrapped,.cargo-wrapped,',
+ '500,cosign,a.out,',
+ '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
 '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
 '500,epdfinfo,epdfinfo,',
 '500,esbuild,a.out,',
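Review bot: The new `'systemd'` entry is a name-only exclusion, and `systemd` is one of the most common names a malicious binary picks to masquerade under, so a rogue process named `systemd` running as root with an empty environment would now be suppressed. The neighbouring entries (`gdm-session-wor`, `systemd-udevd`) suggest this list matches a truncated process name and nothing else; the enclosing WHERE clause starts outside the hunk, so I cannot see whether a path or parent check is also applied. Consider pairing this entry with a path constraint so that only the real binary (`/usr/lib/systemd/systemd` or `/lib/systemd/systemd`) is excluded, and record why in place: `-- 'systemd' is a common masquerade name; the exclusion should be tied to the systemd binary path, not the bare name`.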
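Review bot: Both new entries carry an empty authority column, so `'500,cosign,a.out,'` suppresses any unsigned or ad-hoc-signed binary named `cosign` regardless of where it lives or who built it, which is exactly the shape a dropped tool would take. The `cpu-555549441132dc6b7af538428ce3359ae94eab37` identifier also looks like a per-build value, so that exception will presumably stop matching on the next rebuild and the false positive will return. Since this query already filters on `p.path` (the `/opt/homebrew/Cellar/%` exclusion later in the file), a narrower exception for locally built Go tools would key on their install directory rather than the bare name; at minimum add `-- unsigned local Go builds (identifier a.out): name-only match, tighten by path` above these lines so the weakness is visible.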
@@ -51,25 +53,22 @@ WHERE
 '500,gitsign-credential-cache,a.out,',
 '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
 '500,gopls,a.out,',
- '500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
- '500,gpg-agent,gpg-agent,',
- '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
- '500,ipcserver.old,,',
- '500,vim,vim,',
 '500,gopls,gopls,',
- '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
- '500,vim,,',
+ '500,gpg-agent,gpg-agent,',
+ '500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
+ '500,ipcserver.old,,',
+ '500,ko,a.out,',
 '500,kubectl,a.out,',
- '500,cosign,a.out,',
- '500,sdzoomplugin,,',
 '500,lua-language-server,lua-language-server,',
- '500,sdaudioswitch,sdaudioswitch,',
 '500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
 '500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
 '500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
+ '500,PrinterProxy,com.apple.print.PrinterProxy,',
 '500,registry-redirect,a.out,',
 '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
 '500,scdaemon,scdaemon,',
+ '500,sdaudioswitch,sdaudioswitch,',
+ '500,sdzoomplugin,,',
 '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
 '500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
 '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
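Review bot: `'500,PrinterProxy,com.apple.print.PrinterProxy,'` pairs an Apple bundle identifier with an empty authority, meaning no trusted signer was found; an ad-hoc signature can claim any identifier it likes, so this entry effectively trusts the name alone. If this is the per-printer proxy app that macOS generates under the user's `~/Library/Printers`, say so in a comment so a later reader does not assume the empty authority is a mistake, e.g. `-- PrinterProxy.app is generated per printer under ~/Library/Printers and has no Developer ID`. The rest of this hunk re-sorts existing entries and adds `ko,a.out`, which carries the same name-only caveat as the other unsigned Go tools in this list.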
@@ -80,8 +79,12 @@ WHERE
 '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
 '500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
 '500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
- '500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing'
-
+ '500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
+ '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
+ '500,vim,,',
+ '500,vim,vim,',
+ '500,WinAppHelper,,',
+ '500,WinAppHelper,WinAppHelper,'
 )
 -- TODO: Narrow this down
 AND NOT p.path LIKE '/opt/homebrew/Cellar/%'
diff --git a/detection/execution/unexpected-setuid-binaries.sql b/detection/execution/unexpected-setuid-binaries.sql
index 73de592..5a36dae 100644
--- a/detection/execution/unexpected-setuid-binaries.sql
+++ b/detection/execution/unexpected-setuid-binaries.sql
@@ -157,6 +157,7 @@ FROM
 '/bin/su',
 '/bin/sudo',
 '/bin/firejail',
+ '/sbin/firejail',
 '/usr/bin/firejail',
 '/usr/sbin/firejail',
 '/bin/sudoedit',
diff --git a/detection/execution/unexpected-xattr-calls-macos.sql b/detection/execution/unexpected-xattr-calls-macos.sql
index 2e23f12..88fb27e 100644
--- a/detection/execution/unexpected-xattr-calls-macos.sql
+++ b/detection/execution/unexpected-xattr-calls-macos.sql
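Review bot: `'500,WinAppHelper,,'` and `'500,WinAppHelper,WinAppHelper,'` have no signing authority and, in the first case, no identifier either, so they are pure process-name matches; the `vim,,` / `vim,vim,` pair moved into this hunk has the same shape. Having each name twice, with and without an identifier, presumably means the signature lookup sometimes returns no row for the same binary, and a future maintainer will not know whether both rows are intentional or one is stale. A one-line comment above each pair would record that, e.g. `-- unsigned; listed with and without an identifier because the signature lookup does not always return a row`. The trailing comma added to the Todoist Renderer line is what allows the list to grow, so that part is fine.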
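Review bot: Adding `'/sbin/firejail'` brings the exclusion to four path variants of a setuid-root binary that has a record of local privilege-escalation advisories (CVE-2022-31214 in the `--join` handling, for example), so the rule now silently trusts whatever firejail build happens to be installed at any of those paths. If the extra variants exist only to cover merged-/usr layouts where `/bin` and `/sbin` are symlinks into `/usr`, a comment saying so would stop the list from growing further: `-- firejail is setuid by design; /bin and /sbin variants cover merged-/usr distros`. Where the underlying table exposes a hash or package ownership for the file, keying the exclusion on that rather than the bare path would be the stronger check; I cannot see the column list from this hunk.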
@@ -49,21 +49,17 @@ FROM process_events pe
 LEFT JOIN signature ON pp.path = signature.path
 LEFT JOIN signature esignature ON ppe.path = esignature.path
 WHERE pe.path = '/usr/bin/xattr'
- AND pe.time > (strftime('%s', 'now') -300)
+ AND pe.time > (strftime('%s', 'now') -30000)
+ AND cmd != '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app'
 AND NOT (
- pe.euid > 500 AND
- cmd LIKE '%xattr -l %'
- )
- AND NOT cmd IN (
- '/usr/bin/xattr -r -d com.apple.quarantine /Applications/1Password.app'
+ pe.euid > 500
+ AND cmd LIKE '%xattr -l %'
 )
 AND NOT (
- cmd = '/usr/bin/xattr -h'
+ pe.euid > 500
+ AND cmd = '/usr/bin/xattr -h'
 AND parent_cmd LIKE '%/opt/homebrew/bin/brew%'
 )
- -- 0002 is downloaded, but never opened
- AND NOT cmd LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%'
- -- 0181 seems the same?
- AND NOT cmd LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
- AND NOT cmd LIKE '/usr/bin/xattr -p com.apple.quarantine %'
-GROUP BY pe.pid
+ AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0002;%'
+ AND cmd NOT LIKE '/usr/bin/xattr -w com.apple.quarantine 0181;%'
+GROUP BY pe.pid, cmd
diff --git a/detection/persistence/unexpected-active-systemd-units.sql b/detection/persistence/unexpected-active-systemd-units.sql
index 28df003..34edbf9 100644
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@@ -234,6 +234,7 @@ WHERE
 'plocate-updatedb.service,Update the plocate database,,200',
 'plocate-updatedb.timer,Update the plocate database daily,,100',
 'plymouth-quit-wait.service,Hold until boot process finishes up,,200',
+ 'plymouth-quit.service,Terminate Plymouth Boot Screen,,200',
 'plymouth-read-write.service,Tell Plymouth To Write Out Runtime Data,,200',
 'plymouth-start.service,Show Plymouth Boot Screen,,500',
 'plymouth-start.service,Show Plymouth Boot Screen,,600',
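Review bot: The new exclusion `AND cmd != '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app'` is keyed on the command line alone, so it suppresses that exact command no matter which process ran it — and stripping quarantine from `/Applications/1Password.app` is precisely what an attacker would do after swapping in a trojanized copy. The `brew` exception in the same hunk shows the better shape: constrain the parent as well, either with a `parent_cmd` pattern or, stronger, a check on the parent's signing authority through the `esignature` join that is already in scope, e.g. `AND NOT (cmd = '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app' AND esignature.authority = '<1Password Developer ID>')`. Separately, the lookback moved from `-300` to `-30000` seconds (roughly 8.3 hours) with no mention in the commit message; if that is intentional it deserves a comment on the constant, and if it is a debugging leftover it will re-surface the same events on every run within that window, which `GROUP BY pe.pid, cmd` does not prevent across runs. The dropped `-p com.apple.quarantine` exclusion is a reasonable tightening and needs no change.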