fpr: New Chrome etxensions, vbox, chrome, gcloud, gdm3, yay, etc

detection/c2/unexpected-talkers-linux.sql

@@ -87,7 +87,6 @@ WHERE
   AND NOT exception_key IN (
     '123,17,114,/usr/chronyd,0u,0g,chronyd',
     '123,17,500,/usr/chronyd,0u,0g,chronyd',
-    '80,6,500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
     '143,6,500,/app/thunderbird,u,g,thunderbird',
     '143,6,500,/usr/thunderbird,0u,0g,thunderbird',
     '19305,6,500,/opt/firefox,0u,0g,firefox',
@@ -129,10 +128,12 @@ WHERE
     '80,6,0,/usr/bash,0u,0g,sh',
     '80,6,0,/usr/bash,0u,0g,update-ca-trust',
     '80,6,0,/usr/cp,0u,0g,cp',
+    '80,6,0,/usr/fc-cache,0u,0g,fc-cache',
     '80,6,0,/usr/find,0u,0g,find',
     '80,6,0,/usr/gpg,0u,0g,gpg',
     '80,6,0,/usr/kmod,0u,0g,depmod',
     '80,6,0,/usr/kubelet,u,g,kubelet',
+    '80,6,0,/usr/ldconfig,0u,0g,ldconfig',
     '80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
     '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
     '80,6,0,/usr/pacman,0u,0g,pacman',
@@ -170,6 +171,7 @@ WHERE
     '80,6,500,/usr/rpi-imager,0u,0g,rpi-imager',
     '80,6,500,/usr/signal-desktop,0u,0g,signal-desktop',
     '80,6,500,/usr/thunderbird,0u,0g,thunderbird',
+    '80,6,500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
     '8080,6,500,/opt/chrome,0u,0g,chrome',
     '8080,6,500,/usr/firefox,0u,0g,firefox',
     '8080,6,500,/usr/python3.11,0u,0g,speedtest-cli',

detection/c2/unexpected-talkers-macos.sql

@@ -140,7 +140,6 @@ WHERE
     '22,6,500,ssh,com.apple.openssh,Software Signing',
     '22,6,500,ssh,com.apple.ssh,Software Signing',
     '22,6,500,ssh,ssh,',
-    '443,6,500,jx,,',
     '22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
     '30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '30011,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@@ -174,6 +173,7 @@ WHERE
     '443,6,500,chainctl,,',
     '443,6,500,chainctl,a.out,',
     '443,6,500,chainctl,chainctl,',
+    '443,6,500,chainctl_darwin_arm64,a.out,',
     '443,6,500,chainctl_Darwin_arm64,a.out,',
     '443,6,500,civo,a.out,',
     '443,6,500,cloud_sql_proxy,a.out,',
@@ -224,6 +224,7 @@ WHERE
     '443,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '443,6,500,java,net.java.openjdk.java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
     '443,6,500,Java Updater,com.oracle.java.Java-Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
+    '443,6,500,jx,,',
     '443,6,500,ko,a.out,',
     '443,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
     '443,6,500,kubectl,,',
@@ -279,6 +280,7 @@ WHERE
     '6000,6,500,ssh,com.apple.openssh,Software Signing',
     '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
     '80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
+    '80,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
     '80,6,500,curl,com.apple.curl,Software Signing',
     '80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
     '80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',

detection/discovery/unexpected-netutil-calls-linux.sql

@@ -1,11 +1,11 @@
--- Suspicious parenting of fetch tools (event-based)
+-- Suspicious parenting of network utilities (event-based)
 --
 -- refs:
 --   * https://attack.mitre.org/techniques/T1016/ (System Network Configuration Discovery)
 --
 -- tags: transient process state often
 -- platform: linux
--- interval: 300
+-- interval: 60
 SELECT
   -- Child
   pe.path AS p0_path,
@@ -65,7 +65,7 @@ WHERE
     '/sbin/nft'
   )
   AND pe.cmdline != ''
-  AND pe.time > (strftime('%s', 'now') -300)
+  AND pe.time > (strftime('%s', 'now') -60)
   AND NOT (
     pe.euid > 500
     AND p1_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')

detection/evasion/parent-missing-from-disk-linux.sql

@@ -43,13 +43,14 @@ WHERE
   AND NOT parent_path IN (
     '/opt/google/chrome/chrome',
     '/usr/bin/alacritty',
+    '/usr/bin/doas',
     '/usr/bin/dockerd',
     '/usr/bin/fusermount3',
-    '/usr/bin/osqueryd',
-    '/usr/bin/yay',
-    '/usr/bin/sudo',
-    '/usr/bin/doas',
     '/usr/bin/gnome-shell',
+    '/usr/bin/osqueryd',
+    '/usr/bin/sudo',
+    '/usr/bin/yay',
+    '/usr/libexec/gnome-terminal-server',
     '/usr/lib/systemd/systemd'
   ) -- long-running launchers
   AND NOT parent_name IN (

detection/execution/exotic-command-events-macos.sql

@@ -157,7 +157,11 @@ WHERE pe.time > (strftime('%s', 'now') -30)
   )
   AND NOT (
     p0_cmd IN (
+      '/bin/launchctl bootout gui/501 /Library/LaunchAgents/com.logi.optionsplus.plist',
+      '/bin/launchctl bootout system/com.docker.socket',
+      '/bin/launchctl load /Library/LaunchDaemons/com.logi.optionsplus.updater.plist',
       '/bin/launchctl load -wF /Library/LaunchAgents/com.adobe.GC.AGM.plist',
+      '/bin/launchctl load -w /Library/LaunchDaemons/com.docker.socket.plist',
       '/bin/rm -f /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
       'git history',
       'launchctl asuser 501 launchctl load /System/Library/LaunchAgents/com.apple.SafariBookmarksSyncAgent.plist',

detection/execution/exotic-commands.sql

@@ -119,4 +119,5 @@ WHERE
   )
   AND NOT cmd IN (
     'socat UNIX-LISTEN:/run/user/1000/app/com.discordapp.Discord/discord-ipc-0,forever,fork UNIX-CONNECT:/run/user/1000/discord-ipc-0'
-  )
+  )
+   AND NOT p.name IN ('cc1', 'compile', 'cmake', 'cc1plus')

detection/exfil/high_disk_bytes_read.sql

@@ -83,6 +83,7 @@ WHERE
     'thunderbird',
     'vim',
     'wineserver',
+    'yay',
     'ykman-gui',
     'zsh'
   )

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -45,6 +45,9 @@ WHERE
     'arc.net',
     'balena.io',
     'balsamiq.com',
+    'techsmith.com',
+    'cron.com',
+    'macbartender.com',
     'brave.com',
     'canon.co.uk',
     'cdn.mozilla.net',

detection/initial_access/unexpected-shell-parent-events.sql

@@ -58,6 +58,7 @@ WHERE
     p1_name IN (
       'abrt-handle-eve',
       'alacritty',
+      'at-spi-bus-launcher',
       'bash',
       'build-script-build',
       'chainctl',
@@ -77,22 +78,26 @@ WHERE
       'doas',
       'docker-credential-desktop',
       'docker-credential-gcr',
+      'Docker Desktop',
+      'Emacs-arm64-11',
       'env',
       'erl_child_setup',
       'find',
       'FinderSyncExtension',
       'fish',
       'gatherheaderdoc',
+      'gdm3',
       'gdm-session-worker',
       'gdm-x-session',
       'git',
       'gke-gcloud-auth-plugin',
+      'gnome-session-binary',
+      'gnome-shell',
       'gnome-terminal-server',
       'go',
       'goland',
       'gopls',
       'helm',
-      'Docker Desktop',
       'HP Diagnose & Fix',
       'i3bar',
       'i3blocks',
@@ -101,7 +106,6 @@ WHERE
       'ko',
       'kubectl',
       'lightdm',
-      'Xorg',
       'local-path-provisioner',
       'login',
       'make',
@@ -133,6 +137,7 @@ WHERE
       'systemd',
       'systemd-sleep',
       'terminator',
+      'terraform-ls',
       'test2json',
       'tmux',
       'tmux:server',
@@ -145,8 +150,10 @@ WHERE
       'xargs',
       'xcrun',
       'xfce4-terminal',
+      'Xorg',
       'yay',
       'yum',
+      'zed'','
       'zellij',
       'zsh'
     )
@@ -156,12 +163,14 @@ WHERE
     OR p2_name IN ('env', 'git')
     -- Homebrew, except we don't want to allow all of ruby
     OR p0_cmd IN (
-      'sh -c /bin/stty size 2>/dev/null',
-      'sh -c python3.7 --version 2>&1',
+      '/bin/bash /usr/bin/xdg-settings set default-url-scheme-handler slack Slack.desktop',
       '/bin/sh -c lsb_release -a --short',
-      '/bin/zsh -c ls',
       '/bin/sh -c ps ax -ww -o pid,ppid,uid,gid,args',
+      '/bin/sh /usr/bin/lsb_release -a --short',
+      '/bin/zsh -c ls',
+      'sh -c /bin/stty size 2>/dev/null',
       "sh -c osascript -e 'user locale of (get system info)'",
+      'sh -c python3.7 --version 2>&1',
       'sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null'
     )
     OR (
@@ -175,20 +184,33 @@ WHERE
     )
     OR (
       p1_cmd LIKE '%Python% /opt/homebrew/bin/jupyter%'
-      AND p0_cmd =  '/bin/sh -c osascript'
+      AND p0_cmd = '/bin/sh -c osascript'
+    )
+    OR (
+      p1_name = 'osqueryd'
+      AND p0_cmd LIKE '/bin/sh /etc/NetworkManager/dispatcher.d/%'
+    )
+    OR (
+      p1_name = 'ssh'
+      AND p0_cmd LIKE 'gcloud.py compute start-iap-tunnel%'
+    )
+
+    OR exception_key IN (
+      'bash,0,pia-daemon,launchd',
+      'zsh,500,python3.10,gnome-shell'
     )
-    OR exception_key IN ('bash,0,pia-daemon,launchd')
     OR p0_cmd LIKE '%/bash -e%/bin/as -arch%'
     OR p0_cmd LIKE '/bin/bash /usr/local/Homebrew/%'
     OR p0_cmd LIKE '/bin/bash /opt/homebrew/%'
     OR p0_cmd LIKE '/bin/sh -c pkg-config %'
     OR p0_cmd LIKE '/bin/sh %/docker-credential-gcloud get'
-    OR p0_cmd LIKE '%/google-chrome --flag-switches-begin % --product-version'
+    OR p0_cmd LIKE '%/google-chrome% --flag-switches-begin % --product-version'
     OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-open %'
     OR p0_cmd LIKE '/bin/bash /usr/bin/xdg-settings check %'
     OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings set %'
     OR p0_cmd LIKE '/bin/sh /usr/bin/xdg-settings check %'
     OR p0_cmd LIKE '%gcloud config config-helper --format=json'
+    OR p0_cmd LIKE '%gcloud config get-value%'
     OR p1_cmd LIKE '%Python /opt/homebrew/bin/aws configure sso'
     OR p2_cmd LIKE '/bin/bash /usr/local/bin/brew%'
     OR p2_cmd LIKE '/usr/bin/python3 -m py_compile %'

detection/persistence/unexpected-active-systemd-units.sql

@@ -45,8 +45,8 @@ WHERE
     )
     AND (
       exception_key IN (
-        'abrtd.service,ABRT Automated Bug Reporting Tool,,400',
-        'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,400',
+
+       'abrtd.service,ABRT Automated Bug Reporting Tool,,400',
         'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,,200',
         'abrt-oops.service,ABRT kernel log watcher,,200',
         'abrt-xorg.service,ABRT Xorg log watcher,,200',
@@ -226,6 +226,7 @@ WHERE
         'nscd.service,Name Service Cache Daemon,nscd,1800',
         'nss-lookup.target,Host and Network Name Lookups,,500',
         'nss-user-lookup.target,User and Group Name Lookups,,500',
+        'nvidia-fallback.service,Fallback to nouveau as nvidia did not load,,400',
         'nvidia-persistenced.service,NVIDIA Persistence Daemon,,300',
         'nvidia-powerd.service,nvidia-powerd service,,100',
         'openvpn.service,OpenVPN service,,200',
@@ -389,6 +390,7 @@ WHERE
         'user.slice,User and Session Slice,,400',
         'uuidd.socket,UUID daemon activation socket,,100',
         'vboxautostart-service.service,vboxautostart-service.service,,400',
+        'vboxballoonctrl-service.service,vboxballoonctrl-service.service,,500',
         'vboxdrv.service,VirtualBox Linux kernel module,,400',
         'vboxweb-service.service,vboxweb-service.service,,500',
         'veritysetup.target,Local Verity Protected Volumes,,400',
@@ -434,7 +436,7 @@ WHERE
         'znapzend.service,ZnapZend - ZFS Backup System,root,1700',
         'zpool-trim.service,ZFS pools trim,,1200',
         'zpool-trim.timer,zpool-trim.timer,,0'
-      )
+     )
       OR exception_key LIKE 'machine-qemu%,Virtual Machine qemu%,,300'
       OR exception_key LIKE 'dbus-:1.%-org.freedesktop.problems@%.service,dbus-:%.%-org.freedesktop.problems@%.service,0,200'
       OR exception_key LIKE 'run-media-%.mount,run-media-%.mount,,0'

detection/persistence/unexpected-chrome-extensions.sql

@@ -72,6 +72,7 @@ WHERE
     'true,,Bardeen - automate manual work,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
     'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga',
     'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
+    'true,,Bionic Reading,kdfkejelgkdjgfoolngegkhkiecmlflj',
     'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
     'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo',
     'true,CAD Team,Cookie AutoDelete,fhcgjolkccmbidfldomjliifgaodjagh',
@@ -95,6 +96,7 @@ WHERE
     "true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
     'true,,Datanyze Chrome Extension,mlholfadgbpidekmhdibonbjhdmpmafd',
     'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo',
+    'true,,Disconnect,jeoacafpbcihiomhlakheieifhpjdfeo',
     'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg',
     'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg',
     'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
@@ -128,6 +130,7 @@ WHERE
     'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo',
     'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd',
     'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn',
+    'true,,Link to Text Fragment,pbcodcjpfjdpcineamnnmbkkmkdpajjg',
     'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo',
     'true,,Loom – Free Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
     'true,,Loom – Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
@@ -164,8 +167,10 @@ WHERE
     'true,,Save to Pocket,niloccemoadcdkdjlinkgdfekeahmflj',
     'true,,Secure Shell,iodihamcpbpeioajjeobimgagajmlibd',
     'true,,Selenium IDE,mooikfkahbdckldjjndioackbalphokd',
+    'true,,Send from Gmail (by Google),pgphcomnlaojlmmcjmiddhdapjpbgeoc',
     'true,,Send to Kindle for Google Chrome™,cgdjpilhipecahhcilnafpblkieebhea',
     'true,,Session Buddy,edacconmaakjimmfgnblocblbcdcpbko',
+    'true,,Shodan,jjalcfnidlmpjhdfepjhjbhnhkbgleap',
     'true,,Simple Tab Sorter,cgfpgnepljlgenjclbekbjdlgcodfmjp',
     'true,,Slack,jeogkiiogjbmhklcnbgkdcjoioegiknm',
     'true,,SSH for Google Cloud Platform,ojilllmhjhibplnppnamldakhpmdnibd',