From 485f69a61cd0cde2c18823cb8f6068acb5c5dc5e Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Thu, 13 Jul 2023 19:43:35 -0400
Subject: [PATCH] fpr: Revolt, Bearly, user executables, melange
---
 detection/c2/unexpected-talkers-macos.sql | 1 +
 detection/evasion/hidden-executable.sql | 1 +
 .../evasion/hidden-home-libappsupport.sql | 3 +-
 .../evasion/touched-executable-linux.sql | 2 +-
 .../unexpected-alf-exceptions-macos.sql | 13 +++-
 .../unexpected-process-extension-linux.sql | 2 +
 .../unexpected-tmp-executables-macos.sql | 5 +-
 .../unexpected-user-executables-macos.sql | 61 ++++++++++++++-----
 .../unexpected-execdir-events-macos.sql | 2 +
 .../execution/unexpected-sysutils-macos.sql | 1 +
 .../unexpected-diskimage-source-macos.sql | 1 +
 .../minimal-socket-client-macos.sql | 11 ++--
 12 files changed, 77 insertions(+), 26 deletions(-)
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 24d3dee..8c48f52 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -132,6 +132,7 @@ WHERE
 '500,6,4318,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
 '500,6,5091,ZoomPhone,ZoomPhone,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.ZoomPhone',
 '500,6,5222,Telegram,Telegram,Apple Mac OS Application Signing,ru.keepcoder.Telegram',
+ '500,6,5053,bridge,bridge,Developer ID Application: Proton Technologies AG (6UN54H93QT),bridge',
 '500,6,5223,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
 '500,6,5228,Clay,Clay,Developer ID Application: Clay Software, Inc. (C68GA48KN3),com.clay.mac',
 '500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
diff --git a/detection/evasion/hidden-executable.sql b/detection/evasion/hidden-executable.sql
index a5f1379..7b3585b 100644 
--- a/detection/evasion/hidden-executable.sql
+++ b/detection/evasion/hidden-executable.sql
@@ -47,6 +47,7 @@ WHERE
 AND NOT f.directory LIKE '%/.bin'
 AND NOT f.directory LIKE '%/.bin-unwrapped'
 AND NOT f.directory LIKE '%/.cargo/bin'
+ AND NOT f.directory LIKE '%/.fig/bin'
 AND NOT f.directory LIKE '%/.config/nvm/%/bin'
 AND NOT f.directory LIKE '%/.provisio/bin/%'
 AND NOT f.directory LIKE '%/.local/%'
diff --git a/detection/evasion/hidden-home-libappsupport.sql b/detection/evasion/hidden-home-libappsupport.sql
index de02557..c8b1d4a 100644
--- a/detection/evasion/hidden-home-libappsupport.sql
+++ b/detection/evasion/hidden-home-libappsupport.sql
@@ -48,6 +48,8 @@ WHERE
 '~/Library/Application Support/1Password',
 '~/Library/Application Support/Adobe',
 '~/Library/Application Support/Beeper',
+ '~/Library/Application Support/CleanMyMac X',
+ '~/Library/Application Support/CleanMyMac X Menu',
 '~/Library/Application Support/Code',
 '~/Library/Application Support/com.apple.spotlight',
 '~/Library/Application Support/com.bohemiancoding.sketch3',
@@ -60,7 +62,6 @@ WHERE
 '~/Library/Application Support/DropboxElectron',
 '~/Library/Application Support/GitHub Desktop',
 '~/Library/Application Support/Jabra Direct',
- '~/Library/Application Support/CleanMyMac X Menu',
 '~/Library/Application Support/Keybase',
 '~/Library/Application Support/Lens',
 '~/Library/Application Support/lghub',
diff --git a/detection/evasion/touched-executable-linux.sql b/detection/evasion/touched-executable-linux.sql
index e6ee840..640c494 100644
--- a/detection/evasion/touched-executable-linux.sql
+++ b/detection/evasion/touched-executable-linux.sql
@@ -36,7 +36,7 @@ WHERE
 )
 AND f.path NOT LIKE '/home/%'
 AND f.path NOT LIKE '/snap/%'
- AND f.path NOT LIKE '/tmp/go-build%/exe/%'
+ AND f.path NOT LIKE '/tmp/%go-build%/exe/%'
 AND f.path NOT LIKE '/usr/local/bin/%'
 AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
 AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%' 
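Review bot: The widened pattern `'/tmp/%go-build%/exe/%'` in the touched-executable-linux hunk no longer requires `go-build` to begin a path component, so any /tmp path that merely contains the substring go-build followed somewhere by `/exe/` is now exempt from the check, which is a wider carve-out than Go's own build cache. If the intent is to also cover a per-user temp directory nested one level below /tmp, keeping the original line and adding `AND f.path NOT LIKE '/tmp/%/go-build%/exe/%'` covers both layouts without matching arbitrary directory names. The enclosing WHERE starts and ends outside the hunk.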
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
index 0c8a708..518d02d 100644
--- a/detection/evasion/unexpected-alf-exceptions-macos.sql
+++ b/detection/evasion/unexpected-alf-exceptions-macos.sql
@@ -49,8 +49,10 @@ WHERE
 AND file.filename NOT NULL
 AND exception_key NOT IN (
 ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
+ ',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
 'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
 'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
+ 'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
 'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
 'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
 ',,/Applications/Google%20Chrome.app/,',
@@ -58,6 +60,7 @@ WHERE
 ',,/Applications/ProtonMail%20Bridge.app/,',
 ',,/Applications/Visual%20Studio%20Code.app/,',
 ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
+ 'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501',
 'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
 'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
 'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0', 
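Review bot: The go `trace` exception moved into the first alf-exceptions hunk pins `/opt/homebrew/Cellar/go/1.20.4/…`, so it stops matching on the next Homebrew Go upgrade and the list gains one entry per version (the `dnsmasq/2.88` and `python@3.10/3.10.9` context entries have the same problem). The file already has a version-independent form for store paths, `AND NOT (signature.identifier = '…' AND ae.path LIKE '…')`, used for the syncthing clause further down; if the key's second field is `signature.identifier`, `signature.identifier = 'a.out' AND ae.path LIKE '/opt/homebrew/Cellar/go/%/libexec/pkg/tool/darwin_arm64/trace'` would replace the pinned entry. The `exception_key NOT IN` list opens in this hunk and closes outside it.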
@@ -66,7 +69,6 @@ WHERE
 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
 'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
- 'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
 'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
 'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
 'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
@@ -75,7 +77,6 @@ WHERE
 'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
 'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
 ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
- ',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
 ',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
 ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
 ',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
@@ -116,6 +117,10 @@ WHERE
 signature.identifier = 'syncthing'
 AND ae.path LIKE '/nix/store/%-syncthing-%/bin/syncthing'
 )
+ AND NOT (
+ signature.identifier = 'nix'
+ AND ae.path LIKE '/nix/store/%-nix-%/bin/nix'
+ )
 AND NOT (
 ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
 ) 
@@ -135,6 +140,10 @@ WHERE
 OR file.directory LIKE '/Users/%/bin'
 OR file.directory LIKE '/Users/%/code/%'
 OR file.directory LIKE '/Users/%/src/%'
+ OR file.directory LIKE '/Users/%/gh/%'
+ OR file.directory LIKE '/Users/%/debug/%'
+ OR file.directory LIKE '/Users/%/target/%'
+ OR file.directory LIKE '/Users/%/tmp/%'
 OR file.directory LIKE '/Users/%/sigstore/%'
 OR file.directory LIKE '/Users/%/node_modules/.bin/%'
 OR file.directory LIKE '/Users/%/git/%'
diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql
index e9d38ec..aefc2d7 100644
--- a/detection/evasion/unexpected-process-extension-linux.sql
+++ b/detection/evasion/unexpected-process-extension-linux.sql
@@ -49,7 +49,9 @@ WHERE
 AND extension NOT IN (
 '1',
 '2',
+ 'basic',
 'real',
+ 'AppImage',
 'ext'
 )
 AND NOT basename LIKE 'python3.%'
diff --git a/detection/evasion/unexpected-tmp-executables-macos.sql b/detection/evasion/unexpected-tmp-executables-macos.sql
index dcf7cdb..1fbb7f0 100644
--- a/detection/evasion/unexpected-tmp-executables-macos.sql
+++ b/detection/evasion/unexpected-tmp-executables-macos.sql
@@ -92,7 +92,10 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 'goreleaser'
 )
 )
- ) -- Nix
+ )
+ -- Melange
+ AND NOT file.directory LIKE '/tmp/melange-guest-%'
+ -- Nix
 AND NOT (
 file.directory LIKE '/tmp/tmp%'
 AND gid = 0
diff --git a/detection/evasion/unexpected-user-executables-macos.sql b/detection/evasion/unexpected-user-executables-macos.sql
index 3625cdd..5822c1b 100644
--- a/detection/evasion/unexpected-user-executables-macos.sql
+++ b/detection/evasion/unexpected-user-executables-macos.sql 
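Review bot: The new `'/Users/%/tmp/%'`, `'/Users/%/debug/%'` and `'/Users/%/target/%'` directory exclusions in the alf-exceptions hunk match those names at any depth under any home directory, so firewall exceptions for binaries in any user-owned `tmp` or `debug` folder are now silent, which is a much broader carve-out than the `bin`, `code` and `src` siblings. If these exist for local build output (a Cargo `target/`, a `debug/` build tree), a one-line comment naming the tooling, e.g. `-- local build trees and scratch dirs; depth-unbounded on purpose`, would let the next reviewer judge whether the unbounded `%` is needed or whether anchoring under `code/` or `src/` would do. The enclosing OR group begins outside the hunk.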
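Review bot: `AND NOT file.directory LIKE '/tmp/melange-guest-%'` in the unexpected-tmp-executables hunk exempts everything under any `/tmp/melange-guest-*` directory on the path prefix alone, whereas the Nix exclusion directly below it additionally requires `gid = 0` (its remaining conditions are outside the hunk). Because /tmp is writable by every local user, a prefix-only exclusion is the weakest form in this block; wrapping it in the same shape as the Nix case, `AND NOT (file.directory LIKE '/tmp/melange-guest-%' AND gid = <expected build gid>)`, would tie the carve-out to the owner the melange build actually runs as. Splitting the old trailing `) -- Nix` into `-- Melange` and `-- Nix` headers above their blocks is a readability improvement.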
@@ -80,23 +80,24 @@ WHERE -- Prevent weird recursion AND NOT path LIKE '%/../%' AND NOT path LIKE '%/./%' -- Exclude very temporary files - AND NOT directory LIKE '/Users/%/Library/Mobile Documents/com~apple~shoebox/%' - AND NOT directory LIKE '/Users/%/Library/Containers/%' - AND NOT directory LIKE '/Users/%/.Trash/' - AND NOT directory LIKE '/Users/%/.go/bin/' AND NOT directory LIKE '/Users/%/.bin/' - AND NOT directory LIKE '/Users/%/.local/bin/' AND NOT directory LIKE '/Users/%/.cargo/bin/' - AND NOT directory LIKE '/Users/%/.vim/backup/' + AND NOT directory LIKE '/Users/%/.go/bin/' + AND NOT directory LIKE '/Users/%/Library/Application Support/AutoFirma/certutil/' + AND NOT directory LIKE '/Users/%/Library/Caches/chainctl/' + AND NOT directory LIKE '/Users/%/Library/Containers/%' AND NOT directory LIKE '/Users/%/Library/Daemon Containers/%' + AND NOT directory LIKE '/Users/%/Library/Mobile Documents/com~apple~shoebox/%' + AND NOT directory LIKE '/Users/%/.local/bin/' + AND NOT directory LIKE '/Users/%/.minikube/bin/' AND NOT directory LIKE '/Users/Shared/LGHUB/depots/%' AND NOT directory LIKE '/Users/Shared/LogiOptionsPlus/depots/%' - AND NOT directory LIKE '/Users/%/Library/Application Support/AutoFirma/certutil' - AND NOT directory LIKE '/Users/%/Library/Caches/chainctl' + AND NOT directory LIKE '/Users/%/.Trash/%' + AND NOT directory LIKE '/Users/%/.vim/backup/' AND NOT directory IN ( - '/Users/Shared/LogiOptionsPlus/cache', - '/Users/Shared/logitune', - '/Users/Shared/Red Giant/Uninstall' + '/Users/Shared/LogiOptionsPlus/cache/', + '/Users/Shared/logitune/', + '/Users/Shared/Red Giant/Uninstall/' ) AND NOT (strftime('%s', 'now') - ctime) < 60 -- Only executable files ) 
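Review bot: `'/Users/%/.Trash/%'` replaces `'/Users/%/.Trash/'` and so now matches executables at any depth below a user's Trash, while the neighbouring `.bin/`, `.cargo/bin/` and `.go/bin/` patterns still match only the exact directory. If the widening is deliberate (trashed app bundles keep their nested `Contents/MacOS/` directories), a short comment such as `-- .Trash/%: deleted bundles keep nested executables` would stop it being tightened back by mistake; if it is not, the trailing `%` should be dropped. The trailing slashes added to `certutil/`, `chainctl/` and the `directory IN` entries suggest `directory` values end in `/` here, so those fixes look consistent with the rest of the block. The enclosing WHERE starts outside the hunk.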
@@ -113,6 +114,39 @@ WHERE
 magic.data IS NOT NULL
 AND magic.data LIKE "0420 Alliant virtual executable%"
 )
+ AND NOT homedir LIKE '~/%/bin'
+ AND NOT homedir LIKE '~/%/shims'
+ AND NOT homedir LIKE '~/%/plugins'
+ AND NOT homedir IN (
+ '~/.bin',
+ '~/.fzf',
+ '~/.fzf/bin',
+ '~/.venv/bin',
+ '~/.fig/bin',
+ '~/.zed/gopls',
+ '~/.config/kn',
+ '~/.asdf/shims',
+ '~/.amplify/bin',
+ '~/.emacs.d/backups',
+ '~/.rbenv/shims',
+ '~/.config/nvim.bak',
+ '~/.bazel/bin',
+ '~/.pulumi-dev/bin',
+ '~/.gvm/bin',
+ '~/.emacs.d.bak/bin',
+ '~/.docker/cli-plugins',
+ '~/.zsh_snap/zsh-autocomplete',
+ '~/.cache/gitstatus',
+ '~/.wrangler/bin',
+ '~/.provisio',
+ '~/.pyenv/shims',
+ '~/Library/ApplicationSupport/iTerm2',
+ '~/.kn/plugins',
+ '~/.kuberlr/darwin-amd64',
+ '/Users/Shared/logitune',
+ '~/.oh-my-zsh/tools',
+ '~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS'
+ )
 AND NOT top2_homedir IN (
 '~/Library/Application Support',
 '/Users/Shared/LGHUB/cache',
@@ -132,10 +166,5 @@ WHERE
 '~/.magefile',
 '~/.nvm'
 )
- AND NOT homedir IN (
- '~/.bin',
- '~/.fzf',
- '~/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS'
- )
 GROUP BY
 f.path
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
index 44ab4f4..e24381a 100644
--- a/detection/execution/unexpected-execdir-events-macos.sql
+++ b/detection/execution/unexpected-execdir-events-macos.sql
@@ -223,6 +223,7 @@ WHERE
 '/opt/X11/libexec',
 '~/projects/go/bin',
 '/run/current-system/sw/bin',
+ '/tmp/bin',
 '/sbin',
 '/usr/bin',
 '/usr/lib',
@@ -270,6 +271,7 @@ WHERE
 AND dir NOT LIKE '/opt/%/bin'
 AND dir NOT LIKE '/private/tmp/%.app/Contents/MacOS'
 AND dir NOT LIKE '/private/tmp/go-build%/exe'
+ AND dir NOT LIKE '%/go/bin'
 AND dir NOT LIKE '/private/tmp/KSInstallAction.%/Install Google Software Update.app/Contents/Helpers'
 AND dir NOT LIKE '/private/tmp/nix-build-%'
 AND dir NOT LIKE '/private/var/folders/%/T/cargo-install%' 
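Review bot: `AND NOT homedir LIKE '~/%/bin'` in the unexpected-user-executables hunk exempts any directory named `bin` at any depth under a home directory, which is far broader than the dot-directory entries it accompanies and makes most of the `~/.*/bin` members of the new `homedir IN` list redundant. Every `bin`, `shims` and `plugins` entry in that list lives under a dot-directory, so `'~/.%/bin'`, `'~/.%/shims'` and `'~/.%/plugins'` would cover the same set while still reporting executables in, for example, a `bin` folder under `~/Downloads`. `'~/Library/ApplicationSupport/iTerm2'` is missing the space that `'~/Library/Application Support'` has in the `top2_homedir` list just below, so it probably never matches unless `homedir` is derived with spaces stripped (its definition is outside the hunk). The list is also unsorted, unlike the other lists in these files; sorting it would make entries such as `'/Users/Shared/logitune'`, which appears to duplicate the `'/Users/Shared/logitune/'` `directory IN` exclusion earlier in the same file, easier to spot.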
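Review bot: `AND dir NOT LIKE '%/go/bin'` in the second unexpected-execdir-events hunk matches a `go/bin` directory anywhere on the filesystem, including under /tmp or /private/var, and it sits between two `/private/tmp/…` patterns, so it reads like a tmp-specific rule when it is not. If the target is the per-user GOPATH, `'/Users/%/go/bin'` here, or a `'~/go/bin'` entry next to the existing `'~/projects/go/bin'` in the allow list, covers it without the global wildcard. In the first hunk `'/tmp/bin'` joins the allowed exec-dir list with no comment; since any local user can create that path, a one-line note naming the tool that populates it, e.g. `-- /tmp/bin: <tool that installs here>`, would help the next reviewer judge the exception.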
diff --git a/detection/execution/unexpected-sysutils-macos.sql b/detection/execution/unexpected-sysutils-macos.sql
index 23b533f..6f23a47 100644
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
@@ -107,6 +107,7 @@ WHERE
 )
 AND NOT exception_key IN (
 'system_profiler,500,Google Drive,launchd',
+ 'system_profiler,500,bash,launchd',
 'system_profiler,0,launcher,launchd'
 )
 AND NOT p0_cmd LIKE '/usr/libexec/security_authtrampoline /Library/Application Support/Adobe/Adobe Desktop Common/ElevationManager/Adobe Installer auth%'
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index c1bba41..f27e6a0 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
@@ -128,6 +128,7 @@ WHERE
 'presenting.app',
 'adoptium.net',
 'balsamiq.com',
+ 'bearly.ai',
 'brave.com',
 'cron.com',
 'discord.com',
diff --git a/detection/persistence/minimal-socket-client-macos.sql b/detection/persistence/minimal-socket-client-macos.sql
index 93a61ea..2421733 100644
--- a/detection/persistence/minimal-socket-client-macos.sql
+++ b/detection/persistence/minimal-socket-client-macos.sql 
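Review bot: The new key `'system_profiler,500,bash,launchd'` in the unexpected-sysutils hunk excuses system_profiler whenever its parent is any `bash` started by launchd for that uid, which covers every LaunchAgent shell script rather than one known tool. The adjacent `AND NOT p0_cmd LIKE '…'` line shows the file already has a way to pin an exception to a specific command line (p0_cmd appears to be the parent's command); a `NOT p0_cmd LIKE '<path to the script that calls system_profiler>%'` entry would keep this exception narrow. The enclosing WHERE continues outside the hunk.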
@@ -59,16 +59,17 @@ WHERE
 )
 AND pmm.path LIKE "%.dylib"
 AND exception_key NOT IN (
- '500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
+ '500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden',
 '500,J8RPQ294UB.com.skitch.SkitchHelper,/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
+ '500,Revolt,/Applications/Revolt.app/Contents/MacOS/Revolt',
+ '500,Revolt Helper,/Applications/Revolt.app/Contents/Frameworks/Revolt Helper.app/Contents/MacOS/Revolt Helper',
+ '500,Revolt Helper (GPU),/Applications/Revolt.app/Contents/Frameworks/Revolt Helper (GPU).app/Contents/MacOS/Revolt Helper (GPU)',
+ '500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
 '500,Slack Helper (GPU),/Applications/Slack.app/Contents/Frameworks/Slack Helper (GPU).app/Contents/MacOS/Slack Helper (GPU)',
 '500,Slack Helper (Renderer),/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS/Slack Helper (Renderer)',
 '500,Snagit 2020,/Applications/Snagit 2020.app/Contents/MacOS/Snagit 2020',
- '500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden',
- '500,Revolt Helper (GPU),/Applications/Revolt.app/Contents/Frameworks/Revolt Helper (GPU).app/Contents/MacOS/Revolt Helper (GPU)',
- '500,Revolt,/Applications/Revolt.app/Contents/MacOS/Revolt',
- '500,Steam Helper,/Users/kaniini/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper',
 '500,SnagitHelper2020,/Applications/Snagit 2020.app/Contents/Library/LoginItems/SnagitHelper2020.app/Contents/MacOS/SnagitHelper2020',
+ '500,Steam Helper,/Users/kaniini/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper',
 '500,Todoist,/Applications/Todoist.app/Contents/MacOS/Todoist',
 '500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper 
(GPU).app/Contents/MacOS/WhatsApp Helper (GPU)'
 )
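Review bot: `'500,Steam Helper,/Users/kaniini/Library/Application Support/Steam/…'` keys the exception on one specific user's home directory, so it only matches on that machine and Steam on any other account still fires, while every other entry in the list uses an `/Applications/…` path. Because `exception_key NOT IN` cannot take a wildcard, the portable form is a separate clause outside the list, `AND NOT exception_key LIKE '500,Steam Helper,/Users/%/Library/Application Support/Steam/%'`. This line is only reordered by the commit, but it is on the new side of the hunk, and the enclosing WHERE continues outside it.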