fpr: microbit, i3, Grammarly for Safari, wine

detection/c2/unexpected-https-linux.sql

@@ -258,6 +258,7 @@ WHERE
     '500,todoist,0u,0g,todoist',
     '500,trivy,0u,0g,trivy',
     '500,trivy,500u,500g,trivy',
+    '500,wine64-preloader,500u,500g,Root.exe',
     '500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
     '500,wget,0u,0g,wget',
     '500,wolfictl,500u,500g,wolfictl',
@@ -278,12 +279,7 @@ WHERE
     p.path = '/usr/bin/mage'
     AND p.cmdline LIKE '/home/%/.magefile/%'
   )
-  AND NOT (
-    pp.cmdline = '/run/current-system/sw/bin/bash'
-    AND p.path LIKE '/nix/store/%'
-    AND s.remote_address LIKE '151.101.%'
-    AND s.state = 'ESTABLISHED'
-  )
+  AND NOT p.path LIKE '/nix/store/%/bin/%'
   AND NOT (
     exception_key LIKE '500,%,500u,500g,%'
     AND p.path LIKE '/tmp/go-build%/exe/%'

detection/c2/unexpected-https-macos.sql

@@ -33,7 +33,7 @@ SELECT
     MIN(f.uid, 500),
     'u,',
     MIN(f.gid, 500),
-    'g,'
+    'g'
   ) AS alt_exception_key,
   -- Child
   p0.pid AS p0_pid,
@@ -106,33 +106,43 @@ WHERE
     AND s.authority = 'Software Signing'
   )
   AND NOT exception_key IN (
-    '500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
     '500,bash,bash,,bash',
-    '500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
-    '500,op,op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C),com.1password.op',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
-    '500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
-    '500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
     '500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
+    '500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
+    '500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
     '500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642),Ecamm Live Stream Deck Plugin',
+    '500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
     '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
-    '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
+    '500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
     '500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
     '500,melange,melange,,a.out',
-    '500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
-    '500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
+    '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
     '500,old,old,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN),dev.warp.Warp-Stable',
+    '500,op,op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C),com.1password.op',
+    '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
     '500,Reflect Helper,Reflect Helper,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
+    '500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
+    '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
     '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
     '500,syncthing,syncthing,,syncthing',
+    '500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
     '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),TwitchStudioStreamDeck',
     '500,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos'
   )
-  AND NOT alt_exception_key LIKE '500,terraform-provider-google-%,terraform-provider-google-%,500u,20g,'
+  AND NOT alt_exception_key IN (
+    '500,cpu,cpu,500u,20g',
+    '500,sdaudioswitch,sdaudioswitch,500u,20g',
+    '500,sdzoomplugin,sdzoomplugin,500u,20g'
+  )
+  AND NOT alt_exception_key LIKE '500,terraform-provider-google-%,terraform-provider-google-%,500u,20g'
   AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
   AND NOT (
     exception_key = '500,Python,Python,,org.python.python'
-    AND p0_cmd LIKE '%/gcloud.py%'
+    AND (
+      p0_cmd LIKE '%/gcloud.py%'
+      OR p0_cmd LIKE '%pip install%'
+    )
   )
   -- theScore and other iPhone apps
   AND NOT (

detection/c2/unexpected-talkers-macos.sql

@@ -112,8 +112,8 @@ WHERE pos.protocol > 0
     AND s.authority = 'Software Signing'
   )
   AND NOT exception_key IN (
+    "500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos",
     '500,17,8801,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos',
-    '500,6,22067,syncthing,syncthing,,syncthing',
     '500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
     '500,6,22,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
     '500,6,32000,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
@@ -123,14 +123,14 @@ WHERE pos.protocol > 0
     '500,6,8009,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
     '500,6,80,Arc Helper,Arc Helper,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
     '500,6,80,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
-    '500,6,80,Code - Insiders Helper (Plugin),Code - Insiders Helper (Plugin),Developer ID Application: Microsoft Corporation',
-    '500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
     '500,6,80,Code - Insiders Helper (Plugin),Code - Insiders Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
+    '500,6,80,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
     '500,6,80,Creative Cloud UI Helper,Creative Cloud UI Helper,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.HEXHelper',
     '500,6,80,firefox,firefox,Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
     '500,6,80,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
     '500,6,80,Jabra Direct,Jabra Direct,Developer ID Application: GN Audio AS (55LV32M29R),com.jabra.directonline',
     '500,6,80,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
+    '500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
     '500,6,80,Snagit 2023,Snagit 2023,Developer ID Application: TechSmith Corporation (7TQL462TU8),com.TechSmith.Snagit2023',
     '500,6,80,SnagitHelper2020,SnagitHelper2020,Apple Mac OS Application Signing,com.techsmith.snagit.capturehelper2020',
     '500,6,80,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
@@ -140,9 +140,14 @@ WHERE pos.protocol > 0
   ) -- Useful for unsigned binaries
   AND NOT alt_exception_key IN (
     '500,6,22,ssh,ssh,500u,20g',
+    '500,6,80,copilot-agent-macos-arm64,copilot-agent-macos-arm64,500u,20g',
     '500,6,22,ssh,ssh,500u,80g',
     '500,6,3307,cloud-sql-proxy,cloud-sql-proxy,500u,20g'
   )
+  AND NOT (
+    exception_key LIKE '500,6,%,syncthing,syncthing,,syncthing'
+    AND remote_port > 1024
+  )
   AND NOT (
     alt_exception_key = '500,6,80,main,main,500u,20g'
     AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'

detection/credentials/unexpected-dev-opener-linux.sql

@@ -143,6 +143,7 @@ WHERE
     '/dev/shm,gopls',
     '/dev/shm,hl2_linux',
     '/dev/shm,java',
+    '/dev/shm,Tabletop Simulator.x86_64',
     '/dev/shm,jcef_helper',
     '/dev/shm,Melvor Idle',
     '/dev/shm,reaper',

detection/evasion/old-binaries-running.sql

@@ -54,6 +54,7 @@ WHERE
     '/snap/brackets/138/opt/brackets/Brackets-node',
     '/usr/bin/i3blocks',
     '/usr/bin/sshfs',
+    '/usr/bin/xclip',
     '/usr/bin/xss-lock',
     '/usr/local/bin/dive'
   )

detection/execution/recently-created-executables-linux.sql

@@ -180,7 +180,7 @@ WHERE
   AND NOT p0.path LIKE '/home/%/.local/share/JetBrains/Toolbox/apps/%'
   AND NOT p0.path LIKE '/home/%/.local/share/nvim/mason/packages/%'
   AND NOT p0.path LIKE '/home/%/.cache/JetBrains/%/GoLand/___%'
-  AND NOT p0.path LIKE '/home/%/.local/share/Steam/ubuntu12_64/%'
+  AND NOT p0.path LIKE '/home/%/.local/share/Steam/ubuntu%'
   AND NOT p0.path LIKE '/home/%/.rustup/toolchains/%/libexec/%'
   AND NOT p0.path LIKE '/home/%/jbr/lib/jcef_helper'
   AND NOT p0.path LIKE '/home/%/jbr/bin/java'

detection/execution/unexpected-execdir-events-macos.sql

@@ -134,6 +134,7 @@ WHERE
     '~/Library/Caches/com.knollsoft.Rectangle',
     '~/Library/Caches/com.mimestream.Mimestream',
     '~/Library/Caches/JetBrains',
+    '~/.wdm/drivers/chromedriver',
     '~/Library/Caches/snyk',
     '/Library/Developer/CommandLineTools',
     '~/Library/Developer/Xcode',

detection/execution/unexpected-security-framework-program-macos.sql

@@ -98,6 +98,7 @@ WHERE
     '500,gitsign,a.out,',
     '500,debug.test,a.out,',
     '500,dive,a.out,',
+    '500,Grammarly for Safari,com.grammarly.safari.extension,Apple Mac OS Application Signing',
     '500,bash,bash,',
     '500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
     '500,dlv,a.out,',

detection/persistence/unexpected-device.sql

@@ -172,6 +172,7 @@ WHERE
     '/dev/shm/libpod_rootless_lock_',
     '/dev/shm/pulse-shm-',
     '/dev/shm/aomshm.b.',
+    '/dev/shm/i-log-',
     '/dev/snapshot',
     '/dev/snd/',
     '/dev/snd/by-id',

detection/persistence/unexpected-small-udev-entry-linux.sql

@@ -38,6 +38,7 @@ WHERE
     '/usr/lib/udev/rules.d/60-rfkill.rules',
     '/usr/lib/udev/rules.d/61-accelerometer.rules',
     '/usr/lib/udev/rules.d/61-mutter.rules',
+    '/usr/lib/udev/rules.d/90-usb-microbit.rules',
     '/usr/lib/udev/rules.d/66-saned.rules',
     '/usr/lib/udev/rules.d/70-hypervfcopy.rules',
     '/usr/lib/udev/rules.d/70-hypervkvp.rules',

detection/privesc/unexpected-elevated-children-events_macos.sql

@@ -16,6 +16,7 @@ SELECT -- Child
   TRIM(pe.cmdline) AS p0_cmd,
   pe.cwd AS p0_cwd,
   pe.pid AS p0_pid,
+  pe.uid AS p0_uid,
   pe.euid AS p0_euid,
   s.authority AS p0_authority,
   -- Parent

policy/gcp-service-account-keys.sql

@@ -43,5 +43,8 @@ WHERE
     filename,
     REPLACE(LOWER(TRIM(description)), " ", "-")
   ) == 1
-  -- Demo key
-  AND NOT hash.sha256 = "c7d6bac8e942511e25973889ac38656d4d46f68044650d694721017fda23716e"
+  -- Demo keys
+  AND NOT hash.sha256 IN (
+    "c7d6bac8e942511e25973889ac38656d4d46f68044650d694721017fda23716e",
+    "bd5f4c01ebb5636b94584ee4ae42514b27d371859f7344f6aa5a37332ee714ba"
+  )