From 785b7c2bdedcf2b798dfebc8ea351ac4aace680e Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Mon, 8 May 2023 12:19:19 -0400
Subject: [PATCH] fpr: LogiTune, EndeavourOS, less

---
 detection/c2/unexpected-https-macos.sql | 1 +
 .../unexpected-hidden-system-paths.sql | 45 +++++++++----------
 .../execution/unexpected-fetcher-parents.sql | 1 +
 ...xpected-elevated-children-events_macos.sql | 1 +
 4 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 2ba0c9e..dd09b05 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -142,6 +142,7 @@ WHERE
 AND (
 p0_cmd LIKE '%/gcloud.py%'
 OR p0_cmd LIKE '%pip install%'
+ OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
 )
 )
 -- theScore and other iPhone apps
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
index f698a12..52f20da 100644
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -8,8 +8,7 @@
 --
 -- platform: posix
 -- tags: persistent filesystem state
-SELECT
- file.path,
+SELECT file.path,
 file.inode,
 file.directory,
 uid,
@@ -22,12 +21,10 @@ SELECT
 size,
 hash.sha256,
 magic.data
-FROM
- file
+FROM file
 LEFT JOIN hash ON file.path = hash.path
 LEFT JOIN magic ON file.path = magic.path
-WHERE
- (
+WHERE (
 file.path LIKE '/lib/.%'
 OR file.path LIKE '/.%'
 OR file.path LIKE '/bin/%/.%'
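Review bot: The added exception `OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'` is wrapped in `%` on both sides, so any parent command line that contains that path anywhere is excluded from the rule, not only an interpreter invocation of that script. That is consistent with the neighbouring `'%/gcloud.py%'` and `'%pip install%'` patterns, but the command line is chosen by the process being inspected, so a substring exception is weaker than a path or signature match. If the reporter is always invoked as the last argument, dropping the trailing wildcard, `OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py'`, narrows the match without losing the intended case. The enclosing `AND (...)` group and the WHERE clause begin before the hunk.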
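Review bot: The reflow of `SELECT` / `file.path,` into `SELECT file.path,` puts the first projected column on the keyword line while every following column stays on its own line, so the list is no longer one item per line; the same reflow happens at `FROM file` and `WHERE (` in the following hunk at -22 and at `) -- Ecamm Live` at -169. None of these changes alters what the query returns, and they are unrelated to the false-positive additions the subject line describes, so they bury the substantive change in the diff. Keeping the original one-clause-per-line layout, or splitting the reformat into its own commit, would make the allowlist changes reviewable on their own. The SELECT list continues outside the hunk.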
@@ -67,28 +64,37 @@ WHERE
 '/etc/selinux/.config_backup',
 '/etc/skel/.mozilla/',
 '/.file',
+ '/.lesshst',
 '/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
+ '/tmp/.accounts-agent/',
+ '/tmp/.audio-agent/',
 '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
+ '/tmp/.content-agent/',
 '/tmp/._contentbarrier_installed',
+ '/tmp/.docker/',
+ '/tmp/.docker-tmp/',
 '/tmp/.dotnet/',
 '/tmp/.dracula-tmux-data',
 '/tmp/.dracula-tmux-weather.lock',
 '/tmp/.DS_Store',
+ '/tmp/.eos-update-notifier.log',
+ '/tmp/.featureflags-agent/',
 '/tmp/.font-unix/',
 '/tmp/.go-version',
 '/tmp/.ICE-unix/',
+ '/tmp/.last_survey_prompt.yaml',
+ '/tmp/.last_update_check.json',
+ '/tmp/.metrics-agent/',
+ '/tmp/.settings-agent/',
 '/tmp/.terraform/',
 '/tmp/.terraform.lock.hcl',
- '/tmp/.last_update_check.json',
- '/tmp/.last_survey_prompt.yaml',
 '/tmp/.Test-unix/',
- '/tmp/.docker/',
- '/tmp/.docker-tmp/',
+ '/tmp/.ui-agent/',
+ '/tmp/.updater-agent/',
 '/tmp/.vbox-t-ipc/',
 '/tmp/.X0-lock',
 '/tmp/.X11-unix/',
 '/tmp/.X1-lock',
- '/tmp/.eos-update-notifier.log',
 '/tmp/.X2-lock',
 '/tmp/.XIM-unix/',
 '/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
@@ -97,29 +103,20 @@ WHERE
 '/var/db/.com.apple.iokit.graphics',
 '/var/db/.GKRearmTimer',
 '/var/db/.LastGKApp',
- '/tmp/.accounts-agent/',
- '/tmp/.content-agent/',
- '/tmp/.audio-agent/',
- '/tmp/.ui-agent/',
- '/tmp/.featureflags-agent/',
- '/tmp/.settings-agent/',
- '/tmp/.metrics-agent/',
- '/tmp/.updater-agent/',
 '/var/db/.LastGKReject',
 '/var/db/.MASManifest',
 '/var/db/.SoftwareUpdateOptions',
 '/var/db/.StagedAppleUpgrade',
 '/var/db/.SystemPolicy-default',
 '/var/.ntw_cache',
- '/var/setup/.TemporaryItems',
 '/var/.Parallels_swap/',
 '/var/.pwd_cache',
- '/var/root/.lesshst',
 '/var/root/.bash_history',
 '/var/root/.bash_profile',
 '/var/root/.cache/',
 '/var/root/.CFUserTextEncoding',
 '/var/root/.forward',
+ '/var/root/.lesshst',
 '/var/root/.nix-channels',
 '/var/root/.nix-defexpr/',
 '/var/root/.nix-profile/',
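Review bot: The new `'/.lesshst'` entry excludes a dotfile at the filesystem root on path alone, with no owner, mode or size bound, whereas the exceptions in the trailing `AND NOT (...)` blocks of this query pair a path with `file.size` or `file.gid` conditions. A root-level hidden file is exactly what this rule exists to surface, so the reason it is tolerated deserves a line, e.g. `-- less history file when HOME resolves to / (presumably root sessions)`, and a size-bounded `AND NOT` block would be tighter than an unconditional IN-list entry. The remaining additions in this hunk are entries moved up from the following hunk at -97 to restore sort order, not new exclusions. The IN list begins and ends outside the hunk.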
@@ -130,6 +127,7 @@ WHERE
 '/var/run/.sim_diagnosticd_socket',
 '/var/run/.vfs_rsrc_streams_0x2b725bbfb94ba4ef0/',
 '/var/setup/.AppleSetupUser',
+ '/var/setup/.TemporaryItems',
 '/var/setup/.TemporaryItems/',
 '/.vol/',
 '/.VolumeIcon.icns'
@@ -169,8 +167,7 @@ WHERE
 AND file.gid = 0
 AND file.mode IN ('0755', '0700')
 AND file.size < 4
- )
- -- Ecamm Live
+ ) -- Ecamm Live
 AND NOT (
 file.path LIKE "/tmp/.elive%"
 AND file.size < 7
@@ -190,4 +187,4 @@ WHERE
 AND NOT (
 file.path = '/var/root/.oracle_jre_usage/'
 AND file.size = 96
- )
+ )
\ No newline at end of file
diff --git a/detection/execution/unexpected-fetcher-parents.sql b/detection/execution/unexpected-fetcher-parents.sql
index 296f566..3b8df82 100644
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@@ -58,6 +58,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 'curl,500,bash,zsh',
 'curl,500,env,env',
 'curl,500,eos-connection-,eos-update-noti',
+ 'curl,0,eos-rankmirrors,eos-rankmirrors',
 'curl,500,fish,gnome-terminal-',
 'curl,500,launchd,kernel_task',
 'curl,500,makepkg,yay',
diff --git a/detection/privesc/unexpected-elevated-children-events_macos.sql b/detection/privesc/unexpected-elevated-children-events_macos.sql
index cf01e74..910698d 100644
--- a/detection/privesc/unexpected-elevated-children-events_macos.sql
+++ b/detection/privesc/unexpected-elevated-children-events_macos.sql
@@ -110,6 +110,7 @@ WHERE
 'containermanagerd,262,com.docker.backend,Docker',
 'sysextd,0,LogiTune,launchd',
 'biometrickitd,0,LogiTune,launchd',
+ 'suhelperd,0,LogiTune,launchd',
 'amfid,0,com.docker.backend,Docker',
 'dprivacyd,0,com.docker.backend,Docker',
 'com.apple.geod,262,com.docker.backend,Docker',
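Review bot: Moving the comment onto the closing paren, `) -- Ecamm Live`, attaches it to the end of the preceding exception (the `file.gid = 0 ... file.size < 4` block) rather than to the `AND NOT ( file.path LIKE "/tmp/.elive%" ...` block it describes, so a reader scanning the exception list now labels the wrong one. Keeping the comment on its own line directly above `AND NOT (`, as it was, or placing it after that opening paren, keeps the label with the block it explains. Both exception blocks extend beyond the hunk.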
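Review bot: The new side of the final `)` carries `\ No newline at end of file`, so this rewrite drops the file's terminating newline while the old side had one. Restoring it is a one-character fix that keeps the file consistent with the other queries touched here and avoids a spurious diff the next time the last line is edited. The closing `AND NOT (...)` block starts before the hunk.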
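Review bot: The list extended with `'curl,0,eos-rankmirrors,eos-rankmirrors'` sits under the hunk-header comment `-- NOTE: The remainder of this query is synced with unexpected-fetcher-par…`, yet the diffstat lists only four files and none is that sibling query, so the two lists diverge unless the twin is updated in a follow-up. The entry is also the only one in view whose second field is `0` where its neighbours carry `500`; if that field is a uid, this is a root-level fetcher exception and a short comment naming why the EndeavourOS mirror ranker is expected to run curl at that uid would help future pruning. The IN list begins and ends outside the hunk.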
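Review bot: `'suhelperd,0,LogiTune,launchd'` is the third LogiTune exception in this list, and each is keyed on the child name, a numeric field (presumably a uid) and the parent name alone, so any process named LogiTune with launchd as its parent in that bucket satisfies it regardless of which binary that is. A grouping comment above the three entries, e.g. `-- Logitech LogiTune helper daemons`, would make the intent greppable, and if signing or path information is available elsewhere in the query (not visible in this hunk), pinning the exception to it would be tighter than the name pair. The IN list begins and ends outside the hunk.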