False positives: melange, ~/dev, debian-sa1, AdBlock, cover, kubelr, etc

detection/c2/unexpected-https-client-linux.sql

@@ -131,6 +131,7 @@ WHERE
     '500,/usr/cosign,500u,500g,cosign',
     '500,/usr/curl,0u,0g,curl',
     '500,/usr/electron,0u,0g,electron',
+    '500,/usr/evolution-addressbook-factory,0u,0g,evolution-addre',
     '500,/usr/evolution-calendar-factory,0u,0g,evolution-calen',
     '500,/usr/firefox,0u,0g,firefox',
     '500,/usr/firefox,0u,0g,.firefox-wrappe',
@@ -158,6 +159,7 @@ WHERE
     '500,/usr/lens,0u,0g,lens',
     '500,/usr/nautilus,0u,0g,nautilus',
     '500,/usr/obs,0u,0g,obs',
+    '500,/usr/python3,0u,0g,python3',
     '500,/usr/reporter-ureport,0u,0g,reporter-urepor',
     '500,/usr/rpi-imager,0u,0g,rpi-imager',
     '500,/usr/signal-desktop,0u,0g,signal-desktop',
@@ -167,6 +169,7 @@ WHERE
     '500,/usr/syncthing,0u,0g,syncthing',
     '500,/usr/teams,0u,0g,teams',
     '500,/usr/terraform,0u,0g,terraform',
+    '500,/usr/thunderbird,0u,0g,thunderbird',
     '500,/usr/trivy,0u,0g,trivy',
     '500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
     '500,/usr/xmobar,0u,0g,xmobar',
@@ -174,6 +177,7 @@ WHERE
   )
   -- Exceptions where we have to be more flexible for the process name
   AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm exec %'
+  AND NOT exception_key LIKE '500,/usr/node,0u,0g,npm install %'
   AND NOT exception_key LIKE '500,%/terraform-provider-%,500u,500g,terraform-provi'
   -- stay weird, NixOS (Fastly nix mirror)
   AND NOT (

detection/c2/unexpected-talkers-linux.sql

@@ -92,7 +92,9 @@ WHERE
     '27035,6,500,/home/steam,500u,100g,steam',
     '32768,6,0,/usr/tailscaled,0u,0g,tailscaled',
     '32768,6,500,/usr/ssh,0u,0g,ssh',
+    '22,6,500,/home/cargo,500u,500g,cargo',
     '3443,6,500,/opt/chrome,0u,0g,chrome',
+    '3478,6,500,/usr/chrome,0u,0g,chrome',
     '3478,6,500,/opt/chrome,0u,0g,chrome',
     '3478,6,500,/usr/firefox,0u,0g,firefox',
     '4070,6,500,/opt/spotify,0u,0g,spotify',

detection/discovery/unexpected-pcap-user-linux.sql

@@ -23,15 +23,16 @@ SELECT
   pp.cwd AS parent_cwd,
   pp.euid AS parent_euid,
   ph.sha256 AS parent_sha256
+  -- Using processes is much faster than process_memory_map
 FROM
-  process_memory_map pmm
-  LEFT JOIN processes p ON pmm.pid = p.pid
+  processes p
+  LEFT JOIN process_memory_map pmm ON p.pid = pmm.pid
   LEFT JOIN hash h ON p.path = h.path
   LEFT JOIN processes pp ON p.parent = pp.pid
   LEFT JOIN hash AS ph ON pp.path = ph.path
 WHERE
-  pmm.path LIKE '%libpcap%'
-  AND p.euid = 0
+  p.euid = 0
+  AND pmm.path LIKE '%libpcap%'
   AND child_path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
   AND child_path NOT LIKE '/nix/store/%-systemd-%/lib/systemd/systemd%'
   AND child_path NOT LIKE '/nix/store/%-systemd-%/bin/udevadm'
@@ -50,4 +51,4 @@ WHERE
   )
   AND child_cmd NOT LIKE '/usr/bin/python3 -s%/usr/sbin/firewalld%'
 GROUP BY
-  pmm.pid
+  p.pid

detection/discovery/unexpected-pcap-user-macos.sql

@@ -26,15 +26,17 @@ SELECT
   s.authority,
   s.identifier
 FROM
-  process_memory_map pmm
+  processes p
+  LEFT JOIN process_memory_map pmm ON p.pid = pmm.pid
   LEFT JOIN processes p ON pmm.pid = p.pid
   LEFT JOIN hash h ON p.path = h.path
   LEFT JOIN processes pp ON p.parent = pp.pid
   LEFT JOIN hash AS ph ON pp.path = ph.path
   LEFT JOIN signature s ON p.path = s.path
 WHERE
-  pmm.path LIKE '%libpcap%'
-  AND p.euid = 0 -- These are all protected directories
+  p.euid = 0
+  AND pmm.path LIKE '%libpcap%'
+  -- These are all protected directories
   AND child_path NOT LIKE '/System/%'
   AND child_path NOT LIKE '/usr/libexec/%'
   AND child_path NOT LIKE '/usr/sbin/%'
@@ -49,4 +51,4 @@ WHERE
     'Developer ID Application: Docker Inc (9BNSXJN65R)'
   )
 GROUP BY
-  pmm.pid
+  p.pid

detection/evasion/empty_root_environ_macos.sql

@@ -36,7 +36,8 @@ FROM
   LEFT JOIN hash ON p.path = hash.path
   LEFT JOIN signature ON p.path = signature.path
 WHERE
-  p.euid = 0 AND
+  p.euid = 0
+  AND
   -- This time should match the interval
   p.start_time > (strftime('%s', 'now') - 601) -- Filter out transient processes that may not have an envs entry by the time we poll for it
   AND p.start_time < (strftime('%s', 'now') - 1)

detection/evasion/hidden-executable.sql

@@ -26,6 +26,9 @@ FROM
   LEFT JOIN users u ON p.uid = u.uid
   LEFT JOIN hash ON p.path = hash.path
 WHERE
-  (p.name LIKE '.%' OR f.filename LIKE '.%')
-AND NOT f.path LIKE '/nix/store/%/%-wrapped'
-AND NOT p.name = '.firefox-wrappe'
+  (
+    p.name LIKE '.%'
+    OR f.filename LIKE '.%'
+  )
+  AND NOT f.path LIKE '/nix/store/%/%-wrapped'
+  AND NOT p.name = '.firefox-wrappe'

detection/evasion/touched-executable-macos.sql

@@ -88,8 +88,7 @@ WHERE
       OR p.path LIKE '/Applications/%.app/Contents/MacOS/%'
       OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
       OR p.path LIKE '/opt/homebrew/Caskroom/%/bin/%'
-      OR p.path LIKE '/Users/%/google-cloud-sdk/bin/kubectl'
-      OR p.path LIKE '/Users/%/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin/%'
+      OR p.path LIKE '/Users/%/google-cloud-sdk/bin/%'
     )
   )
   AND NOT (

detection/evasion/unexpected-etc-executables.sql

@@ -124,6 +124,7 @@ WHERE
     '/etc/update-motd.d',
     '/etc/vmware-tools',
     '/etc/vpnc',
+    '/etc/localtime',
     '/etc/wpa_supplicant',
     '/etc/X11',
     '/etc/X11/xinit',

detection/evasion/unexpected-tmp-executables.sql

@@ -94,7 +94,8 @@ WHERE
   AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS/'
   -- terraform
   AND NOT (
-    uid > 500 AND file.path LIKE '/tmp/terraform_%/terraform'
+    uid > 500
+    AND file.path LIKE '/tmp/terraform_%/terraform'
   )
   AND NOT (
     file.path LIKE '/tmp/%compressed'

detection/execution/exotic-command-events-linux.sql

@@ -24,6 +24,7 @@ SELECT
   p.euid,
   p.parent,
   p.syscall,
+  pp.cgroup_path,
   hash.sha256,
   pp.path AS parent_path,
   pp.name AS parent_name,
@@ -79,7 +80,10 @@ WHERE
     OR cmd LIKE '%systemctl stop firewalld%'
     OR cmd LIKE '%systemctl disable firewalld%'
     OR cmd LIKE '%pkill -f%'
-    OR (cmd LIKE '%xargs kill -9%' AND p.euid=0)
+    OR (
+      cmd LIKE '%xargs kill -9%'
+      AND p.euid = 0
+    )
     OR cmd LIKE '%rm -f%/tmp%'
     OR cmd LIKE '%rm -rf /boot%'
     OR cmd LIKE '%nohup /bin/bash%'
@@ -149,3 +153,4 @@ WHERE
   AND NOT cmd LIKE 'rm -f /var/lib/update-notifier/tmp%'
   -- Invalid command from someones tmux environment
   AND NOT cmd LIKE 'pkill -f cut -c3%'
+  AND NOT cmd LIKE 'dirname %history'

detection/execution/exotic-command-events-macos.sql

@@ -76,11 +76,15 @@ WHERE
     OR cmd LIKE '%nohup%tmp%'
     OR cmd LIKE '%killall Terminal%'
     OR cmd LIKE '%iptables stop'
-    OR cmd LIKE '%pkill -f%'
+    OR (
+      p.euid = 0
+      AND (
+        cmd LIKE '%pkill -f%'
+        OR cmd LIKE '%xargs kill -9%'
+      )
+    )
     OR cmd LIKE '%rm -f /var/tmp%'
-    OR cmd LIKE '%rm -rf /boot%'
     OR cmd LIKE '%rm -f /tmp%'
-    OR (cmd LIKE '%xargs kill -9%' AND p.euid=0)
     OR cmd LIKE '%nohup /bin/bash%'
     OR cmd LIKE '%history'
     OR cmd LIKE '%echo%|%base64 --decode %|%'
@@ -101,8 +105,11 @@ WHERE
     OR cmd LIKE '%SOCK_STREAM%'
     OR (
       cmd LIKE '%Socket.%'
-      AND NOT basename IN ('compile', 'sed', 'mv')
+      AND NOT basename IN ('compile', 'sed', 'mv', 'cover')
       AND NOT cmd LIKE "%sys/socket.h%"
+      AND NOT cmd LIKE "%websocket%"
+      AND NOT cmd LIKE "%socket.go%"
+      AND NOT cmd LIKE "%socket.cpython%"
     )
   ) -- Things that could reasonably happen at boot.
   AND NOT (
@@ -115,17 +122,17 @@ WHERE
   )
   AND NOT (
     cmd IN (
-      '/usr/bin/csrutil status',
-      '/usr/bin/csrutil report',
+      '/bin/launchctl asuser 0 /bin/launchctl list',
       '/bin/launchctl list',
-      'launchctl list com.parallels.desktop.launchdaemon',
-      'launchctl list us.zoom.ZoomDaemon',
-      'sudo launchctl list us.zoom.ZoomDaemon',
       '/bin/launchctl list com.logi.optionsplus.update',
       '/bin/launchctl list homebrew.mxcl.yabai',
-      'xpcproxy com.apple.Safari.History',
+      'launchctl list com.parallels.desktop.launchdaemon',
+      'launchctl list us.zoom.ZoomDaemon',
       '/Library/Apple/System/Library/StagedFrameworks/Safari/SafariShared.framework/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History',
-      '/bin/launchctl asuser 0 /bin/launchctl list'
+      'sudo launchctl list us.zoom.ZoomDaemon',
+      '/usr/bin/csrutil report',
+      '/usr/bin/csrutil status',
+      'xpcproxy com.apple.Safari.History'
     )
     -- The source of these commands is still a mystery to me.
     OR p.parent = -1
@@ -137,3 +144,5 @@ WHERE
   AND NOT cmd LIKE '/bin/cp %history%sessions/%'
   AND NOT cmd LIKE 'touch -r /tmp/KSInstallAction.%'
   AND NOT cmd LIKE '%find /Applications/LogiTuneInstaller.app -type d -exec chmod 777 {}%'
+  AND NOT cmd LIKE '/bin/rm -f /tmp/com.adobe.%.updater/%'
+  AND NOT cmd LIKE 'dirname %history'

detection/execution/recently-created-executables-linux.sql

@@ -56,6 +56,7 @@ WHERE
     '/usr/bin/docker',
     '/usr/bin/dockerd',
     '/usr/bin/docker-proxy',
+    '/usr/lib/flatpak-session-helper',
     '/usr/bin/gedit',
     '/usr/bin/gnome-keyring-daemon',
     '/usr/bin/kbfsfuse',

detection/execution/unexpected-execdir-events-macos.sql

@@ -116,6 +116,7 @@ WHERE
   AND top_homedir NOT IN (
     '~/Applications/',
     '~/bin/',
+    '~/.cargo/',
     '~/code/',
     '~/.config/',
     '~/go/',
@@ -123,8 +124,8 @@ WHERE
     '~/Library/',
     '~/.local/',
     '~/projects/',
-    '~/src/',
     '~/.pyenv/',
+    '~/src/',
     '~/.tflint.d/',
     '~/.vscode/',
     '~/.vs-kubernetes/'

detection/execution/unexpected-execdir-linux.sql

@@ -73,4 +73,4 @@ WHERE
     dirname = ''
     AND p.name LIKE 'runc%'
   )
-  AND p.path NOT LIKE '/tmp/terraform_%/terraform'
+  AND p.path NOT LIKE '/tmp/terraform_%/terraform'

detection/execution/unexpected-execdir-macos.sql

@@ -112,6 +112,7 @@ WHERE
     '~/.config/',
     '~/git/',
     '~/go/',
+    '~/.kuberlr/',
     '~/google-cloud-sdk/',
     '~/homebrew/',
     '~/Library/',

detection/persistence/unexpected-chrome-extensions.sql

@@ -69,6 +69,7 @@ WHERE
     'true,All uBlock contributors,uBlock - free ad blocker,epcnnfbjfcgphgdmggkamkmgojdagdnn,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',
     'true,,Bardeen - automate workflows with one click,ihhkmalpkhkoedlmcnilbbhhbhnicjga,<all_urls>, webNavigation, unlimitedStorage, notifications, activeTab, tabs, storage, *://*/*, history, bookmarks, contextMenus',
     'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
+    'true,Adblock, Inc.,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom,tabs, <all_urls>, contextMenus, webRequest, webRequestBlocking, webNavigation, storage, unlimitedStorage, notifications, idle, alarms',
     'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb,tabs, contextMenus, storage, unlimitedStorage, clipboardRead, clipboardWrite, idle, http://*/*, https://*/*, webRequest, webRequestBlocking',
     'true,,BrowserStack Local,mfiddfehmfdojjfdpfngagldgaaafcfo,https://*.bsstag.com/*, https://*.browserstack.com/*, , clipboardWrite, app.window, storage',
     'true,,Capital One Shopping: Add to Chrome for Free,nenlahapcbofgnanklpelkaejcehkggg,tabs, contextMenus, storage, cookies, webRequest, webRequestBlocking, <all_urls>',

detection/persistence/unexpected-cron-entries.sql

@@ -20,3 +20,4 @@ WHERE
   AND command NOT LIKE '%zfs-linux%'
   AND command NOT LIKE '%anacron start%'
   AND command NOT LIKE '%/usr/lib/php/sessionclean%'
+  AND command NOT LIKE 'root command -v debian-sa1%'

detection/persistence/unexpected-listening-port-linux.sql

@@ -153,7 +153,7 @@ WHERE
     AND lp.port > 1024
     and lp.protocol = 6
   )
-    -- Exclude processes running inside of Docker containers
+  -- Exclude processes running inside of Docker containers
   AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
 GROUP BY
   exception_key

detection/persistence/unexpected-listening-port-macos.sql

@@ -151,7 +151,10 @@ WHERE
     AND lp.protocol = 6
   )
   AND NOT (
-    p.cwd LIKE '/Users/%/src/%'
+    (
+      p.cwd LIKE '/Users/%/src/%'
+      OR p.cwd LIKE '/Users/%/dev/%'
+    )
     AND p.cmdline LIKE './%'
     AND lp.port > 1024
     AND lp.protocol = 6

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -139,4 +139,4 @@ WHERE
   AND p.path NOT LIKE '/nix/store/%/libexec/%'
   AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snapd'
   -- Exclude processes running inside of Docker containers
-  AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
+  AND NOT p.cgroup_path LIKE '/system.slice/docker-%'

detection/privesc/unexpected-privileged-containers.sql

@@ -30,6 +30,7 @@ WHERE
   AND image NOT IN (
     'cgr.dev/chainguard/melange',
     'wolfi:test',
+    'distroless.dev/melange',
     'distroless.dev/melange:latest'
   )
   AND command NOT LIKE '/usr/bin/melange build %'