From 9c87838b9fab85d7b3716f99b49976f73b5baaa2 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 12 May 2023 16:41:17 -0400
Subject: [PATCH] fpr: Chrome, Kolide
---
 .../evasion/unexpected-tmp-executables-linux.sql | 1 +
 detection/execution/unexpected-sysutils-macos.sql | 15 ++++++++-------
 detection/privesc/unexpected-setxid-process.sql | 3 +++
 3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql
index 187dc8e..6c50cc3 100644
--- a/detection/evasion/unexpected-tmp-executables-linux.sql
+++ b/detection/evasion/unexpected-tmp-executables-linux.sql
@@ -90,6 +90,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
 OR file.path LIKE "%/lib/%.so.%"
 OR file.path LIKE "%/lib64/%.so.%"
 OR file.path LIKE "%/lib64/%.so"
+ OR file.path LIKE '/tmp/staged-updates%launcher'
 OR file.path LIKE "%/melange%"
 OR file.path LIKE "%/sbin/%"
 OR file.path LIKE "%/bin/busybox"
diff --git a/detection/execution/unexpected-sysutils-macos.sql b/detection/execution/unexpected-sysutils-macos.sql
index 9353d86..bff0dfb 100644
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
@@ -73,15 +73,16 @@ WHERE
 AND pe.cmdline IS NOT NULL
 AND pe.status == 0
 AND pe.path IN (
- '/usr/sbin/sysctl',
- '/usr/bin/security',
- '/usr/libexec/security_authtrampoline',
- '/usr/bin/openssl',
- '/usr/bin/uuidgen',
+ '/usr/bin/dscl',
 '/usr/bin/funzip',
- '/usr/sbin/ioreg',
+ '/usr/bin/openssl',
+ '/usr/bin/security',
 '/usr/bin/sqlite3',
- '/usr/bin/sw_vers'
+ '/usr/bin/sw_vers',
+ '/usr/bin/uuidgen',
+ '/usr/libexec/security_authtrampoline',
+ '/usr/sbin/ioreg',
+ '/usr/sbin/sysctl'
 )
 AND p.parent > 0
 AND NOT p0_cmd IN (
diff --git a/detection/privesc/unexpected-setxid-process.sql b/detection/privesc/unexpected-setxid-process.sql
index c16c63a..345debd 100644
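Review bot: The new exclusion `OR file.path LIKE '/tmp/staged-updates%launcher'` trusts a name pattern inside a world-writable directory, and `%` also matches `/tmp/staged-updates-anything/launcher` or `/tmp/staged-updateslauncher`, so anyone who has read this rule can name a dropped binary to slip past it. If the staged binary is always a file literally named `launcher` below a `staged-updates*` directory (presumably the Kolide launcher auto-updater the subject refers to — confirm against its on-disk layout), `OR (file.path LIKE '/tmp/staged-updates%/launcher' AND file.uid = 0)` excludes the same files while rejecting the flat forms, assuming the file table exposes `uid` and the updater runs as root. The added line also uses single quotes where its neighbours use double quotes; SQLite accepts an unresolvable double-quoted identifier as a string literal, so both work, but the block should use one form and single quotes are the correct SQL literal. A comment such as `-- Kolide launcher auto-update staging area (see commit fpr: Chrome, Kolide)` would record why a /tmp path is trusted at all. The WHERE clause this sits in starts before the hunk.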
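Review bot: `/usr/bin/dscl` is the only functional addition to the `pe.path IN (...)` list, but the simultaneous alphabetical reorder of the nine existing entries hides that, and nothing says what dscl activity the rule is meant to catch. dscl is commonly run by management agents and onboarding scripts as well as by attackers for account enumeration and local password changes, so whoever tunes the exclusions later will want the intent, e.g. `-- dscl: local directory reads/writes (user enumeration, 'dscl . -passwd')` placed above the `IN (` line. Consider landing reorders separately from list changes so the diff shows the one new path. The `AND NOT p0_cmd IN (` exclusion list this interacts with continues past the end of the hunk.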
--- a/detection/privesc/unexpected-setxid-process.sql
+++ b/detection/privesc/unexpected-setxid-process.sql
@@ -32,6 +32,7 @@ WHERE
 '/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
 '/opt/1Password/1Password-BrowserSupport',
 '/opt/1Password/1Password-KeyringHelper',
+ '/opt/google/chrome/chrome-sandbox',
 '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent',
 '/usr/bin/doas',
 '/usr/bin/fusermount',
@@ -44,7 +45,9 @@ WHERE
 '/usr/bin/su',
 '/usr/bin/sudo',
 '/usr/bin/top',
+ '/usr/lib/electron/chrome-sandbox',
 '/usr/lib/polkit-1/polkit-agent-helper-1',
+ '/usr/lib/slack/chrome-sandbox',
 '/usr/lib/xf86-video-intel-backlight-helper',
 '/usr/lib/Xorg.wrap',
 '/usr/sbin/traceroute'
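Review bot: Excluding `/usr/lib/electron/chrome-sandbox` and `/usr/lib/slack/chrome-sandbox` (and `/opt/google/chrome/chrome-sandbox` in the earlier hunk) by path alone means a setuid-root binary planted under one of these names is never flagged; writing there already needs root, so the gap is persistence rather than initial privesc — an attacker who briefly had root can leave a backdoor at an allowlisted name for later use from an unprivileged account. If the query's joins allow it, tie the exclusion to something other than the name (the package that owns the file, or a known hash), or at least record the trade-off with `-- Electron apps ship a setuid chrome-sandbox helper; matched by path only`. Every further Electron app under `/usr/lib/<app>/` will need its own line; a `p.path LIKE '/usr/lib/%/chrome-sandbox'` alternative covers them at the cost of trusting any directory at that depth, so if you move to a pattern keep it that narrow rather than `%/chrome-sandbox`. The WHERE clause and the predicate this list feeds start before the hunk, so its role as a `NOT IN` allowlist is inferred from the file name and the existing entries (su, sudo, doas).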