Merge pull request #307 from tstromberg/fpr-sep14

fpr: sourcegraph, nginx, factorio, fan control, emacs, nushell

detection/c2/unexpected-dns-traffic-events.sql

@@ -77,6 +77,7 @@ WHERE
     'com.docker.backend,8.8.8.8,53',
     'ZoomPhone,8.8.8.8,53',
     'ZaloCall,8.8.8.8,53',
+    'Telegram,8.8.8.8,53',
     'Meeting Center,8.8.8.8,53',
     'signal-desktop,8.8.8.8,53',
     'slack,8.8.8.8,53',

detection/c2/unexpected-https-linux.sql

@@ -262,6 +262,7 @@ WHERE
     '500,slirp4netns,500u,500g,slirp4netns',
     '500,snap-store,0u,0g,snap-store',
     '500,spotify,0u,0g,spotify',
+    '500,chrome_crashpad_handler,0u,0g,chrome_crashpad',
     '500,spotify,500u,500g,spotify',
     '500,spotify,u,g,spotify',
     '500,steam,500u,100g,steam',

detection/c2/unexpected-https-macos.sql

@@ -175,6 +175,7 @@ WHERE
     '500,cosign,cosign,0u,500g',
     '500,cosign,cosign,500u,20g',
     '500,cosign,cosign,500u,80g',
+    '500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',
     '500,cpu,cpu,500u,20g',
     '500,crane,crane,0u,500g',
     '500,crane,crane,500u,80g',

detection/c2/unexpected-talkers-macos.sql

@@ -125,6 +125,7 @@ WHERE
     '500,17,9000,Meeting Center,Meeting Center,Developer ID Application: Cisco (DE8Y96K9QP),com.webex.meetingmanager',
     '500,6,22,Cyberduck,Cyberduck,Developer ID Application: David Kocher (G69SCX94XU),ch.sudo.cyberduck',
     '500,6,22,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
+    '500,6,8080,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
     '500,6,22,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
     '500,6,2869,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
     '500,6,32000,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
@@ -192,6 +193,11 @@ WHERE
     alt_exception_key LIKE '500,6,%,syncthing,syncthing,0u,500g'
     AND remote_port > 79
   )
+  AND NOT (
+    alt_exception_key LIKE '500,6,%,nuclei,nuclei,500u,80g'
+    AND remote_port > 20
+    AND remote_port < 32000
+  )
   AND NOT (
     exception_key LIKE '500,6,%,syncthing,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783),syncthing'
     AND remote_port > 79

detection/discovery/unexpected-netutil-calls-linux.sql

@@ -80,7 +80,7 @@ WHERE
   AND pe.time > (strftime('%s', 'now') -300)
   AND NOT (
     pe.euid > 500
-    AND p1_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
+    AND p1_name IN ('sh', 'fish', 'zsh', 'bash', 'dash', 'nu')
     AND p2_name IN (
       'alacritty',
       'gnome-terminal-',

detection/evasion/hidden-cwd.sql

@@ -152,6 +152,7 @@ WHERE
     OR dir LIKE '%/.gradle'
     OR dir LIKE '%/.github/%'
     OR dir LIKE '%/.github'
+    OR dir LIKE '%/.venv'
     OR dir LIKE '/home/build/.cache%'
     OR dir LIKE '~/.%'
     OR dir LIKE '~/.gradle/%'

detection/evasion/hidden-executable.sql

@@ -55,6 +55,7 @@ WHERE
   AND NOT f.directory LIKE '%/.nvm/versions/%/bin'
   AND NOT f.directory LIKE '%/.goenv/%/bin'
   AND NOT f.directory LIKE '%/.pnpm/%'
+  AND NOT f.directory LIKE '%/.yardstick/%'
   AND NOT f.directory LIKE '%/.go/bin'
   AND NOT f.directory LIKE '%/.rustup/%'
   AND NOT f.directory LIKE '%/.terraform'

detection/evasion/parent-missing-from-disk-linux.sql

@@ -52,6 +52,7 @@ WHERE
     '/opt/brave.com/brave/brave',
     '/opt/google/chrome/chrome',
     '/usr/bin/alacritty',
+    '/usr/bin/roxterm',
     '/usr/bin/doas',
     '/usr/bin/dockerd',
     '/usr/bin/fusermount3',

detection/evasion/parent-missing-from-disk-macos.sql

@@ -73,7 +73,8 @@ WHERE
       AND pp.path NOT IN (
         "",
         "/sbin/launchd",
-        "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)"
+        "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper (Plugin).app/Contents/MacOS/Code Helper (Plugin)",
+        "/Applications/Visual Studio Code.app/Contents/Frameworks/Code Helper.app/Contents/MacOS/Code Helper"
       )
       AND pp.on_disk != 1
   );

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -96,7 +96,7 @@ WHERE
   AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'
   AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python@%/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501'
   AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
-  AND NOT exception_key LIKE ',net.java.openjdk.java,/opt/homebrew/Cellar/openjdk/%/libexec/openjdk.jdk/Contents/Home/bin/java,501'
+  AND NOT exception_key LIKE ',net.java.openjdk.java,/opt/homebrew/Cellar/openjdk%/libexec/openjdk.jdk/Contents/Home/bin/java,501'
   AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
   AND NOT exception_key LIKE ',a.out,/Users/%/GolandProjects/documentation-code-examples/debuggingTutorial/myApp,501'
   AND NOT exception_key LIKE ',node,/opt/homebrew/Cellar/nvm/%/versions/node/v%/bin/node,501'

detection/evasion/unexpected-hidden-system-paths.sql

@@ -104,6 +104,8 @@ WHERE
     '/tmp/.X0-lock',
     '/tmp/.X11-unix/',
     '/tmp/.X1-lock',
+    '/var/db/.intl8859cache.db',
+    '/var/db/.lvm_setupdone',
     '/tmp/.X2-lock',
     '/tmp/.XIM-unix/',
     '/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
@@ -125,6 +127,8 @@ WHERE
     '/var/root/.bash_history',
     '/var/root/.bash_profile',
     '/var/root/.cache/',
+    '/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
+    '/tmp/.SIGN.RSA.local-melange.rsa.pub',
     '/var/root/.CFUserTextEncoding',
     '/var/root/.docker/',
     '/var/root/.forward',

detection/evasion/unexpected-tmp-executables-macos.sql

@@ -73,6 +73,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
           OR file.path LIKE '%/ko/%'
           OR file.path LIKE '%/nix/%'
           OR file.path LIKE '%/kots/%'
+          OR file.path LIKE '/tmp/KSInstallAction.%/m/.keystone_install'
           OR file.path LIKE '/tmp/%/AdobePIM.dylib'
           OR file.path LIKE "%/lib/%.so"
           OR file.path LIKE '/tmp/melange%'

detection/execution/exotic-commands-macos.sql

@@ -106,5 +106,7 @@ WHERE
     AND p1_cmd LIKE '%pipenv shell'
   )
   AND NOT p0_cmd IN ('pkill -f Jabra Direct')
+  AND NOT p0_cmd LIKE "%dd if=/dev/stdin conv=unblock cbs=79"
+  AND NOT p1_path LIKE '/Applications/Emacs.app/Contents/MacOS/Emacs-arm64-%'
 GROUP BY
   p0.pid;

detection/execution/recently-created-executables-long-lived-macos.sql

@@ -113,6 +113,7 @@ WHERE
         '~/bin',
         '~/code/bin',
         '~/go/bin',
+        '~/melange',
         '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
         '/usr/local/kolide-k2/Kolide.app/Contents/MacOS',
         '~/Library/Application Support/dev.warp.Warp-Stable',
@@ -166,6 +167,7 @@ WHERE
     'Developer ID Application: GitHub (VEKTX9H2N7)',
     'Developer ID Application: Google LLC (EQHXZ8M8AV)',
     'Developer ID Application: GPGTools GmbH (PKV8ZPD836)',
+    'Developer ID Application: Tailscale Inc. (W5364U7YZB)',
     'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
     'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
     'Developer ID Application: Keybase, Inc. (99229SGT5K)',

detection/execution/unexpected-env-values-macos.sql

@@ -40,6 +40,7 @@ WHERE -- This time should match the interval
     AND NOT pe.value = '/System/Library/PrivateFrameworks/PreviewsInjection.framework/PreviewsInjection'
     AND NOT pe.value LIKE '/opt/homebrew/Cellar/r/4.%/lib/R/lib/libR.dylib'
     AND NOT pe.value LIKE '%/libsamply_mac_preload.dylib'
+    AND NOT pe.value LIKE '%/Steam/Steam.AppBundle/Steam/Contents/MacOS/steamloader.dylib:%/Steam/Steam.AppBundle/Steam/Contents/MacOS/gameoverlayrenderer.dylib'
   )
   OR (
     key = 'DYLD_FRAMEWORK_PATH' -- sort of obsolete, but may affect SIP abusers

detection/execution/unexpected-execdir-events-macos.sql

@@ -143,7 +143,9 @@ WHERE
     '/Library/Application Support/GPGTools',
     '/Library/Application Support/com.canonical.multipass',
     '/Library/Application Support/org.pqrs',
+    '~/Library/Application Support/Steam',
     '/Library/Developer/CommandLineTools',
+    '/Library/Screen Savers/XScreenSaverUpdater.app',
     '/Library/Google/GoogleSoftwareUpdate',
     '/Library/Java/JavaVirtualMachines',
     '/Library/Plug-Ins/FxPlug',

detection/execution/unexpected-sysutils-macos.sql

@@ -108,6 +108,7 @@ WHERE
   AND NOT exception_key IN (
     'system_profiler,500,Google Drive,launchd',
     'system_profiler,500,bash,launchd',
+    'system_profiler,500,steam_osx,launchd',
     'system_profiler,500,bash,logioptionsplus_agent',
     'system_profiler,0,launcher,launchd'
   )

detection/exfil/high_disk_bytes_read.sql

@@ -87,6 +87,7 @@ WHERE
     'kue',
     'launcher',
     'LogiFacecamService',
+    'factorio',
     'mediawriter',
     'melange',
     'rpi-imager',
@@ -107,6 +108,8 @@ WHERE
     'steam',
     'systemd',
     'terraform-provider-apko',
+    'terraform',
+    'terraform-ls',
     'thunderbird',
     'tilt',
     'unattended-upgr',

detection/initial_access/unexpected-shell-parents.sql

@@ -103,6 +103,7 @@ WHERE
     'ko',
     'kubectl',
     'kue',
+    'nu',
     'lightdm',
     'LogiTune',
     'make',
@@ -116,6 +117,7 @@ WHERE
     'package_script_service',
     'pacman',
     'perl',
+    'OpenLens',
     'pia-daemon',
     'PK-Backend',
     'provisio',
@@ -165,6 +167,7 @@ WHERE
     '/Applications/RStudio.app/Contents/Resources/app/bin/rsession-arm64',
     '/Applications/Amazon Photos.app/Contents/MacOS/Amazon Photos',
     '/bin/dash',
+    '/usr/bin/networksetup',
     '/bin/sh',
     '/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent',
     '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent',

detection/persistence/unexpected-active-systemd-units.sql

@@ -49,6 +49,7 @@ WHERE
         'abrt-journal-core.service,Creates ABRT problems from coredumpctl messages,',
         'abrt-oops.service,ABRT kernel log watcher,',
         'abrt-xorg.service,ABRT Xorg log watcher,',
+        'swap.img.swap,/swap.img,',
         'abrtd.service,ABRT Automated Bug Reporting Tool,',
         'abrtd.service,ABRT Daemon,',
         'accounts-daemon.service,Accounts Service,',

detection/persistence/unexpected-chrome-extensions.sql

@@ -113,6 +113,7 @@ WHERE
     'true,,Copper CRM for Gmail™,hpfmedbkgaakgagknibnonpkimkibkla',
     'true,,crouton integration,gcpneefbbnfalgjniomfjknbcgkbijom',
     'true,Crowdcast, Inc.,Crowdcast Screensharing,kgmadhplahebfoiijgloflhakfjlkbpb',
+    'true,,Crunchbase - B2B Company & Contact Info,mdfjplgeknamfodpoghbmhhlcjoacnbp',
     'true,,CSS Scan,gieabiemggnpnminflinemaickipbebg',
     "true,Daniel Kladnik @ kiboke studio,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
     'true,,Datanyze Chrome Extension,mlholfadgbpidekmhdibonbjhdmpmafd',
@@ -176,6 +177,7 @@ WHERE
     'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl',
     'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl',
     'true,,Meta Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc',
+    'true,Microsoft Corporation,Microsoft 365,ndjpnladcallmjemlbaebfadecfhkepb',
     'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka',
     'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm',
     'true,,Notion Web Clipper,knheggckgoiihginacbkhaalnibhilkk',
@@ -230,6 +232,7 @@ WHERE
     'true,,Tab Wrangler,egnjhciaieeiiohknchakcodbpgjnchh',
     'true,,Tag Assistant Legacy (by Google),kejbdjndbnbjgmefkgdddjlbokphdefk',
     'true,,Tampermonkey BETA,gcalenpjmijncebpfijmoaglllgpjagf',
+    'true,Team Octotree,Octotree - GitHub code tree,bkhaagjahfmjljalopjnoealnfndnagc',
     'true,Thomas Rientjes,Decentraleyes,ldpochfccmkkmhdbclfhpagapcfdljkj',
     'true,,TickTick - Todo & Task List,diankknpkndanachmlckaikddgcehkod',
     'true,,Todoist for Chrome,jldhpllghnbhlbpcmnajkpdmadaolakh',

detection/persistence/unexpected-launchd-program-arguments.sql

@@ -72,6 +72,7 @@ WHERE
     '/opt/homebrew/opt/dnsmasq/sbin/dnsmasq --keep-in-foreground -C /opt/homebrew/etc/dnsmasq.conf -7 /opt/homebrew/etc/dnsmasq.d,*.conf',
     '/opt/homebrew/opt/jenkins/bin/jenkins --httpListenAddress=127.0.0.1 --httpPort=8080',
     '/opt/homebrew/opt/mariadb/bin/mysqld_safe',
+    '/Applications/Tunnelblick.app/Contents/Resources/launchAtLogin.sh',
     '/opt/homebrew/bin/gitsign-credential-cache',
     '/opt/homebrew/opt/pueue/bin/pueued --verbose',
     '/opt/homebrew/opt/nginx/bin/nginx -g daemon off;',

detection/persistence/unexpected-listening-port-macos.sql

@@ -132,6 +132,7 @@ WHERE
     '631,6,0,cupsd,Software Signing',
     '67,17,0,bootpd,Software Signing',
     '67,17,0,launchd,Software Signing',
+    '81,6,500,nginx,',
     '68,17,0,configd,Software Signing',
     '7000,6,500,ControlCenter,Software Signing',
     '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
@@ -142,12 +143,14 @@ WHERE
     '24802,6,500,synergy-service,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
     '88,17,0,kdc,Software Signing',
     '49152,6,500,Webcam-desktop,Developer ID Application: Shenzhen Arashi Vision Co., Ltd. (847R5ZLN8S)',
+    '3090,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
     '8828,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '8829,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '8830,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '8831,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '8832,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '8833,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
+    '8123,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
     '8834,6,0,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
     '8834,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '88,6,0,kdc,Software Signing',

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -107,6 +107,7 @@ WHERE
     'bluetoothd,/usr/lib/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
     'bluetoothd,/usr/libexec/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
     'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
+    'lightdm,/nix/store/__VERSION__/bin/lightdm,0,user.slice,user-78.slice,0555',
     'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
     'bpfilter_umh,/bpfilter_umh,0,,,',
     'chainctl,/usr/local/bin/chainctl,0,user.slice,user-1000.slice,0755',

detection/persistence/unexpected-uid0-daemon-macos.sql

@@ -301,24 +301,25 @@ WHERE -- Focus on longer-running programs
     'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
     'Developer ID Application: Docker Inc (9BNSXJN65R)',
     'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
-    'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)',
     'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
     'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
     'Developer ID Application: Foxit Corporation (8GN47HTP75)',
     'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
     'Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
     'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
     'Developer ID Application: Keybase, Inc. (99229SGT5K)',
-    'Developer ID Application: Kolide Inc (YZ3EM74M78)',
     'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
+    'Developer ID Application: Kolide Inc (YZ3EM74M78)',
     'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
     'Developer ID Application: MacPaw Inc. (S8EX82NJP6)',
     'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
     'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
-    'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
     'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
     'Developer ID Application: Objective-See, LLC (VBG97UB4TA)',
     'Developer ID Application: Opal Camera Inc (97Z3HJWCRT)',
+    'Developer ID Application: OPENVPN TECHNOLOGIES, INC. (ACV7L3WCD8)',
+    'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
     'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
     'Developer ID Application: Private Internet Access, Inc. (5357M5NW9W)',
     'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',

detection/privesc/unexpected-privileged-containers.sql

@@ -27,6 +27,7 @@ WHERE
   AND image_name NOT IN (
     'cgr.dev/chainguard/melange',
     'cgr.dev/chainguard/apko',
+    'cgr.dev/chainguard/python',
     'cgr.dev/chainguard/sdk',
     'cgr.dev/chainguard/wolfi-base',
     'distroless.dev/melange',