fpr: xdg, docker, dbus, bpfilter_umh, docker, spotify, mage

detection/c2/unexpected-https-client-linux.sql

@@ -259,6 +259,10 @@ WHERE protocol IN (6, 17)
   AND NOT exception_key LIKE '500,node,0u,0g,npm install %'
   AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
   AND NOT exception_key LIKE '500,terraform-provider-%,500u,500g,terraform-provi' -- stay weird, NixOS (Fastly nix mirror)
+  AND NOT (
+    p.path = '/usr/bin/mage'
+    AND p.cmdline LIKE '/home/%/.magefile/%'
+  )
   AND NOT (
     pp.cmdline = '/run/current-system/sw/bin/bash'
     AND p.path LIKE '/nix/store/%'

detection/c2/unexpected-talkers-linux.sql

@@ -102,6 +102,7 @@ WHERE
     '3000,6,500,chrome,0u,0g,chrome',
     '32768,17,500,traceroute,0u,0g,traceroute',
     '32768,6,0,tailscaled,0u,0g,tailscaled',
+    '80,6,500,spotify,500u,500g,spotify',
     '32768,6,500,ssh,0u,0g,ssh',
     '3307,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
     '3443,6,500,chrome,0u,0g,chrome',

detection/credentials/unexpected-dev-opener-linux.sql

@@ -162,6 +162,7 @@ WHERE
   )
   AND NOT path_exception IN (
     '/dev/autofs,systemd',
+    '/dev/video,guvcview',
     '/dev/cpu/0/msr,nvidia-powerd',
     '/dev/fb,Xorg',
     '/dev/hidraw,chrome',

detection/evasion/hidden-cwd.sql

@@ -133,29 +133,30 @@ WHERE
       '~/.zsh'
     )
     OR top_dir IN ('~/Sync')
-    OR dir LIKE '~/.%'
-    OR dir LIKE '%/.build'
-    OR dir LIKE '~/code/%'
-    OR dir LIKE '~/%/.config/nvim'
-    OR dir LIKE '~/dev/%/dots/%/.config%'
-    OR dir LIKE '~/%/.docker%'
-    OR dir LIKE '~/%/.git'
-    OR dir LIKE '~/%/.github%'
-    OR dir LIKE '~/%/github.com/%'
-    OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
-    OR dir LIKE '~/.gradle/%'
     OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
-    OR dir LIKE '~/%/.modcache/%'
-    OR dir LIKE '~/%/node_modules/.pnpm/%'
     OR dir LIKE '/opt/homebrew/%/.cache/%'
     OR dir LIKE '/private/tmp/%/.git'
-    OR dir LIKE '~/%/src/%'
-    OR dir LIKE '~/src/%'
-    OR dir LIKE '~/%/.terraform%'
+    OR dir LIKE '/tmp/.mount_%'
     OR dir LIKE '/tmp/%/.git'
     OR dir LIKE '/tmp/%/.github/workflows'
-    OR dir LIKE '/tmp/.mount_%'
+    OR dir LIKE '%/.build'
+    OR dir LIKE '%/.git'
+    OR dir LIKE '%/.github'
+    OR dir LIKE '/home/build/.cache%'
+    OR dir LIKE '~/.%'
+    OR dir LIKE '~/.gradle/%'
+    OR dir LIKE '~/%/.config/nvim'
+    OR dir LIKE '~/%/.docker%'
+    OR dir LIKE '~/%/.modcache/%'
+    OR dir LIKE '~/%/.terraform%'
     OR dir LIKE '~/%/.vercel%'
+    OR dir LIKE '~/%/github.com/%'
+    OR dir LIKE '~/%/node_modules/.pnpm/%'
+    OR dir LIKE '~/%/src/%'
+    OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
+    OR dir LIKE '~/code/%'
+    OR dir LIKE '~/dev/%/dots/%/.config%'
+    OR dir LIKE '~/src/%'
     -- For sudo calls to other things
     OR (
       dir LIKE '/home/.terraform.d/%'

detection/evasion/unexpected-hidden-system-paths.sql

@@ -97,6 +97,14 @@ WHERE
     '/var/db/.com.apple.iokit.graphics',
     '/var/db/.GKRearmTimer',
     '/var/db/.LastGKApp',
+    '/tmp/.accounts-agent/',
+    '/tmp/.content-agent/',
+    '/tmp/.audio-agent/',
+    '/tmp/.ui-agent/',
+    '/tmp/.featureflags-agent/',
+    '/tmp/.settings-agent/',
+    '/tmp/.metrics-agent/',
+    '/tmp/.updater-agent/',
     '/var/db/.LastGKReject',
     '/var/db/.MASManifest',
     '/var/db/.SoftwareUpdateOptions',

detection/evasion/unexpected-tmp-executables-linux.sql

@@ -80,7 +80,18 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
           OR file.path LIKE '%/tmp/epdf%'
           OR file.path LIKE '/tmp/lima/%/out/%'
         )
-      ) -- Nix
+      )
+      AND NOT (
+          file.path LIKE "%/lib/%.so"
+          OR file.path LIKE "%/lib/%.so.%"
+          OR file.path LIKE "%/lib64/%.so.%"
+          OR file.path LIKE "%/lib64/%.so"
+          OR file.path LIKE "%/melange%"
+          OR file.path LIKE "%/sbin/%"
+          OR file.path LIKE "%/bin/busybox"
+          OR file.path LIKE "%/bin/bash"
+      )
+      -- Nix
       AND NOT (
         file.directory LIKE '/tmp/tmp%'
         AND gid = 0
@@ -144,6 +155,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
     AND (
       magic.data IN (
         "POSIX shell script, ASCII text executable",
+        "libtool library file, ASCII text",
         "JSON data"
       )
       OR magic.data LIKE "Unicode text%"
@@ -151,6 +163,18 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
       OR magic.data LIKE "gzip compressed data%" -- Exotic platforms
       OR magic.data LIKE 'ELF 64-bit MSB pie executable, IBM S/390%'
       OR magic.data LIKE 'ELF 32-bit LSB pie executable, ARM, EABI5%'
+      OR magic.data LIKE 'symbolic link to %'
+    )
+  )
+  AND NOT (
+    file.uid = 0
+    AND magic.data IS NOT NULL
+    AND (
+      magic.data LIKE 'symbolic link to %'
+      OR magic.data IN (
+        "ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-x86_64.so.1, stripped",
+        "libtool library file, ASCII text"
+      )
     )
   )
   AND NOT (

detection/execution/exotic-command-events-macos.sql

@@ -170,6 +170,7 @@ WHERE
       'nc -h',
       'nc -uv 8.8.8.8 53',
       'nix profile history',
+      'dd if=/dev/stdin conv=unblock cbs=79',
       'rm -f /tmp/mysql.sock',
       'sh -c launchctl bootout system "/Library/LaunchDaemons/com.ecamm.EcammAudioXPCHelper.plist"',
       '/usr/bin/csrutil report',

detection/execution/unexpected-execdir-events-macos.sql

@@ -148,6 +148,50 @@ WHERE
   )
   AND dir NOT IN (
     '/bin',
+    '/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
+    '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
+    '/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
+    '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources',
+    '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
+    '/Library/DropboxHelperTools/Dropbox_u501',
+    '/Library/Filesystems/kbfuse.fs/Contents/Resources',
+    '/Library/Frameworks/Python.framework/Versions/3.10/bin',
+    '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS',
+    '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
+    '/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS',
+    '/Library/Kandji/Kandji Agent.app/Contents/MacOS',
+    '/Library/Kandji/Kandji Agent.app/Contents/MacOS/',
+    '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS',
+    '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS',
+    '/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS',
+    '/Library/Printers/DYMO/Utilities',
+    '/Library/PrivilegedHelperTools',
+    '/Library/TeX/texbin',
+    '/node_modules/.bin',
+    '/opt/homebrew/bin',
+    '/opt/usr/bin',
+    '/opt/X11/bin',
+    '/opt/X11/libexec',
+    '/run/current-system/sw/bin',
+    '/sbin',
+    '/usr/bin',
+    '/usr/lib',
+    '/usr/lib/bluetooth',
+    '/usr/lib/cups/notifier',
+    '/usr/lib/fwupd',
+    '/usr/lib/ibus',
+    '/usr/lib/system',
+    '/usr/libexec',
+    '/usr/libexec/ApplicationFirewall',
+    '/usr/libexec/AssetCache',
+    '/usr/libexec/firmwarecheckers',
+    '/usr/libexec/firmwarecheckers/eficheck',
+    '/usr/libexec/rosetta',
+    '/usr/local/bin',
+    '/usr/local/MacGPG2/bin',
+    '/usr/sbin',
+    '~/.local/bin',
+    '~/.magefile',
     '~/bin',
     '~/code/bin',
     '~/Downloads/google-cloud-sdk/bin',
@@ -155,50 +199,7 @@ WHERE
     '~/go/bin',
     '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
     '~/Library/Application Support/dev.warp.Warp-Stable',
-    '/Library/Application Support/Kandji/Kandji Menu/Kandji Menu.app/Contents/MacOS',
-    '/Library/Kandji/Kandji Agent.app/Contents/MacOS/',
-    '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS',
-    '/Library/Application Support/Logitech.localized/Logitech Options.localized/LogiMgrUpdater.app/Contents/Resources',
-    '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources',
-    '/Library/Audio/Plug-Ins/HAL/ACE.driver/Contents/Resources/aceagent.app/Contents/MacOS',
-    '/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/Contents/MacOS',
-    '/Library/DropboxHelperTools/Dropbox_u501',
-    '/Library/Filesystems/kbfuse.fs/Contents/Resources',
-    '/Library/Frameworks/Python.framework/Versions/3.10/bin',
-    '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers.app/Contents/MacOS',
-    '/Library/Printers/Brother/Utilities/Server/USBAppControl.app/Contents/MacOS',
-    '/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/GoogleSoftwareUpdateAgent.app/Contents/MacOS',
-    '/Library/Printers/Brother/Utilities/Server/NETserver.app/Contents/MacOS',
-    '/Library/Image Capture/Devices/EPSON Scanner.app/Contents/MacOS',
-    '/Library/Printers/DYMO/Utilities',
-    '/Library/PrivilegedHelperTools',
-    '/Library/TeX/texbin',
-    '~/.local/bin',
-    '~/.magefile',
-    '/node_modules/.bin',
-    '/opt/homebrew/bin',
-    '/opt/usr/bin',
-    '/opt/X11/bin',
-    '/opt/X11/libexec',
-    '~/projects/go/bin',
-    '/run/current-system/sw/bin',
-    '/sbin',
-    '/usr/bin',
-    '/usr/lib',
-    '/usr/lib/bluetooth',
-    '/usr/lib/cups/notifier',
-    '/usr/libexec',
-    '/usr/libexec/ApplicationFirewall',
-    '/usr/libexec/AssetCache',
-    '/usr/libexec/firmwarecheckers',
-    '/usr/libexec/firmwarecheckers/eficheck',
-    '/usr/libexec/rosetta',
-    '/usr/lib/fwupd',
-    '/usr/lib/ibus',
-    '/usr/lib/system',
-    '/usr/local/bin',
-    '/usr/local/MacGPG2/bin',
-    '/usr/sbin'
+    '~/projects/go/bin'
   ) -- Locally built executables
   AND NOT (
     s.identifier = 'a.out'

detection/execution/unexpected-execdir-macos.sql

@@ -97,6 +97,7 @@ WHERE
     '~/code/bin',
     '~/Downloads/google-cloud-sdk/bin',
     '~/go/bin',
+    '~/Library/Application Support/sourcegraph-sp/',
     '~/Library/Application Support/cloud-code/installer/google-cloud-sdk/bin',
     '~/Library/Application Support/dev.warp.Warp-Stable',
     '~/Library/Application Support/zoom.us/Plugins/aomhost.app/Contents/MacOS',

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -117,6 +117,7 @@ WHERE
     'zsa.io'
   )
   AND host NOT IN (
+    'arc.net',
     'balsamiq.com',
     'brave.com',
     'discord.com',

detection/initial_access/unexpected-shell-parents.sql

@@ -137,6 +137,7 @@ WHERE
     '/Applications/Parallels Desktop.app/Contents/MacOS/Parallels Service',
     '/Applications/Parallels Desktop.app/Contents/MacOS/prl_update_helper',
     '/Applications/RStudio.app/Contents/Resources/app/bin/rsession-arm64',
+    '/Applications/Amazon Photos.app/Contents/MacOS/Amazon Photos',
     '/bin/dash',
     '/bin/sh',
     '/Library/Application Support/Logitech.localized/LogiOptionsPlus/logioptionsplus_agent.app/Contents/MacOS/logioptionsplus_agent',

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -98,6 +98,7 @@ WHERE
     'bluetoothd,/usr/libexec/bluetooth/bluetoothd,0,system.slice,bluetooth.service,0755',
     'boltd,/usr/lib/boltd,0,system.slice,bolt.service,0755',
     'boltd,/usr/libexec/boltd,0,system.slice,bolt.service,0755',
+    'bpfilter_umh,/bpfilter_umh,0,,,',
     'containerd,/nix/store/__VERSION__/bin/containerd,0,system.slice,docker.service,0555',
     'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,containerd.service,0755',
     'containerd-shim,/usr/bin/containerd-shim-runc-v2,0,system.slice,docker.service,0755',
@@ -108,6 +109,7 @@ WHERE
     'cron,/usr/sbin/cron,0,system.slice,cron.service,0755',
     'cups-browsed,/usr/sbin/cups-browsed,0,system.slice,cups-browsed.service,0755',
     'cupsd,/usr/sbin/cupsd,0,system.slice,cups.service,0755',
+    'dbus-daemon,/usr/bin/dbus-daemon,0,user.slice,user-1000.slice,0755',
     'dhclient,/usr/sbin/dhclient,0,system.slice,networking.service,0755',
     'dhcpcd,/nix/store/__VERSION__/bin/dhcpcd,0,system.slice,dhcpcd.service,0555',
     'dnf,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
@@ -117,6 +119,7 @@ WHERE
     'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
     'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
     'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
+    'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
     'firewalld,/usr/bin/python3.10,0,system.slice,firewalld.service,0755',
     'firewalld,/usr/bin/python__VERSION__,0,system.slice,firewalld.service,0755',
     'fish,/usr/bin/fish,0,user.slice,user-1000.slice,0755',
@@ -224,6 +227,8 @@ WHERE
     '/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
     'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
     'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
+    'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',
+    'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
     'X,/nix/store/__VERSION__/bin/Xorg,0,system.slice,display-manager.service,0555',
     'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
     'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',

detection/privesc/unexpected-privilege-escalation_linux.sql

@@ -52,15 +52,16 @@ WHERE
       euid < uid
       AND NOT path IN (
         '/bin/ps',
+        '/opt/1Password/1password',
         '/usr/bin/doas',
-        '/usr/lib/xorg/Xorg',
         '/usr/bin/fusermount',
         '/usr/bin/fusermount3',
-        '/usr/libexec/Xorg',
         '/usr/bin/login',
         '/usr/bin/su',
         '/usr/bin/sudo',
-        '/usr/bin/top'
+        '/usr/bin/top',
+        '/usr/libexec/Xorg',
+        '/usr/lib/xorg/Xorg'
       ) -- doas may be in the process of being upgraded
       AND NOT path LIKE '/nix/store/%/bin/sudo'
       AND NOT path LIKE '/nix/store/%/bin/dhcpcd'