fpr: Chrome, Kolide

detection/evasion/unexpected-tmp-executables-linux.sql

@@ -90,6 +90,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
         OR file.path LIKE "%/lib/%.so.%"
         OR file.path LIKE "%/lib64/%.so.%"
         OR file.path LIKE "%/lib64/%.so"
+        OR file.path LIKE '/tmp/staged-updates%launcher'
         OR file.path LIKE "%/melange%"
         OR file.path LIKE "%/sbin/%"
         OR file.path LIKE "%/bin/busybox"

detection/execution/unexpected-sysutils-macos.sql

@@ -73,15 +73,16 @@ WHERE
   AND pe.cmdline IS NOT NULL
   AND pe.status == 0
   AND pe.path IN (
-    '/usr/sbin/sysctl',
-    '/usr/bin/security',
-    '/usr/libexec/security_authtrampoline',
-    '/usr/bin/openssl',
-    '/usr/bin/uuidgen',
+    '/usr/bin/dscl',
     '/usr/bin/funzip',
-    '/usr/sbin/ioreg',
+    '/usr/bin/openssl',
+    '/usr/bin/security',
     '/usr/bin/sqlite3',
-    '/usr/bin/sw_vers'
+    '/usr/bin/sw_vers',
+    '/usr/bin/uuidgen',
+    '/usr/libexec/security_authtrampoline',
+    '/usr/sbin/ioreg',
+    '/usr/sbin/sysctl'
   )
   AND p.parent > 0
   AND NOT p0_cmd IN (

detection/privesc/unexpected-setxid-process.sql

@@ -32,6 +32,7 @@ WHERE
     '/Library/DropboxHelperTools/Dropbox_u501/dbkextd',
     '/opt/1Password/1Password-BrowserSupport',
     '/opt/1Password/1Password-KeyringHelper',
+    '/opt/google/chrome/chrome-sandbox',
     '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent',
     '/usr/bin/doas',
     '/usr/bin/fusermount',
@@ -44,7 +45,9 @@ WHERE
     '/usr/bin/su',
     '/usr/bin/sudo',
     '/usr/bin/top',
+    '/usr/lib/electron/chrome-sandbox',
     '/usr/lib/polkit-1/polkit-agent-helper-1',
+    '/usr/lib/slack/chrome-sandbox',
     '/usr/lib/xf86-video-intel-backlight-helper',
     '/usr/lib/Xorg.wrap',
     '/usr/sbin/traceroute'