From 1c17532ae8ce8fee923d59d0aa1977b864c2b62b Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Fri, 25 Oct 2024 11:29:40 -0400
Subject: [PATCH] fpr: kubectl, zoom, /opt, chrome, Autodesk Fusion
---
 detection/c2/unexpected-https-macos.sql | 1 +
 detection/c2/unexpected-talkers-linux.sql | 5 +++++
 detection/c2/unexpected-talkers-macos.sql | 1 +
 detection/evasion/hidden-cwd.sql | 8 +++++++-
 .../evasion/parent-missing-from-disk-linux.sql | 2 ++
 ...cted-long-running-security-framework-macos.sql | 1 +
 detection/exfil/high_disk_bytes_read.sql | 6 ++++--
 .../yara-unexpected-rust-http-exec-process.sql | 12 ++++++++++++
 .../unexpected-diskimage-source-macos.sql | 3 +++
 .../privesc/unexpected-privileged-containers.sql | 15 ++++----------
 10 files changed, 40 insertions(+), 14 deletions(-)
diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
index 433c545..bdbb39b 100644
--- a/detection/c2/unexpected-https-macos.sql
+++ b/detection/c2/unexpected-https-macos.sql
@@ -253,6 +253,7 @@ WHERE
 AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
 AND NOT alt_exception_key LIKE '500,plugin_host-%,plugin_host-%,500u,20g'
 AND NOT alt_exception_key LIKE '500,sm-agent-%,sm-agent-%,500u,20g'
+ AND NOT alt_exception_key LIKE '500,kubectl%,kubectl%,500u,20g'
 AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
 AND NOT (
 exception_key IN (
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 9e14791..39b9498 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -16,6 +16,7 @@ SELECT s.remote_address,
 p.path,
 p.cmdline AS child_cmd,
 p.cwd,
+ p.euid,
 pp.path AS parent_path,
 p.parent AS parent_pid,
 pp.cmdline AS parent_cmd,
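Review bot: The new `AND NOT alt_exception_key LIKE '500,kubectl%,kubectl%,500u,20g'` is broader than the entries around it: there is no delimiter before either `%`, so any process whose name merely starts with `kubectl` (`kubectl_sync`, `kubectl.old`) parented by another such process is exempted, whereas the neighbouring patterns anchor the wildcard after a fixed prefix such as `terraform-provider-` or `sm-agent-`. If the goal is kubectl plugins (`kubectl-<name>`) launched by kubectl, `'500,kubectl-%,kubectl,500u,20g'` plus an exact `'500,kubectl,kubectl,500u,20g'` entry, if that pairing also occurs, would keep the coverage without exempting look-alike binaries. Whether the key also carries a path or code-signing identity cannot be seen from this hunk, and the enclosing WHERE clause continues outside it.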
@@ -110,6 +111,7 @@ WHERE protocol > 0
 '80,6,0,python3.11,0u,0g,yum',
 '80,6,0,python3.12,0u,0g,dnf',
 '80,6,0,python3.12,0u,0g,yum',
+ '89,6,500,chrome,0u,0g,chrome',
 '80,6,0,python3.9,u,g,yum',
 '80,6,0,rpm-ostree,0u,0g,rpm-ostree',
 '80,6,0,sort,0u,0g,sort',
@@ -164,8 +166,10 @@ WHERE protocol > 0
 '80,6,500,slirp4netns,500u,500g,slirp4netns',
 '80,6,500,spotify,0u,0g,spotify',
 '80,6,500,spotify,500u,500g,spotify',
+ '80,6,500,ZoomWebviewHost,0u,0g,ZoomWebviewHost',
 '80,6,500,spotify-launcher,0u,0g,spotify-launche',
 '80,6,500,spotify,u,g,spotify',
+ '80,6,0,dnf5,0u,0g,dnf5',
 '80,6,500,steam,500u,100g,steam',
 '80,6,500,steam,500u,500g,steam',
 '80,6,500,steamwebhelper,500u,500g,steamwebhelper',
@@ -207,6 +211,7 @@ WHERE protocol > 0
 AND (
 p.path LIKE '%/bin/%'
 OR p.path LIKE '/app/%'
+ OR p.path LIKE '/opt/%'
 )
 )
 AND NOT (
diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index f43ffa4..f5f233e 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -92,6 +92,7 @@ WHERE pos.pid IN (
 AND NOT signed_exception IN (
 '0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
 '500,Apple Mac OS Application Signing',
+ '500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
 '500,Developer ID Application: Cisco (DE8Y96K9QP)',
 '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
 '500,Developer ID Application: Valve Corporation (MXGJJ98X76)'
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
index 3343393..83e8389 100644
--- a/detection/evasion/hidden-cwd.sql
+++ b/detection/evasion/hidden-cwd.sql
@@ -73,6 +73,7 @@ WHERE p0.pid IN (
 'bindfs',
 'code',
 'Code Helper',
+ 'Code Helper (Plugin)',
 'find',
 'git',
 'gitsign',
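Review bot: The new `'89,6,500,chrome,0u,0g,chrome'` exception turns what looks like a single observation into a permanent allow for outbound TCP/89 from any process named `chrome` with a parent named `chrome`, and 89 is not a port a browser is expected to use routinely. If the key is built from names only (its construction is outside the hunk), a renamed binary satisfies it as easily as Google Chrome does, so pairing the key with a path, e.g. `AND NOT (exception_key = '89,6,500,chrome,0u,0g,chrome' AND p.path LIKE '/opt/google/chrome/%')`, or at least recording the destination in a comment such as `-- chrome: TCP/89 to <host>, seen 2024-10`, would keep the port-89 signal for everything else. The row is also placed among the port-80 `python3` entries rather than in sort order, which makes the list harder to check for duplicates (the `spotify` rows below already show near-duplicates). The IN list starts and ends outside the hunk.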
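Review bot: `OR p.path LIKE '/opt/%'` exempts every executable under `/opt` from whatever this `AND ( … )` group gates, and `/opt` is an unmanaged third-party tree where dropped tooling lands as readily as vendor software, so this widens the allowlist far more than the `'/app/%'` sibling (presumably the Flatpak prefix) it is modelled on. Since the same commit adds `/opt/google/chrome` explicitly in parent-missing-from-disk-linux.sql, naming the vendor trees actually observed here, e.g. `OR p.path LIKE '/opt/google/%'`, would clear the false positive without trusting the whole directory. The `AND (` group starts before the hunk, so what the path test is combined with (the `%/bin/%` test suggests an "installed program" heuristic) cannot be confirmed from here.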
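Review bot: Adding `'500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)'` to `signed_exception` exempts every binary carrying that Developer ID from this rule for uid 500, not just the Zoom client, because the key shown in the hunk is uid plus signing authority with no process name, port or destination. That mirrors the existing Google and Cisco entries, so it is consistent with the file, but a short comment naming the process and protocol that actually triggered it, e.g. `-- Zoom: <process> to TCP/<port>`, would let a later reviewer judge whether a narrower per-process exception is possible. The IN list and the `WHERE pos.pid IN (` subquery continue outside the hunk.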
@@ -143,7 +144,12 @@ WHERE p0.pid IN (
 '~/.hunter/_Base',
 '~/.zsh'
 )
- OR top_dir IN ('~/Sync', '~/src', '~/workspace')
+ OR top_dir IN (
+ '~/Sync',
+ '~/src',
+ '~/workspace',
+ '~/dev'
+ )
 OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
 OR dir LIKE '/opt/homebrew/%/.cache/%'
 OR dir LIKE '~/%enterprise-packages/.chainguard'
diff --git a/detection/evasion/parent-missing-from-disk-linux.sql b/detection/evasion/parent-missing-from-disk-linux.sql
index 9d79035..7055af1 100644
--- a/detection/evasion/parent-missing-from-disk-linux.sql
+++ b/detection/evasion/parent-missing-from-disk-linux.sql
@@ -52,6 +52,7 @@ WHERE
 AND NOT p1_dirname IN (
 '/usr/lib/electron22',
 '/usr/bin',
+ '/opt/google/chrome',
 '/usr/libexec',
 '/usr/lib/systemd',
 '/usr/lib',
@@ -60,6 +61,7 @@ WHERE
 AND NOT p1.name IN (
 'bash',
 'dnf',
+ 'chrome',
 'ninja',
 'make',
 'electron',
diff --git a/detection/execution/unexpected-long-running-security-framework-macos.sql b/detection/execution/unexpected-long-running-security-framework-macos.sql
index d42fb5a..623d863 100644
--- a/detection/execution/unexpected-long-running-security-framework-macos.sql
+++ b/detection/execution/unexpected-long-running-security-framework-macos.sql
@@ -62,6 +62,7 @@ WHERE -- Focus on longer-running programs
 AND NOT path LIKE '/Users/%/src/%'
 AND NOT path LIKE '/Users/%/bin/%'
 AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
+ AND NOT path LIKE '/Users/%/Library/Application Support/Zed/supermaven/%'
 AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
 AND NOT path LIKE '/Users/%/.terraform/providers/%'
 AND NOT REGEX_MATCH (path, '(.*)/', 1) LIKE '%/bin'
diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
index 710918c..24800b0 100644
--- a/detection/exfil/high_disk_bytes_read.sql
+++ b/detection/exfil/high_disk_bytes_read.sql
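Review bot: The bare `'chrome'` added to the `p1.name` exclusion is broader than the `'/opt/google/chrome'` entry the previous hunk adds to `p1_dirname`: the dirname entry already suppresses the case this commit is presumably fixing (Chrome's binary replaced on disk under `/opt/google/chrome`), while the name entry also silences any deleted parent binary called `chrome` wherever it ran from, which is exactly the dropped-and-deleted pattern this rule exists to catch. Unless there is a case where `p1_dirname` is empty and only the name is known (not visible here), consider dropping the `'chrome'` line; if it must stay, a comment such as `-- chrome: parent path unavailable after update` would justify keeping both. Both IN lists start and end outside the hunks.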
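Review bot: `'/Users/%/Library/Application Support/Zed/supermaven/%'` is a user-writable path, so any long-running binary placed there, not just the one Zed installs, is now exempt from this rule; the `src`, `bin` and StreamDeck entries above it share that property, but those are generic developer locations while this one names a specific third-party component that presumably ships signed, which would be a better discriminator if the query exposes a signature column (not visible here). If the path test is the only option, narrowing it to the binary name observed or adding a comment such as `-- Zed/supermaven: user-writable path, revisit if a signature check becomes available` keeps the allowlist auditable. The same StreamDeck, go-build and terraform trio is copied into yara-unexpected-rust-http-exec-process.sql in this commit, which suggests these developer paths belong in one shared list rather than being maintained twice; the enclosing WHERE clause continues outside the hunk.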
@@ -50,8 +50,9 @@ WHERE
 bytes_read_rate > 2500000
 AND age > 180
 AND p0.path NOT LIKE '/Applications/%.app/Contents/%'
- AND p0.path NOT LIKE '%/bin/%'
- AND p0.path NOT LIKE '/usr/%'
+ AND p0.path NOT LIKE '/app/%'
+ -- Don't exclude /usr so that we find things like tar & rsync
+ AND p0.path NOT LIKE '/opt/%'
 AND p0.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'
 AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
 AND p0.path NOT LIKE '/System/Applications/%'
@@ -59,6 +60,7 @@ WHERE
 AND p0.name NOT IN (
 'apko',
 'Autodesk Identity Manager',
+ 'Autodesk Fusion 360',
 'baloo_file',
 'baloo_file_extr',
 'bash',
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
index 78a25a5..5fedfc4 100644
--- a/detection/exfil/yara-unexpected-rust-http-exec-process.sql
+++ b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -46,6 +46,18 @@ WHERE
 WHERE
 start_time > (strftime('%s', 'now') - 7200)
 AND path != ""
+ AND NOT path LIKE '/System/%'
+ AND NOT path LIKE '/usr/libexec/%'
+ AND NOT path LIKE '/usr/sbin/%'
 -- Regular apps
+ AND NOT path LIKE '/Applications/%.app/Contents/macOS/%'
+ AND NOT path LIKE '/opt/%'
+ AND NOT path LIKE '/Users/%/go/%'
+ AND NOT path LIKE '/Users/%/dev/%'
+ AND NOT path LIKE '/Users/%/src/%'
+ AND NOT path LIKE '/Users/%/bin/%'
+ AND NOT path LIKE '/Users/%/Library/Application Support/com.elgato.StreamDeck/Plugins/%'
+ AND NOT path LIKE '/private/var/folders%/T/go-build%/exe/%'
+ AND NOT path LIKE '/Users/%/.terraform/providers/%'
 GROUP BY path
 )
diff --git a/detection/initial_access/unexpected-diskimage-source-macos.sql b/detection/initial_access/unexpected-diskimage-source-macos.sql
index f60a70d..d027f0e 100644
--- a/detection/initial_access/unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/unexpected-diskimage-source-macos.sql
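Review bot: The new `AND p0.path NOT LIKE '/opt/%'` sits awkwardly next to the comment just above it: `/usr` is deliberately kept in scope so bulk readers like `tar` and `rsync` are seen, yet `/opt`, an unmanaged tree where vendor installs and dropped tooling both land, is excluded wholesale, so the same archiver copied to `/opt/x/tar` would pass unseen. Exempting the specific `/opt/<vendor>/` prefixes that produced the false positives, and extending the comment to say so, e.g. `-- Keep /usr in scope for tar & rsync; only known vendor trees under /opt are exempt`, keeps the rule's intent explicit. Dropping `'%/bin/%'` also brings `/usr/local/bin` and `~/bin` into scope, which is good for coverage but may need new name exclusions; the WHERE clause continues outside the hunk.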
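Review bot: The new exclusions remove `/opt/%`, `/Users/%/go/%`, `/Users/%/dev/%`, `/Users/%/src/%` and `/Users/%/bin/%` from the set of running binaries this subquery hands to YARA, and all of those are user-writable, so a Rust binary with HTTP-and-exec capability dropped in `~/dev` or `~/bin` is no longer scanned by this rule at all; for a rule aimed at implant-like binaries that is a wide blind spot, and it would be safer to keep scanning them and exempt specific known-good results by name or signature in the outer query (not visible here). `'/Applications/%.app/Contents/macOS/%'` spells the bundle directory `macOS`, whereas on disk it is `MacOS`; SQLite's LIKE is ASCII-case-insensitive so it still matches, but writing `MacOS` avoids relying on that and matches the `Contents/` form used in high_disk_bytes_read.sql in this commit. The existing `-- Regular apps` comment appears to now separate the three system-path lines from the application and developer lines, so a `-- System binaries` comment above `'/System/%'` and a `-- Developer locations` one above `'/Users/%/go/%'` would keep the groups readable. The subquery closes with `)` inside the hunk, but the outer statement it feeds continues outside it.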
@@ -160,6 +160,7 @@ WHERE
 'webex.com',
 'whatsapp.com',
 'xtom.com',
+ 'gitbutler.com',
 'xx.fbcdn.net',
 'yubico.com',
 'zoo.dev',
@@ -188,11 +189,13 @@ WHERE
 'emacsformacosx.com',
 'epson.com',
 'evernote.com',
+ 'multipass.run',
 'fbcdn.net',
 'figma.com',
 'flipperzero.one',
 'getkap.co',
 'github.com',
+ 'gitbutler.com',
 'go.dev',
 'imazing.com',
 'kittycad.io',
diff --git a/detection/privesc/unexpected-privileged-containers.sql b/detection/privesc/unexpected-privileged-containers.sql
index 0927db2..0204b9d 100644
--- a/detection/privesc/unexpected-privileged-containers.sql
+++ b/detection/privesc/unexpected-privileged-containers.sql
@@ -11,7 +11,7 @@
 -- where the kernel namespaces can be shared. These kind of attacks tend to be
 --
 -- platform: linux
--- tags: transient state container escalation
+-- tags: transient state container escalation extra
 SELECT
 command,
 image_id,
@@ -25,24 +25,17 @@ FROM
 WHERE
 privileged = 1
 AND image_name NOT IN (
- 'cgr.dev/chainguard-private/python',
- 'cgr.dev/chainguard/apko',
- 'cgr.dev/chainguard/k3s',
- 'cgr.dev/chainguard/melange',
- 'cgr.dev/chainguard/python',
- 'cgr.dev/chainguard/sdk',
- 'cgr.dev/chainguard/wolfi-base',
 'distroless.dev/melange',
 'docker.io/library/registry',
 'docker.io/rancher/k3s',
 'gcr.io/k8s-minikube/kicbase',
- 'ghcr.io/wolfi-dev/sdk',
- 'ghcr.io/wolfi-dev/sdk@sha256',
 'kindest/node',
 'ligfx/k3d-registry-dockerd',
 'moby/buildkit',
- 'wolfi'
+ 'wolfi',
+ 'jdk-crac'
 )
+ AND image NOT LIKE 'cgr.dev/chainguard%'
 AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%'
 AND image NOT LIKE 'ghcr.io/wolfi-dev/%'
 AND image NOT LIKE 'melange-%'
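Review bot: `AND image NOT LIKE 'cgr.dev/chainguard%'` replaces seven explicitly listed images with a prefix that has no `/` after `chainguard`, so every privileged container whose image string starts with that text is exempt, including the `cgr.dev/chainguard-private/` namespace that was previously enumerated per image and any other namespace sharing the prefix, at any tag or digest. If trusting the registry prefix is the intent, say so in a comment so a later reader does not tighten it to `cgr.dev/chainguard/%` by accident; if not, two explicit patterns, `'cgr.dev/chainguard/%'` and `'cgr.dev/chainguard-private/%'`, state it without the open-ended match. The new `'jdk-crac'` entry in the `image_name` list is an unqualified name, so any locally built image tagged `jdk-crac` runs privileged without a finding; `'wolfi'` above it already has that property, so it is consistent with the file, but a comment noting where that image comes from would help. The enclosing WHERE clause continues outside the hunk.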