New Years cleanup: monitorix, snap-confine, steam, spotify, etc

detection/c2/unexpected-https-client-linux.sql

@@ -87,16 +87,9 @@ WHERE
     '0,/usr/python3.11,0u,0g,yum',
     '0,/usr/rpi-imager,0u,0g,rpi-imager',
     '0,/usr/snapd,0u,0g,snapd',
-    '500,/sbin/apk,u,g,apk',
     '0,/usr/tailscaled,0u,0g,tailscaled',
     '0,/usr/tailscaled,500u,500g,tailscaled',
     '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
-    '500,/usr/chainctl,500u,500g,chainctl',
-    '500,/usr/grype,0u,0g,grype',
-    '500,/home/krel,500u,500g,krel',
-    '500,/home/mconvert,500u,500g,mconvert',
-    '500,/usr/cosign-linux-amd64,0u,0g,cosign',
-    '500,/home/slirp4netns,500u,500g,slirp4netns',
     '105,/usr/http,0u,0g,https',
     '106,/usr/geoclue,0u,0g,geoclue',
     '500,/app/signal-desktop,u,g,signal-desktop',
@@ -111,13 +104,15 @@ WHERE
     '500,/home/cosign,500u,500g,cosign',
     '500,/home/gitsign,500u,500g,gitsign',
     '500,/home/go,500u,500g,go',
-    '500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
     '500,/home/grype,500u,500g,grype',
     '500,/home/java,500u,500g,java',
     '500,/home/jcef_helper,500u,500g,jcef_helper',
     '500,/home/ko,500u,500g,ko',
+    '500,/home/krel,500u,500g,krel',
+    '500,/home/mconvert,500u,500g,mconvert',
     '500,/home/promoter,500u,500g,promoter',
     '500,/home/python3,500u,500g,python3',
+    '500,/home/slirp4netns,500u,500g,slirp4netns',
     '500,/home/steam,500u,100g,steam',
     '500,/home/steamwebhelper,500u,100g,steamwebhelper',
     '500,/home/terraform,500u,500g,terraform',
@@ -136,9 +131,13 @@ WHERE
     '500,/opt/kubectl,0u,0g,kubectl',
     '500,/opt/slack,0u,0g,slack',
     '500,/opt/snap-store,0u,0g,snap-store',
+    '500,/usr/python3.11,0u,0g,prowler',
     '500,/opt/spotify,0u,0g,spotify',
+    '500,/home/steamwebhelper,500u,500g,steamwebhelper',
+    '500,/opt/spotify,500u,500g,spotify',
     '500,/opt/todoist,0u,0g,todoist',
     '500,/opt/zoom,0u,0g,zoom',
+    '500,/sbin/apk,u,g,apk',
     '500,/tmp/jetbrains-toolbox,u,g,jetbrains-toolb',
     '500,/tmp/obsidian,u,g,obsidian',
     '500,/tmp/terraform,500u,500g,terraform',
@@ -146,11 +145,11 @@ WHERE
     '500,/usr/bom,500u,500g,bom',
     '500,/usr/cargo,0u,0g,cargo',
     '500,/usr/chainctl,0u,0g,chainctl',
+    '500,/usr/chainctl,500u,500g,chainctl',
     '500,/usr/chrome,0u,0g,chrome',
     '500,/usr/code,0u,0g,code',
     '500,/usr/cosign,500u,500g,cosign',
-    '500,/usr/wget,0u,0g,wget',
-    '500,/home/slirp4netns,500u,500g,slirp4netns',
+    '500,/usr/cosign-linux-amd64,0u,0g,cosign',
     '500,/usr/curl,0u,0g,curl',
     '500,/usr/electron,0u,0g,electron',
     '500,/usr/evolution-addressbook-factory,0u,0g,evolution-addre',
@@ -170,6 +169,7 @@ WHERE
     '500,/usr/go,0u,0g,go',
     '500,/usr/go,500u,500g,go',
     '500,/usr/goa-daemon,0u,0g,goa-daemon',
+    '500,/usr/grype,0u,0g,grype',
     '500,/usr/gsd-datetime,0u,0g,gsd-datetime',
     '500,/usr/gvfsd-http,0u,0g,gvfsd-http',
     '500,/usr/io.elementary.appcenter,0u,0g,io.elementary.a',
@@ -178,12 +178,13 @@ WHERE
     '500,/usr/kbfsfuse,0u,0g,kbfsfuse',
     '500,/usr/keybase,0u,0g,keybase',
     '500,/usr/ko,u,g,ko',
-    '500,/usr/node,0u,0g,node',
     '500,/usr/kubectl,500u,500g,kubectl',
     '500,/usr/lens,0u,0g,lens',
     '500,/usr/nautilus,0u,0g,nautilus',
     '500,/usr/nix,0u,0g,nix',
+    '500,/usr/node,0u,0g,node',
     '500,/usr/obs,0u,0g,obs',
+    '500,/usr/obs-ffmpeg-mux,0u,0g,obs-ffmpeg-mux',
     '500,/usr/pacman,0u,0g,pacman',
     '500,/usr/python3,0u,0g,python3',
     '500,/usr/python3.10,0u,0g,python3',
@@ -200,6 +201,7 @@ WHERE
     '500,/usr/thunderbird,0u,0g,thunderbird',
     '500,/usr/trivy,0u,0g,trivy',
     '500,/usr/WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
+    '500,/usr/wget,0u,0g,wget',
     '500,/usr/xmobar,0u,0g,xmobar',
     '500,/usr/yay,0u,0g,yay'
   )

detection/c2/unexpected-talkers-linux.sql

@@ -154,8 +154,10 @@ WHERE
     '8801,17,500,/opt/zoom,0u,0g,zoom',
     '80,6,500,/usr/signal-desktop,0u,0g,signal-desktop',
     '80,6,0,/usr/python3.10,0u,0g,dnf-automatic',
+    '22,6,500,/home/terraform,500u,500g,terraform',
     '993,6,500,/app/thunderbird,u,g,thunderbird',
     '993,6,500,/usr/evolution,0u,0g,evolution',
+    '80,6,500,/home/steam,500u,500g,steam',
     '993,6,500,/usr/thunderbird,0u,0g,thunderbird'
   )
   AND NOT (

detection/credentials/unexpected-sensitive-file-access-linux.sql

@@ -81,6 +81,7 @@ WHERE
       'firefox,file:// Content,~/.mozilla/firefox',
       'firefox,firefox,~/.cache/mozilla',
       'firefox,firefox,~/.mozilla/firefox',
+      'vim,vim,~/.aws',
       'firefox,firefox,~/snap/firefox',
       'firefox,.firefox-wrappe,~/.cache/mozilla',
       'firefox,.firefox-wrappe,~/.mozilla/firefox',

detection/evasion/empty_root_environ_linux.sql

@@ -38,10 +38,12 @@ WHERE
     'dhcpcd',
     'modprobe',
     'dnf',
+    'systemd-udevd',
     'gdm-session-wor',
     'gpg-agent',
     'nginx',
     'sshd',
+    'ssh',
     'zypak-sandbox'
   )
   AND NOT (

detection/evasion/hidden-cwd.sql

@@ -110,6 +110,7 @@ WHERE
     OR dir LIKE '~/%/.modcache/%'
     OR dir LIKE '~/%/src/%'
     OR dir LIKE '~/src/%'
+    OR dir LIKE '~/%/node_modules/.pnpm/%'
     OR dir LIKE '~/%/.terraform%'
     OR dir LIKE '/tmp/.mount_%'
     -- For sudo calls to other things

detection/evasion/parent-missing-from-disk-linux.sql

@@ -43,6 +43,7 @@ WHERE
   AND NOT parent_path IN (
     '/opt/google/chrome/chrome',
     '/usr/lib/systemd/systemd',
+    '/usr/bin/alacritty',
     '/usr/bin/dockerd',
     '/usr/bin/gnome-shell'
   ) -- long-running launchers

detection/evasion/touched-executable-linux.sql

@@ -35,6 +35,7 @@ WHERE
   AND f.path NOT LIKE '/snap/%'
   AND f.path NOT LIKE '/tmp/go-build%/exe/main'
   AND f.path NOT LIKE '/usr/local/bin/%'
+  AND f.path NOT LIKE '/usr/local/aws-cli/%/dist/aws'
   AND f.path NOT LIKE '/usr/local/kolide-k2/bin/%-updates/%'
 GROUP by
   p.pid

detection/execution/exotic-command-events-macos.sql

@@ -138,6 +138,7 @@ WHERE
     -- The source of these commands is still a mystery to me.
     OR p.parent = -1
   )
+  AND NOT cmd LIKE '-history%'
   AND NOT cmd LIKE '/bin/rm -f /tmp/periodic.%'
   AND NOT cmd LIKE 'rm -f /tmp/locate%/_updatedb%'
   AND NOT cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'

detection/execution/recently-created-executables-linux.sql

@@ -113,6 +113,7 @@ WHERE
     '/usr/sbin/avahi-daemon',
     '/usr/sbin/chronyd',
     '/usr/sbin/cupsd',
+    '/usr/sbin/rngd',
     '/usr/sbin/tailscaled',
     '/usr/share/code/chrome_crashpad_handler',
     '/usr/share/code/code',

detection/execution/unexpected-execdir-events-macos.sql

@@ -131,6 +131,7 @@ WHERE
     '~/homebrew/',
     '~/.kuberlr/',
     '~/Library/',
+    '~/.gradle/',
     '~/.local/',
     '~/Parallels/',
     '~/projects/',

detection/execution/unexpected-osascript-calls.sql

@@ -51,12 +51,14 @@ WHERE
   AND p.time > (strftime('%s', 'now') -60)
   AND exception_key NOT IN (
     'com.vng.zalo,Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),osascript -ss',
-    'install,Developer ID Application: Docker Inc (9BNSXJN65R),/usr/bin/osascript -e property exit_code: 0\x0Aproperty ',
     ',,osascript',
     ',,osascript openChrome.applescript https://localhost.ch'
   )
+  AND exception_key NOT LIKE 'install,Developer ID Application: Docker Inc (9BNSXJN65R),/usr/bin/osascript -e property exit_code: 0\x0Aproperty '
+
   AND cmd NOT IN ('osascript -e user locale of (get system info)')
   AND cmd NOT LIKE '/usr/bin/osascript /Users/%/Library/Caches/com.runningwithcrayons.Alfred/Workflow Scripts/%'
+
   -- We don't want to allow all of Python as an exception
   AND NOT (
     exception_key = 'org.python.python,,osascript'

detection/exfil/high_disk_bytes_read.sql

@@ -41,6 +41,7 @@ WHERE
     'firefox',
     'fish',
     'fleet_backend',
+    'kube-apiserver',
     'fsdaemon',
     'GoogleSoftwareUpdateAgent',
     'com.apple.NRD.UpdateBrainService',

detection/initial_access/unexpected-shell-parents.sql

@@ -1,4 +1,4 @@
--- Unexpected process that spawns shell processes
+-- Unexpected process that spawns shell processes (event based)
 --
 -- false positives:
 --   * IDE's
@@ -7,7 +7,8 @@
 --   * https://attack.mitre.org/techniques/T1059/ (Command and Scripting Interpreter)
 --   * https://attack.mitre.org/techniques/T1204/002/ (User Execution: Malicious File)
 --
--- tags: transient process state
+-- tags: process events
+-- interval: 60
 -- platform: posix
 SELECT
   p.name,
@@ -51,6 +52,7 @@ WHERE
     'find',
     'FinderSyncExtension',
     'fish',
+    'git',
     'go',
     'goland',
     'helm',
@@ -106,6 +108,7 @@ WHERE
     '/sbin/launchd',
     '/usr/lib/xorg/Xorg',
     '/usr/bin/alacritty',
+    '/Library/Developer/CommandLineTools/usr/bin/git',
     '/usr/bin/apt-get',
     '/usr/bin/bash',
     '/usr/bin/bwrap',

detection/persistence/unexpected-chrome-extensions.sql

@@ -183,6 +183,7 @@ WHERE
     'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, clipboardRead, storage, sessions, notifications, webNavigation, <all_urls>',
     'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb,tabs, bookmarks, history, storage, sessions, notifications, webNavigation, <all_urls>',
     'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd,<all_urls>, storage',
+    'true,,Vimcal,akopimcimmdmklcmegcflfidpfegngke,activeTab, storage, tabs, identity, https://maps.googleapis.com/*, https://*.vimcal.com/*, webNavigation, <all_urls>, background, history',
     'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webNavigation, webRequest',
     'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg,cookies, storage, tabs, webRequest, webNavigation, http://*/*, https://*/*',
     'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb,<all_urls>, proxy, management, tabs, webRequest, webRequestBlocking, activeTab, storage, unlimitedStorage, contextMenus, privacy, webNavigation, notifications, cookies',

detection/persistence/unexpected-listening-port-linux.sql

@@ -83,6 +83,7 @@ WHERE
     '4191,6,500,linkerd2-proxy',
     '443,6,500,jcef_helper',
     '4443,6,500,metrics-server',
+    '17,255,0,.tailscaled-wra',
     '5000,6,0,registry',
     '5000,6,500,ControlCenter',
     '5001,6,0,registry',

detection/persistence/unexpected-small-udev-entry.sql

@@ -32,6 +32,7 @@ WHERE
   AND file.path NOT IN (
     '/usr/lib/udev/rules.d/50-apport.rules',
     '/usr/lib/udev/rules.d/60-net.rules',
+    '/usr/lib/udev/rules.d/90-rdma-umad.rules',
     '/usr/lib/udev/rules.d/60-rfkill.rules',
     '/usr/lib/udev/rules.d/61-mutter.rules',
     '/usr/lib/udev/rules.d/66-saned.rules',

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -124,6 +124,7 @@ WHERE
     '/usr/sbin/gssproxy',
     '/usr/sbin/mcelog',
     '/usr/sbin/pcscd',
+    '/usr/sbin/pwrstatd',
     '/usr/sbin/sshd',
     '/usr/sbin/tailscaled',
     '/usr/sbin/thermald',
@@ -140,7 +141,8 @@ WHERE
     '/usr/bin/python3 /usr/sbin/execsnoop-bpfcc',
     '/usr/bin/python3 /usr/lib/pop-transition/service.py',
     '/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal',
-    '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers'
+    '/usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers',
+    '/usr/bin/monitorix -c /etc/monitorix/monitorix.conf -p /run/monitorix.pid'
   )
   AND NOT p.cmdline LIKE '/usr/bin/python3 -s% /usr/sbin/firewalld%'
   AND NOT p.cmdline LIKE '/usr/bin/python3 /usr/bin/dnf %'

detection/privesc/unexpected-privilege-escalation_linux.sql

@@ -46,6 +46,7 @@ WHERE
   )
   AND p.path NOT LIKE '/nix/store/%/bin/sudo'
   AND p.path NOT LIKE '/nix/store/%/bin/dhcpcd'
+  AND p.path NOT LIKE '/snap/snapd/%/usr/lib/snapd/snap-confine'
   AND NOT (
     p.name = 'polkit-agent-he'
     AND parent_path = '/usr/bin/gnome-shell'