diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
index 189f8e7..c2d4763 100644
--- a/detection/c2/unexpected-talkers-linux.sql
+++ b/detection/c2/unexpected-talkers-linux.sql
@@ -88,6 +88,7 @@ WHERE
  '123,17,500,/usr/chronyd,0u,0g,chronyd',
  '143,6,500,/app/thunderbird,u,g,thunderbird',
  '143,6,500,/usr/thunderbird,0u,0g,thunderbird',
+ '19305,6,500,/usr/firefox,0u,0g,firefox',
  '22000,6,500,/usr/syncthing,0u,0g,syncthing',
  '22,6,0,/usr/ssh,0u,0g,ssh',
  '22,6,0,/usr/tailscaled,0u,0g,tailscaled',
@@ -119,9 +120,8 @@ WHERE
  '80,6,0,/usr/bash,0u,0g,mkinitcpio',
  '80,6,0,/usr/bash,0u,0g,sh',
  '80,6,0,/usr/bash,0u,0g,update-ca-trust',
- '80,6,100,/usr/http,0u,0g,http',
+ '80,6,0,/usr/cp,0u,0g,cp',
  '80,6,0,/usr/gpg,0u,0g,gpg',
- '88,6,500,/usr/syncthing,0u,0g,syncthing',
  '80,6,0,/usr/kubelet,u,g,kubelet',
  '80,6,0,/usr/NetworkManager,0u,0g,NetworkManager',
  '80,6,0,/usr/packagekitd,0u,0g,packagekitd',
@@ -131,10 +131,10 @@ WHERE
  '80,6,0,/usr/python3.10,0u,0g,yum',
  '80,6,0,/usr/python3.11,0u,0g,dnf',
  '80,6,0,/usr/python3.11,0u,0g,yum',
- '80,6,0,/usr/cp,0u,0g,cp',
  '80,6,0,/usr/tailscaled,0u,0g,tailscaled',
  '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra',
  '80,6,0,/usr/wget,0u,0g,wget',
+ '80,6,100,/usr/http,0u,0g,http',
  '80,6,105,/usr/http,0u,0g,http',
  '80,6,500,/app/signal-desktop,u,g,signal-desktop',
  '80,6,500,/app/spotify,u,g,spotify',
@@ -167,6 +167,7 @@ WHERE
  '8443,6,500,/usr/firefox,0u,0g,firefox',
  '8801,17,500,/app/zoom.real,u,g,zoom.real',
  '8801,17,500,/opt/zoom,0u,0g,zoom',
+ '88,6,500,/usr/syncthing,0u,0g,syncthing',
  '993,6,500,/app/thunderbird,u,g,thunderbird',
  '993,6,500,/usr/evolution,0u,0g,evolution',
  '993,6,500,/usr/thunderbird,0u,0g,thunderbird'
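Review bot: The new allowlist entry `'19305,6,500,/usr/firefox,0u,0g,firefox'` in the first hunk carries no rationale, and unlike the neighbouring 22/143/993 entries, 19305/tcp is not a well-known service port, so a later maintainer cannot tell whether this hole in a C2 detection is still justified or how broad it is. Each tuple here is keyed on port, protocol, a uid bucket and a normalized executable path and name, which from the visible lines does not appear to bind to a remote destination or a binary hash, so anything that normalizes to `/usr/firefox` reaching 19305/tcp is now silenced for every ordinary user; that scope should at least be stated. I would annotate the line, hedged until confirmed, e.g. `'19305,6,500,/usr/firefox,0u,0g,firefox', -- presumably WebRTC media relay (Google Meet uses 19305-19309/tcp); confirm and revisit`, and consider narrowing by destination if the surrounding query exposes the remote address. The `WHERE` clause this list belongs to begins before the hunk, so I cannot see how the tuple is matched; the other three hunks only re-sort existing entries.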