Merge pull request #425 from tstromberg/nov19

fpr: mumble, gvproxy, chainlink, telegram, systemd, IRCCloud, nfsd

detection/c2/unexpected-talkers-linux.sql

@@ -197,6 +197,7 @@ WHERE
     '8080,6,500,chrome,0u,0g,chrome',
     '8080,6,500,firefox,0u,0g,firefox',
     '8080,6,500,idea,0u,0g,idea',
+    '32768,6,500,mumble,0u,0g,mumble',
     '8080,6,500,python3.11,0u,0g,speedtest-cli',
     '8080,6,500,speedtest,500u,500g,speedtest',
     '8080,6,500,bambu-studio,u,g,bambustu_main',

detection/c2/unexpected-talkers-macos.sql

@@ -111,26 +111,17 @@ WHERE
     unsigned_exception = '500,6,80,main,main'
     AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/main'
   )
-  AND NOT (
-    unsigned_exception IN (
+  -- port 0 means the connection has come and gone since the original process_open_sockets entry
+  AND NOT unsigned_exception IN (
       '500,0,0,gvproxy,gvproxy',
       '500,6,0,gvproxy,gvproxy',
+      '500,17,53,gvproxy,gvproxy',
+      '500,17,53,gvproxy,gvproxy',
       '500,6,32768,gvproxy,gvproxy',
-      '500,17,123,gvproxy,gvproxy'
-    )
-    AND p0.path LIKE '/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy'
-  )
-  AND NOT (
-    unsigned_exception = '500,0,0,chainlink,chainlink'
-    AND p0.path LIKE '/var/folders/%/T/go-build%/b001/exe/chainlink'
-    AND remote_port = 0
-    AND protocol = 0
-  )
-  AND NOT (
-    unsigned_exception = '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
-    AND p0.path LIKE '/nix/store/%-telegram-desktop-%'
-    AND remote_port = 0
-    AND protocol = 0
+      '500,0,0,chainlink,chainlink',
+      '500,17,123,gvproxy,gvproxy',
+      '500,0,0,,',
+      '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
   )
 GROUP BY
   p0.cmdline

detection/credentials/unexpected-dev-opener-linux.sql

@@ -111,6 +111,7 @@ WHERE
     '/dev/snd/seq',
     '/dev/urandom',
     '/dev/vga_arbiter',
+    '/dev/udmabuf',
     '/dev/video10' -- workaround for poor regex management (ffmpeg)
   )
   AND pof.path NOT LIKE '/dev/pts/%'

detection/discovery/unexpected-bpf-user.sql

@@ -39,6 +39,7 @@ WHERE
   AND p.path NOT IN (
     '/usr/bin/qemu-system-x86_64',
     '/usr/lib/systemd/systemd',
+    '/usr/lib/systemd/systemd-nsresourced',
     '/var/opt/Elastic/Endpoint/elastic-endpoint',
     '/opt/Elastic/Endpoint/elastic-endpoint'
   )

detection/evasion/hidden-cwd.sql

@@ -154,40 +154,41 @@ WHERE
       '~/.zsh'
     )
     OR top_dir IN ('~/Sync', '~/src', '~/workspace', '~/dev')
-    OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
-    OR dir LIKE '/opt/homebrew/%/.cache/%'
-    OR dir LIKE '~/%enterprise-packages/.chainguard'
-    OR dir LIKE '/private/tmp/%/.git'
-    OR dir LIKE '/tmp/.mount_%'
-    OR dir LIKE '/tmp/%/.git'
-    OR dir LIKE '~/%/.tests/%'
-    OR dir LIKE '/tmp/%/.github/workflows'
-    OR dir LIKE '~/%/.terragrunt-cache/%'
+    OR dir LIKE '~/.%'
     OR dir LIKE '%/.build'
+    OR dir LIKE '%/.cache/melange%'
     OR dir LIKE '%/.cargo/%'
+    OR dir LIKE '~/code/%'
+    OR dir LIKE '~/%/.config/nvim'
+    OR dir LIKE '~/dev/%/dots/%/.config%'
+    OR dir LIKE '~/%/.docker%'
+    OR dir LIKE '~/%enterprise-packages/.chainguard'
     OR dir LIKE '%/.git'
     OR dir LIKE '%/.git/%'
-    OR dir LIKE '%/.gradle'
-    OR dir LIKE '%/.github/%'
-    OR dir LIKE '%/node_modules/.bin'
-    OR dir LIKE '%/.cache/melange%'
     OR dir LIKE '%/.github'
-    OR dir LIKE '%/.venv'
-    OR dir LIKE '/home/build/.cache%'
-    OR dir LIKE '~/.%'
-    OR dir LIKE '~/.gradle/%'
-    OR dir LIKE '~/%/.config/nvim'
-    OR dir LIKE '~/%/.docker%'
-    OR dir LIKE '/.gradle/%'
-    OR dir LIKE '~/%/.modcache/%'
-    OR dir LIKE '~/%/.terraform%'
-    OR dir LIKE '~/%/.vercel%'
+    OR dir LIKE '%/.github/%'
     OR dir LIKE '~/%/github.com/%'
-    OR dir LIKE '~/%/node_modules/.pnpm/%'
-    OR dir LIKE '~/%/src/%'
     OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
-    OR dir LIKE '~/code/%'
-    OR dir LIKE '~/dev/%/dots/%/.config%'
+    OR dir LIKE '%/.gradle'
+    OR dir LIKE '/.gradle/%'
+    OR dir LIKE '~/.gradle/%'
+    OR dir LIKE '/home/build/%'
+    OR dir LIKE '/home/build/.%'
+    OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
+    OR dir LIKE '~/%/.modcache/%'
+    OR dir LIKE '%/node_modules/.bin'
+    OR dir LIKE '~/%/node_modules/.pnpm/%'
+    OR dir LIKE '/opt/homebrew/%/.cache/%'
+    OR dir LIKE '/private/tmp/%/.git'
+    OR dir LIKE '~/%/src/%'
+    OR dir LIKE '~/%/.terraform%'
+    OR dir LIKE '~/%/.terragrunt-cache/%'
+    OR dir LIKE '~/%/.tests/%'
+    OR dir LIKE '/tmp/%/.git'
+    OR dir LIKE '/tmp/%/.github/workflows'
+    OR dir LIKE '/tmp/.mount_%'
+    OR dir LIKE '%/.venv'
+    OR dir LIKE '~/%/.vercel%'
     OR dir LIKE '~/src/%' -- For sudo calls to other things
     OR (
       dir LIKE '/home/.terraform.d/%'

detection/evasion/hidden-executable.sql

@@ -99,6 +99,7 @@ WHERE
   )
   AND NOT top3_dir IN (
     '~/.bin',
+    '~/.vscode/cli',
     '~/.bin-unwrapped',
     '~/.cache/gitstatus',
     '~/.cache/selenium',

detection/evasion/name_path_mismatch.sql

@@ -91,6 +91,7 @@ WHERE
   AND NOT exception_key IN (
     '0,udevadm,systemd-udevd',
     '0,udevadm,(udev-worker)',
+    '0,systemd-executor,(sd-pam)',
     '120,systemd-executor,(sd-pam)',
     '42,systemd-executor,(sd-pam)',
     '500,busybox,sh',

detection/evasion/unexpected-hidden-system-paths.sql

@@ -61,10 +61,11 @@ WHERE
   AND strftime('%s', 'now') - file.ctime > 20
   AND file.path NOT IN (
     '/.autorelabel',
+    '/.cache/',
+    '/dev/.blkid.tab',
     '/dev/.mdadm/',
     '/.equarantine/',
     '/etc/.bootcount',
-    '/dev/.blkid.tab',
     '/etc/.clean',
     '/etc/.java/',
     '/etc/.resolv.conf.systemd-resolved.bak',
@@ -79,11 +80,8 @@ WHERE
     '/.mozilla/',
     '/tmp/.accounts-agent/',
     '/tmp/.audio-agent/',
-    -- Xcode;
-    -- see https://github.com/pyenv/pyenv/issues/1066#issuecomment-536782897
-    -- and https://github.com/fyne-io/fyne-cross/issues/187#issuecomment-1666606946
-    '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F',
     '/tmp/.bazelci/',
+    '/tmp/.BBE72B41371180178E084EEAF106AED4F350939DB95D3516864A1CC62E7AE82F', -- Xcode
     '/tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress',
     '/tmp/.content-agent/',
     '/tmp/._contentbarrier_installed',
@@ -97,7 +95,6 @@ WHERE
     '/tmp/.eos-update-notifier.log',
     '/tmp/.featureflags-agent/',
     '/tmp/.font-unix/',
-    '/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
     '/tmp/.git/',
     '/tmp/.go-version',
     '/tmp/.helmrepo',
@@ -110,14 +107,13 @@ WHERE
     '/tmp/.ses',
     '/tmp/.settings-agent/',
     '/tmp/.SIGN.RSA.chainguard-enterprise.rsa.pub',
+    '/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
     '/tmp/.SIGN.RSA..local-melange.rsa.pub',
     '/tmp/.SIGN.RSA.local-melange.rsa.pub',
     '/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
     '/tmp/.s.PGSQL.5432',
-    '/var/root/.nx/',
     '/tmp/.s.PGSQL.5432.lock',
     '/tmp/.terraform/',
-    '/.cache/',
     '/tmp/.terraform.lock.hcl',
     '/tmp/.Test-unix/',
     '/tmp/.touchpaddefaults',
@@ -151,6 +147,7 @@ WHERE
     '/var/db/.StagedAppleUpgrade',
     '/var/db/.SystemPolicy-default',
     '/var/home/.duperemove.hash',
+    '/var/home/.snapshots',
     '/var/mail/.cache/',
     '/var/.ntw_cache',
     '/var/.Parallels_swap/',
@@ -158,8 +155,8 @@ WHERE
     '/var/root/.bash_history',
     '/var/root/.bash_profile',
     '/var/root/.cache/',
-    '/var/root/.config/',
     '/var/root/.CFUserTextEncoding',
+    '/var/root/.config/',
     '/var/root/.docker/',
     '/var/root/.forward',
     '/var/roothome/.bash_history',
@@ -173,11 +170,14 @@ WHERE
     '/var/roothome/.local/',
     '/var/roothome/.osquery/',
     '/var/roothome/.ssh/',
+    '/var/roothome/.var/',
+    '/var/home/.snapshots/',
     '/var/roothome/.viminfo',
     '/var/root/.lesshst',
     '/var/root/.nix-channels',
     '/var/root/.nix-defexpr/',
     '/var/root/.nix-profile/',
+    '/var/root/.nx/',
     '/var/root/.osquery/',
     '/var/root/.PenTablet/',
     '/var/root/.provisio',

detection/evasion/unexpected-ld-so-files-linux.sql

@@ -62,12 +62,15 @@ WHERE
     '/etc/ld.so.conf.d/llvm15-x86_64.conf,0644,22,30e995961d9e382d287469acce7e168d15811356bf20971fc17bb582a8d62afa',
     '/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3',
     '/etc/ld.so.conf.d/llvm17-x86_64.conf,0644,22,3aceee0a4efb8cc2b0f981035cdbb6f28be48634f72f9b6fb98c1e282d32347c',
+    '/etc/ld.so.conf.d/llvm18-x86_64.conf,0644,22,a22fdfb5b0443aa1e820a319c56867529ebc54b0f11634c51e5dd847cd8f1b97',
     '/etc/ld.so.conf.d/mariadb-x86_64.conf,0644,17,598466b4954bc66c6f45f1f119211b0698d4a549f6c01b5d9a933a2511b82626',
+    '/etc/ld.so.conf.d/mingw32-hostlib.conf,0644,27,3cc2feee654c7193027397a7f6ab41bd1c6db13fda295278205a050f870f3f3d',
     '/etc/ld.so.conf.d/mingw64-hostlib.conf,0644,29,df1b65371bead6dddc703346f56dde023e22d52d9f071a3b646beaaec75a53c9',
     '/etc/ld.so.conf.d/nessus.conf,0644,16,5a9dc65a4a0daa50ce9dd70ff3973fcceef9660cc3fdf5bb0beec8e0b6c57708',
     '/etc/ld.so.conf.d/opencollada.conf,0644,21,2fc9656a2b881ca4528416daa91fc525adaa97d73e96a18b41aa7856270eba1f',
     '/etc/ld.so.conf.d/perf.conf,0644,14,c67f871bdc72182dc75c160b16ca3b5371fdab76a27199a29f14b52a5aed1d3f',
     '/etc/ld.so.conf.d/pipewire-jack-x86_64.conf,0644,30,cf4cb69feaa8ec8b99558c4e1123518831b3c56488981cbc34a662fe218ef221',
+    '/etc/ld.so.conf.d/pipewire-jack-x86_64-linux-gnu.conf,0644,45,b84c0e703c387e522837367d8db7b09d46aa3c39a476471643dda38faf5b226d',
     '/etc/ld.so.conf.d/tix-x86_64.conf,0644,18,b2ef4843990ded5fd96e417fc08027a785fac59bd70eca6a26dd7b057542273a',
     '/etc/ld.so.conf.d/x86_64-linux-gnu.conf,0644,100,f03e4740e6922b4f4a1181cd696b52f62f9f10d003740a8940f7121795c59c98',
     '/etc/ld.so.conf.d/zz_i386-biarch-compat.conf,0644,56,4e3c617050427d51497a0e5969b0159421580cf5e7c9649e39f45b5e2fcb47b6',

detection/evasion/unusual-process-name-linux.sql

@@ -40,6 +40,7 @@ FROM
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
+  p0.start_time < (strftime('%s', 'now') - 43200) AND
   (
     pname LIKE "%kthread%"
     OR pname LIKE "%-help"
@@ -98,6 +99,7 @@ WHERE
   AND basename NOT IN (
     "acpid",
     "busybox",
+    "cpulimit",
     "com.docker.backend",
     "com.docker.build",
     "com.docker.extensions",
@@ -126,6 +128,7 @@ WHERE
     "xwaylandvideobridge"
   )
   AND basename NOT LIKE '___Test%'
+  AND basename NOT LIKE '___2Test%'
   AND NOT (
     basename IN ('nm-dispatcher')
     AND p1_pid = 1

detection/evasion/unusual-process-name-macos.sql

@@ -43,6 +43,7 @@ FROM
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
+  p0.start_time < (strftime('%s', 'now') - 43200) AND
   (
     pname LIKE "%kthread%"
     OR pname LIKE "%-help"
@@ -105,6 +106,8 @@ WHERE
     'at.obdev.littlesnitch.networkextension',
     'com.microsoft.teams2.notificationcenter',
     'cpu',
+    'xdg-open',
+    'EncryptMe',
     'dynamiclinkmanager',
     'launchd_startx'
   )

detection/execution/exotic-commands-macos.sql

@@ -79,7 +79,7 @@ WHERE
       ) != "" -- suspicious things
       OR REGEX_MATCH (
         p.cmdline,
-        "(UserKnownHostsFile=/dev/null|ransom|malware|fsockopen|openssl.*quiet|pty.spawn|SOCK_STREAM)",
+        "(UserKnownHostsFile=/dev/null|ransom|fsockopen|openssl.*quiet|pty.spawn|SOCK_STREAM)",
         1
       ) != "" -- Crypto miners
       OR REGEX_MATCH (

detection/execution/unexpected-execdir-linux.sql

@@ -67,6 +67,7 @@ WHERE
       AND INSTR(path, "/var/kolide-k2/") != 1
       AND INSTR(path, "/usr/share/spotify") != 1
       AND INSTR(path, "/usr/share/code/") != 1
+      AND INSTR(path, "/usr/share/smartgit/") != 1
       AND INSTR(path, "/var/home/") != 1
       AND INSTR(path, "/usr/local/") != 1
       AND INSTR(path, "/tmp/go-build") != 1

detection/execution/unexpected-gatekeeper-approvals-macos.sql

@@ -30,6 +30,7 @@ WHERE
   AND gap.path NOT LIKE '/Users/%/%_darwin_a%64%'
   AND gap.path NOT LIKE '/Users/%/Downloads/cosign'
   AND gap.path NOT LIKE '/Users/%/Downloads/missp'
+  AND gap.path NOT LIKE '/Users/%/Downloads/twistcli'
   AND gap.path NOT LIKE '/Users/%/bom'
   AND gap.path NOT LIKE '/Users/%/configure'
   AND gap.path NOT LIKE '/Users/%/cosign-%'

detection/persistence/minimal-socket-client-linux.sql

@@ -36,20 +36,23 @@ WHERE
   p0.path != '' -- optimization: focus on longer running processes
   AND p0.start_time < (strftime('%s', 'now') - 900)
   AND p0.path NOT IN (
-    '/usr/bin/containerd',
-    '/usr/bin/fusermount3',
-    '/usr/sbin/acpid',
-    '/usr/bin/dash',
     '/opt/bitnami/redis/bin/redis-server',
-    '/usr/bin/kas',
-    '/usr/local/bin/gitary',
-    '/usr/bin/docker',
-    '/usr/sbin/mcelog',
-    '/usr/libexec/docker/docker-proxy',
-    '/usr/bin/docker-proxy',
     '/usr/bin/cat',
+    '/usr/bin/containerd',
+    '/usr/bin/dash',
+    '/usr/bin/docker',
+    '/usr/bin/docker-proxy',
+    '/usr/bin/fusermount3',
+    '/usr/bin/i3blocks',
+    '/usr/bin/kas',
+    '/usr/bin/vmalert',
     '/usr/lib/electron/chrome-sandbox',
-    '/usr/bin/i3blocks'
+    '/usr/libexec/docker/docker-proxy',
+    '/usr/lib/snapd/snapd',
+    '/usr/local/bin/containerd',
+    '/usr/local/bin/gitary',
+    '/usr/sbin/acpid',
+    '/usr/sbin/mcelog'
   )
   AND p0.name NOT IN (
     'chrome_crashpad',

detection/persistence/suspicious-systemd-unit.sql

@@ -226,6 +226,7 @@ rule usr_bin_execstop_shell : medium {
     $execstop = /ExecStop=\/bin\/sh .{0,64}/
     $not_podman_logging = "/usr/bin/podman $LOGGING"
     $not_stderr = /ExecStop=\/bin\/sh .{0,64}set -eu/
+    $not_nfs = /ExecStop=\/bin\/sh -c \'\/usr\/sbin\/nfsdctl /
   condition:
     filesize < 4096 and $execstop and none of ($not*)
 }

detection/persistence/unexpected-active-systemd-units.sql

@@ -59,9 +59,9 @@ WHERE
         'anacron.service,Run anacron jobs,',
         'anacron.timer,Trigger anacron every hour,',
         'apache2.service,The Apache HTTP Server,',
+        'apache-htcacheclean.service,Disk Cache Cleaning Daemon for Apache HTTP Server,www-data',
         'apcupsd.service,APC UPS Power Control Daemon for Linux,',
         'apparmor.service,Load AppArmor profiles,',
-        'vnstat.service,vnStat network traffic monitor,vnstat',
         'apport-autoreport.path,Process error reports when automatic reporting is enabled (file watch),',
         'apport-autoreport.service,Process error reports when automatic reporting is enabled,',
         'apport-autoreport.timer,Process error reports when automatic reporting is enabled (timer based),',
@@ -90,9 +90,9 @@ WHERE
         'bluetooth.service,Bluetooth service,',
         'bolt.service,Thunderbolt system service,',
         'bootupd.socket,bootupd.socket,',
-        'brew-upgrade.service,Upgrade Brew packages,1000',
         'brew-update.service,Auto update brew for mutable brew installs,1000',
         'brew-update.timer,Timer for brew update for mutable brew,',
+        'brew-upgrade.service,Upgrade Brew packages,1000',
         'brew-upgrade.timer,Timer for brew upgrade for on image brew,',
         'btrfs-dedup@var-home.timer,Weekly Btrfs deduplication on /var/home,',
         'ca-certificates.path,Watch for changes in CA certificates,',
@@ -175,7 +175,6 @@ WHERE
         'iscsiuio.socket,Open-iSCSI iscsiuio Socket,',
         'issue-generator.path,Watch for changes in issue snippets,',
         'iwd.service,Wireless service,',
-        'apache-htcacheclean.service,Disk Cache Cleaning Daemon for Apache HTTP Server,www-data',
         'jeos-firstboot.service,SUSE JeOS First Boot Wizard,',
         'jeos-firstboot-snapshot.service,SUSE JeOS First Boot Wizard - create system snapshot,',
         'kbdsettings.service,Apply settings from /etc/sysconfig/keyboard,',
@@ -327,9 +326,11 @@ WHERE
         'sshd.service,OpenSSH Daemon,',
         'sshd.service,OpenSSH server daemon,',
         'sshd.service,SSH Daemon,',
+        'sshd-unix-local.socket,OpenSSH Server Socket (systemd-ssh-generator, AF_UNIX Local),',
         'ssh.service,OpenBSD Secure Shell server,',
         'ssh.socket,OpenBSD Secure Shell server socket,',
         'sssd-kcm.service,SSSD Kerberos Cache Manager,',
+        'sssd-kcm.service,SSSD Kerberos Cache Manager,sssd',
         'sssd-kcm.socket,SSSD Kerberos Cache Manager responder socket,',
         'supergfxd.service,SUPERGFX,',
         'swapfile.swap,/swapfile,',
@@ -340,19 +341,23 @@ WHERE
         'sysstat-collect.timer,Run system activity accounting tool every 10 minutes,',
         'sysstat.service,Resets System Activity Logs,root',
         'sysstat-summary.timer,Generate summary of yesterday''s process accounting,',
+        'system-cups.slice,CUPS Slice,',
         'systemd-ask-password-console.path,Dispatch Password Requests to Console Directory Watch,',
         'systemd-ask-password-plymouth.path,Forward Password Requests to Plymouth Directory Watch,',
         'systemd-ask-password-wall.path,Forward Password Requests to Wall Directory Watch,',
         'systemd-binfmt.service,Set Up Additional Binary Formats,',
+        'systemd-bootctl.socket,Boot Entries Service Socket,',
         'systemd-boot-random-seed.service,Update Boot Loader Random Seed,',
         'systemd-boot-update.service,Automatic Boot Loader Update,',
         'systemd-coredump.socket,Process Core Dump Socket,',
+        'systemd-creds.socket,Credential Encryption/Decryption,',
         'systemd-fsckd.socket,fsck to fsckd communication Socket,',
         'systemd-fsck-root.service,File System Check on Root Device,',
         'systemd-growfs@-.service,Grow File System on /,',
         'systemd-homed-activate.service,Home Area Activation,',
         'systemd-homed.service,Home Area Manager,',
         'systemd-hostnamed.service,Hostname Service,',
+        'systemd-hostnamed.socket,Hostname Service Socket,',
         'systemd-hwdb-update.service,Rebuild Hardware Database,',
         'systemd-initctl.socket,initctl Compatibility Named Pipe,',
         'systemd-journal-catalog-update.service,Rebuild Journal Catalog,',
@@ -360,16 +365,20 @@ WHERE
         'systemd-journald-dev-log.socket,Journal Socket (/dev/log),',
         'systemd-journald.service,Journal Service,',
         'systemd-journald.socket,Journal Socket,',
+        'systemd-journald.socket,Journal Sockets,',
         'systemd-journal-flush.service,Flush Journal to Persistent Storage,',
         'systemd-localed.service,Locale Service,',
         'systemd-logind.service,User Login Management,',
         'systemd-machined.service,Virtual Machine and Container Registration Service,',
         'systemd-machine-id-commit.service,Commit a transient machine-id on disk,',
         'systemd-modules-load.service,Load Kernel Modules,',
+        'systemd-mountfsd.socket,DDI File System Mounter Socket,',
         'systemd-networkd.service,Network Configuration,systemd-network',
         'systemd-networkd.socket,Network Service Netlink Socket,',
         'systemd-networkd-wait-online.service,Wait for Network to be Configured,',
         'systemd-network-generator.service,Generate network units from Kernel command line,',
+        'systemd-nsresourced.service,Namespace Resource Manager,',
+        'systemd-nsresourced.socket,Namespace Resource Manager Socket,',
         'systemd-oomd.service,Userspace Out-Of-Memory (OOM) Killer,systemd-oom',
         'systemd-oomd.socket,Userspace Out-Of-Memory (OOM) Killer Socket,',
         'systemd-pcrmachine.service,TPM2 PCR Machine ID Measurement,',
@@ -383,6 +392,7 @@ WHERE
         'systemd-rfkill.socket,Load/Save RF Kill Switch Status /dev/rfkill Watch,',
         'systemd-suspend.service,System Suspend,',
         'systemd-sysctl.service,Apply Kernel Variables,',
+        'systemd-sysext.socket,System Extension Image Management,',
         'systemd-sysext.socket,System Extension Image Management (Varlink),',
         'systemd-sysusers.service,Create System Users,',
         'systemd-timedated.service,Time & Date Service,',
@@ -395,6 +405,7 @@ WHERE
         'systemd-udevd-control.socket,udev Control Socket,',
         'systemd-udevd-kernel.socket,udev Kernel Socket,',
         'systemd-udevd.service,Rule-based Manager for Device Events and Files,',
+        'systemd-udev-load-credentials.service,Load udev Rules from Credentials,',
         'systemd-udev-settle.service,Wait for udev To Complete Device Initialization,',
         'systemd-udev-trigger.service,Coldplug All udev Devices,',
         'systemd-update-done.service,Update is Completed,',
@@ -410,6 +421,8 @@ WHERE
         'thermald.service,Thermal Daemon Service,',
         'tlp.service,TLP system startup/shutdown,',
         'touchegg.service,Touchégg Daemon,',
+        'tuned-ppd.service,PPD-to-TuneD API Translation Daemon,',
+        'tuned.service,Dynamic System Tuning Daemon,',
         'ua-timer.timer,Ubuntu Advantage Timer for running repeated jobs,',
         'ua-timer.timer,Ubuntu Pro Timer for running repeated jobs,',
         'ublue-system-setup.service,Configure system,',
@@ -485,6 +498,7 @@ WHERE
         'virtvboxd-admin.socket,libvirt VirtualBox daemon admin socket,',
         'virtvboxd-ro.socket,libvirt VirtualBox daemon read-only socket,',
         'virtvboxd.socket,libvirt VirtualBox daemon socket,',
+        'vnstat.service,vnStat network traffic monitor,vnstat',
         'whoopsie.path,Start whoopsie on modification of the /var/crash directory,',
         'wickedd-auto4.service,wicked AutoIPv4 supplicant service,',
         'wickedd-dhcp4.service,wicked DHCPv4 supplicant service,',

detection/persistence/unexpected-chrome-extensions.sql

@@ -228,6 +228,7 @@ WHERE state = 1
     'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo',
     'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd',
     'true,Leadjet,Leadjet - Make your CRM work on LinkedIn,kojhcdejfimplnokhhhekhiapceggamn',
+    'true,,LeadIQ: Contact Data in One Click,befngoippmpmobkkpkdoblkmofpjihnk',
     'true,,Lever Hire Extension,dgbcohbjchndmjocioegkgdniaffcaia',
     'true,,Link to Text Fragment,pbcodcjpfjdpcineamnnmbkkmkdpajjg',
     'true,,Lolli: Earn Bitcoin When You Shop,fleenceagaplaefnklabikkmocalkcpo',

detection/persistence/unexpected-cron-entries.sql

@@ -27,4 +27,5 @@ WHERE
   AND command NOT LIKE 'gsutil %'
   AND command NOT LIKE 'root command -v debian-sa1%'
   AND command NOT LIKE 'root test -x /usr/bin/geoipupdate % && /usr/bin/geoipupdate'
-  AND command NOT LIKe 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'
+  AND command NOT LIKE 'root [ -d "/run/systemd/system" ] || /usr/share/atop/atop%'
+  AND command NOT IN ("ps -A | grep at.obdev.littlesnitch.networkextension | grep -v 'grep' | awk '{print $1}' | xargs kill")

detection/persistence/unexpected-device-linux.sql

@@ -60,39 +60,39 @@ WHERE (
   AND path NOT LIKE '%/./%'
   AND path NOT LIKE '%/../%'
   AND exception_key NOT IN (
-    '/dev/HID-SENSOR-e..auto,character',
-    '/dev/accel/,directory',
     '/dev/accel/accel,character',
+    '/dev/accel/,directory',
     '/dev/acpi_thermal_rel,character',
     '/dev/autofs,character',
     '/dev/binder,character',
-    '/dev/binderfs/,directory',
     '/dev/binderfs/binder,character',
     '/dev/binderfs/binder-control,character',
+    '/dev/binderfs/,directory',
     '/dev/binderfs/features,directory',
     '/dev/binderfs/hwbinder,character',
     '/dev/binderfs/vndbinder,character',
-    '/dev/block/,directory',
     '/dev/block/:,block',
-    '/dev/bsg/,directory',
+    '/dev/block/,directory',
     '/dev/bsg/:::,character',
+    '/dev/bsg/,directory',
     '/dev/btrfs-control,character',
     '/dev/bus/,directory',
     '/dev/bus/usb,directory',
     '/dev/cdrom,block',
     '/dev/cec,character',
-    '/dev/char/,directory',
     '/dev/char/:,character',
+    '/dev/char/,directory',
     '/dev/char/:,unknown',
     '/dev/console,character',
     '/dev/core,regular',
     '/dev/cpu/,directory',
-    '/dev/cpu/microcode',
     '/dev/cpu_dma_latency,character',
+    '/dev/cpu/microcode',
     '/dev/cros_ec,character',
     '/dev/cuse,character',
+    '/dev/data/,directory',
+    '/dev/data/root,block',
     '/dev/dbc,character',
-    '/dev/disk/,directory',
     '/dev/disk/by-diskseq,directory',
     '/dev/disk/by-dname,directory',
     '/dev/disk/by-id,directory',
@@ -103,12 +103,13 @@ WHERE (
     '/dev/disk/by-partuuid,directory',
     '/dev/disk/by-path,directory',
     '/dev/disk/by-uuid,directory',
-    '/dev/dm-,block',
+    '/dev/disk/,directory',
     '/dev/dma_heap/,directory',
     '/dev/dma_heap/system,character',
-    '/dev/dri/,directory',
+    '/dev/dm-,block',
     '/dev/dri/by-path,directory',
     '/dev/dri/card,character',
+    '/dev/dri/,directory',
     '/dev/dri/renderD,character',
     '/dev/drm_dp_aux,character',
     '/dev/ecryptfs,character',
@@ -123,6 +124,7 @@ WHERE (
     '/dev/fuse,character',
     '/dev/gpiochip,character',
     '/dev/hidraw,character',
+    '/dev/HID-SENSOR-e..auto,character',
     '/dev/hpet,character',
     '/dev/hugepages/,directory',
     '/dev/hugepages/libvirt,directory',
@@ -131,9 +133,9 @@ WHERE (
     '/dev/ic-,character',
     '/dev/iio:device,character',
     '/dev/initctl,fifo',
-    '/dev/input/,directory',
     '/dev/input/by-id,directory',
     '/dev/input/by-path,directory',
+    '/dev/input/,directory',
     '/dev/input/event,character',
     '/dev/input/js,character',
     '/dev/input/mice,character',
@@ -142,8 +144,8 @@ WHERE (
     '/dev/kfd,character',
     '/dev/kmsg,character',
     '/dev/kvm,character',
-    '/dev/libmtp--.,character',
     '/dev/libmtp--,character',
+    '/dev/libmtp--.,character',
     '/dev/log,socket',
     '/dev/loop,block',
     '/dev/loop-control,character',
@@ -153,9 +155,9 @@ WHERE (
     '/dev/mei,character',
     '/dev/mem,character',
     '/dev/mqueue/,directory',
+    '/dev/mtd/by-name,directory',
     '/dev/mtd,character',
     '/dev/mtd/,directory',
-    '/dev/mtd/by-name,directory',
     '/dev/mtdro,character',
     '/dev/net/,directory',
     '/dev/net/tun,character',
@@ -163,10 +165,10 @@ WHERE (
     '/dev/ntsync,character',
     '/dev/null,character',
     '/dev/nvidia,character',
+    '/dev/nvidiactl,character',
     '/dev/nvidia-modeset,character',
     '/dev/nvidia-uvm,character',
     '/dev/nvidia-uvm-tools,character',
-    '/dev/nvidiactl,character',
     '/dev/nvme,character',
     '/dev/nvmen,block',
     '/dev/nvmenp,block',
@@ -188,22 +190,23 @@ WHERE (
     '/dev/sdc,block',
     '/dev/sdd,block',
     '/dev/sde,block',
-    '/dev/serial/,directory',
     '/dev/serial/by-id,directory',
     '/dev/serial/by-path,directory',
+    '/dev/serial/,directory',
     '/dev/sg,character',
     '/dev/sgx_provision',
     '/dev/shm/,directory',
     '/dev/shm/envoy_shared_memory_,regular',
+    '/dev/shm/jack_db-,directory',
     '/dev/shm/libpod_lock,regular',
     '/dev/shm/libpod_rootless_lock_,regular',
     '/dev/shm/lttng-ust-wait-,regular',
     '/dev/shm/lttng-ust-wait--,regular',
     '/dev/snapshot,character',
-    '/dev/snd/,directory',
     '/dev/snd/by-id,directory',
     '/dev/snd/by-path,directory',
     '/dev/snd/controlC,character',
+    '/dev/snd/,directory',
     '/dev/snd/hwCD,character',
     '/dev/snd/pcmCDc,character',
     '/dev/snd/pcmCDp,character',
@@ -219,10 +222,10 @@ WHERE (
     '/dev/tee,character',
     '/dev/tpm,character',
     '/dev/tpmrm,character',
-    '/dev/tty,character',
     '/dev/ttyACM,character',
-    '/dev/ttyS,character',
+    '/dev/tty,character',
     '/dev/ttyprintk,character',
+    '/dev/ttyS,character',
     '/dev/ubuntu-vg/,directory',
     '/dev/udmabuf,character',
     '/dev/uhid,character',
@@ -233,8 +236,8 @@ WHERE (
     '/dev/usbmon,character',
     '/dev/userfaultfd,character',
     '/dev/userio,character',
-    '/dev/vcs,character',
     '/dev/vcsa,character',
+    '/dev/vcs,character',
     '/dev/vcsu,character',
     '/dev/vfio/,directory',
     '/dev/vfio/vfio,character',
@@ -251,11 +254,11 @@ WHERE (
     '/dev/vhost-vsock',
     '/dev/vhost-vsock,character',
     '/dev/video,character',
-    '/dev/vl-subdev,character',
-    '/dev/vl/,directory',
     '/dev/vl/by-id,directory',
     '/dev/vl/by-path,directory',
+    '/dev/vl/,directory',
     '/dev/vlloopback,character',
+    '/dev/vl-subdev,character',
     '/dev/vndbinder,character',
     '/dev/vsock,character',
     '/dev/watchdog,character',
@@ -276,6 +279,7 @@ WHERE (
   AND NOT path LIKE '/dev/shm/sem.mp-%'
   AND NOT path LIKE '/dev/shm/u%-Shm_%'
   AND NOT path LIKE '/dev/shm/.com.google.Chrome.%'
+  AND NOT path LIKE '/dev/shm/.com.microsoft.Edge.%'
   AND NOT path LIKE '/dev/shm/libv4l-%'
   AND NOT path LIKE '/dev/shm/u%-ValveIPC%'
   AND NOT path LIKE '/dev/%-vg/%-lv'

detection/persistence/unexpected-listening-port-macos.sql

@@ -99,6 +99,7 @@ WHERE
     '3306,6,500,mariadbd,',
     '3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
     '33333,6,500,Ultimate,',
+    '49152,6,500,Windsurf Helper (Plugin),Developer ID Application: EXAFUNCTION, INC. (83Z2LHX6XW)',
     '3400,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)',
     '3491,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',
     '3492,6,500,MuteDeck,Developer ID Application: Martijn Smit (GX645XXEAX)',

detection/persistence/yara-suspicious-strings-process-linux.sql

@@ -1,5 +1,5 @@
 -- Currently running program with Linux red flags
--- 
+--
 -- reference:
 --   * https://github.com/timb-machine/linux-malware/blob/725aad34e216cc024c93b04964b289f10f819e6e/defensive/yara/personal-malware-bazaar/unixredflags3.yara
 --
@@ -53,7 +53,7 @@ WHERE
     GROUP BY
       path
   )
-  AND yara.sigrule = '    
+  AND yara.sigrule = '
     rule redflags {
     strings:
         $bash_history = ".bash_history"
@@ -103,6 +103,7 @@ WHERE
     '/bin/fish',
     '/bin/dash',
     '/bin/sh',
+    '/usr/lib/systemd/systemd-executor',
     '/usr/bin/bash',
     '/usr/lib/snapd/snapd',
     '/usr/bin/snap',

detection/privesc/unexpected-setxid-process.sql

@@ -34,6 +34,7 @@ WHERE
     '/usr/lib/opt/1Password/1Password-BrowserSupport',
     '/opt/1Password/1Password-KeyringHelper',
     '/opt/google/chrome/chrome-sandbox',
+    '/opt/IRCCloud/chrome-sandbox',
     '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent',
     '/usr/bin/doas',
     '/usr/bin/crontab',