FPR: Meta Pixel Helper, systemctl, pia-daemon, 1Passwd, iTerm, Brave

detection/c2/unexpected-talkers-linux.sql

@@ -146,6 +146,9 @@ WHERE
     '80,6,500,/home/terraform,500u,500g,terraform',
     '80,6,500,/opt/brave,0u,0g,brave',
     '80,6,500,/opt/chrome,0u,0g,chrome',
+    '3000,6,500,/opt/brave,0u,0g,brave',
+    '3000,6,500,/opt/chrome,0u,0g,chrome'
+    '5006,6,500,/opt/brave,0u,0g,brave',
     '80,6,500,/opt/firefox,0u,0g,firefox',
     '80,6,500,/opt/spotify,0u,0g,spotify',
     '80,6,500,/usr/chrome,0u,0g,chrome',

detection/c2/unexpected-talkers-macos.sql

@@ -220,6 +220,7 @@ WHERE
     '443,6,500,kubectl,a.out,',
     '443,6,500,limactl,,',
     '443,6,500,main,a.out,',
+    '443,6,500,aws,e956a0-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
     '443,6,500,melange,a.out,',
     '443,6,500,minikube,,',
     '443,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
@@ -285,8 +286,11 @@ WHERE
   -- There are many signing hashes for git
   AND NOT exception_key LIKE '443,6,500,git-remote-http,git-remote-http-%'
   AND NOT exception_key LIKE '443,6,500,cargo,cargo-%'
+  -- aws
+  AND NOT exception_key LIKE '443,6,500,aws,%-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)'
   -- Github actions-runner
   AND NOT exception_key LIKE '443,6,500,Runner.Worker,apphost-%'
+  AND NOT exception_key LIKE '443,6,500,Runner.Listener,apphost-%'
   --
   -- nix-shell infects children with open connections
   AND NOT (

detection/credentials/unexpected-sensitive-file-access-linux.sql

@@ -21,7 +21,6 @@ SELECT
   pp.name AS parent_name,
   pp.cwd AS parent_cwd,
   pp.path AS parent_path,
-  hp.sha256 AS parent_sha256,
   pf.filename AS program_base,
   hash.sha256,
   REPLACE(f.directory, u.directory, '~') AS dir,
@@ -45,8 +44,9 @@ SELECT
     )
   ) AS exception_key
 FROM
-  process_open_files pof
-  LEFT JOIN processes p ON pof.pid = p.pid
+  -- Starting with processes is just slightly faster than starting with pof
+  processes p
+  LEFT JOIN process_open_files pof ON p.pid = pof.pid
   LEFT JOIN processes pp ON p.parent = pp.pid
   LEFT JOIN file f ON pof.path = f.path
   LEFT JOIN file pf ON p.path = pf.path
@@ -54,8 +54,11 @@ FROM
   LEFT JOIN hash ON p.path = hash.path
   LEFT JOIN hash hp ON pp.path = hp.path
 WHERE
-  f.uid != ''
+  -- minor optimization: filtering out low parents saves us another 5% of runtime
+  p.parent > 2
+  -- Large files are probably not secrets
   AND pf.filename != ''
+  AND f.size < 1000000
   AND (
     pof.path IN ('/var/run/docker.sock')
     OR pof.path LIKE '/home/%/.ssh/%'
@@ -79,9 +82,9 @@ WHERE
       'chrome_crashpad_handler,chrome_crashpad,~/.config/google-chrome',
       'firefox,file:// Content,~/.cache/mozilla',
       'firefox,file:// Content,~/.mozilla/firefox',
+      'firefox,file:// Content,~/snap/firefox',
       'firefox,firefox,~/.cache/mozilla',
       'firefox,firefox,~/.mozilla/firefox',
-      'vim,vim,~/.aws',
       'firefox,firefox,~/snap/firefox',
       'firefox,.firefox-wrappe,~/.cache/mozilla',
       'firefox,.firefox-wrappe,~/.mozilla/firefox',
@@ -108,7 +111,8 @@ WHERE
       'python3,python3,~/.config/gcloud',
       'slack,slack,~/.config/Slack',
       'slack,slack,~/snap/slack',
-      'soffice.bin,soffice.bin,~/.mozilla/firefox'
+      'soffice.bin,soffice.bin,~/.mozilla/firefox',
+      'vim,vim,~/.aws'
     )
   )
 GROUP BY

detection/evasion/unexpected-tmp-executables-linux.sql

@@ -50,6 +50,8 @@ WHERE (
       OR file.path LIKE '/tmp/%/ci/%'
       OR file.path LIKE '/tmp/kots/%'
       OR file.path LIKE '/tmp/bin/%'
+      OR file.path LIKE '/tmp/%/target/%'
+      OR file.path LIKE '/tmp/%/debug/%'
       OR file.path LIKE '/tmp/%/github/%'
       OR file.path LIKE '/tmp/terraformer/%'
       OR file.path LIKE '/tmp/tmp.%'

detection/evasion/unexpected-var-executables-macos.sql

@@ -45,7 +45,8 @@ WHERE
   AND file.path NOT LIKE '/var/folders/%/C/com.apple.FontRegistry/annex_aux'
   AND file.path NOT LIKE '/var/folders/%/T/go.%.%.sum'
   AND file.path NOT LIKE '/var/folders/%/T/pulumi-go.%'
-  AND file.path NOT LIKE '/var/folders%/T/sp_relauncher'
+  AND file.path NOT LIKE '/var/folders/%/T/sp_relauncher'
+  AND file.path NOT LIKE '/var/folders/%/T/iTerm2-script%'
   AND file.path NOT LIKE '/var/tmp/epdfinfo%'
   AND file.path NOT LIKE '/var/folders/%/T/jansi-%-libjansi.jnilib'
   AND file.path NOT LIKE '/var/tmp/IN_PROGRESS_sysdiagnose_%.tmp/mddiagnose.mdsdiagnostic/diagnostic.log'

detection/execution/exotic-commands.sql

@@ -107,6 +107,7 @@ WHERE
     AND NOT p.path = '/usr/bin/docker'
     AND NOT parent_name IN ('sh', 'java', 'containerd-shim')
     AND NOT parent_cmd LIKE '%pipenv shell'
+    AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
   )
   OR cmd LIKE '%socat%'
   OR cmd LIKE '%SOCK_STREAM%'

detection/execution/unexpected-xattr-calls-macos.sql

@@ -53,6 +53,11 @@ WHERE pe.path = '/usr/bin/xattr'
   AND pe.time > (strftime('%s', 'now') -60)
   AND cmd NOT IN (
     '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app',
+    '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Library/LoginItems/1Password Launcher.app',
+    '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/XPCServices/OP Updater Service.xpc',
+    '/usr/bin/xattr -r -d com.apple.quarantine /Applications/1Password.app',
+    '/usr/bin/xattr -d -r com.apple.quarantine /Applications/iTerm.app',
+    '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/XPCServices/OP Updater Service.xpc/Contents/Helpers/1Password Updater.app',
     '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper.app',
     '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (GPU).app',
     '/usr/bin/xattr -d com.apple.quarantine /Applications/1Password.app/Contents/Frameworks/1Password Helper (Plugin).app',

detection/initial_access/unexpected-shell-parents.sql

@@ -74,6 +74,7 @@ WHERE
     'make',
     'monorail',
     'ninja',
+    'pia-daemon',
     'update-notifier',
     'nix',
     'nix-build',

detection/persistence/unexpected-chrome-extensions.sql

@@ -143,6 +143,7 @@ WHERE
     'true,,Lucidchart Diagrams,apboafhkiegglekeafbckfjldecefkhn,unlimitedStorage, notifications, clipboardRead, clipboardWrite',
     'true,,Markdown Preview Plus,febilkbfcbhebfnokafefeacimjdckgl,storage, clipboardWrite, <all_urls>',
     'true,Marker.io,Marker.io: Visual bug reporting for websites,jofhoojcehdmaiibilpcoofpdbbddkkl,<all_urls>, notifications, contextMenus, desktopCapture',
+    'true,,Meta Pixel Helper,fdgfkebogiimcoedlicjlajpkdmockpc,storage, tabs, activeTab, webRequest, unlimitedStorage, webNavigation',
     'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, <all_urls>, webRequest, webRequestBlocking, downloads, notifications',
     'true,NortonLifeLock Inc,Norton Safe Web,fnpbeacklnhmkkilekogeiekaglbmmka,tabs, background, webNavigation, storage, scripting, alarms, webRequest, declarativeNetRequest, declarativeNetRequestFeedback, downloads, notifications',
     'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm,contextMenus, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking, <all_urls>',

detection/persistence/unexpected-systemctl-calls.sql

@@ -75,6 +75,10 @@ WHERE
   )
   AND NOT child_cmd IN (
     'systemctl status kubelet',
+    'systemctl restart cups.service',
+    'systemctl --user import-environment DISPLAY XAUTHORITY',
+    'systemctl -p LoadState show cups.service',
+    'systemctl --quiet is-enabled cups.service',
     'systemctl stop kubelet',
     '/sbin/runlevel'
   )
@@ -82,6 +86,7 @@ WHERE
   AND NOT child_cmd LIKE 'systemctl is-active -q %.service'
   AND NOT child_cmd LIKE 'systemctl show --property=%'
   AND NOT child_cmd LIKE 'systemctl % snap-kubectl-%.mount'
+  AND NOT child_cmd LIKE '/usr/bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%/bus'
 
 GROUP BY
   pe.pid