fpr: lghub, brew, pve, chrome exts, etc

detection/c2/unexpected-https-client-linux.sql

@@ -92,9 +92,11 @@ WHERE
     '105,http,0u,0g,https',
     '106,geoclue,0u,0g,geoclue',
     '129,fwupdmgr,0u,0g,fwupdmgr',
+    '500,node,0u,0g,npm install',
     '500,1password,0u,0g,1password',
     '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
     '500,act,0u,0g,act',
+    '500,Logseq,u,g,Logseq',
     '500,apk,500u,500g,apk',
     '500,apko,500u,500g,apko',
     '500,apko,u,g,apko',

detection/c2/unexpected-talkers-macos.sql

@@ -162,6 +162,7 @@ WHERE
     '443,17,500,Slack Helper,,',
     '443,17,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
     '443,6,0,Adobe Installer,com.adobe.AAMHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
+    '443,6,0,AGSService,com.adobe.ags,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     '443,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
     '443,6,0,com.apple.NRD.UpdateBrainService,com.apple.NRD.UpdateBrainService,Software Signing',
     '443,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
@@ -176,7 +177,6 @@ WHERE
     '443,6,0,launcher,launcher,Developer ID Application: Kolide Inc (YZ3EM74M78)',
     '443,6,0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
     '443,6,0,nix,nix,',
-    '80,6,500,Code Helper (Plugin),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '443,6,0,OneDrivePkgTelemetry,com.microsoft.OneDrivePkgTelemetry,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '443,6,0,Setup,com.adobe.acc.Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     '443,6,307,curl,curl,',
@@ -184,7 +184,6 @@ WHERE
     '443,6,500,Acrobat Update Helper,com.adobe.ARMDCHelper,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     '443,6,500,Amazon Photos Installer,com.amazon.clouddrive.mac.installer,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
     '443,6,500,apko,a.out,',
-    '443,6,0,AGSService,com.adobe.ags,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     '443,6,500,aws,37c466-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
     '443,6,500,aws,e956a0-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)',
     '443,6,500,bash,bash,',
@@ -248,6 +247,7 @@ WHERE
     '443,6,500,gvproxy,a.out,',
     '443,6,500,helm,,',
     '443,6,500,helm,a.out,',
+    '443,6,500,hugo,a.out,',
     '443,6,500,Install,com.adobe.cc.Install,Developer ID Application: Adobe Inc. (JQ525L2MZD)',
     '443,6,500,istioctl,a.out,',
     '443,6,500,java,net.java.openjdk.java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
@@ -277,7 +277,6 @@ WHERE
     '443,6,500,policy-tester,a.out,',
     '443,6,500,prober,a.out,',
     '443,6,500,provisio,,',
-    '443,6,500,hugo,a.out,',
     '443,6,500,pulumi-resource-gcp,a.out,',
     '443,6,500,pulumi-resource-github,a.out,',
     '443,6,500,python2.7,python2.7,',
@@ -289,6 +288,7 @@ WHERE
     '443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
     '443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
     '443,6,500,release-notes,a.out,',
+    '443,6,500,rumble,a.out,',
     '443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing',
     '443,6,500,scorecard-darwin-amd64,,',
     '443,6,500,sdaudioswitch,,',
@@ -300,8 +300,8 @@ WHERE
     '443,6,500,Slack Helper,,',
     '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
     '443,6,500,Slack Helper,com.tinyspeck.slackmacgap.helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
-    '443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
     '443,6,500,snyk-ls_darwin_arm64,a.out,',
+    '443,6,500,snyk,snyk_darwin_amd64,Developer ID Application: Snyk Limited (97QYW7LHSF)',
     '443,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
     '443,6,500,steampipe-plugin-aws.plugin,a.out,',
     '443,6,500,step,step,',
@@ -327,12 +327,14 @@ WHERE
     '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
     '80,6,0,com.apple.MobileSoftwareUpdate.UpdateBrainService,com.apple.MobileSoftwareUpdate.UpdateBrainService,Software Signing',
     '80,6,0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    '80,6,500,Code Helper (Plugin),com.github.Electron.helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '80,6,500,curl,com.apple.curl,Software Signing',
     '80,6,500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV)',
     '80,6,500,mconvert,a.out,',
     '80,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
     '80,6,500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
     '80,6,500,webhook.test,a.out,',
+    '443,6,500,cloud-sql-proxy,a.out,',
     '8801,17,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
     '9418,6,500,git,com.apple.git,Software Signing'
   )
@@ -342,6 +344,8 @@ WHERE
   AND NOT exception_key LIKE '80,6,500,ZwiftAppMetal,ZwiftAppMetal-%,%'
   AND NOT exception_key LIKE '443,6,500,git-remote-http,git-remote-http-%'
   AND NOT exception_key LIKE '443,6,500,cargo,cargo-%'
+  -- JetBrains
+  AND NOT exception_key LIKE '443,6,500,___%_%,a.out,'
   -- aws
   AND NOT exception_key LIKE '443,6,500,aws,%-aws,Developer ID Application: AMZN Mobile LLC (94KV3E626L)'
   -- Github actions-runner

detection/evasion/parent-missing-from-disk-linux.sql

@@ -62,6 +62,7 @@ WHERE
     '/usr/bin/kitty',
     '/usr/bin/tmux',
     '/usr/share/code/code',
+    '/opt/brave.com/brave/brave',
     '/usr/libexec/gdm-wayland-session',
     '/usr/bin/osqueryd',
     '/usr/bin/sudo',

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -49,6 +49,7 @@ WHERE
   AND file.filename NOT NULL
   AND exception_key NOT IN (
     ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
+    'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
     'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
     'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
     'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
@@ -61,6 +62,7 @@ WHERE
     'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
     'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
+    'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
     'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK),com.getdropbox.dropbox,/Applications/Dropbox.app/,501',
     'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland,/Applications/GoLand.app/,501',
     'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
@@ -72,7 +74,6 @@ WHERE
     'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
     'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
     ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
-    'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
     ',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
     ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
     ',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
@@ -86,7 +87,6 @@ WHERE
     'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
     '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
     ',,/usr/local/sbin/iodined,501'
-
   )
   AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
   AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'

detection/evasion/unexpected-dev-entries.sql

@@ -41,6 +41,7 @@ WHERE
       OR file.path LIKE '/dev/shm/pulse-shm-%'
       OR file.path LIKE '/dev/shm/u1000-Shm%'
       OR file.path LIKE '/dev/shm/u1000-Valve%'
+      OR file.path LIKE '/dev/shm/aomshm.%'
       OR file.path LIKE '/dev/shm/jack_db%'
     )
   )

detection/evasion/unexpected-tmp-executables-linux.sql

@@ -157,6 +157,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
       magic.data IN (
         "POSIX shell script, ASCII text executable",
         "libtool library file, ASCII text",
+        "ASCII text",
         "JSON data"
       )
       OR magic.data LIKE "Unicode text%"

detection/execution/recently-created-executables-macos.sql

@@ -76,10 +76,11 @@ WHERE
       AND NOT path LIKE '/Users/%/bin/%'
       AND NOT path LIKE '/Users/%/code/%'
       AND NOT path LIKE '/Users/%/dev/%'
-      AND NOT path LIKE '/Users/%/Library/Application Support/snyk-ls/snyk-ls_darwin_%'
       AND NOT path LIKE '/Users/%/Library/Application Support/%/Contents/MacOS/%'
       AND NOT path LIKE '/Users/%/Library/Application Support/iTerm2/iTermServer-%'
+      AND NOT path LIKE '/Users/%/Library/Application Support/snyk-ls/snyk-ls_darwin_%'
       AND NOT path LIKE '/Users/%/Library/Caches/%/Contents/MacOS/%'
+      AND NOT PATH LIKE '/Users/%/Library/Caches/JetBrains/GoLand2023.1/tmp/GoLand/___%'
       AND NOT path LIKE '/Users/%/Library/Caches/snyk/%/snyk-macos'
       AND NOT path LIKE '/Users/%/Library/Developer/Xcode/UserData/Previews/Simulator Devices/%/data/Containers/Bundle/Application/%'
       AND NOT path LIKE '/Users/%/Library/Google/%.bundle/Contents/Helpers/%'

detection/execution/unexpected-execdir-events-macos.sql

@@ -228,6 +228,7 @@ WHERE
   AND pe.path NOT LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%/Updater.app/Contents/MacOS/Updater'
   AND dir NOT LIKE '/Applications/%'
   AND dir NOT LIKE '~/%/bin'
+  AND dir NOT LIKE '~/%/node_modules/.bin/%'
   AND dir NOT LIKE '/opt/%/bin'
   AND dir NOT LIKE '~/%/google-cloud-sdk/bin/%'
   AND dir NOT LIKE '~/Library/Caches/ms-playwright/%'

detection/execution/unexpected-execdir-macos.sql

@@ -144,6 +144,7 @@ WHERE
     '/Library/Application Support/EcammLive',
     '~/Library/Application Support/Foxit Software/',
     '~/Library/Application Support/JetBrains/',
+    '~/Library/Caches/JetBrains/',
     '~/Library/Application Support/OpenLens',
     '~/Library/Application Support/sourcegraph-sp/',
     '~/Library/Application Support/Zwift/',

detection/execution/unexpected-fetcher-parent-events.sql

@@ -76,6 +76,7 @@ WHERE
     'curl,500,bash,zsh',
     'curl,500,env,env',
     'curl,500,fish,gnome-terminal-',
+    'curl,500,bash,yay',
     'curl,500,ruby,zsh',
     'curl,500,ShellLauncher,',
     'curl,500,ShellLauncher,login',

detection/execution/unexpected-security-framework-program-macos.sql

@@ -62,6 +62,7 @@ WHERE
       -- Other oddball binary paths
       AND NOT path LIKE '/opt/homebrew/Cellar/%'
       AND NOT path LIKE '/usr/local/Cellar/%/bin/%'
+      AND NOT path LIKE '/Users/%/go/src/%/%.test'
       AND NOT (
         path LIKE '/Users/%/homebrew/Cellar/%'
         AND name IN ('limactl', 'Python', 'bash')
@@ -77,66 +78,65 @@ WHERE
     '0,nix,nix,',
     '0,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
     '500,bash,com.apple.bash,Software Signing',
+    '500,Bazecor Helper,,',
     '500,Bitwarden,com.bitwarden.desktop,Apple Mac OS Application Signing',
     '500,Bitwarden Helper,com.bitwarden.desktop.helper,Apple Mac OS Application Signing',
     '500,Bitwarden Helper (GPU),com.bitwarden.desktop.helper.GPU,Apple Mac OS Application Signing',
     '500,Bitwarden Helper (Renderer),com.bitwarden.desktop.helper.Renderer,Apple Mac OS Application Signing',
+    '500,BloomRPC Helper,,',
     '500,bufls,a.out,',
-    '500,stern,a.out,',
-    '500,registry,a.out,',
-    '500,mattermost,a.out,',
-    '500,plugin-darwin-arm64,a.out,',
-    '500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
     '500,.cargo-wrapped,.cargo-wrapped,',
+    '500,chainctl,a.out,',
+    '500,cloud-sql-proxy,a.out,',
     '500,cloud_sql_proxy,a.out,',
+    '500,cloud-sql-proxy.darwin.arm64,a.out,',
+    '500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
     '500,CopyClip,com.fiplab.clipboard,Apple Mac OS Application Signing',
     '500,cosign,a.out,',
-    '500,hugo,a.out,',
-    '500,chainctl,a.out,',
     '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
+    '500,crane,a.out,',
+    '500,debug.test,a.out,',
+    '500,dive,a.out,',
     '500,Divvy,com.mizage.Divvy,Apple Mac OS Application Signing',
+    '500,dlv,a.out,',
+    '500,Duckly,Electron,',
+    '500,Duckly Helper,Electron Helper,',
+    '500,Duckly Helper (Renderer),Electron Helper (Renderer),',
     '500,Emacs-arm64-11,Emacs-arm64-11,Developer ID Application: Galvanix (5BRAQAFB8B)',
     '500,epdfinfo,epdfinfo,',
     '500,esbuild,a.out,',
     '500,fake,a.out,',
     '500,Final Cut Pro,com.apple.FinalCut,Apple Mac OS Application Signing',
+    '500,git,git,',
     '500,gitsign-credential-cache,a.out,',
     '500,GitterHelperApp,com.troupe.gitter.mac.GitterHelperApp,Developer ID Application: Troupe Technology Limited (A86QBWJ43W)',
+    '500,go,a.out,',
     '500,gopls,a.out,',
     '500,gopls,gopls,',
-    '500,dive,a.out,',
-    '500,snyk-ls_darwin_arm64,a.out,',
     '500,gpg-agent,gpg-agent,',
+    '500,hugo,a.out,',
     '500,InternalFiltersXPC,com.apple.InternalFiltersXPC,Apple Mac OS Application Signing',
     '500,ipcserver,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
     '500,ipcserver.old,,',
-    '500,debug.test,a.out,',
-    '500,Bazecor Helper,,',
-    '500,cloud-sql-proxy.darwin.arm64,a.out,',
     '500,ko,a.out,',
     '500,kubectl,a.out,',
-    '500,crane,a.out,',
     '500,lua-language-server,lua-language-server,',
     '500,Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
+    '500,mattermost,a.out,',
     '500,Mattermost Helper (GPU),Mattermost.Desktop.helper.GPU,Apple Mac OS Application Signing',
     '500,Mattermost Helper,Mattermost.Desktop.helper,Apple Mac OS Application Signing',
     '500,Mattermost Helper (Renderer),Mattermost.Desktop.helper.Renderer,Apple Mac OS Application Signing',
     '500,Mattermost,Mattermost.Desktop,Apple Mac OS Application Signing',
-    '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
-    '500,PrinterProxy,com.apple.print.PrinterProxy,',
-    '500,BloomRPC Helper,,',
     '500,melange-run,a.out,',
-    '500,dlv,a.out,',
-    '500,copilot-agent-macos-arm64,copilot-agent-macos-arm64-5555494405ae226b796431f588804b65cad1040e,',
-    '500,Duckly Helper,Electron Helper,',
+    '500,osqueryd,osqueryd,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
+    '500,plugin-darwin-arm64,a.out,',
+    '500,PrinterProxy,com.apple.print.PrinterProxy,',
+    '500,registry,a.out,',
     '500,registry-redirect,a.out,',
-    '500,Duckly Helper (Renderer),Electron Helper (Renderer),',
     '500,Runner.Listener,apphost-55554944a938bab90f04347d83659c53dd1197d6,',
     '500,rust-analyzer,rust_analyzer-d11ae4e1bae4360d,',
     '500,scdaemon,scdaemon,',
     '500,sdaudioswitch,,',
-    '500,Duckly,Electron,',
-    '500,git,git,',
     '500,sdaudioswitch,sdaudioswitch,',
     '500,sdzoomplugin,,',
     '500,Slack,com.tinyspeck.slackmacgap,Apple Mac OS Application Signing',
@@ -144,17 +144,19 @@ WHERE
     '500,Slack Helper (GPU),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
     '500,Slack Helper (Plugin),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
     '500,Slack Helper (Renderer),com.tinyspeck.slackmacgap.helper,Apple Mac OS Application Signing',
+    '500,snyk-ls_darwin_arm64,a.out,',
     '500,Steam Helper,com.valvesoftware.steam.helper,Developer ID Application: Valve Corporation (MXGJJ98X76)',
     '500,steam_osx,com.valvesoftware.steam,Developer ID Application: Valve Corporation (MXGJJ98X76)',
+    '500,stern,a.out,',
     '500,syncthing,syncthing,',
     '500,Telegram,ru.keepcoder.Telegram,Apple Mac OS Application Signing',
+    '500,testing,com.yourcompany.testing,', -- Xcode iPhone emulator
     '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
     '500,Todoist Helper,com.todoist.mac.Todoist.helper,Apple Mac OS Application Signing',
     '500,Todoist Helper (GPU),com.todoist.mac.Todoist.helper.GPU,Apple Mac OS Application Signing',
     '500,Todoist Helper (Renderer),com.todoist.mac.Todoist.helper.Renderer,Apple Mac OS Application Signing',
     '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     '500,vim,,',
-    '500,go,a.out,',
     '500,vim,vim,',
     '500,WinAppHelper,,',
     '500,WinAppHelper,WinAppHelper,'

detection/execution/unexpected-setuid-binaries.sql

@@ -231,6 +231,7 @@ FROM
           '/sbin/mullvad-exclude',
           '/bin/mullvad-exclude',
           '/usr/bin/su',
+          '/usr/local/bin/doas',
           '/usr/bin/sudo',
           '/usr/bin/sudoedit',
           '/usr/bin/keybase-redirector',

detection/exfil/high_disk_bytes_read.sql

@@ -174,6 +174,7 @@ WHERE
     p0.name = ""
     AND p1.name = "nvim"
   )
+  AND NOT p0_cmd LIKE '%/gcloud.py components update'
   AND NOT (p0.path LIKE '/home/%/Apps/PhpStorm%/jbr/bin/java')
   AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
 GROUP BY

detection/initial_access/sketchy-mounted-diskimage.sql

@@ -113,6 +113,7 @@ WHERE
       file.symlink = 1
       AND magic.data != 'symbolic link to /Applications'
       AND magic.data != 'symbolic link to /Applications/'
+      AND magic.data != 'symbolic link to .'
       AND magic.data NOT LIKE 'symbolic link to /Users/%/My Drive'
       AND magic.data NOT LIKE 'symbolic link to /Library/Application Support/Apple/Safari/SafariForWebKitDevelopment'
     )

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -119,6 +119,7 @@ WHERE
   -- NOTE: Do not put all of storage.googleapis.com or similarly generic hosts here
   AND host NOT IN (
     'arc.net',
+    'adoptium.net',
     'balsamiq.com',
     'brave.com',
     'discord.com',

detection/initial_access/unexpected-shell-parent-events.sql

@@ -278,6 +278,7 @@ WHERE
     OR p0_cmd LIKE '/bin/bash /usr/bin/xdg-settings check %'
     OR p0_cmd LIKE '/bin/bash /usr/local/Homebrew/%'
     OR p0_cmd LIKE '/bin/sh %/bin/gcloud%config config-helper%'
+    OR p0_cmd LIKE '/bin/sh %/google-cloud-sdk/bin/gcloud config get project'
     OR p0_cmd LIKE '/bin/sh -c pkg-config %'
     OR p0_cmd LIKE '/bin/sh %/docker-credential-gcloud get'
     OR p0_cmd LIKE '/bin/bash %git credential-osxkeychain get'
@@ -291,6 +292,7 @@ WHERE
     OR p0_cmd LIKE '%sh -c ntia-checker %'
     OR p0_cmd LIKE '%/google-chrome% --flag-switches-begin % --product-version'
     OR p1_cmd LIKE '%/bin/pipenv shell'
+    OR p1_cmd LIKE '/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby -W1 --disable=gems,rubyopt -- /Users/%/homebrew/Library/Homebrew/build.rb%'
     OR p1_cmd LIKE 'gcloud% auth%login%'
     OR p1_cmd LIKE '/%google-cloud-sdk/lib/gcloud.py%'
     OR (

detection/initial_access/unexpected-volume-contents.sql

@@ -83,6 +83,7 @@ WHERE
     '.angular-config.json',
     '.mysql_history',
     '.lesshst',
+    'pve-installer.squashfs',
     '.gitconfig',
     '.flyrc',
     '.dbshell',

detection/persistence/unexpected-active-systemd-units.sql

@@ -456,6 +456,9 @@ WHERE
         'zfs-scrub.timer,zfs-scrub.timer,,0',
         'zfs-share.service,ZFS file system shares,,225',
         'zfs-share.service,ZFS file system shares,,450',
+        'zfs-snapshot-daily.service,ZFS auto-snapshotting every day,,900',
+        'zfs-snapshot-frequent.service,ZFS auto-snapshotting every 15 mins,,900',
+        'zfs-snapshot-hourly.service,ZFS auto-snapshotting every hour,,900',
         'zfs.target,ZFS startup target,,0',
         'zfs-volumes.target,ZFS volumes are ready,,0',
         'zfs-volume-wait.service,Wait for ZFS Volume (zvol) links in /dev,,225',

detection/persistence/unexpected-chrome-extensions.sql

@@ -52,7 +52,6 @@ WHERE
     -- Deprecated Google Extension
     'false,Anthony Feddersen - Chainguard, Inc.,Chainguard On-Call Chrome Extension,',
     'false,,base64 encode or decode selected text,',
-    'false,,NVD Cleaner,',
     'false,,Google Chat,chfbpgnooceecdoohagngmjnndbbaeip',
     'false,,Google Chat,mdpkiolbdkhdjpekfbkbmhigcaggjagi',
     'false,,Google Cloud,gmdcbpephenfeelhagpbceidhdbobfpk',
@@ -60,6 +59,7 @@ WHERE
     'false,,Google Photos,ncmjhecbjeaamljdfahankockkkdmedg',
     'false,julienv3@gmail.com,treasure-clicker,',
     'false,juverm@chainguard.dev,auto-close-gitsign,',
+    'false,,NVD Cleaner,',
     'false,,Trotto go links,nkeoojidblilnkcbbmfhaeebndapehjk',
     'false,,YouTube,agimnkijcaahngcdmfeangaknmldooml',
     'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',
@@ -101,6 +101,7 @@ WHERE
     'true,,DealFinder by VoucherCodes,jhgicjdnnonfaedodemjjinbgcoeiajo',
     'true,,DEPRECATED Secure Shell App,pnhechapfaindjhompbnflcldabbghjo',
     'true,,Disconnect,jeoacafpbcihiomhlakheieifhpjdfeo',
+    'true,,Distill Web Monitor,inlikjemeeknofckkjolnjbpehgadgge',
     'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg',
     'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg',
     'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
@@ -166,7 +167,12 @@ WHERE
     'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi',
     'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm',
     'true,,React Developer Tools,fmkadmapgofadopljbjfkapdkoienihi',
+    'true,,Acorns Earn,facncfnojagdpibmijfjdmhkklabakgd',
+    'true,,Universal Video Downloader,cogmkaeijeflocngklepoknelfjpdjng',
+    'true,,Sendspark Video and Screen Recorder,blimjkpadkhcpmkeboeknjcmiaogbkph',
+    'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
     'true,,Reader Mode,llimhhconnjiflfimocjggfjdlmlhblm',
+    'true,,RetailMeNot Deal Finder\xE2\x84\xA2\xEF\xB8\x8F,jjfblogammkiefalfpafidabbnamoknm',
     'true,,Readwise Highlighter,jjhefcfhmnkfeepcpnilbbkaadhngkbi',
     'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
     'true,,RSS Subscription Extension (by Google),nlbjncdgjeocebhnmkbbbdekmmmcbfjd',
@@ -203,6 +209,7 @@ WHERE
     'true,,Vimium,dbepggeogbaibhgnhhndojpepiihcmeb',
     'true,,Vue.js devtools,nhdogjmejiglipccpnnnanhbledajbpd',
     'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg',
+    'true,,WAVE Evaluation Tool,jbbplnpkjmmeebjpijfedlgcdilocofh',
     'true,,Windscribe - Free Proxy and Ad Blocker,hnmpcagpplmpfojmgmnngilcnanddlhb',
     'true,,WiseStamp email signature,pbcgnkmbeodkmiijjfnliicelkjfcldg',
     'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',

detection/persistence/unexpected-device.sql

@@ -62,6 +62,7 @@ WHERE
     '/dev/cdrom',
     '/dev/char/',
     '/dev/char/:',
+    '/dev/cec',
     '/dev/console',
     '/dev/core',
     '/dev/cpu/',

detection/persistence/unexpected-launchd-program-macos.sql

@@ -36,6 +36,7 @@ WHERE
     'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
     'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     'Developer ID Application: Objective Development Software GmbH (MLZF7K7B5R)',
+    'Developer ID Application: Louis Pontoise (QXD7GW8FHY)',
     'Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
     'Developer ID Application: Valve Corporation (MXGJJ98X76)',
     'Developer ID Application: Wireshark Foundation, Inc. (7Z6EMTD2C6)',

detection/persistence/unexpected-listening-port-linux.sql

@@ -92,6 +92,7 @@ WHERE
     '3000,6,500,grafana-server',
     '3000,6,500,node',
     '32768,6,0,tailscaled',
+    '32768,6,500,java',
     '32768,6,0,.tailscaled-wra',
     '32768,6,500,com.docker.backend',
     '32768,6,500,dleyna-renderer',

policy/gcp-service-account-keys-mdfind.sql

@@ -44,6 +44,7 @@ WHERE
     REPLACE(LOWER(TRIM(u.description)), " ", "-")
   ) == 1
   -- Common locations of test or demo keys
+  AND NOT file.path = '/Users/Shared/LGHUB/keys.json'
   AND NOT file.directory LIKE '%/pkg/%'
   AND NOT file.directory LIKE '%/go/src/%'
   AND NOT file.directory LIKE '%/pkg/mod/%'
@@ -82,6 +83,7 @@ WHERE
     '81bce2313cd00ffc42303fbf7c08e4d068fccc9c0076867903ef94616d795e12',
     '4b4be8c1bc7e3bc7ea1f02932a024466db5faf3eaad885cf31ac7383484b1b1c',
     'af1a2f8e9d581bb1504e3d8801d15d962fdf12ee7ebcf2bb9c475c8b92da6472',
+    'bc4c0ad21d79fea9050e75e80f13dd54bfdc867236342ede901d15d815f31988',
     '6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',
     '11ffc5141b4b0071c0796914deef68d012c4f4c289931c5587fe89d7d6dca0a1',
     '6e55f3eccad59a615189c82cbcbd1133ce94509f7c5d42e3e7fbd00e65f0731f',