fpr: docker, fish, Stream Deck, rsync, lima, macOS

detection/c2/unexpected-dns-traffic-events.sql

@@ -79,6 +79,7 @@ WHERE
     'ZaloCall,8.8.8.8,53',
     'Telegram,8.8.8.8,53',
     'Meeting Center,8.8.8.8,53',
+    'limactl,8.8.8.8,53',
     'signal-desktop,8.8.8.8,53',
     'slack,8.8.8.8,53',
     'EpicWebHelper,8.8.4.4,53',

detection/c2/unexpected-https-linux.sql

@@ -172,6 +172,7 @@ WHERE
     '500,git,0u,0g,git',
     '500,git-remote-http,0u,0g,git-remote-http',
     '500,git-remote-http,u,g,git-remote-http',
+    '500,com.docker.backend,0u,0g,com.docker.back',
     '500,gitsign,0u,0g,gitsign',
     '500,gitsign,500u,0g,gitsign',
     '500,gitsign,500u,500g,gitsign',

detection/c2/unexpected-talker-events.sql

@@ -100,7 +100,9 @@ WHERE
   )
   AND NOT exception_key IN (
     '500,0,123,sntp',
+    '500,0,443,com.google.one.NetworkExtension',
     '500,0,22,ssh',
+    '500,0,443,com.apple.NRD.UpdateBrainService',
     '500,0,31488,sntp',
     '500,0,32768,ksfetch',
     '500,0,32768,syncthing',
@@ -132,14 +134,25 @@ WHERE
     '500,500,32768,cloud-sql-proxy',
     '500,500,32768,ksfetch',
     '500,500,4318,Code Helper (Plugin)',
+    '500,500,80,Code Helper (Plugin)',
     '500,500,443,aws',
     '500,500,443,cloud_sql_proxy',
     '500,500,443,Code Helper (Plugin)',
     '500,500,443,Code Helper',
+    '500,500,443,grype',
     '500,500,443,copilot-agent-macos-arm64',
     '500,500,443,Electron',
+    '500,500,443,chainctl',
+    '500,0,80,http',
+    '500,500,443,figma_agent',
+    '500,0,443,fwupdmgr',
+    '500,500,443,GitX',
+    '500,0,110,syncthing',
+    '500,500,80,Code Helper (Plugin)',
+    '500,500,80,ksfetch',
     '500,500,443,gitsign',
     '500,500,443,go',
+    '500,0,443,OneDriveStandaloneUpdater',
     '500,500,443,ksfetch',
     '500,500,443,node',
     '500,500,443,old',
@@ -148,6 +161,8 @@ WHERE
     '500,500,80,copilot-agent-macos-arm64',
     '500,500,80,node'
   )
+  AND NOT exception_key LIKE '500,500,443,terraform%'
+  AND NOT exception_key LIKE '500,0,%,chrome'
   AND NOT (
     basename = "Python"
     AND (

detection/c2/unexpected-talkers-linux.sql

@@ -237,10 +237,17 @@ WHERE
     AND s.protocol = 6
     AND p.euid > 500
   )
+  AND NOT (
+    p.name = 'ruby'
+    AND p.cmdline LIKE '%fluentd%'
+    AND s.remote_port > 1024
+    AND s.protocol = 6
+    AND p.euid > 500
+  )
   AND NOT (
     p.name = 'java'
     AND p.cmdline LIKE '/home/%/PhpStorm%'
-    AND s.remote_port > 1024
+    AND s.remote_port > 79
     AND s.protocol = 6
     AND p.euid > 500
   )

detection/evasion/hidden-cwd-events-linux.sql

@@ -71,6 +71,8 @@ WHERE
         )
         OR exception_key LIKE '%sh,~/.Trash'
     )
+    AND NOT pe.cwd LIKE '%/build/%'
+    AND NOT pe.cwd LIKE '%/out/%'
 GROUP BY
     p.cmdline,
     p.cwd;

detection/evasion/unexpected-user-shared-entries.sql

@@ -79,6 +79,7 @@ WHERE
       '/Users/Shared/Relocated Items',
       '/Users/Shared/TechSmith'
     )
+    OR file.path LIKE '/Users/Shared/Epic Games/%'
     OR file.path LIKE "/Users/Shared/Previously Relocated Items %/%"
     OR (
       file.path LIKE "%.plist"

detection/evasion/unusual-process-name-linux.sql

@@ -94,6 +94,7 @@ WHERE
     "xdg-permission-store",
     "xdg-desktop-portal",
     "xdg-document-portal",
+    'udevadm',
     "xdg-desktop-portal-gnome",
     "xdg-desktop-portal-gtk",
     "nm-applet",

detection/execution/exotic-commands-macos.sql

@@ -95,7 +95,7 @@ WHERE
   )
   AND NOT (
     p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'
-    AND p1.name LIKE 'limactl%'
+    AND p0_cmd LIKE "%lima/%"
   )
   AND NOT (
     p0_cmd LIKE '%UserKnownHostsFile=/dev/null%'

detection/exfil/high_disk_bytes_read.sql

@@ -106,6 +106,7 @@ WHERE
     'Safari',
     'sh',
     'plasmashell',
+    'rsync',
     'slack',
     'spotify',
     'steam',
@@ -131,6 +132,7 @@ WHERE
     '/app/libexec/mediawriter/helper',
     '/usr/bin/darktable',
     '/usr/libexec/snapd/snapd',
+    '/usr/bin/rsync',
     '/usr/bin/dockerd',
     '/usr/bin/gnome-shell',
     '/usr/bin/teskdisk',

detection/exfil/yara-unexpected-rust-http-exec-process.sql

@@ -51,6 +51,7 @@ WHERE
   AND yara.count > 0
   AND p0.name NOT IN (
     'old',
+    'stable',
     'fig-darwin-universal',
     'wezterm-gui'
   )

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -144,6 +144,7 @@ WHERE
     'flipperzero.one',
     'dl.google.com',
     'duckduckgo.com',
+    'go.dev',
     'dygma.com',
     'emacsformacosx.com',
     'getkap.co',

detection/persistence/minimal-socket-client-linux.sql

@@ -46,7 +46,8 @@ WHERE p0.path != '' -- optimization: focus on longer running processes
         '/usr/lib/electron/chrome-sandbox',
         '/usr/bin/i3blocks'
     )
-    AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
+    AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'stern', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
+    AND p0.path NOT LIKE '/home/%/go/bin/%'
     AND pos.family != 1
     AND pos.pid > 0
     AND pos.state != 'LISTEN'

detection/persistence/unexpected-launchd-program-macos.sql

@@ -34,6 +34,7 @@ WHERE
     'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
     'Developer ID Application: Creative Labs Pte. Ltd. (5Q3552844F)',
     'Developer ID Application: Docker Inc (9BNSXJN65R)',
+    'Developer ID Application: Jonathan Bullard (Z2SG5H3HC8)',
     'Developer ID Application: Ilya Parniuk (ACC5R6RH47)',
     'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
     'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',

detection/persistence/unexpected-listening-port-macos.sql

@@ -125,6 +125,7 @@ WHERE
     '53,6,65,mDNSResponder,Software Signing',
     '5454,6,0,xrdd,Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
     '546,17,0,configd,Software Signing',
+    '49152,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     '547,17,500,dhcp6d,Software Signing',
     '5900,6,0,launchd,Software Signing',
     '5900,6,0,screensharingd,Software Signing',

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -76,6 +76,7 @@ WHERE
   AND exception_key NOT IN (
     '(sd-pam),/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
     'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
+    'docker,/usr/local/bin/docker,0,user.slice,user-1000.slice,0755',
     'launcher,/usr/local/kolide-k2/bin/launcher,0,system.slice,launcher.kolide-k2.service,0755',
     '.tailscaled-wra,/nix/store/__VERSION__/bin/.tailscaled-wrapped,0,system.slice,tailscaled.service,0555',
     '/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',

detection/persistence/yara-suspicious-strings-process-linux.sql

@@ -67,7 +67,7 @@ WHERE
         $avahi = "avahi-daemon:"
         $redhat4 = "Red Hat 4"
     condition:
-        filesize < 10MB and 2 of them
+        filesize < 25MB and 3 of them
 }'
   AND yara.count > 0
   AND p0.name NOT IN (
@@ -88,12 +88,18 @@ WHERE
     '/usr/bin/bash',
     '/usr/bin/gnome-software',
     '/usr/bin/gpg-agent',
+    '/bin/fish',
+    '/usr/bin/fish',
     '/usr/bin/ibus-daemon',
     '/usr/bin/make',
+    '/usr/bin/docker-proxy',
     '/usr/bin/NetworkManager',
     '/usr/bin/nvidia-persistenced',
+    '/usr/lib/systemd/systemd-machined',
     '/usr/bin/pulseaudio',
     '/usr/bin/udevadm',
+    '/usr/sbin/crond',
+    '/usr/sbin/gdm',
     '/usr/bin/update-notifier',
     '/usr/bin/Xwayland',
     '/usr/lib/bluetooth/bluetoothd',