Merge pull request #445 from tstromberg/fpr-jan21

fpr: Chrome, bwrap, rsyslogd, gmail, rust
chainguard-dev · Jan 21, 2025 · ade0dc5 · ade0dc5
2 parents 9ca8f8f + ad3fde0
commit ade0dc5
Show file tree

Hide file tree

Showing 11 changed files with 25 additions and 12 deletions.
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
@@ -152,6 +152,7 @@ WHERE
     'io.tailscale.ipn.macsys.network-extension',
     'IPNExtension',
     'Jabra Direct Helper',
+    'java',
     'limactl',
     'mDNSResponder',
     'melange',

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
@@ -101,20 +101,21 @@ WHERE
     '0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
     '0,Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
     '500,Apple Mac OS Application Signing',
-    '500,Software Signing',
     '500,Developer ID Application: Autodesk (XXKJ396S2Y)',
     '500,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
     '500,Developer ID Application: Cisco (DE8Y96K9QP)',
     '500,Developer ID Application: David Kocher (G69SCX94XU)',
     '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
     '500,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '500,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
+    '500,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
     '500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
     '500,Developer ID Application: Spotify (2FNC3A47ZF)',
     '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)',
     '500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
     '500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
-    '500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
+    '500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)',
+    '500,Software Signing'
   )
   AND NOT (
     unsigned_exception = '500,6,80,main,main'

diff --git a/detection/credentials/unexpected-dev-opener-macos.sql b/detection/credentials/unexpected-dev-opener-macos.sql
@@ -135,5 +135,7 @@ WHERE
     '/dev/xcpm,systemstats,Software Signing,com.apple.systemstats',
     '/dev/xcpm,thermald,Software Signing,com.apple.thermald'
   )
+  -- Keyboard flashing
+  AND NOT exception_key LIKE '/dev/cu.usbmodem%,Google Chrome,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome'
 GROUP BY
   pof.pid
diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
@@ -173,6 +173,7 @@ WHERE
     OR dir LIKE '%/.build'
     OR dir LIKE '%/.cache/melange%'
     OR dir LIKE '%/.cargo/%'
+    OR dir LIKE '%/.cargo-arm64%'
     OR dir LIKE '~/code/%'
     OR dir LIKE '~/%/.config/nvim'
     OR dir LIKE '~/dev/%/dots/%/.config%'

diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql
@@ -46,6 +46,7 @@ FROM
 WHERE
   extension IS NOT NULL
   AND extension NOT IN (
+    '0',
     '1',
     '2',
     '3',

diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
@@ -99,22 +99,23 @@ WHERE
     AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
   )
   AND NOT pname IN (
+    'at.obdev.littlesnitch.endpointsecurity',
+    'at.obdev.littlesnitchmini.networkextension',
+    'at.obdev.littlesnitch.networkextension',
     'BetterTouchToolAppleScriptRunner',
     'BetterTouchToolAppleScriptRunner3',
     'BetterTouchToolShellScriptRunner',
-    'EcammLiveVideoOutAssistantXPCHelper',
-    'ThingsWidgetExtensionMacAppStore',
-    'TwitterNotificationServiceExtension',
-    'at.obdev.littlesnitch.endpointsecurity',
-    'at.obdev.littlesnitch.networkextension',
     'com.microsoft.teams2.notificationcenter',
     'cpu',
-    'xdg-open',
-    'EncryptMe',
     'dynamiclinkmanager',
+    'dynamiclinkmediaserver',
+    'EcammLiveVideoOutAssistantXPCHelper',
+    'EncryptMe',
     'launchd_startx',
+    'ThingsWidgetExtensionMacAppStore',
+    'TwitterNotificationServiceExtension',
     'usercontextservice',
-    'at.obdev.littlesnitchmini.networkextension'
+    'xdg-open'
   )
   -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
   AND NOT pname LIKE '___1Test%'

diff --git a/detection/execution/unexpected-chmod-exec-event-linux.sql b/detection/execution/unexpected-chmod-exec-event-linux.sql
@@ -124,5 +124,6 @@ WHERE
   AND p1_cgroup NOT LIKE '/user.slice/user-1000.slice/[email protected]/user.slice/nerdctl-%'
   AND p2_cgroup NOT LIKE '/system.slice/docker-%'
   AND p2_cgroup NOT LIKE '/user.slice/user-1000.slice/[email protected]/user.slice/nerdctl-%'
+  AND NOT exception_key IN ('chmod,500,bash,gnome-terminal-server')
 GROUP BY
   p0_pid
diff --git a/detection/exfil/yara-unexpected-rust-http-exec-process.sql b/detection/exfil/yara-unexpected-rust-http-exec-process.sql
@@ -75,16 +75,17 @@ WHERE
     'atuin',
     'cargo',
     'Cody',
-    'i3status-rs',
     'deno',
     'DevPod',
     'fig-darwin-universal',
     'figma_agent',
+    'i3status-rs',
     'i3status-rust',
     'nvim',
     'old',
     'OrbStack Helper',
     'rpm-ostree',
+    'rustc',
     'sg-nvim-agent',
     'sm-agent',
     'stable',

diff --git a/detection/initial_access/unexpected-webmail-downloads.sql b/detection/initial_access/unexpected-webmail-downloads.sql
@@ -49,6 +49,7 @@ WHERE
     'jpg',
     'json',
     'key',
+    'loaded_1',
     'md',
     'mov',
     'mp3',
@@ -80,7 +81,7 @@ WHERE
     'xlsm',
     'xlsx',
     'xml',
-    'yml',
     'yaml',
+    'yml',
     'zip'
   )
diff --git a/detection/persistence/unexpected-listening-port-linux.sql b/detection/persistence/unexpected-listening-port-linux.sql
@@ -169,6 +169,7 @@ WHERE
     '6443,6,0,kube-apiserver',
     '6443,6,500,kube-apiserver',
     '67,17,114,dnsmasq',
+    '1601,6,500,rsyslogd',
     '67,17,130,dnsmasq',
     '67,17,500,dnsmasq',
     '68,17,0,dhclient',
@@ -240,5 +241,6 @@ WHERE
   AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
   AND NOT p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
   AND NOT p.cgroup_path LIKE '/user.slice/user-1000.slice/[email protected]/user.slice/libpod-%'
+  AND NOT p1_cmd LIKE 'bwrap --bind%'
 GROUP BY
   exception_key
diff --git a/detection/privesc/unexpected-setxid-process.sql b/detection/privesc/unexpected-setxid-process.sql
@@ -62,6 +62,7 @@ WHERE
     '/usr/sbin/traceroute',
     '/usr/bin/bwrap'
   )
+  AND f.filename != 'chrome-sandbox'
   AND f.path NOT LIKE '/Users/%/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
   AND f.path NOT LIKE '/opt/homebrew/Cellar/dnsmasq/%/sbin/dnsmasq'
   AND f.path NOT LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
-Original file line number
+Diff line change
@@ Expand Up / @@ -46,6 +46,7 @@ FROM @@
     WHERE
       extension IS NOT NULL
       AND extension NOT IN (
+        '0',
         '1',
         '2',
         '3',
@@ Expand Down @@