fpr: Chrome, UBlue, Debian, Canon, ExpressVPN, etc.

detection/c2/unexpected-dns-traffic-events.sql

@@ -62,16 +62,21 @@ WHERE
   )
   -- Some applications hard-code a safe DNS resolver, or allow the user to configure one
   AND s.remote_address NOT IN (
-    '1.1.1.1', -- Cloudflare
     '100.100.100.100', -- Tailscale Magic DNS
+    '1.0.0.1', -- Cloudflare
+    '1.1.1.1', -- Cloudflare
+    '1.1.1.2', -- Cloudflare
+    '185.125.190.31', -- Canonical
+    '185.125.190.77', -- Canonical
     '208.67.220.123', -- OpenDNS FamilyShield
+    '208.67.222.222', -- OpenDNS
+    '34.160.111.32', -- wolfi.dev
+    '68.105.28.13', -- Cox
     '75.75.75.75', -- Comcast
     '75.75.76.76', -- Comcast
-    '68.105.28.13', -- Cox
     '80.248.7.1', -- 21st Century (NG)
-    '34.160.111.32', -- wolfi.dev
-    '185.125.190.31', -- Canonical
-    '185.125.190.77' -- Canonical
+    '8.8.4.4', -- Google (backup)
+    '8.8.8.8' -- Google
   )
   -- Exceptions that specifically talk to one server
   AND exception_key NOT IN (
@@ -81,10 +86,13 @@ WHERE
     'CapCut,8.8.8.8,53',
     'cg,108.177.98.95,53',
     'ChatGPT,8.8.8.8,53',
+    'Code Helper (Plugin),1.0.0.1,53',
     'com.docker.backend,8.8.8.8,53',
     'com.docker.vpnkit,8.8.8.8,53',
+    'com.docker.buil,35.190.88.7,53', -- licensing exfil via Bugsnag?
     'coredns,0.0.0.0,53',
     'coredns,8.8.8.8,53',
+    'io.tailscale.ipn.macsys.network-extension,8.8.8.8,53',
     'Creative Cloud Content Manager.node,8.8.4.4,53',
     'Creative Cloud Content Manager.node,8.8.8.8,53',
     'distnoted,8.8.4.4,53',
@@ -95,6 +103,7 @@ WHERE
     'gvproxy,170.247.170.2,53',
     'helm,185.199.108.133,53',
     'limactl,8.8.8.8,53',
+    'Code Helper (Plugin),1.0.0.1,53',
     'Meeting Center,8.8.8.8,53',
     'msedge,8.8.4.4,53',
     'msedge,8.8.8.8,53',
@@ -114,6 +123,7 @@ WHERE
     'Socket Process,8.8.8.8,53',
     'syncthing,46.162.192.181,53',
     'Telegram,8.8.8.8,53',
+    'vunnel,8.8.8.8,53',
     'WebexHelper,8.8.8.8,53',
     'WhatsApp,1.1.1.1,53',
     'yum,208.67.222.222,53',
@@ -126,30 +136,34 @@ WHERE
   -- Local DNS servers and custom clients go here
   AND basename NOT IN (
     'adguard_dns',
-    'apk',
     'agentbeat',
+    'apk',
     'apko',
     'canonical-livep',
+    'cg',
     'chrome',
     'com.apple.WebKit.Networking',
     'com.docker.backend',
     'go',
-    'wolfictl',
-    'gvproxy',
     'grype',
-    'incusd',
+    'gvproxy',
     'helm',
-    'terraform-provi',
+    'incusd',
+    'io.tailscale.ipn.macsys.network-extension',
     'IPNExtension',
     'Jabra Direct Helper',
     'limactl',
     'mDNSResponder',
     'melange',
-    'syncthing',
     'nessusd',
     'nuclei',
+    'syncthing',
     'systemd-resolved',
-    'WhatsApp'
+    'tailscaled',
+    'terraform-ls',
+    'terraform-provi',
+    'WhatsApp',
+    'wolfictl'
   )
   AND p.name NOT IN ('Jabra Direct Helper', 'terraform-provi')
   -- Chromium/Electron apps seem to send stray packets out like nobodies business

detection/c2/unexpected-talkers-linux.sql

@@ -85,23 +85,28 @@ WHERE
     AND exception_key = '32768,6,%,sshd,0u,0g,sshd'
   )
   AND NOT exception_key IN (
-    '123,17,500,chronyd,0u,0g,chronyd',
+    '123,17,106,chronyd,0u,0g,chronyd',
+    '4460,6,125,chronyd,0u,0g,chronyd',
+    '4433,6,500,openssl,0u,0g,openssl',
     '123,17,473,chronyd,0u,0g,chronyd',
+    '123,17,500,chronyd,0u,0g,chronyd',
+    '123,17,125,chronyd,0u,0g,chronyd',
     '19305,6,500,msedge,0u,0g,msedge',
     '21,6,0,rpm-ostree,0u,0g,rpm-ostree',
     '27018,6,500,pasta.avx2,0u,0g,pasta.avx2',
+    '32768,6,500,mumble,0u,0g,mumble',
     '32768,6,500,slirp4netns,0u,0g,slirp4netns',
-    '4070,6,500,spotify,u,g,spotify',
     '4070,6,500,spotify,0u,0g,spotify',
+    '4070,6,500,spotify,u,g,spotify',
     '49152,6,500,ContinuityCaptureAgent,Software Signing',
+    '5222,6,500,msedge,0u,0g,msedge',
     '587,6,500,perl,0u,0g,git-send-email',
     '67,17,0,NetworkManager,0u,0g,NetworkManager',
     '8000,6,500,brave,0u,0g,brave',
     '8000,6,500,chrome,0u,0g,chrome',
     '8000,6,500,firefox,0u,0g,firefox',
-    '80,6,500,vlc,0u,0g,vlc',
-    '80,6,500,telegram-desktop,u,g,telegram-deskto',
     '80,6,0,dnf5,0u,0g,dnf',
+    '80,6,0,dnf5,0u,0g,dnf5',
     '80,6,0,grep,0u,0g,grep',
     '80,6,0,incusd,0u,0g,incusd',
     '80,6,0,kmod,0u,0g,depmod',
@@ -115,24 +120,23 @@ WHERE
     '80,6,0,python2.7,500u,500g,yum',
     '80,6,0,python3.10,0u,0g,dnf',
     '80,6,0,python3.10,0u,0g,dnf-automatic',
-    '80,6,0,python3.12,500u,500g,dnf-automatic',
     '80,6,0,python3.10,0u,0g,yum',
     '80,6,0,python3.11,0u,0g,dnf',
-    '123,17,106,chronyd,0u,0g,chronyd',
-    '5222,6,500,msedge,0u,0g,msedge',
     '80,6,0,python3.11,0u,0g,dnf-automatic',
     '80,6,0,python3.11,0u,0g,yum',
+    '80,6,0,python3.12,0u,0g,apport-gtk',
     '80,6,0,python3.12,0u,0g,dnf',
-    '80,6,0,python3.12,0u,0g,yum',
     '80,6,0,python3.12,0u,0g,dnf-automatic',
-    '89,6,500,chrome,0u,0g,chrome',
+    '80,6,0,python3.12,0u,0g,yum',
+    '80,6,0,python3.12,500u,500g,dnf-automatic',
     '80,6,0,python3.9,u,g,yum',
     '80,6,0,rpm-ostree,0u,0g,rpm-ostree',
     '80,6,0,sort,0u,0g,sort',
     '80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
     '80,6,0,tailscaled,0u,0g,tailscaled',
     '80,6,0,wget,0u,0g,wget',
     '80,6,0,zstd,0u,0g,zstd',
+    '80,6,0,zypper,0u,0g,Zypp-main',
     '80,6,100,http,0u,0g,http',
     '80,6,105,http,0u,0g,http',
     '80,6,42,http,0u,0g,http',
@@ -172,7 +176,6 @@ WHERE
     '80,6,500,python3.11,0u,0g,dnf',
     '80,6,500,python3.11,0u,0g,yum',
     '80,6,500,python3.12,0u,0g,pull-lp-source',
-    '80,6,0,python3.12,0u,0g,dnf-automatic',
     '80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86',
     '80,6,500,qemu-system-x86_64,500u,500g,qemu-system-x86',
     '80,6,500,rpi-imager,0u,0g,rpi-imager',
@@ -182,54 +185,55 @@ WHERE
     '80,6,500,slirp4netns,500u,500g,slirp4netns',
     '80,6,500,spotify,0u,0g,spotify',
     '80,6,500,spotify,500u,500g,spotify',
-    '80,6,500,ZoomWebviewHost,0u,0g,ZoomWebviewHost',
     '80,6,500,spotify-launcher,0u,0g,spotify-launche',
     '80,6,500,spotify,u,g,spotify',
-    '80,6,0,dnf5,0u,0g,dnf5',
     '80,6,500,steam,500u,100g,steam',
     '80,6,500,steam,500u,500g,steam',
     '80,6,500,steamwebhelper,500u,500g,steamwebhelper',
+    '80,6,500,telegram-desktop,u,g,telegram-deskto',
     '80,6,500,terraform,0u,0g,terraform',
     '80,6,500,terraform,500u,500g,terraform',
     '80,6,500,thunderbird,0u,0g,thunderbird',
+    '80,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
     '80,6,500,thunderbird-bin,u,g,thunderbird-bin',
     '80,6,500,thunderbird,u,g,thunderbird',
+    '80,6,500,vlc,0u,0g,vlc',
     '80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
     '80,6,500,wget,0u,0g,wget',
     '80,6,500,wine64-preloader,0u,0g,control.exe',
     '80,6,500,zen,u,g,zen',
     '80,6,500,zoom,0u,0g,zoom',
     '80,6,500,zoom.real,u,g,zoom.real',
-    '80,6,0,zypper,0u,0g,Zypp-main',
+    '80,6,500,ZoomWebviewHost,0u,0g,ZoomWebviewHost',
+    '8080,6,500,bambu-studio,u,g,bambustu_main',
     '8080,6,500,brave,0u,0g,brave',
     '8080,6,500,chrome,0u,0g,chrome',
     '8080,6,500,firefox,0u,0g,firefox',
     '8080,6,500,goland,500u,500g,goland',
     '8080,6,500,idea,0u,0g,idea',
     '8080,6,500,java,u,g,java',
+    '80,6,500,dropbox,500u,500g,dropbox',
+    '8080,6,500,msedge,0u,0g,msedge',
     '8080,6,500,pycharm,500u,500g,pycharm',
-    '32768,6,500,mumble,0u,0g,mumble',
     '8080,6,500,python3.11,0u,0g,speedtest-cli',
     '8080,6,500,python3.12,u,g,hass',
     '8080,6,500,speedtest,500u,500g,speedtest',
-    '8080,6,500,bambu-studio,u,g,bambustu_main',
-    '8080,6,500,goland,500u,500g,goland',
     '8443,6,500,chrome,0u,0g,chrome',
     '8443,6,500,firefox,0u,0g,firefox',
     '8801,17,500,zoom,0u,0g,zoom',
     '8801,17,500,zoom.real,u,g,zoom.real',
-    '8883,6,500,bambu-studio,u,g,bambustu_main',
     '88,6,500,syncthing,0u,0g,syncthing',
+    '8883,6,500,bambu-studio,u,g,bambustu_main',
+    '8883,6,500,WebKitWebProcess,u,g,WebKitWebProces',
+    '89,6,500,chrome,0u,0g,chrome',
     '8987,6,500,whois,0u,0g,whois',
     '9,17,0,launcher,0u,0g,launcher',
+    '9418,6,0,git,0u,0g,git',
     '9418,6,500,git,0u,0g,git',
     '993,6,500,evolution,0u,0g,evolution',
     '993,6,500,thunderbird,0u,0g,thunderbird',
-    '993,6,500,thunderbird,u,g,thunderbird',
     '993,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
-    '80,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
-    '8883,6,500,WebKitWebProcess,u,g,WebKitWebProces',
-    '9418,6,0,git,0u,0g,git',
+    '993,6,500,thunderbird,u,g,thunderbird',
     '9999,6,500,firefox,0u,0g,firefox'
   )
   AND NOT exception_key LIKE '80,6,500,terraform_1.1.5,500u,500g,terraform'

detection/c2/unexpected-talkers-macos.sql

@@ -101,17 +101,20 @@ WHERE
     '0,Developer ID Application: Tailscale Inc. (W5364U7YZB)',
     '0,Developer ID Application: Y Soft Corporation, a.s. (3CPED8WGS9)',
     '500,Apple Mac OS Application Signing',
-    '500,Developer ID Application: David Kocher (G69SCX94XU)',
-    '500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
+    '500,Software Signing',
+    '500,Developer ID Application: Autodesk (XXKJ396S2Y)',
+    '500,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
     '500,Developer ID Application: Cisco (DE8Y96K9QP)',
+    '500,Developer ID Application: David Kocher (G69SCX94XU)',
     '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    '500,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
+    '500,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
     '500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
-    '500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
-    '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)',
-    '500,Developer ID Application: Autodesk (XXKJ396S2Y)',
-    '500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)',
     '500,Developer ID Application: Spotify (2FNC3A47ZF)',
-    '500,Developer ID Application: Microsoft Corporation (UBF8T346G9)'
+    '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)',
+    '500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
+    '500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
+    '500,Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
   )
   AND NOT (
     unsigned_exception = '500,6,80,main,main'
@@ -126,8 +129,11 @@ WHERE
     '500,0,0,gvproxy,gvproxy',
     '500,0,0,Python,Python',
     '500,6,0,gvproxy,gvproxy',
+    '500,0,0,git,git',
+    '500,6,9418,git,git',
     '500,6,5223,apsd,apsd',
     '500,6,80,chainlink,chainlink',
+    '500,6,443,.Telegram-wrapped,.Telegram-wrapped',
     '500,17,53,gvproxy,gvproxy',
     '500,17,53,gvproxy,gvproxy',
     '500,6,443,gvproxy,gvproxy',

detection/credentials/macos_keyboard_sniffer.sql

@@ -64,24 +64,26 @@ WHERE
     'BetterDisplay,pro.betterdisplay.BetterDisplay,Developer ID Application: Istvan Toth (299YSU96J7)',
     'BetterTouchTool,com.hegenberg.BetterTouchTool,Developer ID Application: folivora.AI GmbH (DAFVSXZ82P)',
     'Contexts,com.contextsformac.Contexts,Developer ID Application: Usman Khalid (RZ7E748ZSC)',
+    'deskflow-client,deskflow-client,',
+    'deskflow-server,deskflow-server,',
+    'Display Pilot 2,com.benq.DisplayPilot2,Developer ID Application: BenQ Corporation (3YMZ8E4Y5W)',
     'Grammarly Desktop,com.grammarly.ProjectLlama,Developer ID Application: Grammarly, Inc (W8F64X92K3)',
     'HueSync,com.lighting.huesync,Developer ID Application: Signify Netherlands B.V. (PREPN2W95S)',
     'Hyperkey,com.knollsoft.Hyperkey,Developer ID Application: Ryan Hanson (XSYZ3E4B7D)',
-    'Lunar,fyi.lunar.Lunar,Developer ID Application: Alin Panaitiu (RDDXV84A73)',
-    'Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
-    'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)',
-    'Rocket,net.matthewpalmer.Rocket,Developer ID Application: Matthew Palmer (Z4JV2M65MH)',
-    'Superkey,com.knollsoft.Superkey,Developer ID Application: Ryan Hanson (XSYZ3E4B7D)',
-    'TextExpander,com.smileonmymac.textexpander,Developer ID Application: SmileOnMyMac, LLC (7PKJ6G4DXL)',
     'iTerm2,com.googlecode.iterm2,Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D)',
     'lghub_agent,com.logi.ghub.agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
+    'LinearMouse,com.lujjjh.LinearMouse,Developer ID Application: Jiahao Lu (C5686NKYJ7)',
     'logioptionsplus_agent,com.logi.cp-dev-mgr,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
+    'Lunar,fyi.lunar.Lunar,Developer ID Application: Alin Panaitiu (RDDXV84A73)',
+    'Magnet,com.crowdcafe.windowmagnet,Apple Mac OS Application Signing',
+    'MonitorControl,me.guillaumeb.MonitorControl,Developer ID Application: Joni Van Roost (CYC8C8R4K9)',
     'osqueryd,io.osquery.agent,Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
     'polyrecorder,polyrecorder,Developer ID Application: Adam Pietrasiak (SXF593CX2N)',
+    'Rocket,net.matthewpalmer.Rocket,Developer ID Application: Matthew Palmer (Z4JV2M65MH)',
     'skhd,skhd,',
-    'LinearMouse,com.lujjjh.LinearMouse,Developer ID Application: Jiahao Lu (C5686NKYJ7)',
+    'Superkey,com.knollsoft.Superkey,Developer ID Application: Ryan Hanson (XSYZ3E4B7D)',
     'synergy-core,synergy-core,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
-    'deskflow-server,deskflow-server,'
+    'TextExpander,com.smileonmymac.textexpander,Developer ID Application: SmileOnMyMac, LLC (7PKJ6G4DXL)'
   )
 GROUP BY
   p0.path

detection/credentials/unexpected-dev-opener-linux.sql

@@ -89,6 +89,7 @@ FROM
 WHERE
   pof.path LIKE '/dev/%'
   AND pof.path NOT IN (
+    '/dev/console',
     '/dev/dri/card0',
     '/dev/dri/card1',
     '/dev/dri/card2',
@@ -250,7 +251,9 @@ WHERE
     '/dev/zfs,zpool'
   )
   AND path_exception NOT LIKE '/dev/shm/%'
+  AND path_exception NOT LIKE '/dev/video%,chrome'
   AND path_exception NOT LIKE '/dev/cpu_dma_latency,python%'
+  AND path_exception NOT LIKE '/dev/bus/usb/%,scdaemon'
   AND NOT (
     pof.path = "/dev/uinput"
     AND p0.name LIKE "solaar%"

detection/evasion/hidden-cwd.sql

@@ -83,6 +83,7 @@ WHERE
         'find',
         'git',
         'gitsign',
+        'mc',
         'nvim',
         'terraform',
         'updatedb',
@@ -100,13 +101,17 @@ WHERE
       'bash,~/.Trash',
       'bash,~/.local/share',
       'bash,~/go/src',
+      'bash,/var/lib/incus',
       'bash,/var/home/linuxbrew',
+      'java,/root/.gradle/daemon',
+      'bash,/var/tmp/.vscode-server',
       'telegram-deskto,~/snap/telegram-desktop',
       'c++,~/.cache/yay',
       'cc1,/home/build/.cache',
       'cc1plus,~/.cache/yay',
       'cgo,~/.gimme/versions',
       'clangd,/private/var/folders',
+      'curl,/var/home/linuxbrew',
       'conmon,/var~/.local/share',
       'dirhelper,/private/var/folders',
       'exe,/var~/.local/share',
@@ -142,6 +147,7 @@ WHERE
       '~/.local/bin',
       '/home/build',
       '/var/home/linuxbrew/.linuxbrew/Cellar',
+      '/var/home/linuxbrew/.linuxbrew/Homebrew',
       '~/.vim',
       '~/dev/extra-packages/.chainguard',
       '~/.provisio',
@@ -156,7 +162,13 @@ WHERE
       '~/.hunter/_Base',
       '~/.zsh'
     )
-    OR top_dir IN ('~/Sync', '~/src', '~/workspace', '~/dev')
+    OR top_dir IN (
+      '~/Sync',
+      '~/src',
+      '~/workspace',
+      '~/dev',
+      '/var~/.local'
+    )
     OR dir LIKE '~/.%'
     OR dir LIKE '%/.build'
     OR dir LIKE '%/.cache/melange%'
@@ -168,6 +180,7 @@ WHERE
     OR dir LIKE '~/%enterprise-packages/.chainguard'
     OR dir LIKE '%/.git'
     OR dir LIKE '%/.git/%'
+    OR dir LIKE '%/.venv/%'
     OR dir LIKE '/run/.ro%'
     OR dir LIKE '%/.github'
     OR dir LIKE '%/.github/%'