fpr: eksctl, Chrome Extensions, Vanta, sway, etc

detection/c2/unexpected-dns-traffic.sql

@@ -101,6 +101,8 @@ WHERE
     '/usr/sbin/mDNSResponder'
   )
   AND p.path NOT LIKE '%/podman/gvproxy'
+  AND p.path NOT LIKE '%/eksctl'
+  AND p.path NOT LIKE '/opt/homebrew/Cellar/lima/%/bin/limactl'
   AND p.path NOT LIKE '%/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper'
   AND p.path NOT LIKE '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/%/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper'
   -- Workaround for the GROUP_CONCAT subselect adding a blank ent

detection/c2/unexpected-talkers-linux.sql

@@ -91,12 +91,15 @@ WHERE
     '123,17,500,chronyd,0u,0g,chronyd',
     '19305,6,500,msedge,0u,0g,msedge',
     '21,6,0,rpm-ostree,0u,0g,rpm-ostree',
+    '25565,6,500,java,500u,500g,java',
     '27018,6,500,pasta.avx2,0u,0g,pasta.avx2',
     '32768,6,500,mumble,0u,0g,mumble',
     '32768,6,500,slirp4netns,0u,0g,slirp4netns',
+    '32768,6,0,tailscaled,0u,0g,tailscaled',
     '4070,6,500,spotify,0u,0g,spotify',
     '4070,6,500,spotify,u,g,spotify',
     '4433,6,500,openssl,0u,0g,openssl',
+    '4460,6,106,chronyd,0u,0g,chronyd',
     '4460,6,125,chronyd,0u,0g,chronyd',
     '49152,6,500,ContinuityCaptureAgent,Software Signing',
     '5222,6,500,msedge,0u,0g,msedge',
@@ -109,21 +112,22 @@ WHERE
     '80,6,0,kmod,0u,0g,depmod',
     '80,6,0,kubelet,u,g,kubelet',
     '80,6,0,ldconfig,0u,0g,ldconfig',
+    '80,6,0,melange,500u,500g,melange',
     '80,6,0,NetworkManager,0u,0g,NetworkManager',
     '80,6,0,packagekit-dnf-refresh-repo,0u,0g,packagekit-dnf-',
     '80,6,0,packagekitd,0u,0g,packagekitd',
     '80,6,0,pacman,0u,0g,pacman',
     '80,6,0,pdftex,0u,0g,pdftex',
     '80,6,0,python2.7,500u,500g,yum',
-    '80,6,0,python3.10,0u,0g,dnf-automatic',
     '80,6,0,python3.10,0u,0g,dnf',
+    '80,6,0,python3.10,0u,0g,dnf-automatic',
     '80,6,0,python3.10,0u,0g,yum',
-    '80,6,0,python3.11,0u,0g,dnf-automatic',
     '80,6,0,python3.11,0u,0g,dnf',
+    '80,6,0,python3.11,0u,0g,dnf-automatic',
     '80,6,0,python3.11,0u,0g,yum',
     '80,6,0,python3.12,0u,0g,apport-gtk',
-    '80,6,0,python3.12,0u,0g,dnf-automatic',
     '80,6,0,python3.12,0u,0g,dnf',
+    '80,6,0,python3.12,0u,0g,dnf-automatic',
     '80,6,0,python3.12,0u,0g,yum',
     '80,6,0,python3.12,500u,500g,dnf-automatic',
     '80,6,0,python3.9,u,g,yum',
@@ -142,18 +146,18 @@ WHERE
     '80,6,500,chrome,0u,0g,chrome',
     '80,6,500,chrome,u,g,chrome',
     '80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
-    '80,6,500,code-oss,u,g,code-oss',
     '80,6,500,code,0u,0g,code',
+    '80,6,500,code-oss,u,g,code-oss',
     '80,6,500,copilot-agent-linux,500u,500g,copilot-agent-l',
     '80,6,500,curl,0u,0g,curl',
     '80,6,500,dotnet,u,g,dotnet',
     '80,6,500,dropbox,500u,500g,dropbox',
     '80,6,500,electron,0u,0g,electron',
+    '80,6,500,firefox,0u,0g,.firefox-wrappe',
+    '80,6,500,firefox,0u,0g,firefox',
     '80,6,500,firefox-bin,0u,0g,firefox-bin',
     '80,6,500,firefox-bin,500u,500g,firefox-bin',
     '80,6,500,firefox-bin,u,g,firefox-bin',
-    '80,6,500,firefox,0u,0g,.firefox-wrappe',
-    '80,6,500,firefox,0u,0g,firefox',
     '80,6,500,flatpak,0u,0g,flatpak',
     '80,6,500,git-remote-http,0u,0g,git-remote-http',
     '80,6,500,gnome-software,0u,0g,gnome-software',
@@ -162,11 +166,14 @@ WHERE
     '80,6,500,java,0u,0g,java',
     '80,6,500,java,u,g,java',
     '80,6,500,main,500u,500g,main',
+    '80,6,500,mateweather-applet,0u,0g,mateweather-app',
     '80,6,500,mconvert,500u,500g,mconvert',
     '80,6,500,mediawriter,u,g,mediawriter',
     '80,6,500,melange,500u,500g,melange',
+    '80,6,500,minecraft-launcher,500u,500g,minecraft-launc',
     '80,6,500,msedge,0u,0g,msedge',
     '80,6,500,obs-browser-page,u,g,obs-browser-pag',
+    '80,6,500,ocsp.test,u,g,ocsp.test',
     '80,6,500,pacman,0u,0g,pacman',
     '80,6,500,python3.10,0u,0g,aws',
     '80,6,500,python3.10,0u,0g,yum',
@@ -181,20 +188,20 @@ WHERE
     '80,6,500,signal-desktop,u,g,signal-desktop',
     '80,6,500,slack,0u,0g,slack',
     '80,6,500,slirp4netns,500u,500g,slirp4netns',
-    '80,6,500,spotify-launcher,0u,0g,spotify-launche',
     '80,6,500,spotify,0u,0g,spotify',
     '80,6,500,spotify,500u,500g,spotify',
     '80,6,500,spotify,u,g,spotify',
+    '80,6,500,spotify-launcher,0u,0g,spotify-launche',
     '80,6,500,steam,500u,100g,steam',
     '80,6,500,steam,500u,500g,steam',
     '80,6,500,steamwebhelper,500u,500g,steamwebhelper',
     '80,6,500,telegram-desktop,u,g,telegram-deskto',
     '80,6,500,terraform,0u,0g,terraform',
     '80,6,500,terraform,500u,500g,terraform',
-    '80,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
-    '80,6,500,thunderbird-bin,u,g,thunderbird-bin',
     '80,6,500,thunderbird,0u,0g,thunderbird',
     '80,6,500,thunderbird,u,g,thunderbird',
+    '80,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
+    '80,6,500,thunderbird-bin,u,g,thunderbird-bin',
     '80,6,500,updater,500u,500g,updater',
     '80,6,500,vlc,0u,0g,vlc',
     '80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
@@ -214,9 +221,7 @@ WHERE
     '8080,6,500,goland,500u,500g,goland',
     '8080,6,500,idea,0u,0g,idea',
     '8080,6,500,java,u,g,java',
-    '80,6,500,minecraft-launcher,500u,500g,minecraft-launc',
     '8080,6,500,msedge,0u,0g,msedge',
-    '80,6,500,ocsp.test,u,g,ocsp.test',
     '8080,6,500,pycharm,500u,500g,pycharm',
     '8080,6,500,python3.11,0u,0g,speedtest-cli',
     '8080,6,500,python3.12,u,g,hass',
@@ -234,9 +239,9 @@ WHERE
     '9418,6,0,git,0u,0g,git',
     '9418,6,500,git,0u,0g,git',
     '993,6,500,evolution,0u,0g,evolution',
-    '993,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
     '993,6,500,thunderbird,0u,0g,thunderbird',
     '993,6,500,thunderbird,u,g,thunderbird',
+    '993,6,500,thunderbird-bin,0u,0g,thunderbird-bin',
     '9999,6,500,firefox,0u,0g,firefox'
   )
   AND NOT exception_key LIKE '%,6,500,nuclei,500u,500g,nuclei'
@@ -324,8 +329,6 @@ WHERE
       OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
     )
   )
-  AND NOT parent_cmd IN (
-    '/opt/microsoft/msedge/msedge'
-  )
+  AND NOT parent_cmd IN ('/opt/microsoft/msedge/msedge')
 GROUP BY
   p.cmdline

detection/c2/unexpected-talkers-macos.sql

@@ -86,9 +86,11 @@ WHERE
       AND remote_address NOT LIKE 'fdfd:%'
       AND state != 'LISTEN'
   ) -- Ignore most common application paths
+  AND protocol > 0
   AND p0.path NOT LIKE '/Applications/%.app/Contents/%/MacOS/%'
   AND p0.path NOT LIKE '/Applications/%.app/Contents/MacOS/%'
   AND p0.path NOT LIKE '/Applications/%.app/Contents/Resources/%'
+  AND p0.path NOT LIKE '/Users/%/Applications/%.app/Contents/MacOS/%'
   AND p0.path NOT LIKE '/Library/Apple/%'
   AND p0.path NOT LIKE '/Library/Application Support/%/Contents/%'
   AND p0.path NOT LIKE '/opt/%/bin/%'
@@ -130,6 +132,7 @@ WHERE
   AND NOT unsigned_exception IN (
     '500,0,0,,',
     '500,0,0,.Telegram-wrapped,.Telegram-wrapped',
+    '500,6,80,.Telegram-wrapped,.Telegram-wrapped',
     '500,0,0,chainlink,chainlink',
     '500,0,0,git,git',
     '500,0,0,gvproxy,gvproxy',

detection/credentials/unexpected-dev-opener-linux.sql

@@ -156,6 +156,7 @@ WHERE
     '/dev/shm,Melvor Idle',
     '/dev/shm,msedge',
     '/dev/shm,osqueryd',
+    '/dev/input,sway',
     '/dev/shm,reaper',
     '/dev/shm,slack',
     '/dev/shm,spotify',

detection/credentials/unexpected-dev-opener-macos.sql

@@ -137,5 +137,6 @@ WHERE
   )
   -- Keyboard flashing
   AND NOT exception_key LIKE '/dev/cu.usbmodem%,Google Chrome,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome'
+  AND NOT exception_key LIKE '/dev/tty.usbserial-%,java,,net.java.openjdk.java'
 GROUP BY
   pof.pid

detection/evasion/empty_root_environ_linux.sql

@@ -54,6 +54,7 @@ WHERE
     'launcher',
     'modprobe',
     'nginx',
+    'osqueryd',
     'osqueryi',
     'packagekit-dnf-',
     'realmd',

detection/evasion/missing-from-disk-linux.sql

@@ -33,6 +33,7 @@ FROM
 WHERE
   p.on_disk != 1
   AND p.path != ''
+  AND p.start_time < (strftime('%s', 'now') - 3600)
   -- use osquery as the reference mount namespace
   AND mnt_namespace IN (
     SELECT DISTINCT

detection/evasion/parent-missing-from-disk-linux.sql

@@ -100,6 +100,7 @@ WHERE
   AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/[email protected]/app.slice/app-steam@%'
   AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/[email protected]/user.slice/libpod-%'
   AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/[email protected]/user.slice/nerdctl-%'
+  AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/[email protected]/user.slice/docker-%'
   AND p1.path NOT LIKE '/opt/homebrew/Cellar/%'
   AND p1.path NOT LIKE '/tmp/.mount_%/%'
   AND p1.path NOT LIKE '%google-cloud-sdk/.install/.backup%'

detection/evasion/unexpected-hidden-system-paths.sql

@@ -41,6 +41,7 @@ WHERE
     OR file.path LIKE '/sbin/.%'
     OR file.path LIKE '/sbin/%/.%'
     OR file.path LIKE '/tmp/.%'
+    OR file.path LIKE '/tmp/.gradle%'
     OR file.path LIKE '/usr/bin/.%'
     OR file.path LIKE '/usr/lib/.%'
     OR file.path LIKE '/usr/lib/%/.%'
@@ -114,8 +115,8 @@ WHERE
     '/tmp/.melange.yaml',
     '/tmp/.metrics-agent/',
     '/tmp/.PKGINFO',
-    '/tmp/.s.PGSQL.5432.lock',
     '/tmp/.s.PGSQL.5432',
+    '/tmp/.s.PGSQL.5432.lock',
     '/tmp/.searcher.tmp/',
     '/tmp/.ses',
     '/tmp/.settings-agent/',
@@ -141,6 +142,7 @@ WHERE
     '/tmp/.X2-lock',
     '/tmp/.XIM-unix/',
     '/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
+    '/usr/lib/nvidia-visual-profiler/.eclipseproduct',
     '/usr/local/bin/.swtpm',
     '/usr/local/libexec/.ksysguard/',
     '/var/.ntw_cache',
@@ -208,8 +210,8 @@ WHERE
     '/var/setup/.fseventsd/',
     '/var/setup/.TemporaryItems',
     '/var/setup/.TemporaryItems/',
-    '/var/tmp/.ses.bak',
-    '/var/tmp/.ses'
+    '/var/tmp/.ses',
+    '/var/tmp/.ses.bak'
   )
   AND file.directory NOT IN (
     '/etc/etckeeper/commit.d',

detection/evasion/unexpected-tmp-executables-linux.sql

@@ -43,16 +43,14 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
         AND (
           file.path LIKE '%/go-build%'
           OR file.directory LIKE '/tmp/%/out'
-          OR file.path IN (
-            '/tmp/mission',
-            '/tmp/mkinitramfs'
-          )
+          OR file.path IN ('/tmp/mission', '/tmp/mkinitramfs')
           OR file.path LIKE '/tmp/GoLand/___go_build_%_go'
           OR file.path LIKE '/tmp/ko%/out'
           OR file.path LIKE '/tmp/lima/%/out/%'
           OR file.path LIKE '/tmp/wolfi%'
           OR file.path LIKE '%-release%/%'
           OR file.path LIKE '%/bin/%'
+          OR file.path LIKE '/tmp/%.sh'
           OR file.path LIKE '%/checkout/%'
           OR file.path LIKE '%/ci/%'
           OR file.path LIKE '%/configure'

detection/evasion/unexpected-var-executables-linux.sql

@@ -50,6 +50,7 @@ WHERE
     '/var/lib/colord',
     '/var/ossec/agentless',
     '/var/ossec/bin',
+    '/var/vanta',
     '/var/ossec/wodles',
     '/var/run/booted-system',
     '/var/run/current-system'

detection/evasion/unexpected-var-run-linux.sql

@@ -58,6 +58,7 @@ WHERE
     'lxcfs.pid',
     'machine-id',
     'mcelog.pid',
+    'metalauncher.pid',
     'motd.dynamic',
     'motd',
     'multipathd.pid',

detection/evasion/unusual-process-name-linux.sql

@@ -99,7 +99,9 @@ WHERE
   AND basename NOT IN (
     "acpid",
     "busybox",
+    "nm-openvpn-auth",
     "com.docker.backend",
+    "nm-openvpn-service",
     "com.docker.build",
     "com.docker.extensions",
     "cpulimit",

detection/execution/sketchy-fetcher.sql

@@ -55,6 +55,7 @@ WHERE
   AND p0.cmdline LIKE '%/%'
   AND (
     ip NOT IN ('', '127.0.0.1', '::1')
+    AND ip NOT LIKE '172.17.%'
     OR port != ''
     OR tld NOT IN (
       '',

detection/execution/unexpected-execdir-linux.sql

@@ -76,13 +76,16 @@ WHERE
       AND INSTR(path, "/var/lib/snapd/") != 1
       AND INSTR(path, "/var/opt/") != 1
       AND INSTR(path, "/var/usrlocal/bin/") != 1
+      AND INSTR(path, "/var/cache/melange") != 1
+      AND INSTR(path, "/var/vanta/") != 1
       AND path NOT LIKE "%/.terraform%"
       AND path != '/bpfilter_umh'
       AND NOT path LIKE '/tmp/%/osqtool'
       AND NOT path LIKE '/tmp/GoLand/___go_build_%_go'
       AND NOT cgroup_path LIKE '/system.slice/docker-%' -- Interactive terminal
       AND NOT cgroup_path LIKE '/user.slice/user-1000.slice/[email protected]/user.slice/libpod-%'
       AND NOT cgroup_path LIKE '/user.slice/user-1000.slice/[email protected]/user.slice/nerdctl-%'
+      AND NOT cgroup_path LIKE '/kubepods.slice/%'
       AND NOT (
         cgroup_path LIKE '/user.slice/user-1000.slice/[email protected]/app.slice/app-gnome-Alacritty-%.scope'
         AND path LIKE '/tmp/%'

detection/execution/unexpected-execdir-macos.sql

@@ -121,6 +121,7 @@ WHERE
     '~/.tflint.d/',
     '~/.terraform.d/',
     '~/.Trash/',
+    '~/chainguard-dev/',
     '~/.vs-kubernetes/',
     '~/.vscode/',
     '~/Applications (Parallels)/',
@@ -224,8 +225,14 @@ WHERE
   AND NOT (
     s.identifier = "a.out"
     AND homedir LIKE '~/%'
-    AND p1.name LIKE '%sh'
-    AND p2.name = 'login'
+    AND (
+      p1.name LIKE '%sh'
+      OR p1.name = 'make'
+    )
+    AND (
+      p2.name = 'login'
+      OR p2.name LIKE '%sh'
+    )
     AND p0.path NOT LIKE '%/Cache%'
     AND p0.path NOT LIKE '%/Library/%'
     AND p0.path NOT LIKE '%/.%'

detection/execution/unexpected-executable-permissions.sql

@@ -72,7 +72,10 @@ WHERE
     AND f.uid > 500
   )
   AND NOT (
-    f.path = '/Applications/EA app.app/Contents/Applications/EABackgroundService.app/Contents/MacOS/EABackgroundService'
+    f.path IN (
+      '/Applications/EA app.app/Contents/Applications/EABackgroundService.app/Contents/MacOS/EABackgroundService',
+      '/Applications/EA app.app/Contents/Applications/EABackgroundAgent.app/Contents/MacOS/EABackgroundAgent'
+    )
     AND f.mode = '0777'
     AND f.uid = 0
   )

detection/execution/unexpected-long-running-security-framework-macos.sql

@@ -86,6 +86,7 @@ WHERE -- Focus on longer-running programs
   AND NOT s.authority IN (
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
+    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
     'Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)',
     'Developer ID Application: Valve Corporation (MXGJJ98X76)'
   )