Merge pull request #351 from tstromberg/fpr-jan22

Fpr jan22

detection/c2/unexpected-dns-traffic-events.sql

@@ -79,6 +79,7 @@ WHERE
     'ZaloCall,8.8.8.8,53',
     'Telegram,8.8.8.8,53',
     'com.docker.vpnkit,8.8.8.8,53',
+    'WebexHelper,8.8.8.8,53',
     'Meeting Center,8.8.8.8,53',
     'nuclei,1.0.0.1,53',
     'limactl,8.8.8.8,53',

detection/c2/unexpected-https-macos.sql

@@ -107,78 +107,24 @@ WHERE
   )
   AND NOT exception_key IN (
     '0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
-    '0,EdgeUpdater,EdgeUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.EdgeUpdater',
-    '0,Install,Install,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Install',
-    '0,Setup,Setup,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.acc.Setup',
-    '0,com.fortinet.forticlient.macos.vpn.nwextension,com.fortinet.forticlient.macos.vpn.nwextension,Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),com.fortinet.forticlient.macos.vpn.nwextension',
-    '0,com.google.one.NetworkExtension,com.google.one.NetworkExtension,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
-    '0,elastic-agent,elastic-agent,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.elastic-agent',
-    '0,elastic-endpoint,elastic-endpoint,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),co.elastic.endpoint',
-    '0,filebeat,filebeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),filebeat',
-    '0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
-    '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),ir_agent',
-    '0,kandji-daemon,kandji-daemon,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-daemon',
-    '0,kandji-library-manager,kandji-library-manager,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-library-manager',
-    '0,kandji-parameter-agent,kandji-parameter-agent,Developer ID Application: Kandji, Inc. (P3FGV63VK7),kandji-parameter-agent',
-    '0,launcher,launcher,Developer ID Application: Kolide, Inc (X98UFR7HA3),com.kolide.agent',
-    '0,logioptionsplus_installer,logioptionsplus_installer,Developer ID Application: Logitech Inc. (QED4VVPZWA),com.logi.optionsplus.installer',
-    '0,metricbeat,metricbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),metricbeat',
-    '0,multipassd,multipassd,Developer ID Application: Canonical Group Limited (X4QN7LTP59),com.canonical.multipass.multipassd',
-    '0,nessusd,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U),nessusd',
     '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
-    '500,Code Helper (Plugin),Code Helper (Plugin),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
-    '500,Code Helper (Renderer),Code Helper (Renderer),Developer ID Application: Microsoft Corporation (UBF8T346G9),com.github.Electron.helper',
-    '500,Code Helper,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
-    '500,Ecamm Live Stream Deck Plugin,Ecamm Live Stream Deck Plugin,Developer ID Application: Ecamm Network, LLC (5EJH68M642),Ecamm Live Stream Deck Plugin',
-    '500,Electron,Electron,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode',
-    '500,Elgato Capture Device Utility,Elgato Capture Device Utility,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.CaptureDeviceUtility',
     '500,Fleet,~/Library/Caches/JetBrains/Fleet',
-    '500,GitX,GitX,Developer ID Application: Farhan Ahmed (4RZN52RN5P),net.phere.GitX',
-    '500,Google Chrome Helper,Google Chrome Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
-    '500,Install Spotify,Install Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.installer',
     '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
     '500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
     '500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
-    '500,OneDriveStandaloneUpdater,OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.OneDriveStandaloneUpdater',
-    '500,PSI Bridge Secure Browser Helper,PSI Bridge Secure Browser Helper,Developer ID Application: PSI Services LLC (73AT498HPV),com.psiexams.psi-bridge-secure-browser.helper',
     '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
     '500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop',
     '500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
-    '500,ZwiftAppSilicon,ZwiftAppSilicon,Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon',
     '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
-    '500,Reflect Helper,Reflect Helper,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
-    '500,Reflect,Reflect,Developer ID Application: Reflect App, LLC (789ULN5MZB),app.reflect.ReflectDesktop',
-    '500,Signal Helper (Renderer),Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR),org.whispersystems.signal-desktop.helper.Renderer',
-    '500,Slack Helper,Slack Helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
-    '500,Slack,Slack,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap',
-    '500,SteelSeriesEngine,SteelSeriesEngine,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesEngine',
-    '500,SteelSeriesGG,SteelSeriesGG,Developer ID Application: SteelSeries (6WGL6CHFH2),SteelSeriesGG',
-    '500,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
-    '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),TwitchStudioStreamDeck',
     '500,bash,bash,,bash',
-    '500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
-    '0,ir_agent,ir_agent,Developer ID Application: Rapid7 LLC (UL6CGN7MAL),bootstrap',
     '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
-    '500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
-    '500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
-    '500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
-    '0,com.bitdefender.cst.net.dci.dci-network-extension,com.bitdefender.cst.net.dci.dci-network-extension,Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
     '500,melange,melange,,a.out',
-    '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
-    '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),darwin_amd64',
     '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
-    '500,old,old,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN),dev.warp.Warp-Stable',
-    '500,op,op,Developer ID Application: AgileBits Inc. (2BUA8C4S2C),com.1password.op',
-    '500,plugin_host-3.3,plugin_host-3.3,Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4),plugin_host-3',
     '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
     '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
-    '500,steam_osx,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
-    '500,syncthing,syncthing,,syncthing',
-    '500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform',
-    '500,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos'
+    '500,syncthing,syncthing,,syncthing'
   )
-  AND NOT exception_key LIKE '500,tor-%-darwin-brave-%,tor-%-darwin-brave-%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),tor-%-darwin-brave-%'
   AND NOT alt_exception_key IN (
     '0,velociraptor,velociraptor,0u,0g',
     '0,velociraptor,velociraptor,0u,80g',
@@ -219,6 +165,41 @@ WHERE
     '500,vim,vim,0u,500g',
     '500,wolfictl,wolfictl,500u,20g'
   )
+  AND NOT s.authority IN (
+    'Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
+    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
+    'Developer ID Application: AgileBits Inc. (2BUA8C4S2C)',
+    'Developer ID Application: Bitdefender SRL (GUNFMW623Y)',
+    'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4)',
+    'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
+    'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
+    'Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
+    'Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
+    'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
+    'Developer ID Application: Farhan Ahmed (4RZN52RN5P)',
+    'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK)',
+    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    'Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
+    'Developer ID Application: Kandji, Inc. (P3FGV63VK7)',
+    'Developer ID Application: Kolide, Inc (X98UFR7HA3)',
+    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
+    'Developer ID Application: Michael Schreiber (G966ML7VBG)',
+    'Developer ID Application: Microsoft Corporation (UBF8T346G9)',
+    'Developer ID Application: PSI Services LLC (73AT498HPV)',
+    'Developer ID Application: Panic, Inc. (VE8FC488U5)',
+    'Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
+    'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
+    'Developer ID Application: Reflect App, LLC (789ULN5MZB)',
+    'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)',
+    'Developer ID Application: Spotify (2FNC3A47ZF)',
+    'Developer ID Application: SteelSeries (6WGL6CHFH2)',
+    'Developer ID Application: Sublime HQ Pty Ltd (Z6D26JE4Y4)',
+    'Developer ID Application: Tailscale Inc. (W5364U7YZB)',
+    'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
+    'Developer ID Application: Valve Corporation (MXGJJ98X76)',
+    'Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
+    'Developer ID Application: Zwift, Inc (C2GM8Y9VFM)'
+  )
   AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
   AND NOT alt_exception_key LIKE '500,plugin_host-%,plugin_host-%,500u,20g'
   AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'

detection/c2/unexpected-talker-events.sql

@@ -119,6 +119,7 @@ WHERE
     '500,0,32768,com.apple.NRD.UpdateBrainService',
     '500,0,32768,elastic-endpoint',
     '500,0,32768,firefox',
+    '500,0,53,firefox',
     '500,0,32768,io.tailscale.ipn.macsys.network-extension',
     '500,0,32768,ksfetch',
     '500,0,32768,networkQuality',
@@ -233,19 +234,37 @@ WHERE
     '500,500,443,grype',
     '500,500,443,istioctl',
     '500,500,443,ksfetch',
+    '500,0,80,slack',
     '500,500,443,kubectl',
     '500,500,443,minikube',
     '500,500,443,node',
+    '500,500,443,wolfibump',
     '500,500,443,old',
+    '500,500,443,sublime_text',
+    '500,500,32768,DropboxMacUpdate',
+    '500,500,53,Google Chrome Helper',
     '500,500,443,syft',
     '500,500,443,webexmtaV2',
+    '500,500,20480,Google Chrome Helper',
+    '500,99,32768,Slack Helper',
+    '500,99,13568,Slack Helper',
     '500,500,443,wolfictl',
     '500,500,53,Code Helper',
+    '500,0,80,ir_agent',
+    '500,500,3307,cloud_sql_proxy',
+    '500,0,443,com.adguard.mac.adguard.network-extension',
+    '500,0,32768,com.adguard.mac.adguard.network-extension',
     '500,500,53,Meeting Center',
     '500,500,53,gitsign',
+    '500,0,443,BDCoreIssues',
+    '500,0,32768,Authy',
+    '500,0,443,BDLDaemon',
+    '500,0,443,Python',
+    '500,0,443,filebeat',
     '500,500,80,Code Helper (Plugin)',
     '500,500,80,Code Helper',
     '500,500,80,Google Chrome Helper',
+    '500,0,443,rapid7_endpoint_broker',
     '500,500,80,GoogleUpdater',
     '500,500,80,cloud_sql_proxy',
     '500,500,80,copilot-agent-macos-arm64',
@@ -256,14 +275,18 @@ WHERE
     '500,99,443,Slack'
   )
   AND NOT exception_key LIKE '500,500,443,terraform%'
+  AND NOT exception_key LIKE '500,500,80,terraform%'
   AND NOT exception_key LIKE '500,0,%,syncthing'
   AND NOT exception_key LIKE '500,0,%,chrome'
+  AND NOT exception_key LIKE '500,500,443,___%_%'
   AND NOT exception_key LIKE '500,500,%,chrome'
+  AND NOT exception_key LIKE '500,500,%,Google Chrome Helper'
   AND NOT exception_key LIKE '500,500,443,kubectl.%'
 
   AND NOT p0_path LIKE '/Users/%/code/%'
   AND NOT p0_path LIKE '/Users/%/go/%'
   AND NOT p0_path LIKE '/Users/%/src/%'
+  AND NOT p0_path LIKE '/Users/%/Library/Caches/JetBrains/GoLand%'
   AND NOT p0_path LIKE '/Users/%/dev/%'
   AND NOT p0_path LIKE '/System/%'
   AND NOT p0_path LIKE '/private/var/folders/%/T/AppTranslocation/%/%.app/Contents/MacOS/%'

detection/c2/unexpected-talkers-macos.sql

@@ -131,6 +131,7 @@ WHERE
     '500,6,22,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
     '500,6,8080,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
     '500,6,22,Transmit,Transmit,Developer ID Application: Panic, Inc. (VE8FC488U5),com.panic.Transmit',
+    '500,6,4317,flyctl,flyctl,,a.out',
     '500,6,2869,Spotify,Spotify,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
     '500,6,32000,Spotify Helper,Spotify Helper,Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
     '500,6,32400,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
@@ -241,6 +242,8 @@ WHERE
       'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
+      'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
+      'Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.cst.net.dci.dci-network-extension',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',

detection/collection/high-disk-bytes-written.sql

@@ -198,4 +198,5 @@ WHERE
   AND p0.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
   AND p0.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'
   AND NOT p0.cmdline LIKE '%/lib/gcloud.py components update'
+  AND NOT p0.cmdline LIKE '%/gsutil %rsync%'
   AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'

detection/credentials/unexpected-dev-opener-macos.sql

@@ -83,7 +83,9 @@ WHERE
     '/dev/auditsessions,authd,Software Signing,com.apple.authd',
     '/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
     '/dev/autofs,automountd,Software Signing,com.apple.automountd',
+    '/dev/bpf,BDLDaemon,Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.epsecurity.BDLDaemonApp',
     '/dev/bpf,airportd,Software Signing,com.apple.airport.airportd',
+    '/dev/bpf,core,Developer ID Application: TPZ Solucoes Digitais Ltda (X37R283V2T),com.topaz.warsaw.core',
     '/dev/console,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
     '/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd',
     '/dev/console,launchd,Software Signing,com.apple.xpc.launchd',
@@ -114,7 +116,7 @@ WHERE
     '/dev/macfuse,gcsfuse,,a.out',
     '/dev/macfuse,rclone,,a.out',
     '/dev/oslog,logd,Software Signing,com.apple.logd',
-    '/dev/bpf,BDLDaemon,Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.epsecurity.BDLDaemonApp',
+    '/dev/shm,python3',
     '/dev/tty.usbmodem21430,Bazecor Helper (Renderer),,',
     '/dev/xcpm,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
     '/dev/xcpm,systemstats,Software Signing,com.apple.systemstats',

detection/evasion/hidden-cwd.sql

@@ -104,8 +104,10 @@ WHERE
       'dirhelper,/private/var/folders',
       'Electron,~/.vscode/extensions',
       'fish,~/.local/share',
+      'clangd,/private/var/folders',
       'rustc,/home/build/.cargo',
       'fish,~/.Trash',
+      'arduino-language-server,/private/var/folders',
       'Arduino IDE Helper,/private/var/folders',
       'git,~/.local/share',
       'fileproviderd,~/Library/Mobile Documents',

detection/evasion/hidden-executable.sql

@@ -65,7 +65,9 @@ WHERE
   AND NOT f.directory LIKE '%/.tflint.d/%'
   AND NOT f.directory LIKE '%/.vs-kubernetes/%'
   AND NOT f.directory LIKE '%/.vscode/extensions/%'
+  AND NOT f.directory LIKE '/Users/%/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
   AND NOT f.directory LIKE '%/.vscode-insiders/extensions/%'
+  AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
   AND NOT f.path LIKE '/home/%/.config/bluejeans-v2/BluejeansHelper'
   AND NOT f.path LIKE '/nix/store/%/%-wrapped'
   AND NOT (

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -51,6 +51,7 @@ WHERE
     ',,/Applications/Google%20Chrome.app/,',
     ',,/Applications/IntelliJ%20IDEA.app/,',
     ',,/Applications/ProtonMail%20Bridge.app/,',
+    ',,/usr/local/sbin/iodined,501',
     ',,/Applications/Visual%20Studio%20Code.app/,',
     ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
     ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',

detection/evasion/unexpected-tmp-executables-macos.sql

@@ -67,6 +67,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
           OR file.path LIKE '/tmp/GoLand/___Test%.test'
           OR file.path LIKE '%/git/%'
           OR file.path LIKE '%/github/%'
+          OR file.path LIKE '%/elastic-agent-%'
           OR file.path LIKE '%/go.%.sum'
           OR file.path LIKE "%/%/gradlew"
           OR file.path LIKE '%/guile-%/guile-%'

detection/evasion/unexpected-user-executables-macos.sql

@@ -163,26 +163,27 @@ WHERE
     '~/.zsh_snap/zsh-snap'
   )
   AND NOT top2_homedir IN (
+    '/Users/Shared/LGHUB/cache',
+    '/Users/Shared/LogiOptionsPlus/cache',
+    '/Users/Shared/Red Giant/Uninstall',
+    '~/.antigen',
+    '~/.fzf/test',
     '~/.iterm2',
+    '~/.magefile',
+    '~/.nvm',
+    '~/.revox/updates',
+    '~/.terraform.d',
+    '~/.terraform.versions',
     '~/Library/Application Support',
     '~/Library/Caches',
-    '~/Library/helm',
-    '~/Library/pnpm',
     '~/Library/Printers',
     '~/Library/Python',
     '~/Library/QuickLook',
     '~/Library/Screen Savers',
     '~/Library/Services',
     '~/Library/Thunderbird',
-    '~/.fzf/test',
-    '~/.revox/updates',
-    '~/.magefile',
-    '~/.nvm',
-    '~/.terraform.d',
-    '~/.terraform.versions',
-    '/Users/Shared/LGHUB/cache',
-    '/Users/Shared/LogiOptionsPlus/cache',
-    '/Users/Shared/Red Giant/Uninstall'
+    '~/Library/helm',
+    '~/Library/pnpm'
   )
   AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
   AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'

detection/evasion/unusual-executable-name-macos.sql

@@ -101,6 +101,7 @@ WHERE
   )
   AND NOT pname LIKE '.%-wrapped'
   AND NOT pname LIKE 'cody-engine-%'
+  AND NOT pname LIKE '__%go_build_%'
   -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
   AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
   AND NOT s.authority = "Software Signing"

detection/execution/exotic-command-events-macos.sql

@@ -198,6 +198,7 @@ WHERE
   AND NOT p0_cmd LIKE 'rm -f /tmp/locate%/mklocate%/_mklocatedb%'
   AND NOT p0_cmd LIKE 'rm -f /tmp/insttmp_%'
   AND NOT p0_cmd LIKE '%nc localhost%'
+  AND NOT p0_cmd LIKE '%nc -vz localhost%'
   AND NOT p0_cmd LIKE '/bin/cp %history%sessions/%'
   AND NOT p0_cmd LIKE '%ssh %/lima/%'
   AND NOT p0_cmd LIKE 'touch -r /tmp/KSInstallAction.%'
@@ -206,6 +207,7 @@ WHERE
   AND NOT p0_name IN ('cc1', 'compile', 'yara')
   AND NOT exception_key IN (
     'dd,500,zsh,login',
+    'bash,500,idea,launchd',
     'yara,500,bash,fish',
     'ssh,500,limactl.ventura,launchd',
     'git,500,zsh,login',