Merge pull request #343 from tstromberg/fpr-jan9

fpr: syncthing, sourcegraph, phantombuster, iterm, cody, stickers
chainguard-dev · Jan 9, 2024 · 1462745 · 1462745
2 parents 16dd48b + 27a0d55
commit 1462745
Show file tree

Hide file tree

Showing 20 changed files with 72 additions and 39 deletions.
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
@@ -80,6 +80,7 @@ WHERE
     'Telegram,8.8.8.8,53',
     'com.docker.vpnkit,8.8.8.8,53',
     'Meeting Center,8.8.8.8,53',
+    'nuclei,1.0.0.1,53',
     'limactl,8.8.8.8,53',
     'signal-desktop,8.8.8.8,53',
     'slack,8.8.8.8,53',

diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
@@ -63,6 +63,8 @@ WHERE
     '0,elastic-endpoint,0u,0g,elastic-endpoin',
     '0,bash,0u,0g,bash',
     '0,filebeat,0u,0g,filebeat',
+    '500,gobuster,500u,500g,gobuster',
+    '500,nuclei,500u,500g,nuclei',
     '0,bash,0u,0g,mkinitcpio',
     '0,bash,0u,0g,sh',
     '0,chainctl,0u,0g,chainctl',

diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
@@ -182,6 +182,7 @@ WHERE
     '500,nodegizmo,nodegizmo,500u,20g',
     '500,apko,apko,0u,0g',
     '500,apko,apko,500u,20g',
+    '500,wolfibump,wolfibump,500u,20g',
     '500,wolfictl,wolfictl,0u,0g',
     '500,istioctl,istioctl,500u,20g',
     '500,aws,aws,0u,0g',

diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
@@ -194,7 +194,9 @@ WHERE
     '500,500,32768,Electron',
     '500,500,32768,GoogleUpdater',
     '500,500,32768,java',
+    '500,99,443,Slack Helper',
     '500,500,32768,ksfetch',
+    '500,0,32768,elastic-endpoint',
     '500,500,32768,melange',
     '500,500,32768,node',
     '500,500,4318,Code Helper (Plugin)',
@@ -249,6 +251,7 @@ WHERE
   AND NOT p0_path LIKE '/Users/%/go/%'
   AND NOT p0_path LIKE '/Users/%/src/%'
   AND NOT p0_path LIKE '/Users/%/dev/%'
+  AND NOT p0_path LIKE '/System/%'
   AND NOT p0_path LIKE '/private/var/folders/%/T/AppTranslocation/%/%.app/Contents/MacOS/%'
   AND NOT (
     basename = "Python"

diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
@@ -233,6 +233,7 @@ WHERE
     '9999,6,500,firefox,0u,0g,firefox'
   )
   AND NOT exception_key LIKE '80,6,500,terraform_1.1.5,500u,500g,terraform'
+  AND NOT exception_key LIKE '%,6,500,nuclei,500u,500g,nuclei'
   AND NOT (
     p.name = 'java'
     AND p.cmdline LIKE '/home/%/.local/share/JetBrains/Toolbox/%'

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
@@ -208,9 +208,13 @@ WHERE
     AND remote_port > 20
     AND remote_port < 32000
   )
+  AND NOT (
+    exception_key LIKE '500,6,%,syncthing,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783),syncthing'
+    AND remote_port > 24
+  )
   AND NOT (
     exception_key LIKE '500,6,%,syncthing,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783),syncthing'
-    AND remote_port > 79
+    AND remote_port > 24
   )
   AND NOT (
     alt_exception_key = '500,6,80,main,main,500u,20g'

diff --git a/detection/evasion/executables-from-the-future.sql b/detection/evasion/executables-from-the-future.sql
@@ -22,6 +22,10 @@ SELECT
   f.mtime > (strftime('%s', 'now') + 43200) AS mtime_newer,
   f.ctime > (strftime('%s', 'now') + 43200) AS ctime_newer,
   f.btime > (strftime('%s', 'now') + 43200) AS btime_newer,
+  f.mtime - strftime('%s', 'now') AS mtime_diff,
+  f.ctime - strftime('%s', 'now') AS ctime_diff,
+  f.btime - strftime('%s', 'now') AS btime_diff,
+  strftime('%s', 'now') AS current_time,
   hash.sha256 AS child_hash256,
   pp.path AS parent_path,
   pp.cmdline AS parent_cmd,

diff --git a/detection/evasion/hidden-cwd-events-linux.sql b/detection/evasion/hidden-cwd-events-linux.sql
@@ -68,6 +68,7 @@ WHERE
       '.kotlin',
       '.npm',
       '.git',
+      '.linuxbrew',
       '.gimme',
       '.vscode',
       '.vim',

diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
@@ -75,16 +75,17 @@ WHERE
     WHERE
       cwd LIKE '%/.%'
       AND NOT name IN (
+        'apfsd',
         'bindfs',
-        'vim',
+        'code',
+        'Code Helper',
         'find',
+        'git',
+        'gitsign',
         'nvim',
         'terraform',
-        'code',
         'updatedb',
-        'git',
-        'gitsign',
-        'Code Helper'
+        'vim'
       )
       AND NOT cgroup_path LIKE '/system.slice/docker-%'
       AND NOT cgroup_path LIKE '/system.slice/system.slice:docker:%'
@@ -105,6 +106,7 @@ WHERE
       'fish,~/.local/share',
       'rustc,/home/build/.cargo',
       'fish,~/.Trash',
+      'Arduino IDE Helper,/private/var/folders',
       'git,~/.local/share',
       'fileproviderd,~/Library/Mobile Documents',
       'java,/home/build/.gradle',

diff --git a/detection/evasion/hidden-home-library-dir.sql b/detection/evasion/hidden-home-library-dir.sql
@@ -43,6 +43,7 @@ WHERE
     '~/Library/Finance/.finance_cloud_SUPPORT/_EXTERNAL_DATA',
     '~/Library/Finance/.finance_dropbox_SUPPORT/_EXTERNAL_DATA',
     '~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/Stickers/.stickers_SUPPORT/_EXTERNAL_DATA',
     '~/Library/GroupContainersAlias/.SiriTodayViewExtension',
     '~/Library/GroupContainersAlias/.SiriTodayViewExtension/Library',
     '~/Library/Group Containers/.SiriTodayViewExtension',
@@ -55,3 +56,4 @@ WHERE
   )
   AND NOT homedir LIKE '~/Library/.icedove/%'
   AND NOT homedir LIKE '~/Library/Mobile Documents/.Trash%'
+  AND NOT homedir LIKE '~/Library/%/.%_SUPPORT/_EXTERNAL_DATA'
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
@@ -62,6 +62,7 @@ WHERE
     ',,/Applications/ProtonMail%20Bridge.app/,',
     ',,/Applications/Visual%20Studio%20Code.app/,',
     ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
+    'Developer ID Application: Any.DO inc. (FW4RAPJ9FF),com.anydo.mac,/Applications/Anydo.app/,501',
     'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501',
     'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
     'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
@@ -77,6 +78,7 @@ WHERE
     'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
     'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
     'Developer ID Application: Postdot Technologies, Inc (H7H8Q7M5CK),com.postmanlabs.mac,/Applications/Postman.app/,501',
+    'Developer ID Application: Raycast Technologies Inc (SY64MV22J9),com.raycast.macos,/Applications/Raycast.app/,501',
     'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
     'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
     'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
@@ -88,6 +90,7 @@ WHERE
     ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
     ',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
     ',org.python.python,/opt/homebrew/Cellar/python@3.11/3.11.2_1/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501',
+    ',org.python.python,/opt/homebrew/Cellar/python@3.12/3.12.1/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/,501',
     'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
     'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
     'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
@@ -96,8 +99,7 @@ WHERE
     'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
     'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
     'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
-    '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
-    ',,/usr/local/sbin/iodined,501'
+    '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/'
   )
   AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'
   AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python@%/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501'

diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
@@ -107,4 +107,6 @@ WHERE
   )
   -- example: 85C27NK92C.com.flexibits.fantastical2.mac.helper
   AND NOT pname LIKE "%.com.flexibits.fantastical2.mac.helper"
+  AND NOT pname LIKE 'cody-engine-%'
+  AND NOT pname LIKE '%-macos-arm64'
   AND NOT s.authority IN ("Software Signing","Apple Mac OS Application Signing")
diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
@@ -313,6 +313,7 @@ WHERE
     'Apple Mac OS Application Signing',
     'Developer ID Application: Azul Systems, Inc. (TDTHCUPYFR)',
     'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
+    'Developer ID Application: Rogue Amoeba Software, LLC (7266XEXAPM)',
     'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
     'Developer ID Application: Canonical Group Limited (X4QN7LTP59)',
     'Developer ID Application: Cisco (DE8Y96K9QP)',

diff --git a/detection/execution/unexpected-sysutils-macos.sql b/detection/execution/unexpected-sysutils-macos.sql
@@ -112,6 +112,7 @@ WHERE
     'system_profiler,500,bash,launchd',
     'system_profiler,500,Ultimate,launchd',
     'system_profiler,500,steam_osx,launchd',
+    'ioreg,500,bash,Alfred Preferences',
     'system_profiler,500,bash,logioptionsplus_agent',
     'system_profiler,0,launcher,launchd'
   )

diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
@@ -163,6 +163,8 @@ WHERE
     '/usr/sbin/spindump',
     '/usr/sbin/systemstats'
   )
+  AND NOT p0.path LIKE '/Library/SystemExtensions/%/io.kandji.KandjiAgent.ESF-Extension.systemextension/Contents/MacOS/io.kandji.KandjiAgent.ESF-Extension'
+
   AND NOT (
     p0.name = 'bindfs'
     AND p0.cmdline LIKE 'bindfs%-o fsname=%'

diff --git a/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql b/detection/exfil/yara-recently-downloaded-go-crypt-exec.sql
@@ -33,12 +33,13 @@ WHERE
   AND yara.sigrule = '    
     rule cryptexec {
     strings:
-        $cbc = "crypto/cipher.newCBC" ascii
-        $aes = "crypto/aes.newCipher"
-        $run = "os/exec.(*Cmd).Run" ascii
-        $exec = "os/exec.Command" ascii
+        $s_cbc = "crypto/cipher.newCBC" ascii
+        $s_aes = "crypto/aes.newCipher"
+        $s_run = "os/exec.(*Cmd).Run" ascii
+        $s_exec = "os/exec.Command" ascii
+        $not_analysis = "Dynamic Section"
     condition:
-        3 of them
+        3 of ($s*) and none of ($not*)
 }'
   AND yara.count > 0
   AND file.path NOT LIKE '/Users/%/Downloads/chainctl%'

diff --git a/detection/initial_access/unexpected-shell-parent-events.sql b/detection/initial_access/unexpected-shell-parent-events.sql
@@ -192,6 +192,7 @@ WHERE
       'zsh'
     )
     OR p1_name LIKE 'terraform-provider-%'
+    OR p1_name LIKE 'iTermServer-%'
     -- Do not add shells to this list if you want your query to detect
     -- bad programs that were started from a shell.
     OR p2_name IN ('env', 'git')

diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
@@ -226,6 +226,7 @@ WHERE
     'true,,Todoist for Gmail,clgenfnodoocmhnlnpknojdbjjnmecff',
     'true,,Cisco Umbrella Chromebook client (Ext),jcdhmojfecjfmbdpchihbeilohgnbdci',
     'true,,Media Hint,akipcefbjlmpbcejgdaopmmidpnjlhnb',
+    'true,,PhantomBuster,mdlnjfcpdiaclglfbdkbleiamdafilil',
     'true,,uBlock,epcnnfbjfcgphgdmggkamkmgojdagdnn',
     'true,,writeGPT - ChatGPT Prompt Engineer Assistant,dflcdbibjghipieemcligeelbmackgco',
     'true,Adaware,Safe Torrent Scanner,aegnopegbbhjeeiganiajffnalhlkkjb',

diff --git a/detection/persistence/unexpected-listening-port-macos.sql b/detection/persistence/unexpected-listening-port-macos.sql
@@ -54,7 +54,6 @@ WHERE
   AND NOT exception_key IN (
     '10011,6,0,launchd,Software Signing',
     '10011,6,0,webfilterproxyd,Software Signing',
-    '22000,6,500,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783)',
     '1024,6,0,systemmigrationd,Software Signing',
     '1313,6,500,hugo,',
     '1338,6,500,registry,',
@@ -64,28 +63,26 @@ WHERE
     '138,17,222,netbiosd,Software Signing',
     '16587,6,500,RescueTime,Developer ID Application: RescueTime, Inc (FSY4RB8H39)',
     '17500,6,500,Dropbox,Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
+    '1824,6,500,WaveLink,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     '1834,6,500,Camera Hub,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     '2112,6,500,fake,',
     '2112,6,500,rekor-server,',
     '2112,6,500,timestamp-server,',
-    '22,6,0,launchd,Software Signing',
     '22000,6,500,syncthing,',
     '22000,6,500,syncthing,Developer ID Application: Jakob Borg (LQE5SYM783)',
+    '22000,6,500,syncthing,Developer ID Application: Kastelo AB (LQE5SYM783)',
+    '22,6,0,launchd,Software Signing',
     '2345,6,500,dlv,',
     '24678,6,500,node,',
     '24802,6,500,synergy-service,Developer ID Application: Symless Ltd (4HX897Y6GJ)',
     '27036,6,500,steam_osx,Developer ID Application: Valve Corporation (MXGJJ98X76)',
     '28197,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     '28198,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     '2968,6,500,EEventManager,Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
-    '3080,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
-    '3090,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
-    '3180,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
-    '3181,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
-    '3182,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)',
+    '33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
     '3306,6,500,mariadbd,',
     '3306,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
-    '33060,6,74,mysqld,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
+    '33333,6,500,Ultimate,',
     '3400,6,500,Sonos,Developer ID Application: Sonos, Inc. (2G4LW83Q3E)',
     '41949,6,500,IPNExtension,Apple Mac OS Application Signing',
     '43398,6,500,IPNExtension,Apple Mac OS Application Signing',
@@ -98,33 +95,34 @@ WHERE
     '49152,6,0,launchd,Software Signing',
     '49152,6,0,remoted,Software Signing',
     '49152,6,0,remotepairingdeviced,Software Signing',
+    '49152,6,500,CaptureCoreService,Developer ID Application: Capture One A/S (5WTDB5F65L)',
+    '49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
+    '49152,6,500,com.docker.supervisor,Developer ID Application: Docker Inc (9BNSXJN65R)',
+    '49152,6,500,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8)',
     '49152,6,500,EcammLiveRemoteXPCServer,Developer ID Application: Ecamm Network, LLC (5EJH68M642)',
     '49152,6,500,GarageBand,Apple Mac OS Application Signing',
     '49152,6,500,IPNExtension,Apple Mac OS Application Signing',
+    '49152,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
+    '49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
+    '49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
     '49152,6,500,LogiMgrDaemon,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
+    '49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
     '49152,6,500,Luna Display,Developer ID Application: Astro HQ LLC (8356ZZ8Y5K)',
     '49152,6,500,Music,Software Signing',
+    '49152,6,500,node,',
+    '49152,6,500,qemu-system-aarch64,',
+    '49152,6,500,rapportd,Software Signing',
     '49152,6,500,Resolve,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
-    '49152,6,500,Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
     '49152,6,500,Signal,Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
+    '49152,6,500,Signal Helper (Renderer),Developer ID Application: Quiet Riddle Ventures LLC (U68MSDN6DR)',
     '49152,6,500,Sketch,Developer ID Application: Bohemian Coding (WUGMZZ5K46)',
     '49152,6,500,SketchMirrorHelper,Developer ID Application: Bohemian Coding (WUGMZZ5K46)',
     '49152,6,500,Spotify,Developer ID Application: Spotify (2FNC3A47ZF)',
     '49152,6,500,Stream Deck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
-    '49152,6,500,Webcam-desktop,Developer ID Application: Shenzhen Arashi Vision Co., Ltd. (847R5ZLN8S)',
-    '49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
-    '49152,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
-    '49152,6,500,com.docker.supervisor,Developer ID Application: Docker Inc (9BNSXJN65R)',
-    '49152,6,500,java,Developer ID Application: Eclipse Foundation, Inc. (JCDTMS22B4)',
-    '49152,6,500,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963)',
-    '49152,6,500,jetbrains-toolbox,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
-    '49152,6,500,logioptionsplus_agent,Developer ID Application: Logitech Inc. (QED4VVPZWA)',
-    '49152,6,500,node,',
-    '49152,6,500,qemu-system-aarch64,',
-    '33333,6,500,Ultimate,',
-    '49152,6,500,rapportd,Software Signing',
     '49152,6,500,telepresence,',
     '49152,6,500,vpnkit-bridge,Developer ID Application: Docker Inc (9BNSXJN65R)',
+    '49152,6,500,Webcam-desktop,Developer ID Application: Shenzhen Arashi Vision Co., Ltd. (847R5ZLN8S)',
+    '49152,6,500,WorkflowAppControl,Developer ID Application: Brother Industries, LTD. (5HCL85FLGW)',
     '5000,6,500,ControlCenter,Software Signing',
     '5001,6,500,crane,',
     '5001,6,500,gvproxy,',
@@ -137,7 +135,6 @@ WHERE
     '546,17,0,configd,Software Signing',
     '547,17,500,dhcp6d,Software Signing',
     '5900,6,0,launchd,Software Signing',
-    '8125,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
     '5900,6,0,screensharingd,Software Signing',
     '5990,6,500,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
     '6000,6,500,X11.bin,Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)',
@@ -146,17 +143,16 @@ WHERE
     '67,17,0,launchd,Software Signing',
     '68,17,0,configd,Software Signing',
     '7000,6,500,ControlCenter,Software Signing',
+    '7265,6,500,Raycast,Developer ID Application: Raycast Technologies Inc (SY64MV22J9)',
     '80,6,500,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R)',
     '80,6,500,limactl,',
     '8081,6,500,crane,',
-    '81,6,500,nginx,',
     '8123,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
+    '8125,6,500,Brackets-node,Developer ID Application: CORE.AI SCIENTIFIC TECHNOLOGIES PRIVATE LIMITED (8F632A866K)',
+    '81,6,500,nginx,',
     '8770,6,500,sharingd,Software Signing',
     '8771,6,500,sharingd,Software Signing',
     '88,17,0,kdc,Software Signing',
-    '49152,6,500,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8)',
-    '88,6,0,kdc,Software Signing',
-    '49152,6,500,CaptureCoreService,Developer ID Application: Capture One A/S (5WTDB5F65L)',
     '8828,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '8829,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '8830,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@@ -165,9 +161,12 @@ WHERE
     '8833,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
     '8834,6,0,nessusd,Developer ID Application: Tenable, Inc. (4B8J598M7U)',
     '8834,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
+    '88,6,0,kdc,Software Signing',
     '8888,6,500,otel-desktop-viewer,',
     '9101,6,500,github_actions_exporter,'
   )
+  AND NOT exception_key LIKE '3%,6,500,sourcegraph-backend,Developer ID Application: SOURCEGRAPH INC (74A5FJ7P96)'
+  AND NOT exception_key LIKE '88%,6,500,Code Helper,Developer ID Application: Microsoft Corporation (UBF8T346G9)'
   AND NOT (
     signature.authority = 'Developer ID Application: Linear Orbit, Inc. (7VZ2S3V9RV)'
     AND lp.port > 1024

diff --git a/detection/privesc/unexpected-privileged-containers.sql b/detection/privesc/unexpected-privileged-containers.sql
@@ -32,6 +32,7 @@ WHERE
     'cgr.dev/chainguard/wolfi-base',
     'distroless.dev/melange',
     'docker.io/rancher/k3s',
+    'ghcr.io/wolfi-dev/sdk@sha256',
     'cgr.dev/chainguard-private/python',
     'gcr.io/k8s-minikube/kicbase',
     'ghcr.io/wolfi-dev/sdk',
@@ -42,5 +43,6 @@ WHERE
     'wolfi'
   )
   AND image NOT LIKE 'ghcr.io/k3d-io/k3d-%'
+  AND image NOT LIKE 'ghcr.io/wolfi-dev/%'
   AND image NOT LIKE 'melange-%'
   AND command NOT LIKE '/usr/bin/melange build %'