Fix errors

detection/c2/unexpected-https-linux.sql

@@ -288,7 +288,6 @@ WHERE
     '500,zdup,500u,500g,zdup',
     '500,zoom,0u,0g,zoom',
     '500,zoom.real,u,g,zoom.real'
-
   ) -- Exceptions where we have to be more flexible for the process name
   AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
   AND NOT exception_key LIKE '500,node,0u,0g,npm install %'

detection/c2/unexpected-https-macos.sql

@@ -156,7 +156,6 @@ WHERE
     '500,syncthing,syncthing,,syncthing',
     '500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763),terraform',
     '500,zoom.us,zoom.us,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3),us.zoom.xos'
-
   )
   AND NOT exception_key LIKE '500,tor-%-darwin-brave-%,tor-%-darwin-brave-%,Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),tor-%-darwin-brave-%'
   AND NOT alt_exception_key IN (

detection/evasion/hidden-home-libappsupport.sql

@@ -63,15 +63,15 @@ WHERE
     '~/Library/Application Support/Slack',
     '~/Library/Application Support/ZaloApp',
     '~/Library/Application Support/ZaloData',
-    '~/Library/Application Support/ZaloPC'
+    '~/Library/Application Support/ZaloPC',
     '~/Library/Application Support/com.apple.spotlight',
     '~/Library/Application Support/com.bohemiancoding.sketch3',
     '~/Library/Application Support/com.intelliscapesolutions.caffeine',
     '~/Library/Application Support/com.operasoftware.Opera',
     '~/Library/Application Support/com.psiexams.psi-bridge-secure-browser',
     '~/Library/Application Support/com.tinyapp.TablePlus',
     '~/Library/Application Support/discord',
-    '~/Library/Application Support/lghub',
+    '~/Library/Application Support/lghub'
   )
   AND NOT homepath IN (
     '~/Library/Application Support/.Shadowland5.5',

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -53,7 +53,7 @@ WHERE
     ',,/Applications/ProtonMail%20Bridge.app/,',
     ',,/Applications/Visual%20Studio%20Code.app/,',
     ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
-    ',,/usr/local/sbin/iodined,501'
+    ',,/usr/local/sbin/iodined,501',
     ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
     ',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
     ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
@@ -91,8 +91,7 @@ WHERE
     'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
     'Software Signing,com.apple.nc,/usr/bin/nc,0',
     'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
-    'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
-
+    'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0'
   )
   AND NOT exception_key LIKE ',a.out,/opt/homebrew/Cellar/podman/%/libexec/podman/gvproxy,501'
   AND NOT exception_key LIKE ',a.out,/private/var/folders/%/T/GoLand/%,501'
@@ -123,7 +122,7 @@ WHERE
   AND NOT (
     signature.identifier = 'nix'
     AND ae.path LIKE '/nix/store/%-nix-%/bin/nix'
-  )  
+  )
   AND NOT (
     ae.path LIKE '/Users/%/Library/Application%20Support/Steam/Steam.AppBundle/Steam/'
   )

detection/evasion/unexpected-process-extension-linux.sql

@@ -8,7 +8,6 @@
 --
 -- tags: persistent process state
 -- platform: linux
-
 SELECT
   -- Child
   p0.pid AS p0_pid,
@@ -80,4 +79,4 @@ WHERE
     'ext'
   )
   AND NOT basename LIKE 'python3.%'
-  AND NOT basename LIKE 'python2.%'  
+  AND NOT basename LIKE 'python2.%'

detection/execution/unexpected-execdir-events-macos.sql

@@ -203,7 +203,7 @@ WHERE
     '/Library/Printers/EPSON/InkjetPrinter2/Filter/commandtoescp.app/Contents/MacOS',
     '/Library/PrivilegedHelperTools',
     '/Library/TeX/texbin',
-    '/Volumes/Grammarly/Grammarly Installer.app/Contents/MacOS'
+    '/Volumes/Grammarly/Grammarly Installer.app/Contents/MacOS',
     '/bin',
     '/node_modules/.bin',
     '/opt/X11/bin',
@@ -247,8 +247,7 @@ WHERE
     '~/code/bin',
     '~/go/bin',
     '~/melange',
-    '~/projects/go/bin',
-
+    '~/projects/go/bin'
   ) -- Locally built executables
   AND NOT (
     s.identifier = 'a.out'

detection/execution/unexpected-osascript-calls.sql

@@ -113,7 +113,7 @@ WHERE
       OR (
         p1_authority = 'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)'
         AND p0_cmd = 'osascript'
-      )      
+      )
     )
   )
   -- The following apply to all uids

detection/execution/unexpected-security-framework-program-macos.sql

@@ -122,7 +122,7 @@ WHERE
     '500,Todoist,com.todoist.mac.Todoist,Apple Mac OS Application Signing',
     '500,TwitchStudioStreamDeck,TwitchStudioStreamDeck,Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     '500,WinAppHelper,,',
-    '500,WinAppHelper,WinAppHelper,'
+    '500,WinAppHelper,WinAppHelper,',
     '500,bash,bash,',
     '500,bash,com.apple.bash,Software Signing',
     '500,bufls,a.out,',

detection/persistence/unexpected-active-systemd-units.sql

@@ -15,13 +15,7 @@ SELECT --  description AS 'desc',
   hash.sha256,
   file.ctime,
   file.size,
-  CONCAT (
-    id,
-    ',',
-    description,
-    ',',
-    user
-  ) AS exception_key
+  CONCAT (id, ',', description, ',', user) AS exception_key
 FROM
   systemd_units
   LEFT JOIN hash ON systemd_units.fragment_path = hash.path
@@ -374,7 +368,6 @@ WHERE
         'znapzend.service,ZnapZend - ZFS Backup System,root',
         'zpool-trim.service,ZFS pools trim,',
         'zpool-trim.timer,zpool-trim.timer,'
-
       )
       OR exception_key LIKE 'machine-qemu%.scope,Virtual Machine qemu%,'
       OR exception_key LIKE 'zfs-snapshot-%.timer,zfs-snapshot-%.timer,'

detection/persistence/unexpected-device.sql

@@ -224,7 +224,7 @@ WHERE
     '/dev/vgubuntu/root',
     '/dev/vgubuntu/swap_',
     '/dev/vhci',
-    '/dev/disk/by-dname'
+    '/dev/disk/by-dname',
     '/dev/vhost-net',
     '/dev/vhost-vsock',
     '/dev/video',
@@ -241,7 +241,6 @@ WHERE
     '/dev/zram',
     '/dev/zvol/',
     '/dev/zvol/rpool'
-
   )
   AND NOT path LIKE '/dev/mapper/%'
   AND NOT path LIKE '/dev/shm/sem.rpc%'

detection/persistence/unexpected-global-lock.sql

@@ -8,40 +8,43 @@
 --
 -- tags: persistent filesystem state seldom
 -- platform: posix
-SELECT *,
-    CONCAT(
-        MIN(file.uid, 500),
-        ",",
-        file.gid,
-        ",",
-        file.path,
-        ",",
-        file.type,
-        ',',
-        mode
-    ) AS exception_key
-FROM file
-WHERE (
-        path LIKE "/tmp/%.lock"
-        OR path LIKE "/var/run/%.lock"
-        OR path LIKE "/var/tmp/%.lock"
-        OR path LIKE "/dev/shm/%.lock"
-        OR path LIKE "/dev/mqueue/%.lock"
-        OR path LIKE "/tmp/.%.lock"
-        OR path LIKE "/var/run/.%.lock"
-        OR path LIKE "/var/tmp/.%.lock"
-        OR path LIKE "/dev/shm/.%.lock"
-        OR path LIKE "/dev/mqueue/.%.lock"
-    )
-    AND exception_key NOT IN (
-        '0,0,/var/run/unattended-upgrades.lock,regular,0640',
-        '500,0,/tmp/mysql.sock.lock,regular,0600',
-        '500,0,/tmp/mysqlx.sock.lock,regular,0600',
-        '0,0,/var/run/xtables.lock,regular,0600',
-        '0,0,/var/run/dnf-metadata.lock,regular,0644',
-        '0,0,/var/run/ufw.lock,regular,0644',
-        '0,0,/var/run/apport.lock,regular,0600',
-        '74,0,/tmp/mysql.sock.lock,regular,0600',
-        '74,0,/tmp/mysqlx.sock.lock,regular,0600',
-        '500,1001,/tmp/nwg-dock.lock,regular,0600'
-    )
+SELECT
+  *,
+  CONCAT (
+    MIN(file.uid, 500),
+    ",",
+    file.gid,
+    ",",
+    file.path,
+    ",",
+    file.type,
+    ',',
+    mode
+  ) AS exception_key
+FROM
+  file
+WHERE
+  (
+    path LIKE "/tmp/%.lock"
+    OR path LIKE "/var/run/%.lock"
+    OR path LIKE "/var/tmp/%.lock"
+    OR path LIKE "/dev/shm/%.lock"
+    OR path LIKE "/dev/mqueue/%.lock"
+    OR path LIKE "/tmp/.%.lock"
+    OR path LIKE "/var/run/.%.lock"
+    OR path LIKE "/var/tmp/.%.lock"
+    OR path LIKE "/dev/shm/.%.lock"
+    OR path LIKE "/dev/mqueue/.%.lock"
+  )
+  AND exception_key NOT IN (
+    '0,0,/var/run/unattended-upgrades.lock,regular,0640',
+    '500,0,/tmp/mysql.sock.lock,regular,0600',
+    '500,0,/tmp/mysqlx.sock.lock,regular,0600',
+    '0,0,/var/run/xtables.lock,regular,0600',
+    '0,0,/var/run/dnf-metadata.lock,regular,0644',
+    '0,0,/var/run/ufw.lock,regular,0644',
+    '0,0,/var/run/apport.lock,regular,0600',
+    '74,0,/tmp/mysql.sock.lock,regular,0600',
+    '74,0,/tmp/mysqlx.sock.lock,regular,0600',
+    '500,1001,/tmp/nwg-dock.lock,regular,0600'
+  )

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -262,7 +262,7 @@ WHERE
     'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,zfs-snapshot-hourly.service,0555',
     'zfs,/nix/store/__VERSION__/bin/zfs,0,system.slice,znapzend.service,0555',
     'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
-    'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555',
+    'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555'
   )
   AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,0755'
   AND NOT exception_key LIKE 'fusermount3,/usr/bin/fusermount3,%,user.slice,user-%.slice,4755'

detection/persistence/unexpected-uid0-daemon-macos.sql

@@ -267,7 +267,7 @@ WHERE -- Focus on longer-running programs
         '/usr/sbin/BTLEServer',
         '/usr/sbin/BlueTool',
         '/usr/sbin/KernelEventAgent',
-        '/usr/sbin/WirelessRadioManagerd'
+        '/usr/sbin/WirelessRadioManagerd',
         '/usr/sbin/aslmanager',
         '/usr/sbin/audioclocksyncd',
         '/usr/sbin/auditd',
@@ -282,8 +282,7 @@ WHERE -- Focus on longer-running programs
         '/usr/sbin/sshd',
         '/usr/sbin/syslogd',
         '/usr/sbin/systemsoundserverd',
-        '/usr/sbin/systemstats',
-
+        '/usr/sbin/systemstats'
       )
       AND NOT path LIKE '/nix/store/%-nix-%/bin/nix'
       AND NOT path LIKE '/opt/homebrew/Cellar/htop/%/bin/htop'