Merge pull request #336 from tstromberg/dec5

fpr: Capture One, Grammarly, Mullvad, etc
chainguard-dev · Dec 8, 2023 · 1aaf59c · 1aaf59c
2 parents 803f21c + 310e51d
commit 1aaf59c
Show file tree

Hide file tree

Showing 37 changed files with 100 additions and 33 deletions.
diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
@@ -271,6 +271,7 @@ WHERE
     '500,spotify,u,g,spotify',
     '500,steam,500u,100g,steam',
     '500,steam,500u,500g,steam',
+    '500,ubuntu-report,0u,0g,ubuntu-report',
     '500,steamwebhelper,500u,100g,steamwebhelper',
     '500,steamwebhelper,500u,500g,steamwebhelper',
     '500,step,500u,500g,step',

diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
@@ -145,11 +145,13 @@ WHERE
     '500,bash,bash,,bash',
     '500,Google Chrome Helper,Google Chrome Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
     '500,Slack Helper,Slack Helper,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
+    '500,Slack,Slack,Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap',
     '0,io.tailscale.ipn.macsys.network-extension,io.tailscale.ipn.macsys.network-extension,Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
     '500,chrome_crashpad_handler,chrome_crashpad_handler,Developer ID Application: Microsoft Corporation (UBF8T346G9),chrome_crashpad_handler',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
     '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
     '500,go,go,Developer ID Application: Google LLC (EQHXZ8M8AV),org.golang.go',
+    '500,PSI Bridge Secure Browser Helper,PSI Bridge Secure Browser Helper,Developer ID Application: PSI Services LLC (73AT498HPV),com.psiexams.psi-bridge-secure-browser.helper',
     '500,grype,grype,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT),grype',
     '500,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
     '500,melange,melange,,a.out',
@@ -169,8 +171,10 @@ WHERE
   AND NOT alt_exception_key IN (
     '0,velociraptor,velociraptor,0u,0g',
     '0,velociraptor,velociraptor,0u,80g',
+    '500,nodegizmo,nodegizmo,500u,20g',
     '500,apko,apko,0u,0g',
     '500,apko,apko,500u,20g',
+    '500,wolfictl,wolfictl,0u,0g',
     '500,istioctl,istioctl,500u,20g',
     '500,aws,aws,0u,0g',
     '500,cargo,cargo,500u,80g',

diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
@@ -56,7 +56,7 @@ FROM
 WHERE
   s.time > (strftime('%s', 'now') -600)
   AND s.action = "connect"
-  AND s.remote_port > 0
+  AND s.remote_port > 10
   AND s.remote_address NOT IN (
     '127.0.0.1',
     '::ffff:127.0.0.1',
@@ -70,6 +70,7 @@ WHERE
   AND s.remote_address NOT LIKE '100.7%'
   AND s.remote_address NOT LIKE '172.1%'
   AND s.remote_address NOT LIKE '172.2%'
+  AND s.remote_address NOT LIKE '0000:%'
   AND s.remote_address NOT LIKE '172.30.%'
   AND s.remote_address NOT LIKE '172.31.%'
   AND s.remote_address NOT LIKE '::ffff:172.%'
@@ -112,8 +113,10 @@ WHERE
     '500,0,1234,spotify',
     '500,0,123,sntp',
     '500,0,20480,io.tailscale.ipn.macsys.network-extension',
+    '500,0,32768,com.apple.MobileSoftwareUpdate.UpdateBrainService',
     '500,0,22,ssh',
     '500,0,31488,sntp',
+    '500,0,443,go',
     '500,0,32768,com.apple.NRD.UpdateBrainService',
     '500,0,32768,firefox',
     '500,0,32768,io.tailscale.ipn.macsys.network-extension',
@@ -216,6 +219,7 @@ WHERE
     '500,500,443,istioctl',
     '500,500,443,ksfetch',
     '500,500,443,kubectl',
+    '500,99,443,Slack',
     '500,500,443,minikube',
     '500,500,443,node',
     '500,500,443,old',
@@ -236,6 +240,8 @@ WHERE
   AND NOT exception_key LIKE '500,500,443,terraform%'
   AND NOT exception_key LIKE '500,0,%,syncthing'
   AND NOT exception_key LIKE '500,0,%,chrome'
+  AND NOT exception_key LIKE '500,500,443,kubectl.%'
+
   AND NOT p0_path LIKE '/Users/%/code/%'
   AND NOT p0_path LIKE '/Users/%/go/%'
   AND NOT p0_path LIKE '/Users/%/src/%'

diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
@@ -202,6 +202,7 @@ WHERE
     '80,6,500,spotify,0u,0g,spotify',
     '80,6,500,spotify,500u,500g,spotify',
     '80,6,500,spotify-launcher,0u,0g,spotify-launche',
+    '80,6,0,python3.12,0u,0g,yum',
     '80,6,500,spotify,u,g,spotify',
     '80,6,500,steam,500u,100g,steam',
     '80,6,500,steam,500u,500g,steam',

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
@@ -157,7 +157,10 @@ WHERE
     '500,6,80,Google Drive Helper,Google Drive Helper,Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.drivefs.helper',
     '500,6,80,IPNExtension,IPNExtension,Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension',
     '500,6,80,Jabra Direct,Jabra Direct,Developer ID Application: GN Audio AS (55LV32M29R),com.jabra.directonline',
+    '500,6,5222,WhatsApp,WhatsApp,Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp',
+    '500,6,993,Spark Desktop Helper,Spark Desktop Helper,Developer ID Application: Readdle Technologies Limited (3L68KQB4HG),com.readdle.SparkDesktop.helper',
     '500,6,80,jcef Helper,jcef Helper,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),org.jcef.jcef.helper',
+    '500,6,8080,Speedtest,Speedtest,Apple Mac OS Application Signing,com.ookla.speedtest-macos',
     '500,6,80,KakaoTalk,KakaoTalk,Apple Mac OS Application Signing,com.kakao.KakaoTalkMac',
     '500,6,80,ksfetch,ksfetch,Developer ID Application: Google LLC (EQHXZ8M8AV),ksfetch',
     '500,6,80,launcher-Helper,launcher-Helper,Developer ID Application: Mojang AB (HR992ZEAE6),com.mojang.mclauncher.helper',
@@ -182,6 +185,7 @@ WHERE
   AND NOT alt_exception_key IN (
     '0,6,80,tailscaled,tailscaled,500u,80g',
     '500,6,22,ssh,ssh,0u,500g',
+    '500,6,5432,psql,psql,500u,80g',
     '500,6,22,ssh,ssh,500u,0g',
     '500,6,80,qemu-system-x86_64,qemu-system-x86_64,500u,80g',
     '500,6,22,ssh,ssh,500u,20g',
@@ -214,12 +218,14 @@ WHERE
   ) -- Known Web Browsers
   AND NOT (
     (
-      pos.remote_port IN (80, 999)
+      pos.remote_port IN (80, 587, 999)
       OR pos.remote_port > 1024
     )
     AND id_exception_key IN (
       'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
       'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
+      'Apple Mac OS Application Signing,com.ookla.speedtest-macos',
+      'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
       'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
       'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
       'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',

diff --git a/detection/collection/high-disk-bytes-written.sql b/detection/collection/high-disk-bytes-written.sql
@@ -146,6 +146,7 @@ WHERE
     'firefox',
     'fsdaemon',
     'mediawriter',
+    'grype',
     'go',
     'goland',
     'golangci-lint-v',

diff --git a/detection/evasion/hidden-cwd.sql b/detection/evasion/hidden-cwd.sql
@@ -95,6 +95,7 @@ WHERE
       'bash,~/go/src',
       'bash,~/.local/share',
       'bash,~/.Trash',
+      'rm,/private/var/folders',
       'cc1,/home/build/.cache',
       'cc1plus,~/.cache/yay',
       'c++,~/.cache/yay',

diff --git a/detection/evasion/name_path_mismatch.sql b/detection/evasion/name_path_mismatch.sql
@@ -90,6 +90,7 @@ WHERE
     '0,udevadm,(udev-worker)',
     '500,netcat,nc',
     '500,nc.openbsd,nc',
+    '500,systemd-executor,(sd-pam)',
     '500,busybox,sh',
     '500,coreutils,tail',
     '500,gjs-console,gnome-character',

diff --git a/detection/evasion/parent-missing-from-disk-linux.sql b/detection/evasion/parent-missing-from-disk-linux.sql
@@ -13,8 +13,7 @@
 --   * none observed
 --
 -- tags: persistent daemon
-SELECT
-  -- Child
+SELECT -- Child
   p0.pid AS p0_pid,
   p0.path AS p0_path,
   p0.name AS p0_name,
@@ -36,15 +35,13 @@ SELECT
   p2.path AS p2_path,
   p2.cmdline AS p2_cmd,
   p2_hash.sha256 AS p2_sha256
-FROM
-  processes p0
+FROM processes p0
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
   LEFT JOIN processes p1 ON p0.parent = p1.pid
   LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE
-  p1.on_disk != 1
+WHERE p1.on_disk != 1
   AND p0.on_disk = 1
   AND NOT p0.pid IN (1, 2)
   AND NOT p1.pid IN (1, 2) -- launchd, kthreadd
@@ -96,7 +93,10 @@ WHERE
   )
   AND NOT p2.name = 'bwrap'
   AND p1.cgroup_path NOT LIKE '/system.slice/docker-%'
-  AND p1.cgroup_path != '/system.slice/docker.service'
+  AND p1.cgroup_path NOT IN (
+    '/system.slice/docker.service',
+    '/system.slice/containerd.service'
+  )
   AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/nerdctl-%'
   AND p1.cgroup_path NOT LIKE '/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-%'
   AND p1.path NOT LIKE '/opt/homebrew/Cellar/%'
@@ -105,4 +105,4 @@ WHERE
   AND NOT (
     p1.name LIKE 'kworker/%+events_unbound'
     AND p0.name IN ('modprobe')
-  )
+  )
diff --git a/detection/evasion/unexpected-alf-exceptions-macos.sql b/detection/evasion/unexpected-alf-exceptions-macos.sql
@@ -48,31 +48,26 @@ WHERE
   -- Ignore files that ahve already been removed
   AND file.filename NOT NULL
   AND exception_key NOT IN (
-    ',,/Applications/Google%20Chrome.app/,',
-    ',,/Applications/IntelliJ%20IDEA.app/,',
-    ',,/Applications/ProtonMail%20Bridge.app/,',
-    ',,/Applications/Visual%20Studio%20Code.app/,',
-    ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
-    ',,/usr/local/sbin/iodined,501',
     ',a.out,/opt/homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/kubectl,501',
     ',a.out,/opt/homebrew/Cellar/go/1.20.4/libexec/pkg/tool/darwin_arm64/trace,501',
-    ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
-    ',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
-    ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
-    ',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
-    ',org.python.python,/opt/homebrew/Cellar/python@3.11/3.11.2_1/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501',
-    '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
     'Apple Mac OS Application Signing,com.anydo.mac,/Applications/Anydo.app/,0',
     'Apple Mac OS Application Signing,com.apple.garageband10,/Applications/GarageBand.app/,0',
     'Apple Mac OS Application Signing,com.busymac.busycal3,/Applications/BusyCal.app/,0',
     'Apple Mac OS Application Signing,com.joeallen.teleprompter.mac,/Applications/Teleprompter.app/,0',
     'Apple Mac OS Application Signing,com.utmapp.QEMULauncher,/Applications/UTM.app/Contents/XPCServices/QEMUHelper.xpc/Contents/MacOS/QEMULauncher.app/,0',
     'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
+    'Apple Mac OS Application Signing,io.tailscale.ipn.macos.network-extension,/Applications/Tailscale.localized/Tailscale.app/Contents/PlugIns/IPNExtension.appex/,0',
+    ',,/Applications/Google%20Chrome.app/,',
+    ',,/Applications/IntelliJ%20IDEA.app/,',
+    ',,/Applications/ProtonMail%20Bridge.app/,',
+    ',,/Applications/Visual%20Studio%20Code.app/,',
+    ',,/Applications/Visual%20Studio%20Code.app/Contents/Frameworks/Code%20Helper.app/,',
     'Developer ID Application: Bearly Inc (NK6K4BACCF),com.bearly.app,/Applications/Bearly.app/,501',
-    'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
     'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.sketch3,/Applications/Sketch.app/,501',
+    'Developer ID Application: Bohemian Coding (WUGMZZ5K46),com.bohemiancoding.SketchMirrorHelper,/Applications/Sketch.app/Contents/XPCServices/SketchMirrorHelper.xpc/,501',
     'Developer ID Application: Brother Industries, LTD. (5HCL85FLGW),com.brother.utility.WorkflowAppControlServer,/Library/Printers/Brother/Utilities/Server/WorkflowAppControl.app/,0',
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5),com.elgato.WaveLink,/Applications/WaveLink.app/,0',
+    'Developer ID Application: Crul, Inc. (5PTD6R25S6),com.electron.crul,/Applications/crul.app/,501',
     'Developer ID Application: Cypress.Io, Inc. (7D655LWGLY),com.electron.cypress,/Users/garrying/Library/Caches/Cypress/12.9.0/Cypress.app/,501',
     'Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product,/Applications/DBeaver.app/,501',
     'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker,/Applications/Docker.app/,501',
@@ -81,20 +76,28 @@ WHERE
     'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm,/Applications/PyCharm.app/,501',
     'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
     'Developer ID Application: Opentest, Inc. (QGD2ZPXZZG),com.loom.desktop,/Applications/Loom.app/,501',
+    'Developer ID Application: Postdot Technologies, Inc (H7H8Q7M5CK),com.postmanlabs.mac,/Applications/Postman.app/,501',
     'Developer ID Application: RescueTime, Inc (FSY4RB8H39),com.rescuetime.RescueTime,/Applications/RescueTime.app/,0',
     'Developer ID Application: Sonos, Inc. (2G4LW83Q3E),com.sonos.macController,/Applications/Sonos.app/,501',
     'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client,/Applications/Spotify.app/,501',
     'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension,/Library/SystemExtensions/A30AF854-E980-4345-A658-17000BF66D00/io.tailscale.ipn.macsys.network-extension.systemextension/,0',
     'Developer ID Application: VNG ONLINE CO.,LTD (CVB6BX97VM),com.vng.zalo,/Applications/Zalo.app/,501',
     'Developer ID Application: Voicemod Sociedad Limitada. (S2MC4XQDSM),net.voicemod.desktop,/Applications/Voicemod.app/,0',
-    'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
-    'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
-    'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
+    ',dnsmasq,/opt/homebrew/Cellar/dnsmasq/2.88/sbin/dnsmasq,0',
+    ',iodined-55554944d1ffcb236a84363d9b667be6a1742a17,/usr/local/sbin/iodined,501',
+    ',java,/opt/homebrew/Cellar/openjdk/19/libexec/openjdk.jdk/Contents/Home/bin/java,501',
+    ',org.python.python,/opt/homebrew/Cellar/python@3.10/3.10.9/Frameworks/Python.framework/Versions/3.10/Resources/Python.app/,501',
+    ',org.python.python,/opt/homebrew/Cellar/python@3.11/3.11.2_1/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501',
     'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
     'Software Signing,com.apple.controlcenter,/System/Library/CoreServices/ControlCenter.app/,0',
+    'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
     'Software Signing,com.apple.nc,/usr/bin/nc,0',
     'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
-    'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0'
+    'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
+    'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
+    'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
+    '/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/',
+    ',,/usr/local/sbin/iodined,501'
   )
   AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'
   AND NOT exception_key LIKE ',org.python.python,/opt/homebrew/Cellar/python@%/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,501'

diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -116,6 +116,7 @@ WHERE
     '/usr/lib/jvm/.java-1.17.0-openjdk-amd64.jinfo',
     '/var/.Parallels_swap/',
     '/var/.ntw_cache',
+    '/var/db/.RunLanguageChooserToo',
     '/var/.pwd_cache',
     '/var/db/.AppleInstallType.plist',
     '/var/db/.AppleUpgrade',
@@ -187,7 +188,7 @@ WHERE
   )
   AND NOT (
     type = 'regular'
-    AND filename = '.placeholder'
+    AND filename IN ('.placeholder', '.abignore', '.gitignore')
   ) -- A curious addition seen on NixOS and Fedora machines
   AND NOT (
     file.path = '/.cache/'

diff --git a/detection/evasion/unexpected-kernel-extensions-macos.sql b/detection/evasion/unexpected-kernel-extensions-macos.sql
@@ -22,6 +22,7 @@ WHERE
   )
   AND exception_key NOT IN (
     '/Library/StagedExtensions/Library/Extensions/CalDigitUSBHubSupport.kext,com.CalDigit.USBHubSupport,1,<3>',
+    '/Library/StagedExtensions/Library/Filesystems/macfuse.fs/Contents/Extensions/14/macfuse.kext,io.macfuse.filesystems.macfuse,2128.20,<1 3 4 5 7>',
     '/Library/StagedExtensions/Library/Filesystems/kbfuse.fs/Contents/Extensions/13/kbfuse.kext,com.github.kbfuse.filesystems.kbfuse,2113.21,<1 3 4 5 7>'
   )
   AND exception_key NOT LIKE '/Library/StagedExtensions/Library/Extensions/ufsd_NTFS.kext,com.paragon-software.filesystems.ntfs,%'

diff --git a/detection/evasion/unexpected-ld-so-files-linux.sql b/detection/evasion/unexpected-ld-so-files-linux.sql
@@ -33,6 +33,7 @@ WHERE
     '/etc/ld.so.conf,0644,34,d4b198c463418b493208485def26a6f4c57279467b9dfa491b70433cedb602e8',
     '/etc/ld.so.conf.d/000_cuda.conf,0644,41,a9327cff9435220eac872cffedc7f6144d915bdcb70d985304c72f4c3cb9a7d3',
     '/etc/ld.so.conf.d/989_cuda-11.conf,0644,44,915b1ed4caa95cf65a62a74d8255c5ef80ef864cc2767933c85e240a78957167',
+    '/etc/ld.so.conf.d/llvm16-x86_64.conf,0644,22,3ddda874af4dd14e9e873da09d082031abfacd4b5094982c28f53e1fd50a5fe3',
     '/etc/ld.so.conf.d/bind-export-x86_64.conf,0644,26,efeec53def06657c947f064463d5ebdb68f7c6f9e40cc2e72fc11c263484942e',
     '/etc/ld.so.conf.d/cuda.conf,0644,66,a65f7d96e2447eb40b1be9586b90eb0bd776a8938c93d21f9606d2880b548b28',
     '/etc/ld.so.conf.d/dyninst-x86_64.conf,0644,19,a4c740c1f59176d816ba18d429ba823317d3db416accf6d79a9cb0ac845d9d50',

diff --git a/detection/evasion/unexpected-tmp-executables-macos.sql b/detection/evasion/unexpected-tmp-executables-macos.sql
@@ -88,7 +88,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
           OR file.path LIKE '/tmp/com.apple.installer%'
           OR file.path LIKE '%/tmp/epdf%'
           OR file.path LIKE '/tmp/flow/%.npmzS_cacachezStmpzSgit-clone%'
-          OR file.filename IN ('mysqld_exporter', 'goreleaser')
+          OR file.filename IN ('mysqld_exporter', 'goreleaser', 'golangci-lint', 'cosign', 'grype', 'chainctl', 'configure')
         )
       )
       -- Melange
@@ -137,7 +137,10 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
         AND file.size = 90921938
       )
   )
-  AND NOT signature.authority = 'Developer ID Application: Adobe Inc. (JQ525L2MZD)'
+  AND NOT signature.authority IN (
+    'Developer ID Application: Adobe Inc. (JQ525L2MZD)',
+    'Developer ID Application: Docker Inc (9BNSXJN65R)'
+  )
   AND NOT (
     magic.data IS NOT NULL
     AND (

diff --git a/detection/evasion/unusual-executable-name-linux.sql b/detection/evasion/unusual-executable-name-linux.sql
@@ -93,7 +93,9 @@ WHERE
     "xdg-document-portal",
     "xdg-desktop-portal-gnome",
     "xdg-desktop-portal-gtk",
+    "xdg-dbus-proxy",
     "nm-applet",
+    "nm-dispatcher",
     "acpid",
     "kactivitymanagerd",
     "gmenudbusmenuproxy",

diff --git a/detection/evasion/unusual-executable-name-macos.sql b/detection/evasion/unusual-executable-name-macos.sql
@@ -92,6 +92,7 @@ WHERE
   AND NOT pname IN (
     'cpu',
     'BetterTouchToolAppleScriptRunner',
+    'TwitterNotificationServiceExtension',
     'ThingsWidgetExtensionMacAppStore',
     'com.microsoft.teams2.notificationcenter',
     'BetterTouchToolShellScriptRunner',

diff --git a/detection/evasion/unusual-process-name-linux.sql b/detection/evasion/unusual-process-name-linux.sql
@@ -99,6 +99,7 @@ WHERE
     "acpid",
     'firefox',
     "gmenudbusmenuproxy",
+    "systemd-executor",
     "irqbalance",
     "kactivitymanagerd",
     "nm-applet",

diff --git a/detection/execution/unexpected-execdir-events-macos.sql b/detection/execution/unexpected-execdir-events-macos.sql
@@ -141,9 +141,11 @@ WHERE
     '/Library/Application Support/EcammLive',
     '/Library/Application Support/Fortinet',
     '/Library/Application Support/GPGTools',
+    '/Library/Application Support/AdGuard Software',
     '/Library/Application Support/com.canonical.multipass',
     '/Library/Application Support/org.pqrs',
     '/Library/Developer/CommandLineTools',
+    '~/Library/Application Support/Code',
     '/Library/Google/GoogleSoftwareUpdate',
     '/Library/Java/JavaVirtualMachines',
     '/Library/Plug-Ins/FxPlug',

diff --git a/detection/execution/unexpected-execdir-macos.sql b/detection/execution/unexpected-execdir-macos.sql
@@ -65,7 +65,7 @@ WHERE
     SELECT
       pid
     FROM
-      processes
+      processesP
     WHERE
       pid > 0
       AND REGEX_MATCH (
@@ -140,6 +140,8 @@ WHERE
     '/Library/Application Support/EcammLive',
     '~/Library/Caches/com.mimestream.Mimestream/',
     '~/Library/Caches/com.sempliva.Tiles/',
+    '~/.local/share/bob/',
+    '~/anaconda3/Anaconda-Navigator.app/Contents/',
     '~/Library/Services/UE4EditorServices.app/',
     '~/Library/Caches/com.grammarly.ProjectLlama/',
     '~/Library/Caches/JetBrains/',