Merge pull request #329 from chainguard-dev/fpr-oct25

fpr: mtr, vscode, cpptools, cron, firefox
chainguard-dev · Oct 25, 2023 · 3e25510 · 3e25510
2 parents 7b76585 + 7d9aced
commit 3e25510
Show file tree

Hide file tree

Showing 8 changed files with 85 additions and 60 deletions.
diff --git a/detection/c2/unexpected-talker-events.sql b/detection/c2/unexpected-talker-events.sql
@@ -103,22 +103,20 @@ WHERE
   AND NOT homedir = '~/Library/Application Support/Foxit Software/Addon/Foxit PDF Reader/FoxitPDFReaderUpdateService.app/Contents/MacOS'
   AND NOT exception_key IN (
     '500,0,110,syncthing',
-    '500,0,123,sntp',
-    '500,0,53,spotify',
-    '500,500,443,Signal',
-    '500,500,443,Google Chrome Helper',
-    '500,500,443,Signal Helper (Renderer)',
     '500,0,1234,spotify',
-    '500,500,443,apk',
+    '500,0,123,sntp',
     '500,0,20480,io.tailscale.ipn.macsys.network-extension',
     '500,0,22,ssh',
     '500,0,31488,sntp',
     '500,0,32768,com.apple.NRD.UpdateBrainService',
     '500,0,32768,io.tailscale.ipn.macsys.network-extension',
     '500,0,32768,ksfetch',
+    '500,0,32768,networkQuality',
     '500,0,32768,syncthing',
-    '500,0,443,OneDriveStandaloneUpdater',
+    '500,0,43,whois',
+    '500,0,443,Brackets',
     '500,0,443,chrome',
+    '500,0,443,chrome_crashpad_handler',
     '500,0,443,com.apple.MobileSoftwareUpdate.UpdateBrainService',
     '500,0,443,com.apple.NRD.UpdateBrainService',
     '500,0,443,com.google.one.NetworkExtension',
@@ -128,79 +126,85 @@ WHERE
     '500,0,443,git-remote-http',
     '500,0,443,gnome-software',
     '500,0,443,http',
-    '500,0,443,Brackets',
-    '500,500,80,Google Chrome Helper',
-    '500,500,443,minikube',
     '500,0,443,io.tailscale.ipn.macsys.network-extension',
     '500,0,443,ksfetch',
     '500,0,443,launcher',
     '500,0,443,nessusd',
-    '500,500,443,kubectl',
+    '500,0,443,networkQuality',
     '500,0,443,node',
+    '500,0,443,OneDriveStandaloneUpdater',
     '500,0,443,slack',
-    '500,0,443,ssh',
-    '500,500,53,Code Helper',
-    '500,0,43,whois',
-    '500,0,443,spotify',
     '500,0,443,snapd',
+    '500,0,443,spotify',
+    '500,0,443,ssh',
     '500,0,443,syncthing',
     '500,0,443,velociraptor',
     '500,0,443,wget',
-    '500,0,443,chrome_crashpad_handler',
     '500,0,5228,chrome',
-    '500,0,443,gnome-software',
-    '500,0,53,NetworkManager',
     '500,0,53,chrome',
     '500,0,53,git',
-    '500,500,443,GoogleUpdater',
     '500,0,53,launcher',
+    '500,0,53,NetworkManager',
     '500,0,53,slack',
+    '500,0,53,spotify',
     '500,0,53,wget',
     '500,0,5632,ssh',
     '500,0,80,chrome',
     '500,0,80,com.apple.NRD.UpdateBrainService',
     '500,0,80,firefox',
     '500,0,80,http',
-    '500,500,20480,GoogleUpdater',
     '500,0,80,io.tailscale.ipn.macsys.network-extension',
     '500,0,80,ksfetch',
     '500,0,9,launcher',
     '500,500,13568,Code Helper',
+    '500,500,20480,Code Helper',
+    '500,500,20480,GoogleUpdater',
     '500,500,20480,ksfetch',
     '500,500,22,ssh',
     '500,500,2304,cloud_sql_proxy',
-    '500,500,32768,Electron',
     '500,500,32768,cloud-sql-proxy',
+    '500,500,32768,Electron',
+    '500,500,32768,GoogleUpdater',
     '500,500,32768,java',
     '500,500,32768,ksfetch',
+    '500,500,32768,node',
     '500,500,4318,Code Helper (Plugin)',
+    '500,500,443,apk',
+    '500,500,443,aws',
+    '500,500,443,chainctl',
     '500,500,443,Cisco WebEx Start',
     '500,500,443,CleanMyMac X Updater',
+    '500,500,443,cloud_sql_proxy',
+    '500,500,443,Code Helper',
     '500,500,443,Code Helper (Plugin)',
     '500,500,443,Code Helper (Renderer)',
-    '500,500,443,Code Helper',
+    '500,500,443,copilot-agent-macos-arm64',
     '500,500,443,DropboxMacUpdate',
     '500,500,443,Electron',
-    '500,500,443,GitX',
-    '500,500,443,aws',
-    '500,500,443,chainctl',
-    '500,500,443,cloud_sql_proxy',
-    '500,500,443,copilot-agent-macos-arm64',
     '500,500,443,figma_agent',
     '500,500,443,gh',
     '500,500,443,git-remote-http',
     '500,500,443,gitsign',
+    '500,500,443,GitX',
     '500,500,443,go',
+    '500,500,443,Google Chrome Helper',
+    '500,500,443,GoogleUpdater',
     '500,500,443,grype',
     '500,500,443,ksfetch',
+    '500,500,443,kubectl',
+    '500,500,443,minikube',
     '500,500,443,node',
     '500,500,443,old',
+    '500,500,443,Signal',
+    '500,500,443,Signal Helper (Renderer)',
     '500,500,443,syft',
     '500,500,443,wolfictl',
     '500,500,53,Code Helper',
-    '500,500,80,Code Helper (Plugin)',
     '500,500,80,cloud_sql_proxy',
+    '500,500,80,Code Helper',
+    '500,500,80,Code Helper (Plugin)',
     '500,500,80,copilot-agent-macos-arm64',
+    '500,500,80,Google Chrome Helper',
     '500,500,80,ksfetch',
     '500,500,80,node'
   )

diff --git a/detection/evasion/unexpected-dev-entries.sql b/detection/evasion/unexpected-dev-entries.sql
@@ -8,7 +8,8 @@
 --
 -- tags: persistent state filesystem
 -- platform: posix
-SELECT file.path,
+SELECT
+  file.path,
   file.type,
   file.size,
   file.mtime,
@@ -17,10 +18,12 @@ SELECT file.path,
   file.gid,
   hash.sha256,
   magic.data
-FROM file
+FROM
+  file
   LEFT JOIN hash ON file.path = hash.path
   LEFT JOIN magic ON file.path = magic.path
-WHERE (
+WHERE
+  (
     file.path LIKE '/dev/shm/%%'
     OR file.path LIKE '/dev/%/.%'
     OR file.path LIKE '/dev/.%'
@@ -34,6 +37,7 @@ WHERE (
       file.path LIKE '/dev/shm/.com.google.%'
       OR file.path LIKE '/dev/shm/.org.chromium.%'
       OR file.path LIKE '/dev/shm/wayland.mozilla.%'
+      OR file.path LIKE '/dev/shm/byobu-%'
       OR file.path LIKE '/dev/shm/shm-%-%-%'
       OR file.path LIKE '/dev/shm/pulse-shm-%'
       OR file.path LIKE '/dev/shm/u1000-Shm%'
@@ -47,4 +51,4 @@ WHERE (
   AND file.path NOT LIKE '/dev/shm/libpod_rootless_lock_%'
   AND file.path NOT LIKE '%/../%'
   AND file.path NOT LIKE '%/./%'
-  AND file.path NOT IN ('/dev/.mdadm/', '/dev/shm/libpod_lock')
+  AND file.path NOT IN ('/dev/.mdadm/', '/dev/shm/libpod_lock')
diff --git a/detection/evasion/unexpected-hidden-system-paths.sql b/detection/evasion/unexpected-hidden-system-paths.sql
@@ -152,7 +152,11 @@ WHERE
     '/var/tmp/.ses',
     '/var/tmp/.ses.bak'
   )
-  AND file.directory NOT IN ('/etc/skel', '/etc/skel/.config')
+  AND file.directory NOT IN (
+    '/etc/skel',
+    '/etc/skel/.config',
+    '/var/root/.provisio'
+  )
   AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
   AND file.path NOT LIKE '/tmp/.#%'
   AND file.path NOT LIKE '/tmp/.lark_cache_%'

diff --git a/detection/evasion/unusual-process-name-linux.sql b/detection/evasion/unusual-process-name-linux.sql
@@ -7,7 +7,10 @@
 SELECT
   p0.name AS pname,
   COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS basename,
-  COALESCE(REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1), "") AS pext,
+  COALESCE(
+    REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1),
+    ""
+  ) AS pext,
   -- Child
   p0.pid AS p0_pid,
   p0.path AS p0_path,
@@ -90,18 +93,21 @@ WHERE
   )
   AND NOT p1_pid = 2
   AND NOT p0_pid = 2
+  AND NOT pname LIKE '.%-wrap%'
+  AND p0.path NOT LIKE "/nix/store/%/.%-wrapped"
   AND basename NOT IN (
-    "xdg-permission-store",
-    "xdg-desktop-portal",
-    "xdg-document-portal",
+    "acpid",
+    'firefox',
+    "gmenudbusmenuproxy",
+    "irqbalance",
+    "kactivitymanagerd",
+    "nm-applet",
+    "perl",
+    "systemd",
     'udevadm',
+    "xdg-desktop-portal",
     "xdg-desktop-portal-gnome",
     "xdg-desktop-portal-gtk",
-    "perl",
-    "nm-applet",
-    "acpid",
-    "systemd",
-    "kactivitymanagerd",
-    "gmenudbusmenuproxy",
-    "irqbalance"
+    "xdg-document-portal",
+    "xdg-permission-store"
   )
diff --git a/detection/evasion/unusual-process-name-macos.sql b/detection/evasion/unusual-process-name-macos.sql
@@ -7,7 +7,10 @@
 SELECT
   p0.name AS pname,
   COALESCE(REGEX_MATCH (p0.path, '.*/(.*)', 1), p0.path) AS basename,
-  COALESCE(REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1), "") AS pext,
+  COALESCE(
+    REGEX_MATCH (p0.name, '.*/.*\.([a-z]{2,4})$', 1),
+    ""
+  ) AS pext,
   -- Child
   p0.pid AS p0_pid,
   p0.path AS p0_path,
@@ -33,7 +36,7 @@ SELECT
   p2_hash.sha256 AS p2_sha256
 FROM
   processes p0
-  LEFT JOIN signature s ON p0.path = s.path  
+  LEFT JOIN signature s ON p0.path = s.path
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
   LEFT JOIN processes p1 ON p0.parent = p1.pid
   LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
@@ -91,8 +94,9 @@ WHERE
     )
     AND pext NOT IN ("", "gui", "cli", "us", "node", "com")
   )
- AND NOT pname IN (
+  AND NOT pname IN (
     'cpu',
+    'com.microsoft.teams2.notificationcenter',
     'BetterTouchToolAppleScriptRunner',
     'BetterTouchToolShellScriptRunner',
     'TwitterNotificationServiceExtension',

diff --git a/detection/exfil/high_disk_bytes_read.sql b/detection/exfil/high_disk_bytes_read.sql
@@ -55,18 +55,22 @@ WHERE
   AND p0.path NOT LIKE '/Library/Apple/System/Library/%'
   AND p0.path NOT LIKE '/home/%/.local/share/Steam/steamapps/%'
   AND p0.name NOT IN (
+    'baloo_file',
+    'baloo_file_extr',
     'bash',
     'bwrap',
     'cargo',
     'chrome',
     'clamscan',
     'code',
-    'kandji-parameter-agent',
+    'com.apple.MobileSoftwareUpdate.UpdateBrainService',
     'com.apple.NRD.UpdateBrainService',
+    'cpptools',
     'dnf',
     'docker',
     'electron',
     'emacs',
+    'factorio',
     'firefox',
     'fish',
     'fleet_backend',
@@ -76,52 +80,49 @@ WHERE
     'go',
     'golangci-lint',
     'GoogleSoftwareUpdateAgent',
-    'com.apple.MobileSoftwareUpdate.UpdateBrainService',
-    'UpdateBrainService',
     'gopls',
     'grype',
     'java',
+    'kandji-parameter-agent',
     'kube-apiserver',
     'kube-controller',
     'kube-scheduler',
     'kue',
     'launcher',
     'LogiFacecamService',
-    'factorio',
     'mediawriter',
     'melange',
-    'rpi-imager',
     'nautilus',
     'nessusd',
     'nix',
     'nix-daemon',
     'nvim',
     'osqueryd',
     'osqueryi',
-    'baloo_file',
-    'baloo_file_extr',
+    'plasmashell',
     'qemu-system-aarch64',
     'qemu-system-x86',
     'qemu-system-x86-64',
+    'rpi-imager',
+    'rsync',
     'Safari',
     'sh',
-    'plasmashell',
-    'rsync',
     'slack',
     'spotify',
     'steam',
     'systemd',
-    'terraform-provider-apko',
     'terraform',
     'terraform-ls',
+    'terraform-provider-apko',
     'thunderbird',
     'tilt',
     'unattended-upgr',
+    'UpdateBrainService',
     'vim',
     'wineserver',
     'yay',
-    'yum',
     'ykman-gui',
+    'yum',
     'zsh',
     'ZwiftAppMetal'
   )

diff --git a/detection/persistence/unexpected-cron-entries.sql b/detection/persistence/unexpected-cron-entries.sql
@@ -22,3 +22,4 @@ WHERE
   AND command NOT LIKE '%/usr/lib/php/sessionclean%'
   AND command NOT LIKE 'root command -v debian-sa1%'
   AND command NOT LIKE '%rsync%'
+  AND command NOT LIKE 'gsutil %'
diff --git a/detection/persistence/unexpected-uid0-daemon-macos.sql b/detection/persistence/unexpected-uid0-daemon-macos.sql
@@ -285,11 +285,12 @@ WHERE -- Focus on longer-running programs
         '/usr/sbin/systemstats'
       )
       AND NOT path LIKE '/nix/store/%-nix-%/bin/nix'
-      AND NOT path LIKE '/opt/homebrew/Cellar/htop/%/bin/htop'
       AND NOT path LIKE '/opt/homebrew/Cellar/btop/%/bin/btop'
+      AND NOT path LIKE '/opt/homebrew/Cellar/htop/%/bin/htop'
+      AND NOT path LIKE '/opt/homebrew/Cellar/mtr/%/sbin/%'
       AND NOT path LIKE '/opt/homebrew/Cellar/socket_vmnet/%/bin/socket_vmnet'
-      AND NOT path LIKE '/usr/local/Cellar/htop/%/bin/htop'
       AND NOT path LIKE '/usr/local/Cellar/btop/%/bin/btop'
+      AND NOT path LIKE '/usr/local/Cellar/htop/%/bin/htop'
       AND NOT path LIKE '/usr/local/kolide-k2/bin/launcher-updates/%/Kolide.app/Contents/MacOS/launcher'
       AND NOT path LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
     GROUP BY