fpr: tune-ppd, lightdm, nami, gradle, etc

detection/c2/unexpected-dns-traffic-events.sql

@@ -69,7 +69,8 @@ WHERE
     '75.75.76.76', -- Comcast
     '68.105.28.13', -- Cox
     '80.248.7.1', -- 21st Century (NG)
-    '34.160.111.32' -- wolfi.dev
+    '34.160.111.32', -- wolfi.dev
+    '185.125.190.31' -- Canonical
   )
   -- Exceptions that specifically talk to one server
   AND exception_key NOT IN (
@@ -90,6 +91,7 @@ WHERE
     'distnoted,8.8.8.8,53',
     'limactl,8.8.8.8,53',
     'msedge,8.8.8.8,53',
+    'brave,8.8.8.8,53',
     'adguard_dns,1.0.0.1,53',
     'helm,185.199.108.133,53',
     'coredns,8.8.8.8,53',
@@ -115,6 +117,7 @@ WHERE
     'go',
     'wolfictl',
     'gvproxy',
+    'grype',
     'incusd',
     'helm',
     'terraform-provi',

detection/c2/unexpected-https-macos.sql

@@ -112,6 +112,7 @@ WHERE
     '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
     '500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman',
     '500,bash,bash,,bash',
+    '500,nami,nami,,a.out',
     '500,CrossyRoad,CrossyRoad,Apple iPhone OS Application Signing,com.hipsterwhale.crossy',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
     '500,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',

detection/evasion/empty_root_environ_linux.sql

@@ -71,6 +71,7 @@ WHERE
   AND NOT pp.name IN (
     'systemd-userdbd',
     'crond',
+    'dpkg',
     'systemd',
     'systemd-udevd',
     '(udev-worker)',
@@ -85,6 +86,7 @@ WHERE
   AND NOT p.cmdline LIKE '%--type=zygote%'
   AND NOT p.cmdline LIKE '%--disable-seccomp-filter-sandbox%'
   AND NOT p.cgroup_path LIKE '/system.slice/docker-%'
+  AND NOT pp.path LIKE '/usr/bin/%'
   AND NOT (
     p.name = 'sh'
     AND p.cgroup_path = '/system.slice/znapzend.service'

detection/evasion/hidden-cwd.sql

@@ -8,8 +8,7 @@
 --
 -- tags: transient often
 -- platform: posix
-SELECT
-  REPLACE(p0.cwd, u.directory, '~') AS dir,
+SELECT REPLACE(p0.cwd, u.directory, '~') AS dir,
   REGEX_MATCH (
     REPLACE(p0.cwd, u.directory, '~'),
     '([/~].*?/.*?)/',
@@ -56,8 +55,7 @@ SELECT
   p2.path AS p2_path,
   p2.cmdline AS p2_cmd,
   p2_hash.sha256 AS p2_sha256
-FROM
-  processes p0
+FROM processes p0
   LEFT JOIN file f ON p0.path = f.path
   LEFT JOIN users u ON p0.uid = u.uid
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
@@ -66,14 +64,10 @@ FROM
   LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE
-  p0.pid IN (
-    SELECT DISTINCT
-      pid
-    FROM
-      processes
-    WHERE
-      cwd LIKE '%/.%'
+WHERE p0.pid IN (
+    SELECT DISTINCT pid
+    FROM processes
+    WHERE cwd LIKE '%/.%'
       AND NOT name IN (
         'apfsd',
         'bindfs',
@@ -93,33 +87,34 @@ WHERE
   AND NOT (
     exception_key IN (
       'Arduino IDE Helper,/private/var/folders',
-      'Electron,~/.vscode/extensions',
       'arduino-language-server,/private/var/folders',
       'as,~/.cache/yay',
-      'bash,~/.Trash',
-      'bash,~/.local/share',
       'bash,~/go/src',
-      'c++,~/.cache/yay',
+      'bash,~/.local/share',
+      'bash,~/.Trash',
       'cc1,/home/build/.cache',
       'cc1plus,~/.cache/yay',
+      'c++,~/.cache/yay',
       'cgo,~/.gimme/versions',
       'clangd,/private/var/folders',
       'conmon,/var~/.local/share',
-      'mysqld,/var~/.local/share',
       'dirhelper,/private/var/folders',
+      'Electron,~/.vscode/extensions',
       'fileproviderd,~/Library/Mobile Documents',
-      'fish,~/.Trash',
       'fish,~/.local/share',
+      'fish,~/.Trash',
       'git,~/.local/share',
+      'java,~/.gradle/daemon',
       'java,/home/build/.gradle',
       'java,/home/build/.kotlin',
-      'java,~/.gradle/daemon',
       'java,~/.local/share',
       'make,~/.cache/yay',
       'makepkg,~/.cache/yay',
       'mysqld,~/.local/share',
+      'mysqld,/var~/.local/share',
       'npm install,~/.npm/_cacache',
       'opera_autoupdate,/private/var/folders',
+      'postinstall,/Library/InstallerSandboxes/.PKInstallSandboxManager',
       'rm,/private/var/folders',
       'rust-analyzer-p,~/.cargo/registry',
       'rustc,/home/build/.cargo',
@@ -183,12 +178,10 @@ WHERE
     OR dir LIKE '~/%google-cloud-sdk/.install/.backup%'
     OR dir LIKE '~/code/%'
     OR dir LIKE '~/dev/%/dots/%/.config%'
-    OR dir LIKE '~/src/%'
-    -- For sudo calls to other things
+    OR dir LIKE '~/src/%' -- For sudo calls to other things
     OR (
       dir LIKE '/home/.terraform.d/%'
       AND p0.euid = 0
     )
   )
-GROUP BY
-  p0.pid
+GROUP BY p0.pid

detection/evasion/hidden-executable.sql

@@ -71,6 +71,10 @@ WHERE (
     '~/.pnpm',
     '~/.rbenv',
     '~/.rustup',
+    '~/Code',
+    '~/code',
+    '~/Projects',
+    '~/src',
     '~/.sdkman',
     '~/.supermaven',
     '~/.terraform',
@@ -93,6 +97,7 @@ WHERE (
     '~/.docker/cli-plugins',
     '~/.fig/bin',
     '~/.go/bin',
+    '/home/linuxbrew/.linuxbrew',
     '~/.linkerd2/bin',
     '~/.linuxbrew/Cellar',
     '~/node_modules/.bin',
@@ -106,6 +111,7 @@ WHERE (
   )
   AND NOT dir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
   AND NOT dir LIKE '%/.terraform/providers/%'
+  AND NOT dir LIKE '%/node_modules/.pnpm/%'
   AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
   AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
   AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'

detection/evasion/missing-from-disk-linux.sql

@@ -49,8 +49,6 @@ WHERE
   -- Snap packages?
   AND p.path NOT LIKE '/tmp/.mount_%'
   AND p.path NOT LIKE '/home/%/.cache/yay/1password-cli/pkg/1password-cli/usr/bin/op'
-  AND p.path NOT IN (
-    '/usr/bin/python3.10',
-    '/opt/google/chrome/nacl_helper',
-    '/opt/Synergy/resources/synergy-tray'
-  )
+  -- Probably just an upgrade
+  AND p.path NOT LIKE '/usr/bin/%'
+  AND p.path NOT LIKE '/opt/%'

detection/evasion/unexpected-hidden-system-paths.sql

@@ -92,6 +92,7 @@ WHERE
     '/tmp/.eos-update-notifier.log',
     '/tmp/.featureflags-agent/',
     '/tmp/.font-unix/',
+    '/tmp/.SIGN.RSA.local-melange-enterprise.rsa.pub',
     '/tmp/.git/',
     '/tmp/.go-version',
     '/tmp/.helmrepo',

detection/execution/recently-created-executables-long-lived-linux.sql

@@ -44,7 +44,7 @@ FROM
 WHERE
   p0.start_time > 0
   AND f.ctime > 0
-  AND p0.start_time > (strftime('%s', 'now') - 43200)
+  AND p0.start_time < (strftime('%s', 'now') - 43200)
   AND (p0.start_time - MAX(f.ctime, f.btime)) < 10800
   AND p0.start_time >= MAX(f.ctime, f.ctime)
   AND NOT f.directory IN ('/usr/lib/firefox', '/usr/local/kolide-k2/bin') -- Typically daemons or long-running desktop apps

detection/execution/unexpected-env-values-linux.sql

@@ -75,6 +75,7 @@ WHERE -- This time should match the interval
   OR (
     LENGTH(pe.value) > 1024
     AND pe.key != 'LS_COLORS'
+    AND pe.key != 'HTTP_AUTH'
     AND f.mode IS NOT NULL
     AND f.mode NOT LIKE '0%'
   )

detection/exfil/yara-unexpected-rust-http-exec-process.sql

@@ -67,9 +67,10 @@ WHERE
     'figma_agent',
     'nvim',
     'old',
-    'rpm-ostree',
     'OrbStack Helper',
+    'rpm-ostree',
     'sg-nvim-agent',
+    'sm-agent',
     'stable',
     'wezterm-gui',
     'zed'

detection/persistence/listening-from-unusual-location.sql

@@ -102,6 +102,7 @@ WHERE
   AND NOT homepath LIKE "~/.%"
   AND NOT homecwd LIKE "~/.%"
   AND NOT homecwd LIKE '/Users/%/.gradle/daemon/%'
+  AND NOT homecwd LIKE '/home/%/.gradle/daemon/%'
   AND NOT f.directory IN (
     '/Applications/Keybase.app/Contents/SharedSupport/bin',
     '/opt/docker-desktop/bin'

detection/persistence/unexpected-chrome-extensions.sql

@@ -101,6 +101,8 @@ WHERE
     'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
     'true,BetaFish,AdBlock — best ad blocker,gighmmpiobklfepjocnamgkkbiglidom',
     'true,,Bionic Reading,kdfkejelgkdjgfoolngegkhkiecmlflj',
+    'true,,Gem,bnbpceglddpnehbopmdjegpfinikcaoh',
+    'true,,Chrome Capture - screenshot & GIF,ggaabchcecdbomdcnbahdfddfikjmphe',
     'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
     'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb',
     'true,,BlockSite: Block Websites & Stay Focused,eiimnmioipafcokbfikbljfdeojpcgbh',

detection/persistence/unexpected-device-linux.sql

@@ -210,6 +210,7 @@ WHERE (
     '/dev/stderr,fifo',
     '/dev/stderr,character',
     '/dev/stdin,character',
+    '/dev/stdin,fifo',
     '/dev/stdout,fifo',
     '/dev/stdout,character',
     '/dev/tee,character',

detection/persistence/unexpected-launchd-program-arguments.sql

@@ -41,11 +41,11 @@ WHERE
     'Developer ID Application: Cloudflare Inc. (68WVV388M8)',
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
+    'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
     'Developer ID Application: Foxit Corporation (8GN47HTP75)',
     'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
     'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
     'Developer ID Application: Google LLC (EQHXZ8M8AV)',
-    'Developer ID Application: Ubiquiti Inc. (4P645293E8)',
     'Developer ID Application: Grammarly, Inc (W8F64X92K3)',
     'Developer ID Application: Hercules Labs Inc. (B8PC799ZGU)',
     'Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3)',
@@ -73,6 +73,7 @@ WHERE
     'Developer ID Application: Sanford, L.P. (N3S6676K3E)', -- DYMO
     'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
     'Developer ID Application: Tenable, Inc. (4B8J598M7U)',
+    'Developer ID Application: Ubiquiti Inc. (4P645293E8)',
     'Developer ID Application: X-Rite, Incorporated (2K7GT73B4R)',
     'Software Signing', -- Apple
     'yabai-cert'

detection/persistence/unexpected-listening-port-macos.sql

@@ -5,8 +5,7 @@
 --
 -- tags: persistent state net low
 -- platform: darwin
-SELECT
-  lp.address,
+SELECT lp.address,
   lp.port,
   lp.protocol,
   p.uid,
@@ -28,13 +27,11 @@ SELECT
     ',',
     signature.authority
   ) AS exception_key
-FROM
-  listening_ports lp
+FROM listening_ports lp
   LEFT JOIN processes p ON lp.pid = p.pid
   LEFT JOIN hash ON p.path = hash.path
   LEFT JOIN signature ON p.path = signature.path
-WHERE
-  port != 0
+WHERE port != 0
   AND lp.address NOT IN ('224.0.0.251', '::1')
   AND lp.address NOT LIKE '127.0.0.%'
   AND lp.address NOT LIKE '172.1%'
@@ -220,7 +217,7 @@ WHERE
     AND lp.port > 5000
   )
   AND NOT (
-    exception_key LIKE  '3%,6,500,java,'
+    exception_key LIKE '3%,6,500,java,'
     AND p.cwd LIKE '/Users/%'
   )
   AND NOT (
@@ -229,18 +226,23 @@ WHERE
     and lp.protocol = 6
   )
   AND NOT (
-    p.name IN (
-      'caddy',
-      'com.docker.backend',
-      'controller',
-      'crane',
-      'crc',
-      'OrbStack Helper',
-      'docker-proxy',
-      'hugo',
-      'kubectl',
-      'node',
-      'webhook'
+    (
+      p.name IN (
+        'caddy',
+        'com.docker.backend',
+        'controller',
+        'crane',
+        'crc',
+        'OrbStack Helper',
+        'docker-proxy',
+        'hugo',
+        'kubectl',
+        'ssh',
+        'node',
+        'webhook'
+      )
+      OR p.name LIKE 'kubectl.%'
+      OR p.name LIKE '__%_go'
     )
     AND lp.port > 1024
     and lp.protocol = 6
@@ -266,5 +268,4 @@ WHERE
       AND lp.protocol = 6
     )
   )
-GROUP BY
-  exception_key
+GROUP BY exception_key