Merge pull request #384 from tstromberg/fpr-aug27

fpr: the largest of 2024 🎉
chainguard-dev · Aug 27, 2024 · df577d4 · df577d4
2 parents 73f76d5 + edc1710
commit df577d4
Show file tree

Hide file tree

Showing 64 changed files with 632 additions and 457 deletions.
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
@@ -85,11 +85,13 @@ WHERE
     'Meeting Center,8.8.8.8,53',
     'ServiceExtension,8.8.8.8,53',
     'nuclei,1.0.0.1,53',
+    'distnoted,8.8.8.8,53',
     'limactl,8.8.8.8,53',
     'adguard_dns,1.0.0.1,53',
     'coredns,8.8.8.8,53',
     'signal-desktop,8.8.8.8,53',
     'slack,8.8.8.8,53',
+    'zed,8.8.8.8,53',
     'EpicWebHelper,8.8.4.4,53',
     'EpicWebHelper,8.8.8.8,53',
     'Signal Helper (Renderer),8.8.8.8,53',
@@ -99,22 +101,23 @@ WHERE
   )
   -- Local DNS servers and custom clients go here
   AND basename NOT IN (
+    'adguard_dns',
+    'apk',
+    'apko',
     'chrome',
-    'gvproxy',
+    'com.apple.WebKit.Networking',
     'com.docker.backend',
-    'WhatsApp',
+    'go',
+    'gvproxy',
+    'IPNExtension',
     'Jabra Direct Helper',
-    'nessusd',
     'limactl',
-    'apko',
-    'nuclei',
-    'adguard_dns',
-    'IPNExtension',
     'mDNSResponder',
     'melange',
-    'com.apple.WebKit.Networking',
-    'apk',
-    'systemd-resolved'
+    'nessusd',
+    'nuclei',
+    'systemd-resolved',
+    'WhatsApp'
   )
   AND p.name NOT IN ('Jabra Direct Helper')
   -- Chromium/Electron apps seem to send stray packets out like nobodies business

diff --git a/detection/c2/unexpected-dns-traffic.sql b/detection/c2/unexpected-dns-traffic.sql
@@ -89,6 +89,7 @@ WHERE
     '/Applications/Slack.app/Contents/Frameworks/Slack Helper.app/Contents/MacOS/Slack Helper',
     '/Applications/Spotify.app/Contents/Frameworks/Spotify Helper.app/Contents/MacOS/Spotify Helper',
     '/Applications/Tailscale.app/Contents/PlugIns/IPNExtension.appex/Contents/MacOS/IPNExtension',
+    '/opt/podman/bin/gvproxy',
     '/System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking',
     '/usr/bin/tailscaled',
     '/usr/lib/systemd/systemd-resolved',

diff --git a/detection/c2/unexpected-https-linux.sql b/detection/c2/unexpected-https-linux.sql
@@ -302,10 +302,14 @@ WHERE
     '500,slirp4netns,500u,500g,slirp4netns',
     '500,snap-store,0u,0g,snap-store',
     '500,snyk,500u,500g,snyk',
+    '500,plasmashell,0u,0g,plasmashell',
     '500,spotify,0u,0g,spotify',
     '500,spotify,500u,500g,spotify',
     '500,spotify,u,g,spotify',
+    '500,limactl,500u,500g,limactl',
+    '500,tidal-hifi,u,g,tidal-hifi',
     '500,steam,500u,100g,steam',
+    '0,skopeo,0u,0g,skopeo',
     '500,steam,500u,500g,steam',
     '500,steamwebhelper,500u,100g,steamwebhelper',
     '500,steamwebhelper,500u,500g,steamwebhelper',
@@ -328,6 +332,7 @@ WHERE
     '500,trivy,500u,500g,trivy',
     '500,ubuntu-report,0u,0g,ubuntu-report',
     '500,wget,0u,0g,wget',
+    '500,ssh,0u,0g,ssh',
     '500,wine64-preloader,500u,500g,DaveTheDiver.ex',
     '500,wine64-preloader,500u,500g,Root.exe',
     '500,wolfictl,500u,500g,wolfictl',
@@ -340,6 +345,7 @@ WHERE
   AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf'
   AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf-automatic'
   AND NOT exception_key LIKE '0,python3.%,0u,0g,yum'
+  AND NOT exception_key LIKE '500,python3.%,0u,0g,update-manager'
   AND NOT exception_key LIKE '500,cosign-%,500u,500g,cosign-%'
   AND NOT exception_key LIKE '500,node,0u,0g,npm exec %'
   AND NOT exception_key LIKE '500,node,0u,0g,npm install %'

diff --git a/detection/c2/unexpected-https-macos.sql b/detection/c2/unexpected-https-macos.sql
@@ -108,41 +108,46 @@ WHERE
   AND NOT exception_key IN (
     '0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
     '0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
-    '500,.Telegram-wrapped,.Telegram-wrapped,,Telegram',
-    '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
-    '500,Fleet,~/Library/Caches/JetBrains/Fleet',
-    '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
-    '500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
-    '500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
-    '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
-    '500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop',
-    '500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
-    '500,PowerPoint,PowerPoint,Apple Development: Zack Hoherchak (SS9PSPF8UF),PowerPoint',
-    '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
-    '500,Skitch,Skitch,Developer ID Application: Skitch Inc (J8RPQ294UB),com.skitch.skitch',
-    '500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
-    '500,WebexHelper,WebexHelper,Developer ID Application: Cisco (DE8Y96K9QP),Cisco-Systems.SparkHelper',
     '500,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
+    '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
     '500,bash,bash,,bash',
+    '500,CrossyRoad,CrossyRoad,Apple iPhone OS Application Signing,com.hipsterwhale.crossy',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
     '500,com.docker.backend,com.docker.backend,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
+    '500,com.docker.build,com.docker.build,Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
+    '500,copilot-language-server,copilot-language-server,Developer ID Application: GitHub (VEKTX9H2N7),copilot-language-server',
+    '500,Fleet,~/Library/Caches/JetBrains/Fleet',
+    '500,TextExpander,TextExpander,Developer ID Application: SmileOnMyMac, LLC (7PKJ6G4DXL),com.smileonmymac.textexpander',
     '500,gh,gh,,gh',
+    '500,core,core,Developer ID Application: TPZ Solucoes Digitais Ltda (X37R283V2T),com.topaz.warsaw.core',
     '500,git-remote-http,git-remote-http,,git-remote-http-55554944748a32c47cdc35cfa7f071bb69a39ce4',
     '500,goland,goland,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.goland',
+    '500,IterableRichNotifications,IterableRichNotifications,Apple iPhone OS Application Signing,com.plexapp.plex.IterableRichNotifications',
     '500,java,java,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.8u401.java',
+    '500,Java Updater,Java Updater,Developer ID Application: Oracle America, Inc. (VB5E2TV963),com.oracle.java.Java-Updater',
     '500,jcef Helper,jcef Helper,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),org.jcef.jcef.helper',
+    '500,Kindle,Kindle,TestFlight Beta Distribution,com.amazon.Lassen',
     '500,krisp Helper,krisp Helper,Developer ID Application: Krisp Technologies, Inc. (U5R26XM5Z2),ai.krisp.krispMac.helper',
     '500,krisp,krisp,Developer ID Application: Krisp Technologies, Inc. (U5R26XM5Z2),ai.krisp.krispMac',
     '500,kubectl,kubectl,Developer ID Application: Docker Inc (9BNSXJN65R),kubectl',
     '500,melange,melange,,a.out',
     '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
     '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
+    '500,Paintbrush,Paintbrush,Developer ID Application: Michael Schreiber (G966ML7VBG),com.soggywaffles.paintbrush',
+    '500,PlexMobile,PlexMobile,Apple iPhone OS Application Signing,com.plexapp.plex',
+    '500,Plex,Plex,Developer ID Application: Plex Inc. (K4QJ56KR4A),tv.plex.desktop',
+    '500,PowerPoint,PowerPoint,Apple Development: Zack Hoherchak (SS9PSPF8UF),PowerPoint',
     '500,process-agent,process-agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),process-agent',
     '500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
+    '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
     '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',
+    '500,Skitch,Skitch,Developer ID Application: Skitch Inc (J8RPQ294UB),com.skitch.skitch',
+    '500,Sky Go,Sky Go,Developer ID Application: Sky UK Limited (GJ24C8864F),com.bskyb.skygoplayer',
     '500,snyk-ls_darwin_arm64,snyk-ls_darwin_arm64,,a.out',
     '500,syncthing,syncthing,,syncthing',
+    '500,.Telegram-wrapped,.Telegram-wrapped,,Telegram',
     '500,trunk,trunk,Developer ID Application: Trunk Technologies, Inc. (LDR5F9BL92),trunk-cli',
+    '500,WebexHelper,WebexHelper,Developer ID Application: Cisco (DE8Y96K9QP),Cisco-Systems.SparkHelper',
     '500,zed,zed,Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed'
   )
   AND NOT alt_exception_key IN (
@@ -164,6 +169,7 @@ WHERE
     '500,crane,crane,0u,500g',
     '500,crane,crane,500u,80g',
     '500,docker-scout,docker-scout,500u,20g',
+    '500,Emacs,Emacs,500u,80g',
     '500,gh-dash,gh-dash,500u,20g',
     '500,git-credential-osxkeychain,git-credential-osxkeychain,500u,80g',
     '500,git,git,0u,500g',
@@ -178,6 +184,7 @@ WHERE
     '500,log-streaming,log-streaming,500u,80g',
     '500,.man-wrapped,.man-wrapped,0u,500g',
     '500,nami,nami,0u,0g',
+    '500,nix,nix,0u,500g',
     '500,nodegizmo,nodegizmo,500u,20g',
     '500,pprof,pprof,500u,80g',
     '500,pulumi-resource-gcp,pulumi-resource-gcp,500u,20g',
@@ -236,30 +243,34 @@ WHERE
   )
   AND NOT alt_exception_key LIKE '500,terraform-provider-%,terraform-provider-%,500u,20g'
   AND NOT alt_exception_key LIKE '500,plugin_host-%,plugin_host-%,500u,20g'
+  AND NOT alt_exception_key LIKE '500,sm-agent-%,sm-agent-%,500u,20g'
   AND NOT p0.path LIKE '/private/var/folders/%/T/GoLand/%'
   AND NOT (
     exception_key IN (
-      '500,Python,Python,,org.python.python',
-      '500,Python,Python,,Python',
-      '500,Python,Python,,',
-      '500,Python,Python,Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python',
-      '500,Python,Python,0u,80g',
       '500,python3.11,python3.11,,python3.11',
       '500,python3.12,python3.12,,python3.12',
-      '500,Python,Python,Developer ID Application: Ned Deily (DJ3H93M7VJ),org.python.python'
+      '500,Python,Python,,',
+      '500,Python,Python,0u,80g',
+      '500,Python,Python,Developer ID Application: Ned Deily (DJ3H93M7VJ),org.python.python',
+      '500,Python,Python,Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python',
+      '500,Python,Python,,org.python.python',
+      '500,Python,Python,,Python'
     )
     AND (
       p0_cmd LIKE '%/gcloud.py%'
       OR p0_cmd LIKE '%/google-cloud-sdk/bin/%'
       OR p0_cmd LIKE '%/google-cloud-sdk/platform/%'
       OR p0_cmd LIKE '%pip install%'
+      OR p0_cmd LIKE '%pip3 install%'
       OR p0_cmd LIKE '%googlecloudsdk/core/metrics_reporter.py%'
       OR p0_cmd LIKE '%/bin/aws%'
       OR p0_cmd LIKE "%/gsutil/gsutil %"
       OR p0_cwd LIKE "/Users/%/github/%"
       OR p0_cwd LIKE "/Users/%/src/%"
       OR p0_cmd LIKE '%bin/chaingpt %'
       OR p0_cmd LIKE '%fetch_commits%'
+      OR p0_cmd LIKE '%/Python update_plugins.py'
+      OR p0_cmd LIKE '%/pydevd.py'
     )
   ) -- theScore and other iPhone apps
   AND NOT (

diff --git a/detection/c2/unexpected-libcurl-user-linux.sql b/detection/c2/unexpected-libcurl-user-linux.sql
@@ -68,8 +68,7 @@ WHERE
   AND pmm.path LIKE '%libcurl%'
   AND NOT exception_key IN (
     '0,0,/var/run/ublue-update.lock,regular,0755',
-    'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,rpm-ostreed.service,0755',
-    'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,ublue-update.service,0755',
+    'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
     'dnf-automatic,/usr/bin/python3.12,0,system.slice,dnf-automatic-install.service,0755',
     'dnf-automatic,/usr/bin/python__VERSION__,0,system.slice,dnf-automatic-install.service,0755',
     'dnf,/usr/bin/python__VERSION__,0,system.slice,dnf-makecache.service,0755',
@@ -78,13 +77,15 @@ WHERE
     'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
     'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
     'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
-    'sddm-helper,/usr/libexec/sddm-helper,0,user.slice,user-1000.slice,0755',
     'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
     'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
     'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',
     'ostree,/usr/bin/ostree,0,system.slice,ostree-finalize-staged-hold.service,0755',
     'packagekitd,/usr/libexec/packagekitd,0,system.slice,packagekit.service,0755',
     'pacman,/usr/bin/pacman,0,user.slice,user-1000.slice,0755',
+    'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,rpm-ostreed.service,0755',
+    'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,ublue-update.service,0755',
+    'sddm-helper,/usr/libexec/sddm-helper,0,user.slice,user-1000.slice,0755',
     'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
     'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
     'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',

diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
@@ -86,6 +86,8 @@ WHERE
   AND NOT exception_key IN (
     '123,17,500,chronyd,0u,0g,chronyd',
     '4070,6,500,spotify,u,g,spotify',
+    '49152,6,500,ContinuityCaptureAgent,Software Signing',
+    '67,17,0,NetworkManager,0u,0g,NetworkManager',
     '8000,6,500,brave,0u,0g,brave',
     '8000,6,500,chrome,0u,0g,chrome',
     '8000,6,500,firefox,0u,0g,firefox',
@@ -99,43 +101,42 @@ WHERE
     '80,6,0,pacman,0u,0g,pacman',
     '80,6,0,pdftex,0u,0g,pdftex',
     '80,6,0,python3.10,0u,0g,dnf',
-    '9,17,0,launcher,0u,0g,launcher',
-    '80,6,500,thunderbird-bin,u,g,thunderbird-bin',
-    '80,6,500,http,u,g,http',
     '80,6,0,python3.10,0u,0g,dnf-automatic',
     '80,6,0,python3.10,0u,0g,yum',
     '80,6,0,python3.11,0u,0g,dnf',
     '80,6,0,python3.11,0u,0g,dnf-automatic',
     '80,6,0,python3.11,0u,0g,yum',
+    '80,6,0,python3.12,0u,0g,dnf',
     '80,6,0,python3.12,0u,0g,yum',
-    '80,6,500,firefox-bin,0u,0g,firefox-bin',
     '80,6,0,python3.9,u,g,yum',
+    '80,6,0,rpm-ostree,0u,0g,rpm-ostree',
     '80,6,0,sort,0u,0g,sort',
     '80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
     '80,6,0,tailscaled,0u,0g,tailscaled',
     '80,6,0,wget,0u,0g,wget',
-    '80,6,500,wget,0u,0g,wget',
     '80,6,0,zstd,0u,0g,zstd',
     '80,6,100,http,0u,0g,http',
     '80,6,105,http,0u,0g,http',
     '80,6,42,http,0u,0g,http',
     '80,6,500,aws-iam-authenticator,0u,0g,aws-iam-authent',
-    '67,17,0,NetworkManager,0u,0g,NetworkManager',
     '80,6,500,brave,0u,0g,brave',
     '80,6,500,chrome,0u,0g,chrome',
     '80,6,500,chrome,u,g,chrome',
     '80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
     '80,6,500,code,0u,0g,code',
+    '80,6,500,code-oss,u,g,code-oss',
     '80,6,500,copilot-agent-linux,500u,500g,copilot-agent-l',
     '80,6,500,curl,0u,0g,curl',
     '80,6,500,electron,0u,0g,electron',
     '80,6,500,firefox,0u,0g,firefox',
     '80,6,500,firefox,0u,0g,.firefox-wrappe',
+    '80,6,500,firefox-bin,0u,0g,firefox-bin',
     '80,6,500,firefox-bin,500u,500g,firefox-bin',
     '80,6,500,firefox-bin,u,g,firefox-bin',
     '80,6,500,flatpak,0u,0g,flatpak',
     '80,6,500,git-remote-http,0u,0g,git-remote-http',
     '80,6,500,gnome-software,0u,0g,gnome-software',
+    '80,6,500,http,u,g,http',
     '80,6,500,java,0u,0g,java',
     '80,6,500,java,u,g,java',
     '80,6,500,main,500u,500g,main',
@@ -151,6 +152,7 @@ WHERE
     '80,6,500,python3.11,0u,0g,yum',
     '80,6,500,python3.12,0u,0g,pull-lp-source',
     '80,6,500,qemu-system-x86_64,0u,0g,qemu-system-x86',
+    '80,6,500,qemu-system-x86_64,500u,500g,qemu-system-x86',
     '80,6,500,rpi-imager,0u,0g,rpi-imager',
     '80,6,500,signal-desktop,0u,0g,signal-desktop',
     '80,6,500,signal-desktop,u,g,signal-desktop',
@@ -166,8 +168,10 @@ WHERE
     '80,6,500,terraform,0u,0g,terraform',
     '80,6,500,terraform,500u,500g,terraform',
     '80,6,500,thunderbird,0u,0g,thunderbird',
+    '80,6,500,thunderbird-bin,u,g,thunderbird-bin',
     '80,6,500,thunderbird,u,g,thunderbird',
     '80,6,500,WebKitNetworkProcess,0u,0g,WebKitNetworkPr',
+    '80,6,500,wget,0u,0g,wget',
     '80,6,500,wine64-preloader,0u,0g,control.exe',
     '80,6,500,zoom,0u,0g,zoom',
     '80,6,500,zoom.real,u,g,zoom.real',
@@ -182,6 +186,7 @@ WHERE
     '8801,17,500,zoom.real,u,g,zoom.real',
     '88,6,500,syncthing,0u,0g,syncthing',
     '8987,6,500,whois,0u,0g,whois',
+    '9,17,0,launcher,0u,0g,launcher',
     '9418,6,500,git,0u,0g,git',
     '993,6,500,evolution,0u,0g,evolution',
     '993,6,500,thunderbird,0u,0g,thunderbird',
@@ -250,8 +255,7 @@ WHERE
   AND NOT (
     exception_key = '32768,6,500,ssh,0u,0g,ssh'
     AND s.remote_port = 40022
-  )
-  -- Qualys
+  ) -- Qualys
   AND NOT (
     exception_key = '80,6,0,curl,0u,0g,curl'
     AND p.cgroup_path = '/system.slice/qualys-cloud-agent.service'