Merge pull request #458 from tstromberg/fpr-feb18

fpr: re-add missing Chrome extensions, more Linux adjustments
chainguard-dev · Feb 19, 2025 · 0dbda14 · 0dbda14
2 parents 186f2a1 + dce0ead
commit 0dbda14
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 9 deletions.
diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql
@@ -132,6 +132,7 @@ WHERE
     '80,6,0,python3.12,500u,500g,dnf-automatic',
     '80,6,0,python3.9,u,g,yum',
     '80,6,0,rpm-ostree,0u,0g,rpm-ostree',
+    '32520,6,0,rpm-ostree,0u,0g,rpm-ostree',
     '80,6,0,sort,0u,0g,sort',
     '80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
     '80,6,0,tailscaled,0u,0g,tailscaled',

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
@@ -107,6 +107,7 @@ WHERE
     '500,Developer ID Application: Autodesk (XXKJ396S2Y)',
     '500,Developer ID Application: Blackmagic Design Inc (9ZGFBWLSYP)',
     '500,Developer ID Application: Cisco (DE8Y96K9QP)',
+    '500,Developer ID Application: Azul Systems, Inc. (TDTHCUPYFR)',
     '500,Developer ID Application: David Kocher (G69SCX94XU)',
     '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
     '500,Developer ID Application: Microsoft Corporation (UBF8T346G9)',

diff --git a/detection/evasion/unexpected-process-extension-linux.sql b/detection/evasion/unexpected-process-extension-linux.sql
@@ -88,6 +88,7 @@ WHERE
     'ext',
     'nox',
     'real',
+    'smp',
     'test',
     'tiny'
   )

diff --git a/detection/evasion/unexpected-tmp-executables-linux.sql b/detection/evasion/unexpected-tmp-executables-linux.sql
@@ -157,6 +157,7 @@ WHERE -- Optimization: don't join things until we have a whittled down list of f
     AND (
       magic.data IN (
         "POSIX shell script, ASCII text executable",
+        "Bourne-Again shell script, ASCII text executable",
         "libtool library file, ASCII text",
         "ASCII text",
         "JSON data"

diff --git a/detection/exfil/yara-exec-connect-process-linux.sql b/detection/exfil/yara-exec-connect-process-linux.sql
@@ -1,5 +1,5 @@
 -- Currently running program with Linux red flags
--- 
+--
 -- reference:
 --   * bpfdoor (old)
 --
@@ -53,7 +53,7 @@ WHERE
     GROUP BY
       path
   )
-  AND yara.sigrule = '    
+  AND yara.sigrule = '
     rule syscalls {
     strings:
         $inet_ntoa = "inet_ntoa"
@@ -67,6 +67,7 @@ WHERE
   AND yara.path NOT IN (
     '/usr/bin/dbus-broker-launch',
     '/usr/bin/sudo',
+    '/usr/sbin/greetd',
     '/usr/lib/git-core/git-remote-https',
     '/usr/sbin/auditd',
     '/usr/sbin/mcelog'

diff --git a/detection/persistence/unexpected-chrome-extensions.sql b/detection/persistence/unexpected-chrome-extensions.sql
@@ -87,16 +87,23 @@ WHERE
     OR perms LIKE '%desktopCapture%'
   )
   AND NOT exception_key IN (
+    "true,GEN Digital Inc.,I don't care about cookies,fihnjjcciajhdojfnbdddfaoknhalnja",
+    "true,OhMyGuus and Community (originally Daniel Kladnik),I still don't care about cookies,edibdbjcniadpccecjdfdjjppcpchdlm",
     'false,[email protected],Privacy Badger,mkejgcgkdlddbggjhhflekkondicpnop',
     'true,,Adobe Acrobat: PDF edit, convert, sign tools,efaidnbmnnnibpcajpcglclefindmkaj',
+    'true,,Allow CORS: Access-Control-Allow-Origin,lhobafahddgcelffkeicbaginigeejlf',
     'true,,Amplitude Event Explorer,acehfjhnmhbmgkedjmjlobpgdicnhkbp',
     'true,,Application Launcher For Drive (by Google),lmjegmlicamnimmfhcmpkclmigmmcbeh',
     'true,,Boomerang for Gmail,mdanidgdpmkimeiiojknlnekblgmpdll',
     'true,,Capital One Shopping: Save Now,nenlahapcbofgnanklpelkaejcehkggg',
     'true,,Chrome Capture - screenshot & GIF,ggaabchcecdbomdcnbahdfddfikjmphe',
     'true,,Chrome Remote Desktop,inomeogfingihgjfjlpeplalcfajhgai',
+    'true,,Cisco Umbrella Chromebook client (Ext),jcdhmojfecjfmbdpchihbeilohgnbdci',
     'true,,Cisco Webex Extension,jlhmfgmfgeifomenelglieieghnjghma',
     'true,,Copper CRM for Gmail,hpfmedbkgaakgagknibnonpkimkibkla',
+    'true,,Coupert - Automatic Coupon Finder & Cashback,mfidniedemcgceagapgdekdbmanojomk',
+    'true,,DuckDuckGo Privacy Essentials,bkdgflcldnnnapblkhphbgpggdiikppg',
+    'true,,EditThisCookie,fngmhnnpilhplaeedifhccceomclgfbg',
     'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
     'true,,Gem,bnbpceglddpnehbopmdjegpfinikcaoh',
     'true,,Go Links,gojgbkejhelijlkgpmlbbkklljgmfljj',
@@ -112,13 +119,17 @@ WHERE
     'true,,Kagi Search,cdglnehniifkbagbbombnjghhcihifij',
     'true,,Live Stream Downloader,looepbdllpjgdmkpdcdffhdbmpbcfekj',
     'true,,Loom – Screen Recorder & Screen Capture,liecbddmkiiihnedobmlmillhodjkdmb',
+    'true,,Media Hint,akipcefbjlmpbcejgdaopmmidpnjlhnb',
     'true,,Mettl Tests : Enable Screen Sharing,hkjemkcbndldepdbnbdnibeppofoooio',
     'true,,Microsoft Single Sign On,ppnbnpeolgkicgegkbkbjmhlideopiji',
+    'true,,Moesif Origin/CORS Changer & API Logger,digfbfaphojjndkpccljibejjbppifbc',
     'true,,Newsletter Creator for Gmail - Flashissue,cihaednhfbocfdiflmpccekcmjepcnmb',
     'true,,Nooks,kbbdibmbjngifdgbmlleelghocpeimhe',
     'true,,NordVPN - VPN proxy for privacy and security,fjoaledfpmneenckfbpdfhkmimnjocfa',
+    'true,,NoScript,doojmbjmlfjjnbmnoijecmcbfeoakpjm',
     'true,,Okta Browser Plugin,glnpjglilkicbckjpbgcfkogebgllemb',
     'true,,Outreach Optimization on LinkedIn & Gmail,ngeodglgpmplepchhghijjncnikifaed',
+    'true,,Page Analytics (by Google),fnbdnhhicmebfgdgglcdacdapkcihcoh',
     'true,,Poshmark | PosherVA,ofacfijogapplfgkoolmdojoieiemihl',
     'true,,Privacy Badger,pkehgijcmpdhfbdbbnkijodmdjhbjlgp',
     'true,,ProctorU,goobgennebinldhonaajgafidboenlkl',
@@ -135,6 +146,7 @@ WHERE
     'true,,Solitaire,lkbhppfbabandkdmgjmifahoabeodiep',
     'true,,Surfshark VPN Extension,ailoabdmgclmfmhdagmlohpjlbpffblp',
     'true,,Talend API Tester - Free Edition,aejoelaoggembcahagimdiliamlcdmfm',
+    'true,,Tamper Chrome (extension),hifhgpdkfodlpnlmlnmhchnkepplebkb',
     'true,,Tampermonkey,dhdgffkkebhmkfjojejmpbldmpobfkfo',
     'true,,TextExpander: Keyboard Shortcuts & Templates,mmfhhfjhpadoefoaahomoakamjcfcoil',
     'true,,Touch VPN - Secure and unlimited VPN proxy,bihmplhobchoageeokmgbdihknkjbknd',
@@ -147,11 +159,14 @@ WHERE
     'true,,Wistia Video Downloader,acbiaofoeebeinacmcknopaikmecdehl',
     'true,,Yesware Sales Engagement,gkjnkapjmjfpipfcccnjbjcbgdnahpjp',
     'true,,Zoom,hmbjbjdpkobdjplfobhljndfdfdipjhg',
+    'true,,Zotero Connector,ekhagklcjbdpajgpjgmbionohlpdbjgc',
     'true,Adblock, Inc.,AdBlock — block ads across the web,gighmmpiobklfepjocnamgkkbiglidom',
+    'true,Adguard Software Ltd,AdGuard AdBlocker,bgnkhhnnamicmpeenaelnjfhikgbkllg',
     'true,AgileBits,1Password Nightly – Password Manager,gejiddohjgogedgjnonbofjigllpkmbf',
     'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
     'true,AwardWallet LLC,AwardWallet,lppkddfmnlpjbojooindbmcokchjgbib',
     'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
+    'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
     'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb',
     'true,Cartera,American Airlines AAdvantage® eShopping℠,dcdiajifnnbipfljbggcbbheipfdmgpo',
     'true,Cartera,United Airlines MileagePlus Shopping℠,apcjkhjbhapedgbekhlhdkidpohpkfne',
@@ -166,13 +181,16 @@ WHERE
     'true,Keepa GmbH,Keepa - Amazon Price Tracker,neebplgakaahbhdphmkckjjcegoiijjo',
     'true,Keeper Security, Inc.,Keeper® Password Manager & Digital Vault,bfogiafebfohielmmehodmfbbebbbpei',
     'true,LastPass,LastPass: Free Password Manager,hdokiejnpimakedhajhdlcegeplioahd',
+    'true,Microsoft Corporation,Microsoft Autofill,fiedbfgcleddlbcmgdigjgdfcggjcion',
+    'true,modhader@,ModHeader - Modify HTTP headers,idgpnmonknjnojddfkpgkljpfnnfcklj',
     'true,Opera Software AS,Rich Hints Agent,enegjkbbakeegngfapepobipndnebkdk',
     'true,Opera,Cashback Assistant,ompjkhnkeoicimmaehlcmgmpghobbjoj',
     'true,Quantier, LLC,Vim for Google Docs™,aphmodfjbhofkpibocbggkdfnpbpjmpp',
     'true,Rakuten,Rakuten: Get Cash Back For Shopping,chhjbpecpncaggjpdakmflnfcopglcmi',
     'true,Raymond Hill & contributors,uBlock Origin,cjpalhdlnbpafiamejdnhcphjbkeiagm',
     'true,Reddit Enhancement Suite contributors,Reddit Enhancement Suite,kbmfpngjjgdllneeigpgjifpgocmfgmb',
     'true,Symantec Corporation,Norton Password Manager,admmjipmmciaobhojoghlmleefbicajg',
+    'true,Thomas Rientjes,Decentraleyes,ldpochfccmkkmhdbclfhpagapcfdljkj',
     'true,Wappalyzer,Wappalyzer - Technology profiler,gppongmhjkpfnbhagpmjfkannfbllamg',
     'true,Yuri Konotopov <[email protected]>,GNOME Shell integration,gphhapmejobijbbhgpjhcjognlahblep',
     'true,Zinlab <sebastian@Zinlab>,Better History,egehpkpgpgooebopjihjmnpejnjafefi'

diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -83,7 +83,6 @@ WHERE
     'abrt-dump-journ,/usr/bin/abrt-dump-journal-oops,0,system.slice,abrt-oops.service,0755',
     'abrt-dump-journ,/usr/bin/abrt-dump-journal-xorg,0,system.slice,abrt-xorg.service,0755',
     'abrtd,/usr/sbin/abrtd,0,system.slice,abrtd.service,0755',
-    'sddm-helper,/usr/lib/x__VERSION___64-linux-gnu/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
     'accounts-daemon,/nix/store/__VERSION__/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0555',
     'accounts-daemon,/usr/lib/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
     'accounts-daemon,/usr/libexec/accounts-daemon,0,system.slice,accounts-daemon.service,0755',
@@ -190,6 +189,8 @@ WHERE
     'gpg-agent,/usr/bin/gpg-agent,0,system.slice,fwupd.service,0755',
     'gpg-agent,/usr/bin/gpg-agent,0,system.slice,packagekit.service,0755',
     'gpg-agent,/usr/bin/gpg-agent,0,user.slice,user-1000.slice,0755',
+    'greetd,/usr/sbin/greetd,0,user.slice,user-1000.slice,0755',
+    'greetd,/usr/sbin/greetd,0,system.slice,greetd.service,0755',
     'group-admin-dae,/usr/libexec/group-admin-daemon,0,system.slice,group-admin-daemon.service,0755',
     'gssproxy,/usr/sbin/gssproxy,0,system.slice,gssproxy.service,0755',
     'gvfsd,/usr/libexec/gvfsd,0,user.slice,user-1000.slice,0755',
@@ -246,6 +247,7 @@ WHERE
     'metalauncher,/var/vanta/metalauncher,0,system.slice,vanta.service,0755',
     'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',
     'mount.ntfs,/usr/bin/ntfs-3g,0,system.slice,udisks2.service,0755',
+    'mpris-proxy,/usr/bin/mpris-proxy,0,user.slice,user-0.slice,0755',
     'multipassd,/snap/multipass/__VERSION__/bin/multipassd,0,system.slice,snap.multipass.multipassd.service,0755',
     'multipathd,/usr/sbin/multipathd,0,system.slice,multipathd.service,0755',
     'nessus-service,/opt/nessus/sbin/nessus-service,0,system.slice,nessusd.service,0755',
@@ -291,6 +293,7 @@ WHERE
     'pwrstatd,/usr/sbin/pwrstatd,0,system.slice,pwrstatd.service,0700',
     'python3,/usr/bin/python__VERSION__,0,system.slice,dbus.service,0755',
     'python3,/usr/bin/python__VERSION__,0,system.slice,system-dbus\x2d:1.1\x2dorg.pop_os.transition_system.slice,0755',
+    'python3,/usr/bin/python__VERSION__,0,system.slice,system-dbus\x2d:1.2\x2dorg.pop_os.transition_system.slice,0755',
     'python3,/usr/bin/python__VERSION__,0,system.slice,ubuntu-advantage.service,0755',
     'qemu-ga,/usr/bin/qemu-ga,0,system.slice,qemu-guest-agent.service,0755',
     'qemu-nbd,/usr/bin/qemu-nbd,0,user.slice,user-1000.slice,0755',
@@ -306,6 +309,7 @@ WHERE
     'sddm,/usr/bin/sddm,0,system.slice,sddm.service,0755',
     'sddm-helper,/usr/lib/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
     'sddm-helper,/usr/lib/x86_64-linux-gnu/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
+    'sddm-helper,/usr/lib/x__VERSION___64-linux-gnu/sddm/sddm-helper,0,user.slice,user-1000.slice,0755',
     'sddm-helper,/usr/libexec/sddm-helper,0,user.slice,user-1000.slice,0755',
     'sedispatch,/usr/sbin/sedispatch,0,system.slice,auditd.service,0755',
     'sg,/usr/bin/newgrp,1000,user.slice,user-1000.slice,4755',
@@ -326,7 +330,9 @@ WHERE
     'sshd,/usr/sbin/sshd,0,system.slice,sshd.service,0755',
     'sshd,/usr/sbin/sshd,0,user.slice,user-1000.slice,0755',
     'sshd,/usr/sbin/sshd,0,user.slice,user-501.slice,0755',
+    'sshd-session,/usr/lib/openssh/sshd-session,0,user.slice,user-1000.slice,0755',
     'sssd_kcm,/usr/libexec/sssd/sssd_kcm,0,system.slice,sssd-kcm.service,0755',
+    'su,/usr/bin/su,0,user.slice,user-0.slice,4755',
     'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
     'su,/usr/bin/su,1000,user.slice,user-0.slice,4755',
     'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4111',
@@ -335,7 +341,9 @@ WHERE
     'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
     'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
     'system76-power,/usr/bin/system76-power,0,system.slice,com.system76.PowerDaemon.service,0755',
+    'system76-power,/usr/bin/system__VERSION__-power,0,system.slice,com.system76.PowerDaemon.service,0755',
     'system76-schedu,/usr/bin/system76-scheduler,0,system.slice,com.system76.Scheduler.service,0755',
+    'system76-schedu,/usr/bin/system__VERSION__-scheduler,0,system.slice,com.system76.Scheduler.service,0755',
     'systemd,/usr/lib/systemd/systemd,0,user.slice,user-0.slice,0755',
     'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
     'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
@@ -390,15 +398,9 @@ WHERE
     'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-0.slice,0755',
     'xdg-permission-,/usr/libexec/xdg-permission-store,0,user.slice,user-1000.slice,0755',
     'Xorg,/usr/lib/Xorg,0,system.slice,lightdm.service,0755',
-    'sshd-session,/usr/lib/openssh/sshd-session,0,user.slice,user-1000.slice,0755',
     'Xorg,/usr/lib/Xorg,0,system.slice,sddm.service,0755',
-    'system76-power,/usr/bin/system__VERSION__-power,0,system.slice,com.system76.PowerDaemon.service,0755',
-    'system76-schedu,/usr/bin/system__VERSION__-scheduler,0,system.slice,com.system76.Scheduler.service,0755',
-    'python3,/usr/bin/python__VERSION__,0,system.slice,system-dbus\x2d:1.2\x2dorg.pop_os.transition_system.slice,0755',
     'Xorg,/usr/lib/xorg/Xorg,0,system.slice,lightdm.service,0755',
     'Xorg,/usr/lib/xorg/Xorg,0,system.slice,sddm.service,0755',
-    'su,/usr/bin/su,0,user.slice,user-0.slice,4755',
-    'mpris-proxy,/usr/bin/mpris-proxy,0,user.slice,user-0.slice,0755',
     'yum,/usr/bin/python__VERSION__,0,user.slice,user-1000.slice,0755',
     'zed,/nix/store/__VERSION__/bin/zed,0,system.slice,zfs-zed.service,0555',
     'zed,/usr/sbin/zed,0,system.slice,zfs-zed.service,0755',
@@ -408,6 +410,7 @@ WHERE
     'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-frequent.service,0555',
     'zfs-auto-snapsh,/nix/store/__VERSION__/bin/ruby,0,system.slice,zfs-snapshot-hourly.service,0555'
   )
+  AND NOT exception_key LIKE 'dhcpcd,/usr/sbin/dhcpcd,0,system.slice,ifup@en%.service,0755'
   AND NOT exception_key LIKE '%beat,%/opt/Elastic/Agent/data/elastic-%/components/%beat,0,system.slice,elastic-agent.service,%'
   AND NOT exception_key LIKE 'abrt-dbus,/usr/sbin/abrt-dbus,0,system.slice,system-dbus%org.freedesktop.problems.slice,%'
   AND NOT exception_key LIKE 'containerd,/var/lib/rancher/k3s/data/%/bin/k3s,0,system.slice,k3s.service,0755'
-Original file line number
+Diff line change
@@ Expand Up / @@ -88,6 +88,7 @@ WHERE @@
         'ext',
         'nox',
         'real',
+        'smp',
         'test',
         'tiny'
       )
@@ Expand Down @@