Merge pull request #446 from chainguard-dev/lorimor/FPs20250121

fpr: qemu, cargo-install, adguard, ankerwork, talos, nbd, expressvpn, vim, passwd

detection/credentials/unexpected-dev-opener-linux.sql

@@ -139,6 +139,7 @@ WHERE
     '/dev/net,tailscaled',
     '/dev/net,.tailscaled-wrapped',
     '/dev/net/tun,qemu-system-x86_64',
+    '/dev,qemu-nbd',
     '/dev/shm,1password',
     '/dev/shm,Brackets',
     '/dev/shm,chrome',
@@ -206,6 +207,7 @@ WHERE
     '/dev/net/tun,qemu-system-x86_64',
     '/dev/net/tun,slirp4netns',
     '/dev/pts,incusd',
+    '/dev/nbd,qemu-nbd',
     '/dev/sda,ntfs-3g',
     '/dev/shm/envoy_shared_memory_1,envoy',
     '/dev/tpmrm,launcher',

detection/evasion/touched-executable-linux.sql

@@ -44,6 +44,7 @@ WHERE
   AND f.path NOT LIKe '/var/home/%'
   AND f.path NOT LIKE '/snap/%'
   AND f.path NOT LIKE '/tmp/%go-build%/exe/%'
+  AND f.path NOT LIKE '/tmp/cargo-install%/%'
   AND f.path NOT LIKE '/usr/local/bin/%'
   AND f.path NOT LIKE '/opt/rapid7/ir_agent/%'
   AND f.path NOT LIKE '/var/home/linuxbrew/.linuxbrew/%'

detection/execution/unexpected-env-values-linux.sql

@@ -65,7 +65,8 @@ WHERE -- This time should match the interval
       '/usr/lib/libjemalloc.so',
       '/usr/lib/libsnmallocshim.so',
       '/usr/lib/libsnmallocshim-checks-memcpy-only.so',
-      '/usr/local/lib/libmimalloc.so'
+      '/usr/local/lib/libmimalloc.so',
+      '/run/host/usr/lib/extest/libextest.so'
     )
     AND NOT pe.value LIKE ':/home/%/.local/share/Steam'
     AND NOT pe.value LIKE ':/home/%/.var/app/com.valvesoftware.Steam/%'

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -38,10 +38,12 @@ WHERE
   AND file.btime > (strftime('%s', 'now') -86400)
   AND domain NOT IN (
     'adobe.com',
+    'adguard.com',
     'akmedia.digidesign.com',
     'alfredapp.com',
     'amazon.com',
     'android.com',
+    'ankerwork.com',
     'ankiweb.net',
     'apple.com',
     'arc.net',
@@ -146,6 +148,7 @@ WHERE
     'steampowered.com',
     'synaptics.com',
     'tableplus.com',
+    'talos.dev',
     'teams.cdn.office.net',
     'techsmith.com',
     'tweaknews.eu',
@@ -244,14 +247,17 @@ WHERE
     'superkey.app',
     'superhuman.com',
     'tableplus.com',
+    'www.talos.dev',
     'textexpander.com',
     'tosmediaserver.schwab.com',
     'transmissionbt.com',
     'ubuntu.com',
     'ultimaker.com',
     'universal-blue.discourse.group',
+    'us.ankerwork.com',
     'warp-releases.storage.googleapis.com',
     'wavebox.io',
+    'welcome.adguard.com',
     'www.google.com',
     'www.messenger.com',
     'zed.dev',
@@ -271,7 +277,7 @@ WHERE
   AND host NOT LIKE 'driver.%'
   AND host NOT LIKE 'support%'
   AND host NOT LIKE 's3.%.amazonaws.com'
-  AND host NOT LIKe '%.s3.%.amazonaws.com'
+  AND host NOT LIKE '%.s3.%.amazonaws.com'
   AND host NOT LIKE 'software%'
   AND host NOT LIKE 'www.google.%'
   AND host NOT LIKE '%release%.storage.googleapis.com'

detection/persistence/unexpected-device-linux.sql

@@ -163,6 +163,8 @@ WHERE
     '/dev/ngn,character',
     '/dev/ntsync,character',
     '/dev/null,character',
+    '/dev/nbd,block',
+    '/dev/nbdp,block',
     '/dev/nvidia,character',
     '/dev/nvidiactl,character',
     '/dev/nvidia-modeset,character',

detection/persistence/unexpected-launchd-program-arguments.sql

@@ -43,6 +43,7 @@ WHERE
     'Developer ID Application: Corsair Memory, Inc. (Y93VXCB8Q5)',
     'Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z)',
     'Developer ID Application: EnterpriseDB Corporation (26QKX55P9K)',
+    'Developer ID Application: Expressco Services, LLC (TC292Y5427)', -- Express VPN
     'Developer ID Application: Foxit Corporation (8GN47HTP75)',
     'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
     'Developer ID Application: Google, Inc. (EQHXZ8M8AV)',
@@ -84,6 +85,7 @@ WHERE
   )
   AND program_arguments NOT IN (
     '/Applications/AeroSpace.app/Contents/MacOS/AeroSpace --started-at-login',
+    '/Applications/ExpressVPN.app/Contents/MacOS/expressvpnd',
     '/Applications/RODE Virtual Channels.app/Contents/MacOS/RODE Virtual Channels',
     '/Applications/Stream Deck.app/Contents/MacOS/Stream Deck --runinbk',
     '/Applications/Tunnelblick.app/Contents/Resources/launchAtLogin.sh',

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -285,6 +285,7 @@ WHERE
     'python3,/usr/bin/python3.12,0,system.slice,dbus.service,0755',
     'python3,/usr/bin/python__VERSION__,0,system.slice,ubuntu-advantage.service,0755',
     'qemu-ga,/usr/bin/qemu-ga,0,system.slice,qemu-guest-agent.service,0755',
+    'qemu-nbd,/usr/bin/qemu-nbd,0,user.slice,user-1000.slice,0755',
     'qualys-cloud-ag,/usr/local/qualys/cloud-agent/bin/qualys-cloud-agent,0,system.slice,qualys-cloud-agent.service,0700',
     'rapid7_endpoint,/opt/rapid7/ir_agent/components/endpoint_broker/__VERSION__/rapid7_endpoint_broker,0,system.slice,ir_agent.service,0744',
     'rpm-ostree,/usr/bin/rpm-ostree,0,system.slice,rpm-ostreed.service,0755',
@@ -373,6 +374,7 @@ WHERE
     '/usr/bin/monito,/usr/bin/perl,0,system.slice,monitorix.service,0755',
     'v4l2-relayd,/usr/bin/v4l2-relayd,0,system.slice,v4l2-relayd.service,0755',
     'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
+    'vim,/usr/bin/vim.basic,0,user.slice,user-1000.slice,0755',
     'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
     'virtlockd,/usr/sbin/virtlockd,0,system.slice,virtlockd.service,0755',
     'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',

detection/privesc/unexpected-setxid-process.sql

@@ -43,6 +43,7 @@ WHERE
     '/usr/bin/fusermount',
     '/usr/bin/fusermount3',
     '/usr/bin/newgrp',
+    '/usr/bin/passwd',
     '/usr/bin/schroot',
     '/usr/bin/keybase-redirector',
     '/usr/bin/login',