Merge pull request #465 from tstromberg/fpr25

fpr: datadog, nordvpn, claude, minecraftlauncher, eksctl

detection/c2/1-unexpected-dns-traffic-events.sql

@@ -89,20 +89,22 @@ WHERE
     'CapCut',
     'cg',
     'chainctl',
-    'chromium',
     'ChatGPT',
     'chrome',
+    'chromium',
     'Code Helper (Plugin)',
     'com.apple.WebKit.Networking',
     'com.docker.backend',
     'com.docker.buil',
     'com.docker.build',
     'com.docker.vpnkit',
+    'com.nordvpn.macos.helper',
     'containerd',
     'coredns',
     'Creative Cloud Content Manager.node',
     'distnoted',
     'dockerd',
+    'eksctl',
     'EpicWebHelper',
     'go',
     'grype',
@@ -148,6 +150,7 @@ WHERE
   -- Chromium/Electron apps seem to send stray packets out like nobodies business
   AND basename NOT LIKE '% Helper'
   AND basename NOT LIKE 'terraform-provider-%'
+  AND p.name != 'terraform-provi'
   AND p.path NOT LIKE '/snap/%'
   AND pp.path NOT IN ('/usr/bin/containerd-shim-runc-v2')
   -- Workaround for the GROUP_CONCAT subselect adding a blank ent

detection/c2/1-unexpected-https-linux.sql

@@ -82,6 +82,7 @@ WHERE
     '0,flatpak,0u,0g,flatpak',
     '0,flatpak-system-helper,0u,0g,flatpak-system-',
     '0,git-remote-http,0u,0g,git-remote-http',
+    '500,git,500u,500g,git',
     '0,go,0u,0g,go',
     '0,gtk4-update-icon-cache,0u,0g,gtk-update-icon',
     '0,http,0u,0g,https',
@@ -266,8 +267,10 @@ WHERE
     '500,melange,500u,500g,melange',
     '500,melange,u,g,melange',
     '500,Melvor Idle,500u,500g,exe',
+    '500,minecraft-launcher,500u,500g,minecraft-launc',
     '500,minikube,0u,0g,minikube',
     '500,msedge,0u,0g,msedge',
+    '500,git-remote-http,500u,500g,git-remote-http',
     '500,nami,500u,500g,nami',
     '500,nautilus,0u,0g,nautilus',
     '500,nerdctl,500u,500g,nerdctl',
@@ -277,8 +280,10 @@ WHERE
     '500,node,0u,0g,npm install',
     '500,node,500u,500g,npm run start',
     '500,node,u,g,node',
+    '500,zig,500u,500g,zig',
     '500,node,u,g,npm ci',
     '500,nuclei,500u,500g,nuclei',
+    '500,apkoaas,500u,500g,apkoaas',
     '500,obs,0u,0g,obs',
     '500,obs,u,g,obs',
     '500,obs-browser-page,0u,0g,obs-browser-pag',

detection/c2/1-unexpected-https-macos.sql

@@ -139,6 +139,7 @@ WHERE
     '500,kubectl,kubectl,Developer ID Application: Docker Inc (9BNSXJN65R),kubectl',
     '500,melange,melange,,a.out',
     '500,nami,nami,,a.out',
+    '500,art,art,,a.out',
     '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
     '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
     '500,odo-darwin-amd64-b4853e1fa,odo-darwin-amd64-b4853e1fa,500u,20g',

detection/c2/1-unexpected-talkers-linux.sql

@@ -92,10 +92,13 @@ WHERE
     '19305,6,500,msedge,0u,0g,msedge',
     '21,6,0,rpm-ostree,0u,0g,rpm-ostree',
     '25565,6,500,java,500u,500g,java',
+    '25567,6,500,java,500u,500g,java',
     '27018,6,500,pasta.avx2,0u,0g,pasta.avx2',
+    '32520,6,0,rpm-ostree,0u,0g,rpm-ostree',
+    '32768,6,0,registry,u,g,registry',
+    '32768,6,0,tailscaled,0u,0g,tailscaled',
     '32768,6,500,mumble,0u,0g,mumble',
     '32768,6,500,slirp4netns,0u,0g,slirp4netns',
-    '32768,6,0,tailscaled,0u,0g,tailscaled',
     '4070,6,500,spotify,0u,0g,spotify',
     '4070,6,500,spotify,u,g,spotify',
     '4433,6,500,openssl,0u,0g,openssl',
@@ -111,7 +114,6 @@ WHERE
     '80,6,0,incusd,0u,0g,incusd',
     '80,6,0,kmod,0u,0g,depmod',
     '80,6,0,kubelet,u,g,kubelet',
-    '8080,6,500,goland,u,g,goland',
     '80,6,0,ldconfig,0u,0g,ldconfig',
     '80,6,0,melange,500u,500g,melange',
     '80,6,0,NetworkManager,0u,0g,NetworkManager',
@@ -133,7 +135,6 @@ WHERE
     '80,6,0,python3.12,500u,500g,dnf-automatic',
     '80,6,0,python3.9,u,g,yum',
     '80,6,0,rpm-ostree,0u,0g,rpm-ostree',
-    '32520,6,0,rpm-ostree,0u,0g,rpm-ostree',
     '80,6,0,sort,0u,0g,sort',
     '80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
     '80,6,0,tailscaled,0u,0g,tailscaled',
@@ -147,6 +148,7 @@ WHERE
     '80,6,500,brave,0u,0g,brave',
     '80,6,500,chrome,0u,0g,chrome',
     '80,6,500,chrome,u,g,chrome',
+    '80,6,500,chromium,0u,0g,chromium',
     '80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
     '80,6,500,code,0u,0g,code',
     '80,6,500,code-oss,u,g,code-oss',
@@ -160,16 +162,15 @@ WHERE
     '80,6,500,firefox-bin,0u,0g,firefox-bin',
     '80,6,500,firefox-bin,500u,500g,firefox-bin',
     '80,6,500,firefox-bin,u,g,firefox-bin',
+    '80,6,500,firefox-esr,0u,0g,firefox-esr',
     '80,6,500,flatpak,0u,0g,flatpak',
     '80,6,500,git-remote-http,0u,0g,git-remote-http',
     '80,6,500,gnome-software,0u,0g,gnome-software',
     '80,6,500,http,0u,0g,http',
     '80,6,500,http,u,g,http',
     '80,6,500,java,0u,0g,java',
     '80,6,500,java,u,g,java',
-    '80,6,500,firefox-esr,0u,0g,firefox-esr',
     '80,6,500,main,500u,500g,main',
-    '8080,6,500,speedtest,0u,0g,speedtest',
     '80,6,500,mateweather-applet,0u,0g,mateweather-app',
     '80,6,500,mconvert,500u,500g,mconvert',
     '80,6,500,mediawriter,u,g,mediawriter',
@@ -213,7 +214,6 @@ WHERE
     '80,6,500,wine64-preloader,0u,0g,control.exe',
     '80,6,500,zen,u,g,zen',
     '80,6,500,zoom,0u,0g,zoom',
-    '80,6,500,chromium,0u,0g,chromium',
     '80,6,500,zoom.real,u,g,zoom.real',
     '80,6,500,ZoomWebviewHost,0u,0g,ZoomWebviewHost',
     '8000,6,500,brave,0u,0g,brave',
@@ -224,12 +224,14 @@ WHERE
     '8080,6,500,chrome,0u,0g,chrome',
     '8080,6,500,firefox,0u,0g,firefox',
     '8080,6,500,goland,500u,500g,goland',
+    '8080,6,500,goland,u,g,goland',
     '8080,6,500,idea,0u,0g,idea',
     '8080,6,500,java,u,g,java',
     '8080,6,500,msedge,0u,0g,msedge',
     '8080,6,500,pycharm,500u,500g,pycharm',
     '8080,6,500,python3.11,0u,0g,speedtest-cli',
     '8080,6,500,python3.12,u,g,hass',
+    '8080,6,500,speedtest,0u,0g,speedtest',
     '8080,6,500,speedtest,500u,500g,speedtest',
     '8443,6,500,chrome,0u,0g,chrome',
     '8443,6,500,firefox,0u,0g,firefox',

detection/credentials/1-unexpected-dev-opener-macos.sql

@@ -85,19 +85,19 @@ WHERE
     '/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
     '/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',
     '/dev/autofs,automountd,Software Signing,com.apple.automountd',
+    '/dev/bpf,agentbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),agentbeat',
     '/dev/bpf,airportd,Software Signing,com.apple.airport.airportd',
     '/dev/bpf,BDLDaemon,Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.epsecurity.BDLDaemonApp',
     '/dev/bpf,com.bjango.istatmenus.daemon,Developer ID Application: Bjango Pty Ltd (Y93TK974AT),com.bjango.istatmenus',
     '/dev/bpf,core,Developer ID Application: TPZ Solucoes Digitais Ltda (X37R283V2T),com.topaz.warsaw.core',
     '/dev/bpf,MHLinkServer,Developer ID Application: Metric Halo Distribution, Inc. (X7EY8SFM86),com.mhlabs.mhlink.server',
     '/dev/bpf,packetbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),packetbeat',
-    '/dev/bpf,agentbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),agentbeat',
     '/dev/bus/usb/001/01,scdaemon',
     '/dev/console,Arc,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.Browser',
     '/dev/console,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
     '/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd',
-    '/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
     '/dev/console,launchd,Software Signing,com.apple.xpc.launchd',
+    '/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
     '/dev/cu.BLTH,bluetoothd,Software Signing,com.apple.bluetoothd',
     '/dev/cu.debug-console,ZwiftAppSilicon,Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon',
     '/dev/cu.usbmodem10,serial-monitor,,a.out',
@@ -128,6 +128,7 @@ WHERE
     '/dev/oslog,logd,Software Signing,com.apple.logd',
     '/dev/pf,CloudflareWARP,Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
     '/dev/pf,mullvad-daemon,Developer ID Application: Mullvad VPN AB (CKG9MXH72F),mullvad-daemon',
+    '/dev/rdisk,etcher-util,Developer ID Application: Balena Ltd (66H43P8FRG),etcher-util',
     '/dev/shm,python3',
     '/dev/tty.usbmodem21430,Bazecor Helper (Renderer),,',
     '/dev/xcpm,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',

detection/discovery/2-unexpected-pcap-user-linux.sql

@@ -44,6 +44,8 @@ WHERE
     '/usr/sbin/libvirtd',
     '/usr/bin/tcpdump',
     '/usr/libexec/UserEventAgent',
+    '/opt/datadog-agent/bin/agent/agent',
+    '/opt/datadog-agent/embedded/bin/system-probe',
     '/usr/sbin/cupsd',
     '/usr/sbin/systemstats'
   )

detection/evasion/1-old-binaries-running.sql

@@ -94,6 +94,7 @@ WHERE
     'Vimari Extension'
   )
   AND f.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/%/d/Skitch.app/Contents/MacOS/Skitch'
+  AND f.filename NOT LIKE 'protoc-%'
   AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
   AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
   AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/podman-%'

detection/evasion/2-unexpected-var-run-linux.sql → detection/evasion/1-unexpected-var-run-linux.sql

@@ -40,6 +40,7 @@ WHERE
     'bluetooth.blocked',
     'bootupd-lock',
     'dmeventd.pid',
+    'do-not-hibernate',
     'greetd.run',
     'com.rapid7.cnchub.pid',
     'com.rapid7.component_insight_agent.pid',

detection/evasion/1-unusual-executable-name-linux.sql

@@ -91,6 +91,7 @@ WHERE
   AND NOT pname LIKE '__Test%.test'
   AND pname NOT IN (
     "acpid",
+    "cpu_sup",
     "akonadi_followupreminder_agent",
     "gmenudbusmenuproxy",
     "irqbalance",

detection/evasion/2-unexpected-hidden-system-paths.sql

@@ -252,6 +252,7 @@ WHERE
   AND file.path NOT LIKE '/tmp/.wine-%'
   AND file.path NOT LIKE '/tmp/.X1%-lock'
   AND file.path NOT LIKE '/tmp/.gradle%'
+  AND file.path NOT LIKE '/tmp/.git_signing_key%'
   AND file.path NOT LIKE '/tmp/.xfsm-ICE-%'
   AND file.path NOT LIKE '/usr/lib/jvm/.java-%-openjdk-%.jinfo'
   AND file.path NOT LIKE '/usr/local/%/.keepme'

detection/evasion/2-unexpected-user-executables-macos.sql

@@ -211,6 +211,8 @@ WHERE
     '~/Library/Calendars/Calendar.sqlitedb-wal',
     '~/Library/Calendars/Calendar.sqlitedb',
     '~/Library/com.apple.iTunesCloud/play_activity.sqlitedb-wal',
+    '~/Library/Group Containers/group.com.apple.calendar/Calendar.sqlitedb-wal',
+    '~/Library/Group Containers/group.com.apple.calendar/Calendar.sqlitedb',
     '~/Library/Finance/finance_cloud.db-wal',
     '~/Library/Finance/finance_cloud.db',
     '~/Library/Group Containers/group.com.docker/unleash-repo-schema-v1-Docker Desktop.json',

detection/execution/1-unexpected-fetcher-parents.sql

@@ -84,6 +84,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
     'curl,500,zsh,mc',
     'curl,500,zsh,sh',
     'curl,500,zsh,zellij',
+    'wget,500,bootstrap,sh',
     'wget,500,env,env',
     'wget,500,invoke,sh',
     'wget,500,sh,bwrap',

detection/execution/2-tiny-executable.sql

@@ -32,7 +32,11 @@ WHERE
   AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%'
   AND NOT file.path LIKE '/home/%/.zsh/completion'
   AND NOT file.path LIKE '/Users/%/.zsh/completion'
-  AND NOT file.path IN ('/', '/usr/bin/ruby')
+  AND NOT file.path IN (
+    '/',
+    '/usr/bin/ruby',
+    '/Applications/OpenOffice.app/Contents/MacOS/soffice'
+  )
   AND NOT (
     file.path = '/sbin/ldconfig'
     AND pp.euid = 1000

detection/execution/2-unexpected-long-running-security-framework-macos.sql

@@ -113,6 +113,7 @@ WHERE -- Focus on longer-running programs
   AND NOT exception_key LIKE '500,nvim,bob-%,'
   AND NOT exception_key LIKE '500,package-version-server-v%,package_version_server-%,'
   AND NOT exception_key LIKE '500,rust-analyzer,rust_analyzer-%,'
+  AND NOT exception_key LIKE '500,gopls_%_go_%,a.out,'
   AND NOT exception_key LIKE '500,sm-agent,sm_agent-%'
 GROUP BY
   p0.pid

detection/execution/2-unexpected-packet-sniffer.sql

@@ -42,6 +42,7 @@ WHERE
     'agentbeat',
     'dhclient',
     'dhcpcd',
+    'dockerd',
     'NetworkManager',
     'packetbeat',
     'systemd-network',

detection/exfil/1-high_disk_bytes_read.sql

@@ -61,8 +61,8 @@ WHERE
     'apko',
     'Autodesk Fusion 360',
     'Autodesk Identity Manager',
-    'baloo_file_extr',
     'baloo_file',
+    'baloo_file_extr',
     'bash',
     'BDLDaemon',
     'bincapz',
@@ -73,6 +73,7 @@ WHERE
     'code',
     'com.apple.MobileSoftwareUpdate.UpdateBrainService',
     'com.apple.NRD.UpdateBrainService',
+    'com.apple.WebKit.Networking',
     'cpptools',
     'Disk Inventory X',
     'dnf',
@@ -83,14 +84,15 @@ WHERE
     'emacs',
     'factorio',
     'Fedora Media Writer',
-    'firefox-bin',
     'firefox',
+    'firefox-bin',
     'fish',
     'fleet_backend',
     'fsdaemon',
     'fsnotifier',
     'gnome-software',
     'go',
+    'containerd-shim',
     'goland',
     'golangci-lint',
     'Google Chrome',
@@ -115,18 +117,19 @@ WHERE
     'Microsoft Update Assistant',
     'nautilus',
     'nessusd',
-    'nix-daemon',
     'nix',
+    'nix-daemon',
     'nvim',
-    'ollama_llama_server',
-    'ollama-runer',
     'ollama',
+    'ollama-runer',
+    'ollama_llama_server',
     'osqueryd',
     'osqueryi',
     'plasmashell',
+    'pycharm',
     'qemu-system-aarch64',
-    'qemu-system-x86-64',
     'qemu-system-x86',
+    'qemu-system-x86-64',
     'rpi-imager',
     'rpm-ostree',
     'rsync',
@@ -136,12 +139,12 @@ WHERE
     'slack',
     'snapd',
     'spotify',
-    'steam_osx',
     'steam',
+    'steam_osx',
     'systemd',
+    'terraform',
     'terraform-ls',
     'terraform-provider-apko',
-    'terraform',
     'thunderbird',
     'tilt',
     'unattended-upgr',
@@ -161,6 +164,8 @@ WHERE
   AND NOT p0.path IN (
     '/app/libexec/mediawriter/helper',
     '/usr/libexec/syspolicyd',
+    '/usr/libexec/logd',
+    '/usr/libexec/packagekitd',
     '/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup',
     '/Library/Elastic/Endpoint/elastic-endpoint',
     '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',

detection/initial_access/1-unexpected-diskimage-source-macos.sql

@@ -66,6 +66,7 @@ WHERE
     'boxcdn.net',
     'brave.com',
     'byfly.by',
+    'claude.ai',
     'c-wss.com',
     'canon.co.uk',
     'cdn.mozilla.net',

detection/initial_access/2-sketchy-mounted-diskimage.sql

@@ -144,6 +144,7 @@ WHERE
         "Developer ID Application: Bose Corporation (QC9P7FKWH6)",
         "Developer ID Application: Justin Clift (C34AV33YLK)",
         "Developer ID Application: Logitech Inc. (QED4VVPZWA)",
+        "Developer ID Application: Google LLC (EQHXZ8M8AV)",
         "Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
         "Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)",
         "Developer ID Application: Roblox Corporation (2CFABCH843)",

detection/persistence/2-unexpected-chrome-extensions.sql → detection/persistence/1-unexpected-chrome-extensions.sql

@@ -168,6 +168,7 @@ WHERE
     'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
     'true,AwardWallet LLC,AwardWallet,lppkddfmnlpjbojooindbmcokchjgbib',
     'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
+    'true,BetterLogic <Dev@betterlogic>,Better History | Blacklist Mode,egehpkpgpgooebopjihjmnpejnjafefi',
     'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
     'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb',
     'true,Cartera,American Airlines AAdvantage® eShopping℠,dcdiajifnnbipfljbggcbbheipfdmgpo',

detection/persistence/2-unexpected-global-lock.sql → detection/persistence/1-unexpected-global-lock.sql

@@ -53,6 +53,7 @@ WHERE
     '500,0,/tmp/write.lock,regular,0644',
     '500,1000,/tmp/1000-nwg-bar.lock,regular,0600',
     '500,1000,/tmp/golangci-lint.lock,regular,0600',
+    '500,1000,/tmp/minecraftlauncher.1000.pid.lock,regular,0664',
     '500,1001,/tmp/nwg-dock.lock,regular,0600',
     '74,0,/tmp/mysql.sock.lock,regular,0600',
     '74,0,/tmp/mysqlx.sock.lock,regular,0600'
@@ -61,3 +62,4 @@ WHERE
   AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0644'
   AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0664'
   AND NOT exception_key LIKE '500,1000,/tmp/vscode-remote-ssh-%-install.lock,regular,0664'
+  AND NOT exception_key LIKE '500,1000,/tmp/%.eksctl.lock,regular,0600'

detection/privesc/1-unexpected-privileged-containers.sql

@@ -41,3 +41,4 @@ WHERE
   AND image NOT LIKE 'k3d-k3d.localhost:%'
   AND image NOT LIKE 'melange-%'
   AND command NOT LIKE '/usr/bin/melange build %'
+  AND command != '/bin/k3s server'