diff --git a/detection/c2/1-unexpected-dns-traffic-events.sql b/detection/c2/1-unexpected-dns-traffic-events.sql
index f87788b6..2082f2a0 100644
--- a/detection/c2/1-unexpected-dns-traffic-events.sql
+++ b/detection/c2/1-unexpected-dns-traffic-events.sql
@@ -89,20 +89,22 @@ WHERE
 'CapCut',
 'cg',
 'chainctl',
- 'chromium',
 'ChatGPT',
 'chrome',
+ 'chromium',
 'Code Helper (Plugin)',
 'com.apple.WebKit.Networking',
 'com.docker.backend',
 'com.docker.buil',
 'com.docker.build',
 'com.docker.vpnkit',
+ 'com.nordvpn.macos.helper',
 'containerd',
 'coredns',
 'Creative Cloud Content Manager.node',
 'distnoted',
 'dockerd',
+ 'eksctl',
 'EpicWebHelper',
 'go',
 'grype',
@@ -148,6 +150,7 @@ WHERE
 -- Chromium/Electron apps seem to send stray packets out like nobodies business
 AND basename NOT LIKE '% Helper'
 AND basename NOT LIKE 'terraform-provider-%'
+ AND p.name != 'terraform-provi'
 AND p.path NOT LIKE '/snap/%'
 AND pp.path NOT IN ('/usr/bin/containerd-shim-runc-v2')
 -- Workaround for the GROUP_CONCAT subselect adding a blank ent
diff --git a/detection/c2/1-unexpected-https-linux.sql b/detection/c2/1-unexpected-https-linux.sql
index 630be878..f34c9514 100644
--- a/detection/c2/1-unexpected-https-linux.sql
+++ b/detection/c2/1-unexpected-https-linux.sql
@@ -82,6 +82,7 @@ WHERE
 '0,flatpak,0u,0g,flatpak',
 '0,flatpak-system-helper,0u,0g,flatpak-system-',
 '0,git-remote-http,0u,0g,git-remote-http',
+ '500,git,500u,500g,git',
 '0,go,0u,0g,go',
 '0,gtk4-update-icon-cache,0u,0g,gtk-update-icon',
 '0,http,0u,0g,https',
@@ -266,8 +267,10 @@ WHERE
 '500,melange,500u,500g,melange',
 '500,melange,u,g,melange',
 '500,Melvor Idle,500u,500g,exe',
+ '500,minecraft-launcher,500u,500g,minecraft-launc',
 '500,minikube,0u,0g,minikube',
 '500,msedge,0u,0g,msedge',
+ '500,git-remote-http,500u,500g,git-remote-http',
 '500,nami,500u,500g,nami',
 '500,nautilus,0u,0g,nautilus',
 '500,nerdctl,500u,500g,nerdctl',
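Review bot: `AND p.name != 'terraform-provi'` compares against the kernel-truncated process name (15 characters), so it exempts any process whose comm is exactly `terraform-provi`, not only Terraform providers; the path-based `basename NOT LIKE 'terraform-provider-%'` on the line above is the stronger check, and this one presumably covers rows where the path is not resolvable. Without a comment the next reader is likely to "fix" the apparent typo: `-- p.name is truncated to 15 chars by the kernel; covers providers whose path is unavailable`. The enclosing WHERE clause continues outside the hunk.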
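Review bot: `'500,git,500u,500g,git'` is inserted into the `0,…` run of what reads as a sorted exception list, and `'500,git-remote-http,500u,500g,git-remote-http'` lands after `msedge`; the same out-of-order placement happens with `zig`/`apkoaas` in the next hunk of this file, `art` in the macOS HTTPS query, `containerd-shim` in high_disk_bytes_read, `cpu_sup` in unusual-executable-name-linux, and `claude.ai`/`Google LLC` in the initial_access queries. Out-of-order keys make duplicates hard to spot as these lists grow — this same commit re-sorts the exfil list — so place new keys in sort position. Separately, if git on these hosts delegates HTTPS to `git-remote-http` as is usual, the bare `git` key is exempting a process that should not be making TLS connections itself; a comment on which build or workflow produces direct connections from `git` would make that reviewable. Both lists continue outside the hunks.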
@@ -277,8 +280,10 @@ WHERE
 '500,node,0u,0g,npm install',
 '500,node,500u,500g,npm run start',
 '500,node,u,g,node',
+ '500,zig,500u,500g,zig',
 '500,node,u,g,npm ci',
 '500,nuclei,500u,500g,nuclei',
+ '500,apkoaas,500u,500g,apkoaas',
 '500,obs,0u,0g,obs',
 '500,obs,u,g,obs',
 '500,obs-browser-page,0u,0g,obs-browser-pag',
diff --git a/detection/c2/1-unexpected-https-macos.sql b/detection/c2/1-unexpected-https-macos.sql
index f283c1aa..3f2cf669 100644
--- a/detection/c2/1-unexpected-https-macos.sql
+++ b/detection/c2/1-unexpected-https-macos.sql
@@ -139,6 +139,7 @@ WHERE
 '500,kubectl,kubectl,Developer ID Application: Docker Inc (9BNSXJN65R),kubectl',
 '500,melange,melange,,a.out',
 '500,nami,nami,,a.out',
+ '500,art,art,,a.out',
 '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
 '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
 '500,odo-darwin-amd64-b4853e1fa,odo-darwin-amd64-b4853e1fa,500u,20g',
diff --git a/detection/c2/1-unexpected-talkers-linux.sql b/detection/c2/1-unexpected-talkers-linux.sql
index 66b46ffe..510853af 100644
--- a/detection/c2/1-unexpected-talkers-linux.sql
+++ b/detection/c2/1-unexpected-talkers-linux.sql
@@ -92,10 +92,13 @@ WHERE
 '19305,6,500,msedge,0u,0g,msedge',
 '21,6,0,rpm-ostree,0u,0g,rpm-ostree',
 '25565,6,500,java,500u,500g,java',
+ '25567,6,500,java,500u,500g,java',
 '27018,6,500,pasta.avx2,0u,0g,pasta.avx2',
+ '32520,6,0,rpm-ostree,0u,0g,rpm-ostree',
+ '32768,6,0,registry,u,g,registry',
+ '32768,6,0,tailscaled,0u,0g,tailscaled',
 '32768,6,500,mumble,0u,0g,mumble',
 '32768,6,500,slirp4netns,0u,0g,slirp4netns',
- '32768,6,0,tailscaled,0u,0g,tailscaled',
 '4070,6,500,spotify,0u,0g,spotify',
 '4070,6,500,spotify,u,g,spotify',
 '4433,6,500,openssl,0u,0g,openssl',
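Review bot: `'500,art,art,,a.out'` in the macOS HTTPS query exempts an unsigned binary by the bare name `art`: the empty signing-authority field and `a.out` identifier mean any unsigned executable named `art` making HTTPS connections as uid 500 will be ignored, and a three-letter name is trivially reused. The neighbouring unsigned entries (`melange`, `nami`) at least carry project-specific names; if `art` is a locally built tool, a comment naming it makes the exemption auditable and retirable: `-- 'art': locally built <tool-name>, unsigned (TODO confirm)`. The list continues outside the hunk.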
@@ -111,7 +114,6 @@ WHERE
 '80,6,0,incusd,0u,0g,incusd',
 '80,6,0,kmod,0u,0g,depmod',
 '80,6,0,kubelet,u,g,kubelet',
- '8080,6,500,goland,u,g,goland',
 '80,6,0,ldconfig,0u,0g,ldconfig',
 '80,6,0,melange,500u,500g,melange',
 '80,6,0,NetworkManager,0u,0g,NetworkManager',
@@ -133,7 +135,6 @@ WHERE
 '80,6,0,python3.12,500u,500g,dnf-automatic',
 '80,6,0,python3.9,u,g,yum',
 '80,6,0,rpm-ostree,0u,0g,rpm-ostree',
- '32520,6,0,rpm-ostree,0u,0g,rpm-ostree',
 '80,6,0,sort,0u,0g,sort',
 '80,6,0,systemd-hwdb,0u,0g,systemd-hwdb',
 '80,6,0,tailscaled,0u,0g,tailscaled',
@@ -147,6 +148,7 @@ WHERE
 '80,6,500,brave,0u,0g,brave',
 '80,6,500,chrome,0u,0g,chrome',
 '80,6,500,chrome,u,g,chrome',
+ '80,6,500,chromium,0u,0g,chromium',
 '80,6,500,cloud_sql_proxy,0u,0g,cloud_sql_proxy',
 '80,6,500,code,0u,0g,code',
 '80,6,500,code-oss,u,g,code-oss',
@@ -160,6 +162,7 @@ WHERE
 '80,6,500,firefox-bin,0u,0g,firefox-bin',
 '80,6,500,firefox-bin,500u,500g,firefox-bin',
 '80,6,500,firefox-bin,u,g,firefox-bin',
+ '80,6,500,firefox-esr,0u,0g,firefox-esr',
 '80,6,500,flatpak,0u,0g,flatpak',
 '80,6,500,git-remote-http,0u,0g,git-remote-http',
 '80,6,500,gnome-software,0u,0g,gnome-software',
@@ -167,9 +170,7 @@ WHERE
 '80,6,500,http,u,g,http',
 '80,6,500,java,0u,0g,java',
 '80,6,500,java,u,g,java',
- '80,6,500,firefox-esr,0u,0g,firefox-esr',
 '80,6,500,main,500u,500g,main',
- '8080,6,500,speedtest,0u,0g,speedtest',
 '80,6,500,mateweather-applet,0u,0g,mateweather-app',
 '80,6,500,mconvert,500u,500g,mconvert',
 '80,6,500,mediawriter,u,g,mediawriter',
@@ -213,7 +214,6 @@ WHERE
 '80,6,500,wine64-preloader,0u,0g,control.exe',
 '80,6,500,zen,u,g,zen',
 '80,6,500,zoom,0u,0g,zoom',
- '80,6,500,chromium,0u,0g,chromium',
 '80,6,500,zoom.real,u,g,zoom.real',
 '80,6,500,ZoomWebviewHost,0u,0g,ZoomWebviewHost',
 '8000,6,500,brave,0u,0g,brave',
@@ -224,12 +224,14 @@ WHERE
 '8080,6,500,chrome,0u,0g,chrome',
 '8080,6,500,firefox,0u,0g,firefox',
 '8080,6,500,goland,500u,500g,goland',
+ '8080,6,500,goland,u,g,goland',
 '8080,6,500,idea,0u,0g,idea',
 '8080,6,500,java,u,g,java',
 '8080,6,500,msedge,0u,0g,msedge',
 '8080,6,500,pycharm,500u,500g,pycharm',
 '8080,6,500,python3.11,0u,0g,speedtest-cli',
 '8080,6,500,python3.12,u,g,hass',
+ '8080,6,500,speedtest,0u,0g,speedtest',
 '8080,6,500,speedtest,500u,500g,speedtest',
 '8443,6,500,chrome,0u,0g,chrome',
 '8443,6,500,firefox,0u,0g,firefox',
diff --git a/detection/credentials/1-unexpected-dev-opener-macos.sql b/detection/credentials/1-unexpected-dev-opener-macos.sql
index 9f9b45c4..67e52875 100644
--- a/detection/credentials/1-unexpected-dev-opener-macos.sql
+++ b/detection/credentials/1-unexpected-dev-opener-macos.sql
@@ -85,19 +85,19 @@ WHERE
 '/dev/auditsessions,securityd,Software Signing,com.apple.securityd',
 '/dev/auditsessions,TouchBarServer,Software Signing,com.apple.touchbarserver',
 '/dev/autofs,automountd,Software Signing,com.apple.automountd',
+ '/dev/bpf,agentbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),agentbeat',
 '/dev/bpf,airportd,Software Signing,com.apple.airport.airportd',
 '/dev/bpf,BDLDaemon,Developer ID Application: Bitdefender SRL (GUNFMW623Y),com.bitdefender.epsecurity.BDLDaemonApp',
 '/dev/bpf,com.bjango.istatmenus.daemon,Developer ID Application: Bjango Pty Ltd (Y93TK974AT),com.bjango.istatmenus',
 '/dev/bpf,core,Developer ID Application: TPZ Solucoes Digitais Ltda (X37R283V2T),com.topaz.warsaw.core',
 '/dev/bpf,MHLinkServer,Developer ID Application: Metric Halo Distribution, Inc. (X7EY8SFM86),com.mhlabs.mhlink.server',
 '/dev/bpf,packetbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),packetbeat',
- '/dev/bpf,agentbeat,Developer ID Application: Elasticsearch, Inc (2BT3HPN62Z),agentbeat',
 '/dev/bus/usb/001/01,scdaemon',
 '/dev/console,Arc,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.Browser',
 '/dev/console,dbeaver,Developer ID Application: DBeaver Corporation (42B6MDKMW8),org.jkiss.dbeaver.core.product',
 '/dev/console,kernelmanagerd,Software Signing,com.apple.kernelmanagerd',
- '/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
 '/dev/console,launchd,Software Signing,com.apple.xpc.launchd',
+ '/dev/console,launchd_sim,Software Signing,com.apple.xpc.launchd',
 '/dev/cu.BLTH,bluetoothd,Software Signing,com.apple.bluetoothd',
 '/dev/cu.debug-console,ZwiftAppSilicon,Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon',
 '/dev/cu.usbmodem10,serial-monitor,,a.out',
@@ -128,6 +128,7 @@ WHERE
 '/dev/oslog,logd,Software Signing,com.apple.logd',
 '/dev/pf,CloudflareWARP,Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
 '/dev/pf,mullvad-daemon,Developer ID Application: Mullvad VPN AB (CKG9MXH72F),mullvad-daemon',
+ '/dev/rdisk,etcher-util,Developer ID Application: Balena Ltd (66H43P8FRG),etcher-util',
 '/dev/shm,python3',
 '/dev/tty.usbmodem21430,Bazecor Helper (Renderer),,',
 '/dev/xcpm,PerfPowerServices,Software Signing,com.apple.PerfPowerServices',
diff --git a/detection/discovery/2-unexpected-pcap-user-linux.sql b/detection/discovery/2-unexpected-pcap-user-linux.sql
index fd28ead0..12082739 100644
--- a/detection/discovery/2-unexpected-pcap-user-linux.sql
+++ b/detection/discovery/2-unexpected-pcap-user-linux.sql
@@ -44,6 +44,8 @@ WHERE
 '/usr/sbin/libvirtd',
 '/usr/bin/tcpdump',
 '/usr/libexec/UserEventAgent',
+ '/opt/datadog-agent/bin/agent/agent',
+ '/opt/datadog-agent/embedded/bin/system-probe',
 '/usr/sbin/cupsd',
 '/usr/sbin/systemstats'
 )
diff --git a/detection/evasion/1-old-binaries-running.sql b/detection/evasion/1-old-binaries-running.sql
index 2dfa7c3b..fd71bda7 100644
--- a/detection/evasion/1-old-binaries-running.sql
+++ b/detection/evasion/1-old-binaries-running.sql
@@ -94,6 +94,7 @@ WHERE
 'Vimari Extension'
 )
 AND f.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/%/d/Skitch.app/Contents/MacOS/Skitch'
+ AND f.filename NOT LIKE 'protoc-%'
 AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
 AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
 AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/podman-%'
diff --git a/detection/evasion/2-unexpected-var-run-linux.sql b/detection/evasion/1-unexpected-var-run-linux.sql
similarity index 98%
rename from detection/evasion/2-unexpected-var-run-linux.sql
rename to detection/evasion/1-unexpected-var-run-linux.sql
index 573919e2..a60fb13c 100644
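Review bot: `AND f.filename NOT LIKE 'protoc-%'` in old-binaries-running exempts, by filename prefix alone, any old binary anywhere on disk whose name starts with `protoc-` — including a `protoc-gen-*`-style name dropped into a user-writable directory — which is much broader than the path-anchored Skitch exception on the line above it. If the intent is that released protoc builds carry old timestamps, say so and anchor the exception to where they are installed: `-- protoc release binaries ship with old mtimes (TODO confirm)` and `AND NOT (f.filename LIKE 'protoc-%' AND f.path LIKE '<install-prefix>/%')`. The WHERE clause continues on both sides of the hunk.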
--- a/detection/evasion/2-unexpected-var-run-linux.sql
+++ b/detection/evasion/1-unexpected-var-run-linux.sql
@@ -40,6 +40,7 @@ WHERE
 'bluetooth.blocked',
 'bootupd-lock',
 'dmeventd.pid',
+ 'do-not-hibernate',
 'greetd.run',
 'com.rapid7.cnchub.pid',
 'com.rapid7.component_insight_agent.pid',
diff --git a/detection/evasion/1-unusual-executable-name-linux.sql b/detection/evasion/1-unusual-executable-name-linux.sql
index bdc1fa6e..f9b6d329 100644
--- a/detection/evasion/1-unusual-executable-name-linux.sql
+++ b/detection/evasion/1-unusual-executable-name-linux.sql
@@ -91,6 +91,7 @@ WHERE
 AND NOT pname LIKE '__Test%.test'
 AND pname NOT IN (
 "acpid",
+ "cpu_sup",
 "akonadi_followupreminder_agent",
 "gmenudbusmenuproxy",
 "irqbalance",
diff --git a/detection/evasion/2-unexpected-hidden-system-paths.sql b/detection/evasion/2-unexpected-hidden-system-paths.sql
index ca161e07..d3fd7dbe 100644
--- a/detection/evasion/2-unexpected-hidden-system-paths.sql
+++ b/detection/evasion/2-unexpected-hidden-system-paths.sql
@@ -252,6 +252,7 @@ WHERE
 AND file.path NOT LIKE '/tmp/.wine-%'
 AND file.path NOT LIKE '/tmp/.X1%-lock'
 AND file.path NOT LIKE '/tmp/.gradle%'
+ AND file.path NOT LIKE '/tmp/.git_signing_key%'
 AND file.path NOT LIKE '/tmp/.xfsm-ICE-%'
 AND file.path NOT LIKE '/usr/lib/jvm/.java-%-openjdk-%.jinfo'
 AND file.path NOT LIKE '/usr/local/%/.keepme'
diff --git a/detection/evasion/2-unexpected-user-executables-macos.sql b/detection/evasion/2-unexpected-user-executables-macos.sql
index 420f4049..4863cc66 100644
--- a/detection/evasion/2-unexpected-user-executables-macos.sql
+++ b/detection/evasion/2-unexpected-user-executables-macos.sql
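Review bot: `AND file.path NOT LIKE '/tmp/.git_signing_key%'` in hidden-system-paths silences hidden files in a shared, world-writable directory whose name says they hold signing-key material, which is close to what this query exists to surface; the trailing `%` also matches anything appended, such as `/tmp/.git_signing_key.bak`, and any user on the host can create a matching name. If a specific tool writes this file during a known operation, name it in a comment so the exemption can be retired when that tool changes: `-- written by <tool> during <operation>; TODO confirm it is removed afterwards`. The WHERE clause continues on both sides of the hunk.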
@@ -211,6 +211,8 @@ WHERE
 '~/Library/Calendars/Calendar.sqlitedb-wal',
 '~/Library/Calendars/Calendar.sqlitedb',
 '~/Library/com.apple.iTunesCloud/play_activity.sqlitedb-wal',
+ '~/Library/Group Containers/group.com.apple.calendar/Calendar.sqlitedb-wal',
+ '~/Library/Group Containers/group.com.apple.calendar/Calendar.sqlitedb',
 '~/Library/Finance/finance_cloud.db-wal',
 '~/Library/Finance/finance_cloud.db',
 '~/Library/Group Containers/group.com.docker/unleash-repo-schema-v1-Docker Desktop.json',
diff --git a/detection/execution/1-unexpected-fetcher-parents.sql b/detection/execution/1-unexpected-fetcher-parents.sql
index 1a42171b..f0500a52 100644
--- a/detection/execution/1-unexpected-fetcher-parents.sql
+++ b/detection/execution/1-unexpected-fetcher-parents.sql
@@ -84,6 +84,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
 'curl,500,zsh,mc',
 'curl,500,zsh,sh',
 'curl,500,zsh,zellij',
+ 'wget,500,bootstrap,sh',
 'wget,500,env,env',
 'wget,500,invoke,sh',
 'wget,500,sh,bwrap',
diff --git a/detection/execution/2-tiny-executable.sql b/detection/execution/2-tiny-executable.sql
index 9fa513ab..f352603c 100644
--- a/detection/execution/2-tiny-executable.sql
+++ b/detection/execution/2-tiny-executable.sql
@@ -32,7 +32,11 @@ WHERE
 AND NOT file.path LIKE '/home/%/.local/share/Steam/ubuntu%'
 AND NOT file.path LIKE '/home/%/.zsh/completion'
 AND NOT file.path LIKE '/Users/%/.zsh/completion'
- AND NOT file.path IN ('/', '/usr/bin/ruby')
+ AND NOT file.path IN (
+ '/',
+ '/usr/bin/ruby',
+ '/Applications/OpenOffice.app/Contents/MacOS/soffice'
+ )
 AND NOT (
 file.path = '/sbin/ldconfig'
 AND pp.euid = 1000
diff --git a/detection/execution/2-unexpected-long-running-security-framework-macos.sql b/detection/execution/2-unexpected-long-running-security-framework-macos.sql
index 7ef073dc..7c4c6c39 100644
--- a/detection/execution/2-unexpected-long-running-security-framework-macos.sql
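Review bot: The hunk header of unexpected-fetcher-parents carries the file's own note that the remainder of the query is kept in sync with a sibling `unexpected-fetcher-par…` query, but `'wget,500,bootstrap,sh'` is added only here and no sibling file appears in this commit. Apply the same entry to the sibling, or drop the sync note, so the two lists do not silently diverge and the sibling keeps alerting on a parent chain this one now accepts. The exception list continues outside the hunk.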
+++ b/detection/execution/2-unexpected-long-running-security-framework-macos.sql
@@ -113,6 +113,7 @@ WHERE -- Focus on longer-running programs
 AND NOT exception_key LIKE '500,nvim,bob-%,'
 AND NOT exception_key LIKE '500,package-version-server-v%,package_version_server-%,'
 AND NOT exception_key LIKE '500,rust-analyzer,rust_analyzer-%,'
+ AND NOT exception_key LIKE '500,gopls_%_go_%,a.out,'
 AND NOT exception_key LIKE '500,sm-agent,sm_agent-%'
 GROUP BY p0.pid
diff --git a/detection/execution/2-unexpected-packet-sniffer.sql b/detection/execution/2-unexpected-packet-sniffer.sql
index fd376aa2..8c41e853 100644
--- a/detection/execution/2-unexpected-packet-sniffer.sql
+++ b/detection/execution/2-unexpected-packet-sniffer.sql
@@ -42,6 +42,7 @@ WHERE
 'agentbeat',
 'dhclient',
 'dhcpcd',
+ 'dockerd',
 'NetworkManager',
 'packetbeat',
 'systemd-network',
diff --git a/detection/exfil/1-high_disk_bytes_read.sql b/detection/exfil/1-high_disk_bytes_read.sql
index 4268f1e6..d55d91bf 100644
--- a/detection/exfil/1-high_disk_bytes_read.sql
+++ b/detection/exfil/1-high_disk_bytes_read.sql
@@ -61,8 +61,8 @@ WHERE
 'apko',
 'Autodesk Fusion 360',
 'Autodesk Identity Manager',
- 'baloo_file_extr',
 'baloo_file',
+ 'baloo_file_extr',
 'bash',
 'BDLDaemon',
 'bincapz',
@@ -73,6 +73,7 @@ WHERE
 'code',
 'com.apple.MobileSoftwareUpdate.UpdateBrainService',
 'com.apple.NRD.UpdateBrainService',
+ 'com.apple.WebKit.Networking',
 'cpptools',
 'Disk Inventory X',
 'dnf',
@@ -83,14 +84,15 @@ WHERE
 'emacs',
 'factorio',
 'Fedora Media Writer',
- 'firefox-bin',
 'firefox',
+ 'firefox-bin',
 'fish',
 'fleet_backend',
 'fsdaemon',
 'fsnotifier',
 'gnome-software',
 'go',
+ 'containerd-shim',
 'goland',
 'golangci-lint',
 'Google Chrome',
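Review bot: `'com.apple.WebKit.Networking'` in high_disk_bytes_read exempts the networking process of Safari and every WebKit-based app from an exfil check purely by process name, which takes a browser — one of the most common channels for moving data off a host — out of this detection entirely. Since this file already separates name-based and `p0.path`-based exceptions, a comment on what legitimate workload produces the reads would make the exemption reviewable: `-- WebKit.Networking: <reason for sustained reads> (TODO confirm)`. In the following hunk `'containerd-shim'` is inserted between `go` and `goland`, breaking the sort order this same commit restores elsewhere in the list. Both lists continue outside the hunks.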
@@ -115,18 +117,19 @@ WHERE
 'Microsoft Update Assistant',
 'nautilus',
 'nessusd',
- 'nix-daemon',
 'nix',
+ 'nix-daemon',
 'nvim',
- 'ollama_llama_server',
- 'ollama-runer',
 'ollama',
+ 'ollama-runer',
+ 'ollama_llama_server',
 'osqueryd',
 'osqueryi',
 'plasmashell',
+ 'pycharm',
 'qemu-system-aarch64',
- 'qemu-system-x86-64',
 'qemu-system-x86',
+ 'qemu-system-x86-64',
 'rpi-imager',
 'rpm-ostree',
 'rsync',
@@ -136,12 +139,12 @@ WHERE
 'slack',
 'snapd',
 'spotify',
- 'steam_osx',
 'steam',
+ 'steam_osx',
 'systemd',
+ 'terraform',
 'terraform-ls',
 'terraform-provider-apko',
- 'terraform',
 'thunderbird',
 'tilt',
 'unattended-upgr',
@@ -161,6 +164,8 @@ WHERE
 AND NOT p0.path IN (
 '/app/libexec/mediawriter/helper',
 '/usr/libexec/syspolicyd',
+ '/usr/libexec/logd',
+ '/usr/libexec/packagekitd',
 '/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup',
 '/Library/Elastic/Endpoint/elastic-endpoint',
 '/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.BrowserDataImportingService.xpc/Contents/MacOS/com.apple.Safari.BrowserDataImportingService',
diff --git a/detection/initial_access/1-unexpected-diskimage-source-macos.sql b/detection/initial_access/1-unexpected-diskimage-source-macos.sql
index c08c3562..7dab29e1 100644
--- a/detection/initial_access/1-unexpected-diskimage-source-macos.sql
+++ b/detection/initial_access/1-unexpected-diskimage-source-macos.sql
@@ -66,6 +66,7 @@ WHERE
 'boxcdn.net',
 'brave.com',
 'byfly.by',
+ 'claude.ai',
 'c-wss.com',
 'canon.co.uk',
 'cdn.mozilla.net',
diff --git a/detection/initial_access/2-sketchy-mounted-diskimage.sql b/detection/initial_access/2-sketchy-mounted-diskimage.sql
index 77bfa496..d6164577 100644
--- a/detection/initial_access/2-sketchy-mounted-diskimage.sql
+++ b/detection/initial_access/2-sketchy-mounted-diskimage.sql
@@ -144,6 +144,7 @@ WHERE
 "Developer ID Application: Bose Corporation (QC9P7FKWH6)",
 "Developer ID Application: Justin Clift (C34AV33YLK)",
 "Developer ID Application: Logitech Inc. (QED4VVPZWA)",
+ "Developer ID Application: Google LLC (EQHXZ8M8AV)",
 "Developer ID Application: Oracle America, Inc. (VB5E2TV963)",
 "Developer ID Application: Orbital Labs, LLC (U.S.) (HUAQ24HBR6)",
 "Developer ID Application: Roblox Corporation (2CFABCH843)",
diff --git a/detection/persistence/2-unexpected-chrome-extensions.sql b/detection/persistence/1-unexpected-chrome-extensions.sql
similarity index 99%
rename from detection/persistence/2-unexpected-chrome-extensions.sql
rename to detection/persistence/1-unexpected-chrome-extensions.sql
index 63f76276..3b79ee99 100644
--- a/detection/persistence/2-unexpected-chrome-extensions.sql
+++ b/detection/persistence/1-unexpected-chrome-extensions.sql
@@ -168,6 +168,7 @@ WHERE
 'true,AgileBits,1Password – Password Manager,aeblfdkhhhdcdjpifhhbdiojplfjncoa',
 'true,AwardWallet LLC,AwardWallet,lppkddfmnlpjbojooindbmcokchjgbib',
 'true,Benjamin Hollis,JSONView,gmegofmjomhknnokphhckolhcffdaihd',
+ 'true,BetterLogic ,Better History | Blacklist Mode,egehpkpgpgooebopjihjmnpejnjafefi',
 'true,Bitwarden Inc.,Bitwarden - Free Password Manager,nngceckbapebfimnlniiiahkandclblb',
 'true,Bitwarden Inc.,Bitwarden Password Manager,nngceckbapebfimnlniiiahkandclblb',
 'true,Cartera,American Airlines AAdvantage® eShopping℠,dcdiajifnnbipfljbggcbbheipfdmgpo',
diff --git a/detection/persistence/2-unexpected-global-lock.sql b/detection/persistence/1-unexpected-global-lock.sql
similarity index 93%
rename from detection/persistence/2-unexpected-global-lock.sql
rename to detection/persistence/1-unexpected-global-lock.sql
index fa6032be..ffffbee8 100644
--- a/detection/persistence/2-unexpected-global-lock.sql
+++ b/detection/persistence/1-unexpected-global-lock.sql
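Review bot: `'true,BetterLogic ,Better History | Blacklist Mode,egehpkpgpgooebopjihjmnpejnjafefi'` in the chrome-extensions query has a trailing space after `BetterLogic`; the key is compared as an exact string, so the entry only matches if the store's author field really contains that space — confirm it was copied verbatim rather than mistyped, and if so note it: `-- author field carries a trailing space upstream`. From memory this extension family changed owners some years ago and was temporarily pulled from the store over injected behaviour (verify against current publisher data), so a one-line comment on why the current publisher is trusted would help the next reviewer. The list continues outside the hunk.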
@@ -53,6 +53,7 @@ WHERE
 '500,0,/tmp/write.lock,regular,0644',
 '500,1000,/tmp/1000-nwg-bar.lock,regular,0600',
 '500,1000,/tmp/golangci-lint.lock,regular,0600',
+ '500,1000,/tmp/minecraftlauncher.1000.pid.lock,regular,0664',
 '500,1001,/tmp/nwg-dock.lock,regular,0600',
 '74,0,/tmp/mysql.sock.lock,regular,0600',
 '74,0,/tmp/mysqlx.sock.lock,regular,0600'
@@ -61,3 +62,4 @@ WHERE
 AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0644'
 AND NOT exception_key LIKE '500,1000,/tmp/keepassxc-%.lock,regular,0664'
 AND NOT exception_key LIKE '500,1000,/tmp/vscode-remote-ssh-%-install.lock,regular,0664'
+ AND NOT exception_key LIKE '500,1000,/tmp/%.eksctl.lock,regular,0600'
diff --git a/detection/privesc/1-unexpected-privileged-containers.sql b/detection/privesc/1-unexpected-privileged-containers.sql
index 36f98014..60f723fa 100644
--- a/detection/privesc/1-unexpected-privileged-containers.sql
+++ b/detection/privesc/1-unexpected-privileged-containers.sql
@@ -41,3 +41,4 @@ WHERE
 AND image NOT LIKE 'k3d-k3d.localhost:%'
 AND image NOT LIKE 'melange-%'
 AND command NOT LIKE '/usr/bin/melange build %'
+ AND command != '/bin/k3s server'
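Review bot: `AND command != '/bin/k3s server'` in unexpected-privileged-containers exempts every privileged container whose command is exactly that string, regardless of which image runs it, whereas the neighbouring k3d and melange exceptions are keyed on `image` (the melange one pairs image and command). A container only needs to set its command to that value to drop out of the alert; pairing the two keeps the exemption narrow: `AND NOT (command = '/bin/k3s server' AND image LIKE '<k3s-image>%')`. The WHERE clause begins outside the hunk.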