Merge pull request #424 from tstromberg/fpr-nov13

fpr: mc, colima, webfilterproxyd, headlamp, record it, etc

detection/c2/unexpected-dns-traffic-events.sql

@@ -73,7 +73,6 @@ WHERE
     '185.125.190.31', -- Canonical
     '185.125.190.77' -- Canonical
   )
-
   -- Exceptions that specifically talk to one server
   AND exception_key NOT IN (
     'adguard_dns,1.0.0.1,53',
@@ -84,6 +83,7 @@ WHERE
     'ChatGPT,8.8.8.8,53',
     'com.docker.backend,8.8.8.8,53',
     'com.docker.vpnkit,8.8.8.8,53',
+    'Creative Cloud Content Manager.node,8.8.4.4,53',
     'coredns,0.0.0.0,53',
     'coredns,8.8.8.8,53',
     'distnoted,8.8.8.8,53',

detection/c2/unexpected-root-libcurl-proc-linux.sql

@@ -77,6 +77,7 @@ WHERE
     'fwupd,/usr/libexec/fwupd/fwupd,0,system.slice,fwupd.service,0755',
     'fwupd,/usr/lib/fwupd/fwupd,0,system.slice,fwupd.service,0755',
     'libvirtd,/usr/bin/libvirtd,0,system.slice,libvirtd.service,0755',
+    'implicitclass,/usr/lib/cups/backend/implicitclass,0,system.slice,cups.service,0744',
     'NetworkManager,/usr/bin/NetworkManager,0,system.slice,NetworkManager.service,0755',
     'NetworkManager,/usr/sbin/NetworkManager,0,system.slice,NetworkManager.service,0755',
     'nix-daemon,/nix/store/__VERSION__/bin/nix,0,system.slice,nix-daemon.service,0555',

detection/c2/unexpected-talkers-linux.sql

@@ -8,7 +8,8 @@
 --
 -- tags: transient state net rapid
 -- platform: linux
-SELECT s.remote_address,
+SELECT
+  s.remote_address,
   s.remote_port,
   s.local_port,
   s.local_address,
@@ -39,12 +40,14 @@ SELECT s.remote_address,
     'g,',
     p.name
   ) AS exception_key
-FROM process_open_sockets s
+FROM
+  process_open_sockets s
   LEFT JOIN processes p ON s.pid = p.pid
   LEFT JOIN processes pp ON p.parent = pp.pid
   LEFT JOIN file f ON p.path = f.path
   LEFT JOIN hash ON p.path = hash.path
-WHERE protocol > 0
+WHERE
+  protocol > 0
   AND s.remote_port > 0 -- See unexpected-https-client
   AND NOT (
     s.remote_port = 443
@@ -108,11 +111,13 @@ WHERE protocol > 0
     '80,6,0,python3.12,500u,500g,dnf-automatic',
     '80,6,0,python3.10,0u,0g,yum',
     '80,6,0,python3.11,0u,0g,dnf',
+    '123,17,106,chronyd,0u,0g,chronyd',
     '5222,6,500,msedge,0u,0g,msedge',
     '80,6,0,python3.11,0u,0g,dnf-automatic',
     '80,6,0,python3.11,0u,0g,yum',
     '80,6,0,python3.12,0u,0g,dnf',
     '80,6,0,python3.12,0u,0g,yum',
+    '80,6,0,python3.12,0u,0g,dnf-automatic',
     '89,6,500,chrome,0u,0g,chrome',
     '80,6,0,python3.9,u,g,yum',
     '80,6,0,rpm-ostree,0u,0g,rpm-ostree',
@@ -294,4 +299,5 @@ WHERE protocol > 0
       OR p.cgroup_path LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
     )
   )
-GROUP BY p.cmdline
+GROUP BY
+  p.cmdline

detection/c2/unexpected-talkers-macos.sql

@@ -5,7 +5,8 @@
 --
 -- tags: transient state net often
 -- platform: macos
-SELECT pos.protocol,
+SELECT
+  pos.protocol,
   pos.local_port,
   pos.remote_port,
   remote_address,
@@ -40,17 +41,24 @@ SELECT pos.protocol,
   p1.euid AS p1_euid,
   p1.cmdline AS p1_cmd,
   p1_hash.sha256 AS p1_sha256
-FROM process_open_sockets pos
+FROM
+  process_open_sockets pos
   LEFT JOIN processes p0 ON pos.pid = p0.pid
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
   LEFT JOIN processes p1 ON p0.parent = p1.pid
   LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
   LEFT JOIN file f ON p0.path = f.path
   LEFT JOIN signature s ON p0.path = s.path
-WHERE pos.pid IN (
-    SELECT pid
-    from process_open_sockets
-    WHERE protocol > 0
+WHERE
+  pos.pid IN (
+    SELECT
+      pid
+    from
+      process_open_sockets
+    WHERE
+      protocol > 0
+      AND local_port > 0
+      AND remote_port > 0
       AND NOT (
         remote_port IN (53, 443)
         AND protocol IN (6, 17)
@@ -124,4 +132,5 @@ WHERE pos.pid IN (
     AND remote_port = 0
     AND protocol = 0
   )
-GROUP BY p0.cmdline
+GROUP BY
+  p0.cmdline

detection/collection/spotlight-database-export-macos.sql

@@ -32,4 +32,5 @@ WHERE
   AND f.path NOT LIKE '%mysql-test/suite/%'
   AND f.path NOT LIKE '%.json'
   AND f.path NOT LIKE '%.log'
+  AND f.path NOT LIKE '%/testdata/%'
   AND f.size > 32768

detection/credentials/macos_keyboard_sniffer.sql

@@ -57,6 +57,7 @@ FROM
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
 WHERE
   et.event_tapped IN ('EventKeyDown', 'EventKeyUp')
+  AND et.enabled != 0
   AND s.authority != 'Software Signing' -- Popular programs that sniff keyboard events, but do not appear to be malware.
   AND NOT exception_key IN (
     'Alfred,com.runningwithcrayons.Alfred,Developer ID Application: Running with Crayons Ltd (XZZXE9SED4)',

detection/credentials/unexpected-dev-opener-linux.sql

@@ -238,6 +238,8 @@ WHERE
     '/dev/video,zoom',
     '/dev/video,zoom.real',
     '/dev/wwan0mbim,mbim-proxy',
+    '/dev/udmabuf,xdg-desktop-portal-gnome',
+    '/dev/udmabuf,nautilus',
     '/dev/zfs,',
     '/dev/zfs,zed',
     '/dev/zfs,zfs',

detection/credentials/unexpected-dev-opener-macos.sql

@@ -108,6 +108,7 @@ WHERE
     '/dev/io8log,WiFiAgent,Software Signing,com.apple.wifi.WiFiAgent',
     '/dev/io8log,WirelessRadioManagerd,Software Signing,com.apple.WirelessRadioManagerd',
     '/dev/io8log,airportd,Software Signing,com.apple.airport.airportd',
+    '/dev/cu.debug-console,ZwiftAppSilicon,Developer ID Application: Zwift, Inc (C2GM8Y9VFM),ZwiftAppSilicon',
     '/dev/io8log,symptomsd,Software Signing,com.apple.symptomsd',
     '/dev/io8logmt,airportd,Software Signing,com.apple.airport.airportd',
     '/dev/io8logtemp,ControlCenter,Software Signing,com.apple.controlcenter',

detection/evasion/hidden-cwd.sql

@@ -8,7 +8,8 @@
 --
 -- tags: transient often
 -- platform: posix
-SELECT REPLACE(p0.cwd, u.directory, '~') AS dir,
+SELECT
+  REPLACE(p0.cwd, u.directory, '~') AS dir,
   REGEX_MATCH (
     REPLACE(p0.cwd, u.directory, '~'),
     '([/~].*?/.*?)/',
@@ -55,7 +56,8 @@ SELECT REPLACE(p0.cwd, u.directory, '~') AS dir,
   p2.path AS p2_path,
   p2.cmdline AS p2_cmd,
   p2_hash.sha256 AS p2_sha256
-FROM processes p0
+FROM
+  processes p0
   LEFT JOIN file f ON p0.path = f.path
   LEFT JOIN users u ON p0.uid = u.uid
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
@@ -64,10 +66,14 @@ FROM processes p0
   LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE p0.pid IN (
-    SELECT DISTINCT pid
-    FROM processes
-    WHERE cwd LIKE '%/.%'
+WHERE
+  p0.pid IN (
+    SELECT DISTINCT
+      pid
+    FROM
+      processes
+    WHERE
+      cwd LIKE '%/.%'
       AND NOT name IN (
         'apfsd',
         'bindfs',
@@ -94,6 +100,7 @@ WHERE p0.pid IN (
       'bash,~/.Trash',
       'bash,~/.local/share',
       'bash,~/go/src',
+      'telegram-deskto,~/snap/telegram-desktop',
       'c++,~/.cache/yay',
       'cc1,/home/build/.cache',
       'cc1plus,~/.cache/yay',
@@ -119,6 +126,7 @@ WHERE p0.pid IN (
       'rust-analyzer-p,~/.cargo/registry',
       'rustc,/home/build/.cargo',
       'vet,/home/build/.cache',
+      'npm install,/home/build/.npm',
       'zsh,/private/tmp/workspace',
       'zsh,~/.Trash'
     )
@@ -129,6 +137,7 @@ WHERE p0.pid IN (
     OR dir IN (
       '~/.config',
       '~/.local/bin',
+      '/home/build',
       '/var/home/linuxbrew/.linuxbrew/Cellar',
       '~/.vim',
       '~/dev/extra-packages/.chainguard',
@@ -144,12 +153,7 @@ WHERE p0.pid IN (
       '~/.hunter/_Base',
       '~/.zsh'
     )
-    OR top_dir IN (
-      '~/Sync',
-      '~/src',
-      '~/workspace',
-      '~/dev'
-    )
+    OR top_dir IN ('~/Sync', '~/src', '~/workspace', '~/dev')
     OR dir LIKE '/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/%'
     OR dir LIKE '/opt/homebrew/%/.cache/%'
     OR dir LIKE '~/%enterprise-packages/.chainguard'
@@ -190,4 +194,5 @@ WHERE p0.pid IN (
       AND p0.euid = 0
     )
   )
-GROUP BY p0.pid
+GROUP BY
+  p0.pid

detection/evasion/hidden-executable.sql

@@ -5,7 +5,8 @@
 --
 -- tags: transient
 -- platform: posix
-SELECT f.directory,
+SELECT
+  f.directory,
   f.btime,
   p0.start_time,
   RTRIM(
@@ -51,15 +52,17 @@ SELECT f.directory,
   p2.path AS p2_path,
   p2.cmdline AS p2_cmd,
   p2_hash.sha256 AS p2_sha256
-FROM processes p0
+FROM
+  processes p0
   LEFT JOIN file f ON p0.path = f.path
   LEFT JOIN users u ON f.uid = u.uid
   LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
   LEFT JOIN processes p1 ON p0.parent = p1.pid
   LEFT JOIN hash p1_hash ON p1.path = p1_hash.path
   LEFT JOIN processes p2 ON p1.parent = p2.pid
   LEFT JOIN hash p2_hash ON p2.path = p2_hash.path
-WHERE (
+WHERE
+  (
     p0.name LIKE '.%'
     OR f.filename LIKE '.%'
     OR f.directory LIKE '%/.%'
@@ -88,6 +91,7 @@ WHERE (
     '~/.terraform',
     '~/.tflint.d',
     '~/.vs-kubernetes',
+    '~/chainguard-images',
     '~/Code',
     '~/Projects',
     '~/code',
@@ -116,7 +120,7 @@ WHERE (
   AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
   AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
   AND NOT f.directory LIKE '/Volumes/com.getdropbox.dropbox-%'
-  AND NOT f.directory LIKE '/var~/Code/cgr/private/.terraform/%'
+  AND NOT f.directory LIKE '%/.terraform/%'
   AND NOT f.path LIKE '/nix/store/%/%-wrapped'
   AND NOT (
     f.path LIKE '/nix/store/%'
@@ -127,4 +131,5 @@ WHERE (
   AND NOT homedir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
   AND NOT homedir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
   AND NOT homedir LIKE '%/.Trash/Logi Options.app/Contents/Support/LogiMgrDaemon.app/Contents/MacOS'
-GROUP BY f.path
+GROUP BY
+  f.path

detection/evasion/old-binaries-running.sql

@@ -65,6 +65,7 @@ WHERE
     '/usr/bin/pavucontrol',
     '/usr/bin/espeak',
     '/usr/bin/unpigz',
+    '/usr/bin/xsettingsd',
     '/usr/bin/xss-lock',
     '/usr/bin/i3lock',
     '/usr/bin/xbindkeys',

detection/evasion/parent-missing-from-disk-linux.sql

@@ -53,9 +53,11 @@ WHERE
     '/usr/lib/electron22',
     '/usr/bin',
     '/opt/google/chrome',
+    '/opt/microsoft/msedge',
     '/usr/libexec',
     '/usr/lib/systemd',
     '/usr/lib',
+    '/usr/lib/go/bin',
     '/usr/share/code'
   ) -- long-running launchers
   AND NOT p1.name IN (

detection/evasion/unexpected-hidden-system-paths.sql

@@ -114,8 +114,10 @@ WHERE
     '/tmp/.SIGN.RSA.local-melange.rsa.pub',
     '/tmp/.SIGN.RSA.wolfi-signing.rsa.pub',
     '/tmp/.s.PGSQL.5432',
+    '/var/root/.nx/',
     '/tmp/.s.PGSQL.5432.lock',
     '/tmp/.terraform/',
+    '/.cache/',
     '/tmp/.terraform.lock.hcl',
     '/tmp/.Test-unix/',
     '/tmp/.touchpaddefaults',
@@ -156,6 +158,7 @@ WHERE
     '/var/root/.bash_history',
     '/var/root/.bash_profile',
     '/var/root/.cache/',
+    '/var/root/.config/',
     '/var/root/.CFUserTextEncoding',
     '/var/root/.docker/',
     '/var/root/.forward',

detection/evasion/unexpected-process-extension-linux.sql

@@ -93,3 +93,4 @@ WHERE
   AND NOT basename LIKE 'terraform-provider%'
   AND NOT basename LIKE 'ld-%.so'
   AND NOT basename LIKE 'unison-%'
+  AND NOT basename IN ('io.elementary.appcenter')

detection/evasion/unexpected-var-run-macos.sql

@@ -54,6 +54,9 @@ WHERE
     'kdc.pid',
     'prl_disp_service.pid',
     'prl_naptd.pid',
+    'prl_desktop_services.lock',
+    'prl_desktop_services_foreground.lock',
+    'prl_disp_service.urgent',
     'prl_watchdog-ebdba5702a20.pid',
     'resolv.conf',
     'rtadvd.pid',

detection/evasion/unusual-process-name-linux.sql

@@ -120,6 +120,7 @@ WHERE
     "xdg-desktop-portal-gnome",
     "xdg-desktop-portal-gtk",
     "xdg-desktop-portal-kde",
+    "xdg-desktop-portal-xapp",
     "xdg-document-portal",
     "xdg-permission-store",
     "xwaylandvideobridge"

detection/execution/exotic-commands-linux.sql

@@ -127,6 +127,9 @@ WHERE
         'goland',
         'java',
         'pycharm',
+        'zsh',
+        'bash',
+        'jetbrains',
         'sh',
         'vim',
         'vim.nox'