fpr: Debian Linux, Nix, and Chromium snaps

detection/c2/1-unexpected-dns-traffic-events.sql

@@ -26,8 +26,7 @@ SELECT
   s.pid,
   p.parent AS parent_pid,
   pp.cmdline AS parent_cmd,
-  hash.sha256,
-  CONCAT (p.name, ',', remote_address, ',', remote_port) AS exception_key
+  hash.sha256
 FROM
   socket_events s
   LEFT JOIN processes p ON s.pid = p.pid
@@ -75,105 +74,78 @@ WHERE
     '68.105.28.13', -- Cox
     '75.75.75.75', -- Comcast
     '75.75.76.76', -- Comcast
-    '80.248.7.1', -- 21st Century (NG)
-    '8.8.4.4', -- Google (backup)
-    '8.8.8.8' -- Google
-  )
-  -- Exceptions that specifically talk to one server
-  AND exception_key NOT IN (
-    'adguard_dns,1.0.0.1,53',
-    'AssetCacheLocatorService,0.0.0.0,53',
-    'brave,8.8.8.8,53',
-    'CapCut,8.8.8.8,53',
-    'cg,108.177.98.95,53',
-    'ChatGPT,8.8.8.8,53',
-    'Code Helper (Plugin),1.0.0.1,53',
-    'com.docker.backend,8.8.8.8,53',
-    'com.docker.buil,35.190.88.7,53', -- licensing exfil via Bugsnag?
-    'com.docker.vpnkit,8.8.8.8,53',
-    'coredns,0.0.0.0,53',
-    'coredns,8.8.8.8,53',
-    'Creative Cloud Content Manager.node,8.8.4.4,53',
-    'Creative Cloud Content Manager.node,8.8.8.8,53',
-    'distnoted,8.8.4.4,53',
-    'distnoted,8.8.8.8,53',
-    'dockerd,162.159.140.238,53',
-    'EpicWebHelper,8.8.4.4,53',
-    'EpicWebHelper,8.8.8.8,53',
-    'gvproxy,170.247.170.2,53',
-    'helm,185.199.108.133,53',
-    'io.tailscale.ipn.macsys.network-extension,8.8.8.8,53',
-    'limactl,8.8.8.8,53',
-    'Meeting Center,8.8.8.8,53',
-    'msedge,8.8.4.4,53',
-    'msedge,8.8.8.8,53',
-    'node,149.22.90.225,5353',
-    'nuclei,1.0.0.1,53',
-    'ollama,104.21.75.227,53', -- registry.olama.ai (2025-01-27)
-    'Pieces OS,208.67.222.222,53',
-    'Pieces OS,8.8.4.4,53',
-    'plugin-container,8.8.8.8,53',
-    'ServiceExtension,8.8.8.8,53',
-    'Signal Helper (Renderer),8.8.8.8,53',
-    'signal-desktop,8.8.8.8,53',
-    'slack,8.8.8.8,53',
-    'snapd,185.125.188.54,53',
-    'snapd,185.125.188.55,53',
-    'snapd,185.125.188.58,53',
-    'snapd,185.125.188.59,53',
-    'Socket Process,8.8.8.8,53',
-    'syncthing,46.162.192.181,53',
-    'Telegram,8.8.8.8,53',
-    'vunnel,8.8.8.8,53',
-    'WebexHelper,8.8.8.8,53',
-    'WhatsApp,1.1.1.1,53',
-    'yum,208.67.222.222,53',
-    'ZaloCall,8.8.8.8,53',
-    'zed,8.8.8.8,53',
-    'ZoomPhone,200.48.225.130,53',
-    'ZoomPhone,200.48.225.146,53',
-    'ZoomPhone,8.8.8.8,53'
+    '80.248.7.1' -- 21st Century (NG)
   )
   -- Local DNS servers and custom clients go here
   AND basename NOT IN (
     'adguard_dns',
     'agentbeat',
     'apk',
     'apko',
+    'AssetCacheLocatorService',
+    'brave',
     'buildkitd',
     'canonical-livep',
+    'CapCut',
     'cg',
-    'containerd',
     'chainctl',
+    'ChatGPT',
     'chrome',
+    'Code Helper (Plugin)',
     'com.apple.WebKit.Networking',
     'com.docker.backend',
+    'com.docker.buil',
+    'com.docker.build',
+    'com.docker.vpnkit',
+    'containerd',
+    'coredns',
+    'Creative Cloud Content Manager.node',
+    'distnoted',
+    'dockerd',
+    'EpicWebHelper',
     'go',
     'grype',
     'gvproxy',
     'helm',
-    'com.docker.build',
     'incusd',
     'io.tailscale.ipn.macsys.network-extension',
     'IPNExtension',
     'Jabra Direct Helper',
     'java',
     'limactl',
     'mDNSResponder',
+    'Meeting Center',
     'melange',
+    'msedge',
     'nessusd',
+    'node',
     'nuclei',
+    'ollama',
+    'Pieces OS',
+    'plugin-container',
+    'ServiceExtension',
+    'Signal Helper (Renderer)',
+    'signal-desktop',
+    'slack',
+    'snapd',
+    'Socket Process',
     'syncthing',
     'systemd-resolved',
     'tailscaled',
+    'Telegram',
     'terraform-ls',
     'terraform-provi',
+    'vunnel',
+    'WebexHelper',
     'WhatsApp',
-    'wolfictl'
+    'wolfictl',
+    'yum',
+    'ZaloCall',
+    'zed',
+    'ZoomPhone'
   )
-  AND p.name NOT IN ('Jabra Direct Helper', 'terraform-provi')
   -- Chromium/Electron apps seem to send stray packets out like nobodies business
-  AND p.path NOT LIKE '%/%.app/Contents/MacOS/% Helper'
+  AND basename NOT LIKE '% Helper'
   AND p.path NOT LIKE '/snap/%'
   AND pp.path NOT IN ('/usr/bin/containerd-shim-runc-v2')
   -- Workaround for the GROUP_CONCAT subselect adding a blank ent

detection/c2/1-unexpected-https-linux.sql

@@ -6,7 +6,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
--- tags: transient state net often extra
+-- tags: transient state net often
 -- platform: linux
 SELECT
   s.remote_address,

detection/c2/1-unexpected-https-macos.sql

@@ -3,7 +3,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1071/ (C&C, Application Layer Protocol)
 --
--- tags: transient state net often extra
+-- tags: transient state net often
 -- platform: macos
 SELECT
   pos.protocol,

detection/c2/2-unexpected-icmp-socket.sql

@@ -3,7 +3,7 @@
 -- references:
 --   *https://attack.mitre.org/techniques/T1095/ (C2: Non-Application Layer Protocol)
 --
--- tags: transient state net extra
+-- tags: transient state net
 SELECT
   pop.pid AS p0_pid,
   pop.socket,

detection/collection/1-high-disk-bytes-written.sql

@@ -10,7 +10,7 @@
 -- references:
 --   * https://attack.mitre.org/tactics/TA0009/ (Collection)
 --
--- tags: transient process extra
+-- tags: transient process
 SELECT
   -- WARNING: Writes to tmpfs are not reflected against this counter
   p0.disk_bytes_written AS bytes_written,

detection/credentials/1-unexpected-dev-opener-linux.sql

@@ -132,8 +132,9 @@ WHERE
     '/dev/input,Hyprland',
     '/dev/input,keyd',
     '/dev/input,kwin_wayland',
-    '/dev/input,systemd-logind',
+    '/dev/input,sway',
     '/dev/input,systemd',
+    '/dev/input,systemd-logind',
     '/dev/input,thermald',
     '/dev/input,touchegg',
     '/dev/input,upowerd',
@@ -156,7 +157,6 @@ WHERE
     '/dev/shm,Melvor Idle',
     '/dev/shm,msedge',
     '/dev/shm,osqueryd',
-    '/dev/input,sway',
     '/dev/shm,reaper',
     '/dev/shm,slack',
     '/dev/shm,spotify',
@@ -198,6 +198,7 @@ WHERE
     '/dev/kmsg,systemd-journald',
     '/dev/kvm,qemu-system-x86_64',
     '/dev/mapper/control,dockerd',
+    '/dev/mapper/control,dmeventd',
     '/dev/mapper/control,gpartedbin',
     '/dev/mapper/control,multipathd',
     '/dev/mcelog,mcelog',
@@ -255,6 +256,7 @@ WHERE
     '/dev/zfs,zfs',
     '/dev/zfs,zpool'
   )
+  AND path_exception NOT LIKE '/dev/dm-%,qemu-system-%'
   AND path_exception NOT LIKE '/dev/bus/usb/%,scdaemon'
   AND path_exception NOT LIKE '/dev/cpu_dma_latency,python%'
   AND path_exception NOT LIKE '/dev/shm/%'

detection/evasion/1-touched-executable-macos.sql

@@ -9,7 +9,7 @@
 -- references:
 --   * https://attack.mitre.org/techniques/T1070/006/ (Timestomping)
 --
--- tags: transient seldom filesystem state extra
+-- tags: transient seldom filesystem state
 -- platform: darwin
 SELECT
   p.path,
@@ -55,7 +55,7 @@ WHERE
       AND path NOT LIKE '/usr/sbin/%'
       AND path NOT LIKE '/Volumes/%'
   )
-  AND f.btime == f.mtime
+  AND f.btime = f.mtime
   AND (
     -- change time is older than birth time
     btime_ctime_days_diff > 0 -- change time is older than birth time, but not 1970
@@ -110,6 +110,7 @@ WHERE
         '/usr/local/bin/node'
       )
       OR p.path LIKE '/Applications/%.app/Contents/Frameworks/%/Versions/A/Resources/%'
+      OR p.path LIKE '/Users/%/.cache/gitstatus/gitstatusd-darwin-arm64'
       OR p.path LIKE '/Applications/%.app/Contents/MacOS/%'
       OR p.path LIKE '/opt/homebrew/Caskroom/%/bin/%'
       OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'

detection/evasion/1-unusual-process-name-linux.sql

@@ -95,6 +95,7 @@ WHERE
   AND NOT p1_pid = 2
   AND NOT p0_pid = 2
   AND NOT pname LIKE '.%-wrap%'
+  AND NOT pname IN ('xdg-open')
   AND p0.path NOT LIKE "/nix/store/%"
   AND basename NOT IN (
     "acpid",

detection/evasion/2-hidden-executable.sql

@@ -78,24 +78,25 @@ WHERE
   AND NOT homepath LIKE '~/%arm64%'
   AND NOT homepath LIKE '~/%x86_64%'
   AND NOT top2_dir IN (
+    '/nix/store/.links',
+    '/var~/.local',
+    '~/.goenv',
+    '~/.vs-kubernetes',
     '~/chainguard-images',
     '~/code',
     '~/Code',
-    '~/.goenv',
-    '~/repos',
-    '/nix/store/.links',
     '~/Projects',
-    '~/src',
-    '/var~/.local',
-    '~/.vs-kubernetes'
+    '~/repos',
+    '~/src'
   )
   AND NOT top3_dir IN (
     '/home/linuxbrew/.linuxbrew',
     '/var~/.local/share',
     '~/.cache/gitstatus',
+    '~/.cache/go-build',
     '~/.cache/JetBrains',
-    '~/.cache/selenium',
     '~/.cache/rod',
+    '~/.cache/selenium',
     '~/.config/bluejeans-v2',
     '~/.config/Code',
     '~/.config/nvm',

detection/evasion/2-unexpected-dev-entries.sql

@@ -30,7 +30,7 @@ WHERE
     OR file.path LIKE '/dev/%/.%'
     OR file.path LIKE '/dev/%%/.%/%'
     OR file.path LIKE '/dev/mqueue/%%'
-  ) -- We should also use uid for making decisions here
+  )
   AND NOT (
     file.uid > 499
     AND (
@@ -46,6 +46,7 @@ WHERE
       OR file.path LIKE '/dev/shm/u1000-Shm%'
       OR file.path LIKE '/dev/shm/u1000-Valve%'
       OR file.path LIKE '/dev/shm/wayland.mozilla.%'
+      OR file.path LIKE '/dev/shm/xapp-tmp-%'
     )
   )
   AND NOT (

detection/evasion/2-unexpected-hidden-system-paths.sql

@@ -190,6 +190,8 @@ WHERE
     '/var/root/.PenTablet/',
     '/var/root/.provisio',
     '/var/root/.ssh/',
+    '/.vim/',
+    '/.viminfo',
     '/var/root/.Trash/',
     '/var/root/.viminfo',
     '/var/root/.zsh_history',

detection/evasion/2-unexpected-user-executables-macos.sql

@@ -231,5 +231,6 @@ WHERE
   AND NOT f.directory LIKE '/var/root/Library/Caches/%/org.sparkle-project.Sparkle/%/Sparkle.framework%'
   AND NOT f.path LIKE '/Users/%/Library/Fonts/%.otf'
   AND NOT f.path LIKE '/Users/%/Library/Fonts/%.ttf'
+  AND NOT f.path LIKE '/Users/%/result/activate'
 GROUP BY
   f.path

detection/evasion/2-unexpected-var-executables-linux.sql

@@ -59,6 +59,12 @@ WHERE
     '/var/run/lima-boot-done',
     '/var/run/lima-ssh-ready'
   )
+  AND NOT (
+    file.directory = '/var/spool/postfix/incoming'
+    AND size < 1024
+    AND mode = '07000'
+    AND gid = 0
+  )
   AND (
     magic.data IS NULL
     OR magic.data != 'JSON data'

detection/evasion/2-unexpected-var-run-linux.sql

@@ -39,6 +39,8 @@ WHERE
     'auditd.pid',
     'bluetooth.blocked',
     'bootupd-lock',
+    'dmeventd.pid',
+    'greetd.run',
     'com.rapid7.cnchub.pid',
     'com.rapid7.component_insight_agent.pid',
     'com.rapid7.ir_agent.pid',

detection/execution/1-exotic-commands-linux.sql

@@ -144,7 +144,7 @@ WHERE
       p0.cmdline LIKE '%tail -f /dev/null%'
       AND NOT p0.cmdline LIKE 'docker run%'
       AND NOT p0.cgroup_path LIKE '/system.slice/docker-%'
-      AND NOT p1.pid == 0
+      AND NOT p1.pid = 0
     )
   )
   AND NOT p0.cmdline like '%socat UNIX-LISTEN:%com.discordapp%discord-ipc%'

detection/execution/1-exotic-commands-macos.sql

@@ -3,7 +3,7 @@
 -- false positives:
 --   * possible, but none known
 --
--- tags: transient process state extra
+-- tags: transient process state
 -- platform: darwin
 SELECT
   s.authority AS p0_auth,