chainguard-dev · tstromberg · Feb 24, 2025 · Feb 24, 2025
diff --git a/detection/c2/1-unexpected-https-linux.sql b/detection/c2/1-unexpected-https-linux.sql
@@ -66,7 +66,6 @@ WHERE
     '0,apk,u,g,apk',
     '0,applydeltarpm,0u,0g,applydeltarpm',
     '0,bash,0u,0g,bash',
-    '0,multipassd,0u,0g,multipassd',
     '0,bash,0u,0g,mkinitcpio',
     '0,bash,0u,0g,sh',
     '0,canonical-livepatchd,0u,0g,canonical-livep',
@@ -86,7 +85,6 @@ WHERE
     '0,go,0u,0g,go',
     '0,gtk4-update-icon-cache,0u,0g,gtk-update-icon',
     '0,http,0u,0g,https',
-    '500,firefox-bin,0u,0g,firefox-bin',
     '0,ir_agent,0u,0g,ir_agent',
     '0,kmod,0u,0g,depmod',
     '0,launcher,0u,0g,launcher',
@@ -95,6 +93,7 @@ WHERE
     '0,make,0u,0g,make',
     '0,melange,500u,500g,melange',
     '0,metricbeat,0u,0g,metricbeat',
+    '0,multipassd,0u,0g,multipassd',
     '0,nessusd,0u,0g,nessusd',
     '0,nix,0u,0g,nix',
     '0,nix,0u,0g,nix-daemon',
@@ -118,13 +117,11 @@ WHERE
     '120,fwupdmgr,0u,0g,fwupdmgr',
     '128,fwupdmgr,0u,0g,fwupdmgr',
     '129,fwupdmgr,0u,0g,fwupdmgr',
-    '500,transmission-daemon,500u,500g,transmission-da',
     '42,http,0u,0g,https',
     '500,1password,0u,0g,1password',
     '500,___go_build_main_go,500u,500g,___go_build_mai',
     '500,abrt-action-generate-core-backtrace,0u,0g,abrt-action-gen',
     '500,accountwizard,u,g,accountwizard',
-    '500,thunderbird-bin,0u,0g,thunderbird-bi',
     '500,act,0u,0g,act',
     '500,apk,500u,500g,apk',
     '500,apk,u,g,apk',
@@ -133,7 +130,6 @@ WHERE
     '500,armcord,u,g,armcord',
     '500,aws,0u,0g,aws',
     '500,aws,500u,500g,aws',
-    '500,node,u,g,npm ci',
     '500,bash,0u,0g,bash',
     '500,beeper,u,g,beeper',
     '500,bitwarden,u,g,bitwarden',
@@ -184,6 +180,7 @@ WHERE
     '500,docker,0u,0g,docker',
     '500,docker-buildx,0u,0g,docker-buildx',
     '500,drkonqi,0u,0g,drkonqi',
+    '500,dropbox,500u,500g,dropbox',
     '500,eksctl,0u,0g,eksctl',
     '500,eksctl,500u,500g,eksctl',
     '500,electron,0u,0g,electron',
@@ -280,6 +277,7 @@ WHERE
     '500,node,0u,0g,npm install',
     '500,node,500u,500g,npm run start',
     '500,node,u,g,node',
+    '500,node,u,g,npm ci',
     '500,nuclei,500u,500g,nuclei',
     '500,obs,0u,0g,obs',
     '500,obs,u,g,obs',
@@ -351,11 +349,13 @@ WHERE
     '500,terraform-ls,500u,500g,terraform-ls',
     '500,thunderbird,0u,0g,thunderbird',
     '500,thunderbird,u,g,thunderbird',
+    '500,thunderbird-bin,0u,0g,thunderbird-bi',
     '500,thunderbird-bin,u,g,thunderbird-bin',
     '500,tidal-hifi,u,g,tidal-hifi',
     '500,tilt,500u,500g,tilt',
     '500,TJPP8_Vulkan,500u,500g,TJPP8_Vulkan',
     '500,todoist,0u,0g,todoist',
+    '500,transmission-daemon,500u,500g,transmission-da',
     '500,trivy,0u,0g,trivy',
     '500,trivy,500u,500g,trivy',
     '500,ubuntu-report,0u,0g,ubuntu-report',
@@ -364,8 +364,6 @@ WHERE
     '500,wget,0u,0g,wget',
     '500,wine64-preloader,500u,500g,DaveTheDiver.ex',
     '500,wine64-preloader,500u,500g,Root.exe',
-    '500,wolfi-package-status,500u,500g,wolfi-package-s',
-    '500,wolfictl,500u,500g,wolfictl',
     '500,WPILibInstaller,500u,500g,WPILibInstaller',
     '500,writerside,500u,500g,writerside',
     '500,xmobar,0u,0g,xmobar',
@@ -375,6 +373,7 @@ WHERE
     '500,zoom,0u,0g,zoom',
     '500,zoom.real,u,g,zoom.real'
   ) -- Exceptions where we have to be more flexible for the process name
+  AND NOT exception_key LIKE '500,wolfi%,500u,500g,wolfi%'
   AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf-automatic'
   AND NOT exception_key LIKE '0,python3.%,0u,0g,dnf'
   AND NOT exception_key LIKE '0,python3.%,0u,0g,yum'

diff --git a/detection/c2/1-unexpected-https-macos.sql b/detection/c2/1-unexpected-https-macos.sql
@@ -108,13 +108,14 @@ WHERE
   AND NOT exception_key IN (
     '0,AGSService,AGSService,Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.ags',
     '0,chainctl,chainctl,,a.out',
-    '0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
     '0,com.nordvpn.macos.helper,com.nordvpn.macos.helper,Developer ID Application: Nordvpn S.A. (W5W395V82Y),com.nordvpn.macos.helper',
+    '0,licenseDaemon,licenseDaemon,Developer ID Application: PACE Anti-Piracy, Inc. (TFZ8226T6X),com.paceap.eden.licenseDaemon',
     '500,.Telegram-wrapped,.Telegram-wrapped,,Telegram',
     '500,agent,agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),agent',
     '500,apko,apko,,a.out',
-    '500,proctor,proctor,500u,20g',
+    '500,apkoaas,apkoaas,,a.out',
     '500,Arc Helper,Arc Helper,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
+    '500,art,art,,a.out',
     '500,Authy,Authy,Apple iPhone OS Application Signing,com.authy',
     '500,bash,bash,,bash',
     '500,cloud_sql_proxy,cloud_sql_proxy,,a.out',
@@ -138,7 +139,6 @@ WHERE
     '500,kubectl,kubectl,Developer ID Application: Docker Inc (9BNSXJN65R),kubectl',
     '500,melange,melange,,a.out',
     '500,nami,nami,,a.out',
-    '500,art,art,500u,20g',
     '500,ngrok,ngrok,Developer ID Application: ngrok LLC (TEX8MHRDQ9),a.out',
     '500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX),node',
     '500,odo-darwin-amd64-b4853e1fa,odo-darwin-amd64-b4853e1fa,500u,20g',
@@ -148,6 +148,7 @@ WHERE
     '500,podman,podman,Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),podman',
     '500,PowerPoint,PowerPoint,Apple Development: Zack Hoherchak (SS9PSPF8UF),PowerPoint',
     '500,process-agent,process-agent,Developer ID Application: Datadog, Inc. (JKFCB4CN7C),process-agent',
+    '500,proctor,proctor,,a.out',
     '500,pycharm,pycharm,Developer ID Application: JetBrains s.r.o. (2ZEFAR8TH3),com.jetbrains.pycharm',
     '500,Realm,Realm,Apple iPhone OS Application Signing,camera.youpi.metareal',
     '500,sdaudioswitch,sdaudioswitch,,sdaudioswitch',

diff --git a/detection/execution/1-recently-created-executables-long-lived-linux.sql b/detection/execution/1-recently-created-executables-long-lived-linux.sql
@@ -188,7 +188,7 @@ WHERE
     AND p0.cmdline LIKE './%'
   )
   AND NOT p1.path IN ('/usr/bin/gnome-shell') -- Filter out developers working on their own code
-  AND NOT p1.name = 'makepkg'
+  AND NOT p1.name IN ('makepkg', 'make')
   AND NOT p2.path = '/usr/bin/yay'
   AND NOT p2.cmdline LIKE '/usr/bin/yay %'
   AND NOT (

diff --git a/detection/execution/1-recently-created-executables-long-lived-macos.sql b/detection/execution/1-recently-created-executables-long-lived-macos.sql
@@ -151,6 +151,8 @@ WHERE
       OR homepath LIKE '~/%/pkg/%.test'
       OR homepath LIKE '~/%/src/%.test'
       OR homepath LIKE '~/%/terraform-provider-%'
+      OR homepath LIKE '~/chainguard-dev/%'
+      OR homepath LIKE '~/repos/%'
       OR homepath LIKE '~/github/%'
       OR homepath LIKE '~/go/%/bin'
       OR homepath LIKE '~/go/src/%'
@@ -245,6 +247,7 @@ WHERE
     AND p0.path NOT LIKE '%/.%'
     AND p0.path NOT LIKE '%Cache%'
   )
+  AND NOT p1.name IN ('makepkg', 'make')
   -- Arc
   AND NOT (
     p0.path LIKE '/Users/%/Library/Caches/%/org.sparkle-project.Sparkle/Launcher/%'

diff --git a/...persistence/2-unexpected-device-linux.sql → ...persistence/1-unexpected-device-linux.sql b/...persistence/2-unexpected-device-linux.sql → ...persistence/1-unexpected-device-linux.sql
@@ -166,6 +166,8 @@ WHERE
     '/dev/ngn,character',
     '/dev/ntsync,character',
     '/dev/null,character',
+    '/dev/nvidia-caps/,directory',
+    '/dev/nvidia-caps/nvidia-cap,character',
     '/dev/nvidia-modeset,character',
     '/dev/nvidia-uvm-tools,character',
     '/dev/nvidia-uvm,character',