Merge pull request #333 from tstromberg/fpr-nov2

fpr: dbeaver, AwesomeScreenshot, Hyper, etc

detection/c2/unexpected-https-macos.sql

@@ -171,6 +171,7 @@ WHERE
     '0,velociraptor,velociraptor,0u,80g',
     '500,apko,apko,0u,0g',
     '500,apko,apko,500u,20g',
+    '500,istioctl,istioctl,500u,20g',
     '500,aws,aws,0u,0g',
     '500,cargo,cargo,500u,80g',
     '500,chainctl,chainctl,0u,0g',

detection/c2/unexpected-talker-events.sql

@@ -48,7 +48,7 @@ SELECT
 FROM
   socket_events AS s
   LEFT JOIN process_events pe ON s.pid = pe.pid
-  AND pe.time > (strftime('%s', 'now') -660)
+  AND pe.time > (strftime('%s', 'now') -7200)
   LEFT JOIN processes p ON s.pid = p.pid
   LEFT JOIN file f ON s.path = f.path
   LEFT JOIN users u ON f.uid = u.uid
@@ -91,7 +91,9 @@ WHERE
     '/usr/local',
     '/usr/bin',
     '/usr/sbin',
+    '/snap/firefox',
     '~/.provisio',
+    '~/homebrew',
     '~/Applications',
     '~/Apps',
     '~/bin',
@@ -109,78 +111,85 @@ WHERE
     '500,0,110,syncthing',
     '500,0,1234,spotify',
     '500,0,123,sntp',
-    '500,500,32768,Code Helper',
-    '500,0,443,Authy',
     '500,0,20480,io.tailscale.ipn.macsys.network-extension',
     '500,0,22,ssh',
     '500,0,31488,sntp',
     '500,0,32768,com.apple.NRD.UpdateBrainService',
+    '500,0,32768,firefox',
     '500,0,32768,io.tailscale.ipn.macsys.network-extension',
     '500,0,32768,ksfetch',
     '500,0,32768,networkQuality',
     '500,0,32768,syncthing',
+    '500,0,4070,spotify',
     '500,0,43,whois',
+    '500,0,443,Authy',
     '500,0,443,Brackets',
     '500,0,443,chrome',
     '500,0,443,chrome_crashpad_handler',
     '500,0,443,com.apple.MobileSoftwareUpdate.UpdateBrainService',
     '500,0,443,com.apple.NRD.UpdateBrainService',
-    '500,500,32768,Chromium Helper',
+    '500,0,443,com.fortinet.forticlient.macos.vpn.nwextension',
     '500,0,443,com.google.one.NetworkExtension',
     '500,0,443,curl',
     '500,0,443,electron',
     '500,0,443,firefox',
     '500,0,443,fwupdmgr',
     '500,0,443,git-remote-http',
     '500,0,443,gnome-software',
-    '500,0,53,electron',
-    '500,0,443,kioslave5',
     '500,0,443,http',
     '500,0,443,io.tailscale.ipn.macsys.network-extension',
+    '500,0,443,kioslave5',
     '500,0,443,ksfetch',
     '500,0,443,launcher',
     '500,0,443,nessusd',
     '500,0,443,networkQuality',
     '500,0,443,node',
     '500,0,443,OneDriveStandaloneUpdater',
+    '500,0,443,pingsender',
     '500,0,443,slack',
     '500,0,443,snapd',
-    '500,500,32768,Code Helper',
     '500,0,443,spotify',
     '500,0,443,ssh',
     '500,0,443,syncthing',
     '500,0,443,velociraptor',
     '500,0,443,wget',
     '500,0,5228,chrome',
     '500,0,53,chrome',
+    '500,0,53,electron',
     '500,0,53,git',
     '500,0,53,launcher',
+    '500,0,53,nessusd',
     '500,0,53,NetworkManager',
     '500,0,53,slack',
-    '500,0,443,com.fortinet.forticlient.macos.vpn.nwextension',
     '500,0,53,spotify',
+    '500,500,32768,G2MUpdate',
     '500,0,53,wget',
     '500,0,5632,ssh',
+    '500,0,53,nessusd',
     '500,0,80,chrome',
     '500,0,80,com.apple.NRD.UpdateBrainService',
     '500,0,80,electron',
     '500,0,80,firefox',
     '500,0,80,http',
     '500,0,80,io.tailscale.ipn.macsys.network-extension',
     '500,0,80,ksfetch',
+    '500,500,53,gitsign',
     '500,0,9,launcher',
     '500,500,13568,Code Helper',
     '500,500,20480,Code Helper',
     '500,500,20480,GoogleUpdater',
-    '500,0,4070,spotify',
     '500,500,20480,ksfetch',
     '500,500,22,ssh',
     '500,500,2304,cloud_sql_proxy',
+    '500,500,2304,terraform-provider-google_v4.37.0_x5',
+    '500,500,32768,Chromium Helper',
     '500,500,32768,cloud-sql-proxy',
+    '500,500,32768,Code Helper',
     '500,500,32768,Electron',
     '500,500,32768,GoogleUpdater',
     '500,500,32768,java',
     '500,500,32768,ksfetch',
+    '500,500,32768,melange',
     '500,500,32768,node',
     '500,500,4318,Code Helper (Plugin)',
     '500,500,443,apk',
@@ -200,16 +209,15 @@ WHERE
     '500,500,443,git-remote-http',
     '500,500,443,gitsign',
     '500,500,443,GitX',
-    '500,500,32768,melange',
     '500,500,443,go',
     '500,500,443,Google Chrome Helper',
     '500,500,443,GoogleUpdater',
     '500,500,443,grype',
+    '500,500,443,istioctl',
     '500,500,443,ksfetch',
     '500,500,443,kubectl',
     '500,500,443,minikube',
     '500,500,443,node',
-    '500,500,2304,terraform-provider-google_v4.37.0_x5',
     '500,500,443,old',
     '500,500,443,Signal',
     '500,500,443,Signal Helper (Renderer)',
@@ -221,6 +229,7 @@ WHERE
     '500,500,80,Code Helper (Plugin)',
     '500,500,80,copilot-agent-macos-arm64',
     '500,500,80,Google Chrome Helper',
+    '500,500,80,GoogleUpdater',
     '500,500,80,ksfetch',
     '500,500,80,node'
   )
@@ -231,6 +240,7 @@ WHERE
   AND NOT p0_path LIKE '/Users/%/go/%'
   AND NOT p0_path LIKE '/Users/%/src/%'
   AND NOT p0_path LIKE '/Users/%/dev/%'
+  AND NOT p0_path LIKE '/private/var/folders/%/T/AppTranslocation/%/%.app/Contents/MacOS/%'
   AND NOT (
     basename = "Python"
     AND (

detection/c2/unexpected-talkers-macos.sql

@@ -218,29 +218,31 @@ WHERE
       OR pos.remote_port > 1024
     )
     AND id_exception_key IN (
+      'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
+      'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
       'Developer ID Application: Bookry Ltd (4259LE8SU5),com.bookry.wavebox.helper',
-      'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
       'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
-      'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
-      'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
-      'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.Reader',
+      'Developer ID Application: Adobe Inc. (JQ525L2MZD),com.adobe.AdobeResourceSynchronizer',
       'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
-      'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
-      'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
-      'Apple Mac OS Application Signing,com.microsoft.OneDrive-mac',
-      'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
+      'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
       'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
       'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
-      'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
+      'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
+      'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
       'Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
+      'Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
+      'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
+      'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
       'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
       'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
+      'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
+      'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
       'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',
       'Developer ID Application: Valve Corporation (MXGJJ98X76),com.valvesoftware.steam',
       'Developer ID Application: Vladimir Prelovac (TFVG979488),com.apple.WebKit.Networking'

detection/evasion/hidden-cwd-events-linux.sql

@@ -13,67 +13,78 @@
 -- platform: linux
 -- interval: 600
 SELECT
-    COALESCE(REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*?)\/", 1), REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*)", 1)) AS hidden_base,
-    REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*)", 1) AS hidden_part,
-    COALESCE(REGEX_MATCH (TRIM(pe.cwd, '"'), '.*/(.*)', 1), pe.cwd) AS basename,
-    CONCAT (
-        COALESCE(REGEX_MATCH (TRIM(pe.path, '"'), '.*/(.*)', 1), pe.path),
-        ',',
-        REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*?)\/", 1), REGEX_MATCH(TRIM(pe.cwd, '"'), "/(\..*)", 1)
-    ) AS exception_key,
-    -- Child
-    pe.path AS p0_path,
-    COALESCE(REGEX_MATCH (pe.path, '.*/(.*)', 1), pe.path) AS p0_name,
-    TRIM(pe.cmdline) AS p0_cmd,
-    TRIM(pe.cwd, '"') AS p0_cwd,
-    pe.status AS p0_status,
-    pe.time AS p0_time,
-    pe.pid AS p0_pid,
-    pe.euid AS p0_euid,
-    -- Parent
-    pe.parent AS p1_pid,
-    TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
-    p1.cwd AS p1_cwd,
-    COALESCE(p1.path, pe1.path) AS p1_path,
-    COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
-    REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name
+  COALESCE(
+    REGEX_MATCH (TRIM(pe.cwd, '"'), "/(\..*?)\/", 1),
+    REGEX_MATCH (TRIM(pe.cwd, '"'), "/(\..*)", 1)
+  ) AS hidden_base,
+  REGEX_MATCH (TRIM(pe.cwd, '"'), "/(\..*)", 1) AS hidden_part,
+  COALESCE(
+    REGEX_MATCH (TRIM(pe.cwd, '"'), '.*/(.*)', 1),
+    pe.cwd
+  ) AS basename,
+  CONCAT (
+    COALESCE(
+      REGEX_MATCH (TRIM(pe.path, '"'), '.*/(.*)', 1),
+      pe.path
+    ),
+    ',',
+    REGEX_MATCH (TRIM(pe.cwd, '"'), "/(\..*?)\/", 1),
+    REGEX_MATCH (TRIM(pe.cwd, '"'), "/(\..*)", 1)
+  ) AS exception_key,
+  -- Child
+  pe.path AS p0_path,
+  COALESCE(REGEX_MATCH (pe.path, '.*/(.*)', 1), pe.path) AS p0_name,
+  TRIM(pe.cmdline) AS p0_cmd,
+  TRIM(pe.cwd, '"') AS p0_cwd,
+  pe.status AS p0_status,
+  pe.time AS p0_time,
+  pe.pid AS p0_pid,
+  pe.euid AS p0_euid,
+  -- Parent
+  pe.parent AS p1_pid,
+  TRIM(COALESCE(p1.cmdline, pe1.cmdline)) AS p1_cmd,
+  p1.cwd AS p1_cwd,
+  COALESCE(p1.path, pe1.path) AS p1_path,
+  COALESCE(p_hash1.sha256, pe_hash1.sha256) AS p1_hash,
+  REGEX_MATCH (COALESCE(p1.path, pe1.path), '.*/(.*)', 1) AS p1_name
 FROM
-    process_events pe
-    LEFT JOIN users u ON pe.uid = u.uid
-    LEFT JOIN processes p ON pe.pid = p.pid -- Parents (via two paths)
-    LEFT JOIN processes p1 ON pe.parent = p1.pid
-    LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
-    LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
-    AND pe1.time > (strftime('%s', 'now') -60660)
-    AND pe1.cmdline != ''
-    LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
+  process_events pe
+  LEFT JOIN users u ON pe.uid = u.uid
+  LEFT JOIN processes p ON pe.pid = p.pid -- Parents (via two paths)
+  LEFT JOIN processes p1 ON pe.parent = p1.pid
+  LEFT JOIN hash p_hash1 ON p1.path = p_hash1.path
+  LEFT JOIN process_events pe1 ON pe.parent = pe1.pid
+  AND pe1.time > (strftime('%s', 'now') -60660)
+  AND pe1.cmdline != ''
+  LEFT JOIN hash pe_hash1 ON pe1.path = pe_hash1.path
 WHERE
-    pe.time > (strftime('%s', 'now') -60600)
-    AND pe.cwd LIKE '%/.%'
-    AND NOT (
-        hidden_base IN (
-            '.cache',
-            '.cargo',
-            '.gradle',
-            '.kotlin',
-            '.npm',
-            '.git',
-            '.gimme',
-            '.vscode',
-            '.vim',
-            '.config',
-            '.github',
-            '.provisio',
-            '.terraform.d',
-            '.emacs.d',
-            '.gmailctl',
-            '.oh-my-zsh',
-            '.zsh'
-        )
-        OR exception_key LIKE '%sh,~/.Trash'
+  pe.time > (strftime('%s', 'now') -60600)
+  AND pe.cwd LIKE '%/.%'
+  AND NOT (
+    hidden_base IN (
+      '.cache',
+      '.cargo',
+      '.gradle',
+      '.kotlin',
+      '.npm',
+      '.git',
+      '.gimme',
+      '.vscode',
+      '.vim',
+      '.config',
+      '.github',
+      '.provisio',
+      '.terraform.d',
+      '.emacs.d',
+      '.gmailctl',
+      '.oh-my-zsh',
+      '.zsh'
     )
-    AND NOT pe.cwd LIKE '%/build/%'
-    AND NOT pe.cwd LIKE '%/out/%'
+    OR exception_key LIKE '%sh,~/.Trash'
+    OR exception_key IN ('git,.test')
+  )
+  AND NOT pe.cwd LIKE '%/build/%'
+  AND NOT pe.cwd LIKE '%/out/%'
 GROUP BY
-    p.cmdline,
-    p.cwd;
+  p.cmdline,
+  p.cwd;

detection/evasion/hidden-cwd.sql

@@ -105,6 +105,7 @@ WHERE
       'rustc,/home/build/.cargo',
       'fish,~/.Trash',
       'git,~/.local/share',
+      'fileproviderd,~/Library/Mobile Documents',
       'java,/home/build/.gradle',
       'java,~/.gradle/daemon',
       'java,/home/build/.kotlin',

detection/evasion/hidden-home-library-dir.sql

@@ -37,21 +37,21 @@ WHERE
   AND file.path NOT LIKE '%/./%'
   AND NOT homedir IN (
     '~/Library/Accessibility/.com.apple.RTTTranscripts_SUPPORT/_EXTERNAL_DATA',
-    '~/Library/Finance/.finance_cloud_SUPPORT/_EXTERNAL_DATA',
-    '~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/Caches/.sigstore/gitsign',
     '~/Library/com.apple.groupkitd/.syncedGroupStore_SUPPORT/_EXTERNAL_DATA',
-    '~/Library/Finance/.finance_dropbox_SUPPORT/_EXTERNAL_DATA',
     '~/Library/com.apple.groupkitd/.syncedGroupStore_SUPPORT/_EXTERNAL_DATA/',
-    '~/Library/Preferences/.wrangler',
-    '~/Library/Mobile Documents/.Trash%',
-    '~/Library/Group Containers/.SiriTodayViewExtension/Library',
+    '~/Library/Finance/.finance_cloud_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/Finance/.finance_dropbox_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/Finance/.finance_local_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/GroupContainersAlias/.SiriTodayViewExtension',
+    '~/Library/GroupContainersAlias/.SiriTodayViewExtension/Library',
     '~/Library/Group Containers/.SiriTodayViewExtension',
-    '~/Library/Saved Searches/.DockTags',
-    '~/Library/Preferences/.wrangler/config',
-    '~/Library/HomeKit/.core-cloudkit_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/Group Containers/.SiriTodayViewExtension/Library',
     '~/Library/HomeKit/.core-cloudkit-shared_SUPPORT/_EXTERNAL_DATA',
-    '~/Library/Caches/.sigstore/gitsign',
-    '~/Library/GroupContainersAlias/.SiriTodayViewExtension/Library',
-    '~/Library/GroupContainersAlias/.SiriTodayViewExtension'
+    '~/Library/HomeKit/.core-cloudkit_SUPPORT/_EXTERNAL_DATA',
+    '~/Library/Preferences/.wrangler',
+    '~/Library/Preferences/.wrangler/config',
+    '~/Library/Saved Searches/.DockTags'
   )
   AND NOT homedir LIKE '~/Library/.icedove/%'
+  AND NOT homedir LIKE '~/Library/Mobile Documents/.Trash%'

detection/evasion/unexpected-hidden-system-paths.sql

@@ -104,6 +104,7 @@ WHERE
     '/tmp/.last_survey_prompt.yaml',
     '/tmp/.last_update_check.json',
     '/tmp/.metrics-agent/',
+    '/tmp/.touchpaddefaults',
     '/tmp/.searcher.tmp/',
     '/tmp/.bazelci/',
     '/tmp/.settings-agent/',