Overdue False Positive Reduction

detection/c2/unexpected-dns-traffic-events.sql

@@ -102,6 +102,7 @@ WHERE
     'Jabra Direct Helper',
     'nessusd',
     'apko',
+    'nuclei',
     'adguard_dns',
     'IPNExtension',
     'mDNSResponder',

detection/c2/unexpected-talkers-macos.sql

@@ -239,29 +239,31 @@ WHERE pos.protocol > 0
       'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.helper',
       'Developer ID Application: Brave Software, Inc. (KL8N8XSYF4),com.brave.Browser.nightly.helper',
       'Developer ID Application: Cloudflare Inc. (68WVV388M8),CloudflareWARP',
-      'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
-      'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
       'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker',
+      'Developer ID Application: Docker Inc (9BNSXJN65R),com.docker.docker',
       'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.EpicGamesLauncher',
       'Developer ID Application: Epic Games International, S.a.r.l. (96DBZ92D3Y),com.epicgames.UE4EditorServices',
       'Developer ID Application: Fortinet, Inc (AH4XFXJ7DK),fctupdate',
+      'Developer ID Application: WhatsApp Inc. (57T9237FN3),net.whatsapp.WhatsApp',
       'Developer ID Application: GEORGE NACHMAN (H7V7XYVQ7D),com.googlecode.iterm2',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.Chrome.helper',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.GoogleUpdater',
       'Developer ID Application: Google LLC (EQHXZ8M8AV),com.google.one.NetworkExtension',
+      'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.edgemac.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.teams2.helper',
-      'Developer ID Application: Microsoft Corporation (UBF8T346G9),com.microsoft.VSCode.helper',
       'Developer ID Application: Microsoft Corporation (UBF8T346G9),net.java.openjdk.java',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefox',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.firefoxdeveloperedition',
       'Developer ID Application: Mozilla Corporation (43AQ936H96),org.mozilla.thunderbird',
       'Developer ID Application: Opera Software AS (A2P9LX4JPN),com.operasoftware.Opera.helper',
       'Developer ID Application: Parallels International GmbH (4C6364ACXT),com.parallels.naptd',
+      'Developer ID Application: Loom, Inc (QGD2ZPXZZG),com.loom.desktop',
+      'Developer ID Application: Red Hat, Inc. (HYSCB8KRL2),gvproxy',
       'Developer ID Application: Skype Communications S.a.r.l (AL798K98FX),com.skype.skype.Helper',
       'Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL),com.tinyspeck.slackmacgap.helper',
-      'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
       'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client',
+      'Developer ID Application: Spotify (2FNC3A47ZF),com.spotify.client.helper',
       'Developer ID Application: Tailscale Inc. (W5364U7YZB),io.tailscale.ipn.macsys.network-extension',
       'Developer ID Application: TechSmith Corporation (7TQL462TU8),com.techsmith.snagit.capturehelper2020',
       'Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G),company.thebrowser.browser.helper',

detection/collection/high-disk-bytes-written.sql

@@ -144,6 +144,7 @@ WHERE
     'docker-index',
     'esbuild',
     'firefox',
+    'logioptionsplus_updater',
     'fsdaemon',
     'go',
     'goland',

detection/credentials/unexpected-dev-opener-linux.sql

@@ -174,10 +174,10 @@ WHERE
     '/dev/hidraw,chrome',
     '/dev/hvc,agetty',
     '/dev/hwrng,rngd',
-    '/dev/wwan0mbim,mbim-proxy',
     '/dev/input/event,Xorg',
     '/dev/input/event,thermald',
     '/dev/input/event,touchegg',
+    '/dev/kmsg,_k3s-inner',
     '/dev/kmsg,bpfilter_umh',
     '/dev/kmsg,dmesg',
     '/dev/kmsg,k3s',
@@ -198,6 +198,7 @@ WHERE
     '/dev/net/tun,qemu-system-x86_64',
     '/dev/net/tun,slirp4netns',
     '/dev/pts,incusd',
+    '/dev/sda,ntfs-3g',
     '/dev/shm/envoy_shared_memory_1,envoy',
     '/dev/tpmrm,launcher',
     '/dev/tty,Xorg',
@@ -223,11 +224,13 @@ WHERE
     '/dev/video,pipewire',
     '/dev/video,signal-desktop',
     '/dev/video,slack',
+    '/dev/video,v4l2-relayd',
     '/dev/video,vlc',
     '/dev/video,wireplumber',
     '/dev/video,zoom',
     '/dev/video,zoom.real',
     '/dev/video0,chrome',
+    '/dev/wwan0mbim,mbim-proxy',
     '/dev/zfs,',
     '/dev/zfs,zed',
     '/dev/zfs,zfs',

detection/discovery/unexpected-bpf-user.sql

@@ -38,7 +38,8 @@ WHERE
   )
   AND p.path NOT IN (
     '/usr/bin/qemu-system-x86_64',
-    '/usr/lib/systemd/systemd'
+    '/usr/lib/systemd/systemd',
+    '/opt/Elastic/Endpoint/elastic-endpoint'
   )
   AND p.cmdline != '/usr/bin/python3 /usr/sbin/execsnoop-bpfcc'
   AND p.path NOT LIKE '/nix/store/%/lib/systemd/systemd'

detection/evasion/executables-from-the-future.sql

@@ -4,7 +4,7 @@
 --   * https://attack.mitre.org/techniques/T1070/006/ (Indicator Removal on Host: Timestomp)
 --
 -- false positives:
---   * None observed
+--   * Badly distributed software
 --
 -- tags: persistent state process
 SELECT
@@ -37,6 +37,12 @@ FROM
   LEFT JOIN processes pp ON p.parent = pp.pid
   LEFT JOIN hash ON p.path = hash.path
 WHERE
-  mtime_newer == 1
-  OR ctime_newer == 1
-  OR btime_newer == 1
+  (
+    mtime_newer == 1
+    OR ctime_newer == 1
+    OR btime_newer == 1
+  )
+  AND NOT p.path LIKE '/Applications/Signal.app%'
+  AND NOT p.path LIKE '/private/var/db/com.apple.xpc.roleaccountd.staging/%'
+  -- 2038
+  AND NOT f.mtime > 2153484373

detection/evasion/hidden-executable.sql

@@ -62,6 +62,7 @@ WHERE
   AND NOT f.directory LIKE '%/.steampipe/db/%'
   AND NOT f.directory LIKE '%/.docker/cli-plugins'
   AND NOT f.directory LIKE '%/.cursor/%'
+  AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
   AND NOT f.directory LIKE '%/.tflint.d/%'
   AND NOT f.directory LIKE '%/.vs-kubernetes/%'
   AND NOT f.directory LIKE '%/.vscode/extensions/%'

detection/evasion/old-binaries-running.sql

@@ -59,6 +59,7 @@ WHERE
     '/usr/bin/xclip',
     '/usr/bin/xss-lock',
     '/usr/bin/i3lock',
+    '/usr/bin/xbindkeys',
     '/usr/local/bin/dive'
   )
   AND p.name NOT IN (
@@ -72,7 +73,7 @@ WHERE
     'Pandora Helper',
     'dlv'
   )
-  AND f.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/AC5EE427-8F66-4F1D-BDE1-852E8C1D17FB/d/Skitch.app/Contents/MacOS/Skitch'
+  AND f.path NOT LIKE '/private/var/folders/%/T/AppTranslocation/%/d/Skitch.app/Contents/MacOS/Skitch'
   AND p.cgroup_path NOT LIKE '/system.slice/docker-%'
   AND p.cgroup_path NOT LIKE '/user.slice/user-%.slice/user@%.service/user.slice/nerdctl-%'
 GROUP BY

detection/evasion/touched-executable-macos.sql

@@ -111,6 +111,7 @@ WHERE
       OR p.path LIKE '/opt/homebrew/Cellar/%/bin/%'
       OR p.path LIKE '/opt/homebrew/Caskroom/%/bin/%'
       OR p.path LIKE '/Users/%/google-cloud-sdk/bin/%'
+      OR p.path LIKE '/Users/%/J8RPQ294UB.com.skitch.SkitchHelper'
     )
   )
   AND NOT (

detection/evasion/unexpected-alf-exceptions-macos.sql

@@ -98,6 +98,8 @@ WHERE -- Filter out stock exceptions to decrease overhead
     'Developer ID Application: Evernote Corporation (Q79WDW8YH9),com.evernote.Evernote,/Applications/Evernote.app/,501',
     'Developer ID Application: Python Software Foundation (BMM5U3QVKW),org.python.python,/Library/Frameworks/Python.framework/Versions/3.11/Resources/Python.app/,0',
     'Software Signing,com.apple.Music,/System/Applications/Music.app/,0',
+    'Software Signing,com.apple.rpc,/usr/sbin/rpc.lockd,0',
+    'Software Signing,com.apple.Terminal,/System/Applications/Utilities/Terminal.app/,0',
     'Software Signing,com.apple.WebKit.Networking,/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
     'Software Signing,com.apple.WebKit.Networking,/System/Volumes/Preboot/Cryptexes/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/,0',
     'Software Signing,com.apple.audio.InfoHelper,/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.InfoHelper.xpc/,0',
@@ -106,6 +108,7 @@ WHERE -- Filter out stock exceptions to decrease overhead
     'Software Signing,com.apple.python3,/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
     'Software Signing,com.apple.python3,/Library/Developer/CommandLineTools/Library/Frameworks/Python3.framework/Versions/3.9/Resources/Python.app/,0',
     'Software Signing,com.apple.xartstorageremoted,/usr/libexec/xartstorageremoted,0',
+    'Developer ID Application: Zed Industries, Inc. (MQ55VZLNZQ),dev.zed.Zed,/Applications/Zed.app/,501',
     'qbittorrent macos,org.qbittorrent.qBittorrent,/Applications/qbittorrent.app/,501'
   )
   AND NOT exception_key LIKE ',a.out,/Users/%/dev/%,501'

detection/evasion/unexpected-dev-entries.sql

@@ -41,6 +41,7 @@ WHERE
       OR file.path LIKE '/dev/shm/shm-%-%-%'
       OR file.path LIKE '/dev/shm/pulse-shm-%'
       OR file.path LIKE '/dev/shm/u1000-Shm%'
+      OR file.path LIKE '/dev/shm/sem.%autosave'
       OR file.path LIKE '/dev/shm/u1000-Valve%'
       OR file.path LIKE '/dev/shm/aomshm.%'
       OR file.path LIKE '/dev/shm/jack_db%'

detection/evasion/unexpected-hidden-system-paths.sql

@@ -124,6 +124,7 @@ WHERE
     '/var/db/.InstallerTMExcludes.plist',
     '/var/db/.LastGKApp',
     '/var/db/.LastGKReject',
+    '/tmp/.wsdl/',
     '/var/db/.MASManifest',
     '/var/db/.EntReg',
     '/var/db/.RunLanguageChooserToo',
@@ -142,6 +143,7 @@ WHERE
     '/var/root/.docker/',
     '/var/root/.forward',
     '/var/root/.lesshst',
+    '/etc/.bootcount',
     '/var/root/.nix-channels',
     '/var/root/.nix-defexpr/',
     '/var/root/.nix-profile/',
@@ -165,6 +167,7 @@ WHERE
   )
   AND file.path NOT LIKE '/%bin/bootstrapping/.default_components'
   AND file.path NOT LIKE '/tmp/.#%'
+  AND file.path NOT LIKE '/lib/jvm/.java-%.jinfo'
   AND file.path NOT LIKE '/tmp/.lark_cache_%'
   AND file.path NOT LIKE '/tmp/.cdx.json%'
   AND file.path NOT LIKE '/tmp/.wine-%'

detection/evasion/unexpected-user-executables-macos.sql

@@ -194,6 +194,7 @@ WHERE
   )
   AND NOT f.directory LIKE '/Users/%/.docker/cli-plugins'
   AND NOT f.directory LIKE '/Users/%/.nix-profile/bin'
-  AND NOT f.path LIKE '	/Users/%/Library/Fonts/%.ttf'
+  AND NOT f.path LIKE '/Users/%/Library/Fonts/%.ttf'
+  AND NOT f.path LIKE '/Users/%/Library/Fonts/%.otf'
 GROUP BY
   f.path

detection/evasion/unusual-process-name-macos.sql

@@ -111,6 +111,7 @@ WHERE
   AND NOT pname LIKE '%-macos-arm64'
   AND NOT pname LIKE 'debug.test%'
   AND NOT pname LIKE '__%go_build%'
+  AND NOT pname LIKE 'BetterTouchToolAppleScriptRunner%'
   AND NOT s.authority IN (
     "Software Signing",
     "Apple Mac OS Application Signing"

detection/execution/recently-created-executables-long-lived-macos.sql

@@ -195,6 +195,7 @@ WHERE
     'Developer ID Application: Parallels International GmbH (4C6364ACXT)',
     'Developer ID Application: Rapid7 LLC (UL6CGN7MAL)',
     'Developer ID Application: RescueTime, Inc (FSY4RB8H39)',
+    'Developer ID Application: Wizards of OBS LLC (2MMRE5MTB8)',
     'Developer ID Application: SUSE LLC (2Q6FHJR3H3)',
     'Developer ID Application: Seiko Epson Corporation (TXAEAV5RN4)',
     'Developer ID Application: SteelSeries (6WGL6CHFH2)',

detection/execution/relative-exec-low-uid.sql

@@ -49,6 +49,7 @@ WHERE
       euid < 500
       AND cmdline LIKE './%'
       AND NOT cmdline LIKE './out/osqtool-% %'
+      AND NOT cmdline LIKE './OneDrivePkgTelemetry%'
       AND NOT cgroup_path LIKE '/system.slice/docker-%'
   )
 GROUP BY

detection/execution/tiny-executable-events.sql

@@ -41,7 +41,7 @@ WHERE
   AND p.path NOT LIKE '%.sh'
   AND p.path NOT LIKE '%.py'
   AND p.path NOT LIKE '%.rb'
-  AND p.path != '/sbin/ldconfig'
+  AND p.path NOT IN ('/sbin/ldconfig', '/usr/sbin/ldconfig')
   AND NOT (
     p.path LIKE '/Users/%'
     AND magic.data LIKE 'POSIX shell script%'

detection/execution/unexpected-execdir-macos.sql

@@ -141,6 +141,7 @@ WHERE
     '/Library/Developer/Xcode/',
     '/opt/rapid7/ir_agent',
     '~/.local/share/bob/',
+    '~/.local/share/nvim/',
     '~/.terraform.d/plugin-cache/registry.terraform.io/',
     '~/Library/Arduino15/packages/',
     '~/Library/Caches/Cypress/',

detection/execution/unexpected-fetcher-parents.sql

@@ -71,6 +71,7 @@ WHERE -- NOTE: The remainder of this query is synced with unexpected-fetcher-par
     'curl,500,node-cve-count.,bash',
     'curl,500,nvim,nvim',
     'curl,500,ruby,zsh',
+    'curl,500,endpoint-instal,bash',
     'curl,500,ShellLauncher,',
     'curl,500,ShellLauncher,login',
     'curl,500,Slack,launchd',

detection/execution/unexpected-security-framework-program-macos.sql

@@ -150,6 +150,8 @@ WHERE
     '500,cpu,cpu-555549441132dc6b7af538428ce3359ae94eab37,',
     '500,crane,a.out,',
     '500,nvim,,',
+    '500,J8RPQ294UB.com.skitch.SkitchHelper,J8RPQ294UB.com.skitch.SkitchHelper,Developer ID Application: Skitch Inc (J8RPQ294UB)',
+    '500,AeroSpace,bobko.aerospace,aerospace-codesign-certificate',
     '500,debug.test,a.out,',
     '500,dive,a.out,',
     '500,dlv,a.out,',
@@ -239,6 +241,8 @@ WHERE
   AND NOT exception_key LIKE '500,rust-analyzer,rust_analyzer-%,'
   AND NOT exception_key LIKE '500,nvim,bob-%'
   AND NOT exception_key LIKE '500,nvim,%.out,'
+  AND NOT exception_key LIKE '500,rzls,apphost-%,'
+  AND NOT exception_key LIKE '500,sg-nvim-agent,sg_nvim_agent-%,'
   AND NOT exception_key LIKE '500,taplo-full-darwin-%,taplo-%,'
 GROUP BY
   p0.pid

detection/exfil/high_disk_bytes_read.sql

@@ -145,6 +145,7 @@ WHERE
     '/usr/bin/darktable',
     '/usr/bin/dockerd',
     '/usr/bin/gnome-shell',
+    '/Library/Application Support/Adobe/Adobe Desktop Common/HDBox/Setup',
     '/usr/bin/gnome-software',
     '/usr/bin/rsync',
     '/usr/bin/teskdisk',

detection/exfil/yara-unexpected-go-crypt-exec-process.sql

@@ -3,7 +3,7 @@
 -- reference:
 --   * https://github.com/Neo23x0/signature-base/blob/master/yara/pua_cryptocoin_miner.yar
 --
--- tags: persistent
+-- tags: persistent extra
 -- interval: 3600
 -- platform: posix
 SELECT

detection/initial_access/unexpected-shell-parent-events.sql

@@ -256,6 +256,7 @@ WHERE
       'bash,0,pia-daemon,launchd',
       'sh,500,viddy,zsh',
       'bash,500,plasmashell,systemd',
+      'zsh,500,rubymine,launchd',
       'sh,500,splunkd,splunkd',
       'bash,0,udevadm,udevadm',
       'bash,500,.man-wrapped,zsh',

detection/persistence/listening-from-unusual-location.sql

@@ -96,5 +96,5 @@ WHERE
     '/Applications/Keybase.app/Contents/SharedSupport/bin',
     '/opt/docker-desktop/bin'
   )
-  AND NOT exception_key IN ('16620,6,500,psi-bastion')
+  AND NOT exception_key IN ('16620,6,500,psi-bastion', '32768,6,500,java')
   AND NOT p0.path LIKE '/nix/store/%'

detection/persistence/minimal-socket-client-macos.sql

@@ -6,7 +6,7 @@
 -- references:
 --   * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
 --
--- tags: persistent process state seldom
+-- tags: persistent process state seldom extra
 -- platform: macos
 SELECT
   p.uid,
@@ -61,27 +61,30 @@ WHERE
   AND pmm.path LIKE "%.dylib"
   AND exception_key NOT IN (
     '500,Bitwarden,/Applications/Bitwarden.app/Contents/MacOS/Bitwarden',
-    '500,Final Cut Pro,/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro',
     '500,Clipy,/Applications/Clipy.app/Contents/MacOS/Clipy',
     '500,Evernote,/Applications/Evernote.app/Contents/MacOS/Evernote',
-    '500,Skitch,/Applications/Skitch.app/Contents/MacOS/Skitch',
-    '500,Macdown,/Applications/MacDown.app/Contents/MacOS/MacDown',
-    '500,monday.com,/Applications/monday.com.app/Contents/MacOS/monday.com',
+    '500,Final Cut Pro,/Applications/Final Cut Pro.app/Contents/MacOS/Final Cut Pro',
     '500,J8RPQ294UB.com.skitch.SkitchHelper,/Applications/Skitch.app/Contents/Library/LoginItems/J8RPQ294UB.com.skitch.SkitchHelper.app/Contents/MacOS/J8RPQ294UB.com.skitch.SkitchHelper',
-    '500,Revolt,/Applications/Revolt.app/Contents/MacOS/Revolt',
-    '500,Revolt Helper,/Applications/Revolt.app/Contents/Frameworks/Revolt Helper.app/Contents/MacOS/Revolt Helper',
+    '500,Lightshot Screenshot,/Applications/Lightshot Screenshot.app/Contents/MacOS/Lightshot Screenshot',
+    '500,Macdown,/Applications/MacDown.app/Contents/MacOS/MacDown',
     '500,Revolt Helper (GPU),/Applications/Revolt.app/Contents/Frameworks/Revolt Helper (GPU).app/Contents/MacOS/Revolt Helper (GPU)',
-    '500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
+    '500,Revolt Helper,/Applications/Revolt.app/Contents/Frameworks/Revolt Helper.app/Contents/MacOS/Revolt Helper',
+    '500,Revolt,/Applications/Revolt.app/Contents/MacOS/Revolt',
+    '500,Skitch,/Applications/Skitch.app/Contents/MacOS/Skitch',
     '500,Slack Helper (GPU),/Applications/Slack.app/Contents/Frameworks/Slack Helper (GPU).app/Contents/MacOS/Slack Helper (GPU)',
     '500,Slack Helper (Renderer),/Applications/Slack.app/Contents/Frameworks/Slack Helper (Renderer).app/Contents/MacOS/Slack Helper (Renderer)',
+    '500,Slack,/Applications/Slack.app/Contents/MacOS/Slack',
     '500,Snagit 2020,/Applications/Snagit 2020.app/Contents/MacOS/Snagit 2020',
     '500,SnagitHelper2020,/Applications/Snagit 2020.app/Contents/Library/LoginItems/SnagitHelper2020.app/Contents/MacOS/SnagitHelper2020',
+    '500,Speedtest,/Applications/Speedtest.app/Contents/MacOS/Speedtest',
     '500,Todoist,/Applications/Todoist.app/Contents/MacOS/Todoist',
-    '500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper (GPU).app/Contents/MacOS/WhatsApp Helper (GPU)'
+    '500,WhatsApp Helper (GPU),/Applications/WhatsApp.app/Contents/Frameworks/WhatsApp Helper (GPU).app/Contents/MacOS/WhatsApp Helper (GPU)',
+    '500,monday.com,/Applications/monday.com.app/Contents/MacOS/monday.com'
   )
   AND exception_key NOT LIKE '500,MacVim,/%/MacVim.app/Contents/MacOS/MacVim'
   AND exception_key NOT LIKE '500,PrinterProxy,/Users/%/Library/Printers/Brother %.app/Contents/MacOS/PrinterProxy'
   AND exception_key NOT LIKE '500,Steam Helper,/Users/%/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/Frameworks/Steam Helper.app/Contents/MacOS/Steam Helper'
+  AND exception_key NOT LIKE '500,Skitch,/private/var/folders/%/d/Skitch.app/Contents/MacOS/Skitch'
 GROUP BY
   pos.pid
 HAVING