Merge pull request #431 from r0cketlad/main

fpr: fuscript, linuxbrew, snapd, msedge

detection/c2/unexpected-dns-traffic-events.sql

@@ -95,6 +95,7 @@ WHERE
     'limactl,8.8.8.8,53',
     'Meeting Center,8.8.8.8,53',
     'msedge,8.8.8.8,53',
+    'msedge,8.8.4.4,53',
     'node,149.22.90.225,5353',
     'nuclei,1.0.0.1,53',
     'plugin-container,8.8.8.8,53',
@@ -105,6 +106,8 @@ WHERE
     'slack,8.8.8.8,53',
     'snapd,185.125.188.54,53',
     'snapd,185.125.188.55,53',
+    'snapd,185.125.188.59,53',
+    'snapd,185.125.188.58,53',
     'Socket Process,8.8.8.8,53',
     'syncthing,46.162.192.181,53',
     'Telegram,8.8.8.8,53',

detection/c2/unexpected-talkers-linux.sql

@@ -106,6 +106,7 @@ WHERE
     '80,6,0,ldconfig,0u,0g,ldconfig',
     '80,6,0,NetworkManager,0u,0g,NetworkManager',
     '80,6,0,packagekitd,0u,0g,packagekitd',
+    '80,6,0,packagekit-dnf-refresh-repo,0u,0g,packagekit-dnf-',
     '80,6,0,pacman,0u,0g,pacman',
     '80,6,0,pdftex,0u,0g,pdftex',
     '80,6,0,python2.7,500u,500g,yum',

detection/c2/unexpected-talkers-macos.sql

@@ -133,7 +133,9 @@ WHERE
       '500,0,0,,',
       '500,0,0,.Telegram-wrapped,.Telegram-wrapped',
       '500,6,443,cloud_sql_proxy,cloud_sql_proxy',
-      '500,6,32768,cloud_sql_proxy,cloud_sql_proxy'
+      '500,6,32768,cloud_sql_proxy,cloud_sql_proxy',
+      '500,0,0,jspawnhelper,jspawnhelper',
+      '500,6,0,fuscript,fuscript'
   )
 GROUP BY
   p0.cmdline

detection/evasion/hidden-cwd.sql

@@ -100,6 +100,7 @@ WHERE
       'bash,~/.Trash',
       'bash,~/.local/share',
       'bash,~/go/src',
+      'bash,/var/home/linuxbrew',
       'telegram-deskto,~/snap/telegram-desktop',
       'c++,~/.cache/yay',
       'cc1,/home/build/.cache',