Flush out more false positives across the stack

2025-03-11 05:07:40 +00:00 · 2023-01-06 10:36:48 -05:00 · 2023-01-06 10:36:48 -05:00 · 05a39a78d3
commit 05a39a78d3
parent 7455c22e3c
14 changed files with 31 additions and 15 deletions
--- a/detection/collection/high-disk-bytes-written.sql
+++ b/detection/collection/high-disk-bytes-written.sql
@ -139,3 +139,4 @@ WHERE
  AND p.path NOT LIKE '/System/Library/%'
  AND p.path NOT LIKE '/usr/local/kolide-k2/bin/osqueryd-updates/%/osqueryd'
  AND p.path NOT LIKE '/nix/store/%kolide-launcher-%/bin/launcher'
+  AND NOT cgroup_path LIKE '/system.slice/docker-%'
--- a/detection/evasion/empty_root_environ_linux.sql
+++ b/detection/evasion/empty_root_environ_linux.sql
@ -44,6 +44,7 @@ WHERE
    'nginx',
    'sshd',
    'ssh',
+    'sedispatch',
    'zypak-sandbox'
  )
  AND NOT (
--- a/detection/evasion/name_path_mismatch.sql
+++ b/detection/evasion/name_path_mismatch.sql
@ -65,6 +65,7 @@ WHERE
    'name=iptables,file=xtables-nft-mu,0',
    'name=Isolated,file=firefox,500',
    'name=Isolated,file=thunderbird,500',
+    'name=main,file=pyrogenesis,500',
    'name=MainThread,file=plugin-contain,500',
    'name=mount,file=ntfs-3g,0',
    'name=mysqld,file=mariadbd,500',
@ -76,6 +77,7 @@ WHERE
    'name=osqueryi,file=osqueryd,500',
    'name=phpstorm,file=dash,500',
    'name=pidof,file=killall5,0',
+    'name=pipewire-pulse,file=pipewire,125',
    'name=pipewire-pulse,file=pipewire,500',
    'name=Privileged,file=firefox,500',
    'name=RDD,file=firefox,500',
@ -85,7 +87,6 @@ WHERE
    'name=sh,file=busybox,0',
    'name=sh,file=dash,0',
    'name=sh,file=dash,500',
-    'name=pipewire-pulse,file=pipewire,125',
    'name=slic3r_main,file=prusa-slicer,500',
    'name=Socket,file=firefox,500',
    'name=streamdeck,file=python3,500',
--- a/detection/evasion/unexpected-tmp-executables.sql
+++ b/detection/evasion/unexpected-tmp-executables.sql
@ -92,7 +92,7 @@ WHERE
    AND (strftime('%s', 'now') - ctime) < 30
  ) -- macOS updates
  AND NOT file.directory LIKE '/tmp/msu-target-%' -- I don't know man. I don't work here.
-  AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS/'
+  AND NOT file.directory LIKE '/tmp/UpdateBrain-%/AssetData/com.apple.MobileSoftwareUpdate.UpdateBrainService.xpc/Contents/MacOS'
  -- terraform
  AND NOT (
    uid > 500
--- a/detection/execution/unexpected-execdir-macos.sql
+++ b/detection/execution/unexpected-execdir-macos.sql
@ -113,6 +113,7 @@ WHERE
    '~/code/',
    '~/Code/',
    '~/.config/',
+    '~/dev/',
    '~/git/',
    '~/go/',
    '~/google-cloud-sdk/',
@ -130,6 +131,7 @@ WHERE
    '~/.tflint.d/',
    '~/.vscode/',
    '~/.vs-kubernetes/'
+
  )
  -- Locally built executables
  AND NOT (
--- a/detection/execution/unexpected-fetcher-parent-events.sql
+++ b/detection/execution/unexpected-fetcher-parent-events.sql
@ -57,9 +57,11 @@ WHERE
  child_name IN ('curl', 'wget', 'ftp', 'tftp')
  AND pe.time > (strftime('%s', 'now') -900) -- Ignore partial table joins
  AND NOT exception_key IN (
-    'curl,500,fish,gnome-terminal-',
-    'curl,500,env,env',
    'curl,500,bash,zsh',
+    'curl,500,env,env',
+    'curl,500,fish,gnome-terminal-',
+    'curl,0,nm-dispatcher,',
+    'curl,500,ShellLauncher,login',
    'curl,500,zsh,login'
  )
  AND NOT (
--- a/detection/execution/unexpected-fetcher-parents.sql
+++ b/detection/execution/unexpected-fetcher-parents.sql
@ -40,9 +40,10 @@ WHERE
  -- NOTE: The remainder of this query is synced with unexpected-fetcher-parent-events
  child_name IN ('curl', 'wget', 'ftp', 'tftp') -- And not a regular local user
  AND NOT exception_key IN (
-    'curl,500,fish,gnome-terminal-',
-    'curl,500,env,env',
    'curl,500,bash,zsh',
+    'curl,500,env,env',
+    'curl,500,fish,gnome-terminal-',
+    'curl,500,ShellLauncher,login',
    'curl,500,zsh,login'
  )
  AND NOT (
--- a/detection/execution/unexpected-gatekeeper-approvals-macos.sql
+++ b/detection/execution/unexpected-gatekeeper-approvals-macos.sql
@ -32,5 +32,6 @@ WHERE
  AND gap.path NOT LIKE '/Users/%/scorecard-darwin-amd64'
  AND gap.path NOT LIKE '/Users/%/scorecard-darwin-amd64'
  AND gap.path NOT LIKE '/Users/%/configure'
+  AND gap.path NOT LIKE '/Users/%/trivy'
 GROUP BY
  gap.requirement
--- a/detection/execution/unexpected-osascript-calls.sql
+++ b/detection/execution/unexpected-osascript-calls.sql
@ -54,7 +54,7 @@ WHERE
    ',,osascript',
    ',,osascript openChrome.applescript https://localhost.ch'
  )
-  AND exception_key NOT LIKE 'install,Developer ID Application: Docker Inc (9BNSXJN65R),/usr/bin/osascript -e property exit_code: 0\x0Aproperty '
+  AND exception_key NOT LIKE 'install,Developer ID Application: Docker Inc (9BNSXJN65R),/usr/bin/osascript -e property exit_code%'
  AND cmd NOT IN ('osascript -e user locale of (get system info)')
  AND cmd NOT LIKE '/usr/bin/osascript /Users/%/Library/Caches/com.runningwithcrayons.Alfred/Workflow Scripts/%'
  -- We don't want to allow all of Python as an exception
--- a/detection/execution/unexpected-root-signer-macos.sql
+++ b/detection/execution/unexpected-root-signer-macos.sql
@ -43,6 +43,7 @@ WHERE
    'Developer ID Application: Dropbox, Inc. (G7HH3F8CAK)',
    'Developer ID Application: Foxit Corporation (8GN47HTP75)',
    'Developer ID Application: Fumihiko Takayama (G43BCU2T37)',
+    'Developer ID Application: Google LLC (EQHXZ8M8AV)',
    'Developer ID Application: Kolide Inc (YZ3EM74M78)',
    'Developer ID Application: Logitech Inc. (QED4VVPZWA)',
    'Developer ID Application: Mersive Technologies (63B5A5WDNG)',
--- a/detection/initial_access/unexpected-shell-parent-events.sql
+++ b/detection/initial_access/unexpected-shell-parent-events.sql
@ -40,7 +40,7 @@ FROM
  LEFT JOIN processes gp ON gp.pid = pp.parent
  LEFT JOIN process_events gpe ON ppe.parent = gpe.pid
 WHERE
-  child_name IN ('sh', 'fish', 'zsh', 'bash', 'dash', 'osascript')
+  child_name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
  AND pe.time > (strftime('%s', 'now') -300) -- Ignore partial table joins
  AND NOT (
    parent_name IN (
@ -57,27 +57,27 @@ WHERE
      'conmon',
      'containerd-shim',
      'dash',
-      'docker-credential-desktop',
      'demoit',
      'direnv',
      'doas',
+      'docker-credential-desktop',
+      'env',
      'erl_child_setup',
      'find',
      'FinderSyncExtension',
      'fish',
-      'go',
      'git',
+      'go',
      'goland',
      'helm',
      'i3bar',
      'i3blocks',
      'java',
      'kitty',
-      'login',
-      'env',
      'ko',
      'kubectl',
      'lightdm',
+      'login',
      'make',
      'monorail',
      'ninja',
@ -94,12 +94,13 @@ WHERE
      'sdk',
      'sdzoomplugin',
      'sh',
-      'snyk',
      'skhd',
+      'snyk',
      'sshd',
      'sudo',
      'swift',
      'systemd',
+      'systemd-sleep',
      'terminator',
      'test2json',
      'tmux',
@ -114,6 +115,7 @@ WHERE
      'yum',
      'zellij',
      'zsh'
+
    )
    OR parent_name LIKE 'terraform-provider-%'
    -- Do not add shells to this list if you want your query to detect
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@ -26,7 +26,7 @@ FROM
  LEFT JOIN processes pp ON pp.pid = p.parent
  LEFT JOIN hash ON pp.path = hash.path
 WHERE
-  p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash', 'osascript')
+  p.name IN ('sh', 'fish', 'zsh', 'bash', 'dash')
  -- Ignore partial table joins
  AND parent_path != ''
  -- Editors & terminals mostly.
@ -100,6 +100,7 @@ WHERE
  )
  AND parent_path NOT IN (
    '/Applications/Docker.app/Contents/MacOS/Docker',
+    '/Applications/Docker.app/Contents/MacOS/install',
    '/Applications/Docker.app/Contents/Resources/bin/docker-credential-desktop',
    '/bin/dash',
    '/bin/sh',
--- a/detection/persistence/unexpected-active-systemd-units.sql
+++ b/detection/persistence/unexpected-active-systemd-units.sql
@ -145,6 +145,7 @@ WHERE
        'iio-sensor-proxy.service,IIO Sensor Proxy service,,400',
        'import-state.service,Import network configuration from initramfs,,400',
        'integritysetup.target,Local Integrity Protected Volumes,,400',
+        'irqbalance.service,irqbalance daemon,,400',
        'irqbalance.service,irqbalance daemon,,500',
        'iscsid.socket,Open-iSCSI iscsid Socket,,100',
        'iscsiuio.socket,Open-iSCSI iscsiuio Socket,,100',
@ -226,6 +227,7 @@ WHERE
        'packagekit.service,PackageKit Daemon,root,300',
        'paths.target,Path Units,,400',
        'pcscd.service,PC/SC Smart Card Daemon,,200',
+        'smartd.service,Self Monitoring and Reporting Technology (SMART) Daemon,,400',
        'pcscd.socket,PC/SC Smart Card Daemon Activation Socket,,100',
        'phpsessionclean.timer,Clean PHP session files every 30 mins,,100',
        'plocate-updatedb.service,Update the plocate database,,200',
@ -253,6 +255,7 @@ WHERE
        'rpc_pipefs.target,rpc_pipefs.target,,0',
        'rpc-statd-notify.service,Notify NFS peers of a restart,,300',
        'rsyslog.service,System Logging Service,,400',
+        'rsyslog.service,System Logging Service,,500',
        'rtkit-daemon.service,RealtimeKit Scheduling Policy Service,,1000',
        'setvtrgb.service,Set console scheme,,300',
        'shadow.service,Verify integrity of password and group files,,300',
--- a/detection/persistence/unexpected-launchd-program.sql
+++ b/detection/persistence/unexpected-launchd-program.sql
@ -43,6 +43,6 @@ WHERE
  AND NOT (
    l.path = '/Library/LaunchDaemons/com.docker.socket.plist'
    AND program_authority = 'Software Signing'
-    AND program_identifier = 'com.apple.ln'
+    AND program_identifier IN ('com.apple.ln', 'com.apple.link')
    AND program_arguments LIKE '/bin/ln -s -f /Users/%/run/docker.sock /var/run/docker.sock'
  )