From 066d8aec1dcf4c95a2919830991726a705541bd5 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Sat, 29 Oct 2022 14:11:33 -0400
Subject: [PATCH] Add exceptions for zellij & warp

---
 detection/c2/unexpected-talkers-macos.sql | 7 ++++---
 detection/initial_access/unexpected-shell-parents.sql | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql
index 4421de8..ae64441 100644
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@@ -130,7 +130,6 @@ WHERE
  '22,6,500,ssh,,',
  '22,6,500,ssh,com.apple.openssh,Software Signing',
  '22,6,500,ssh,com.apple.ssh,Software Signing',
- '443,6,500,release-notes,a.out,',
  '22,6,500,ssh,ssh,',
  '22,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
  '30004,6,500,java,net.java.openjdk.java,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
@@ -174,6 +173,7 @@ WHERE
  '443,6,500,docker-credential-gcr,a.out,',
  '443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
  '443,6,500,emacs-28.2,emacs-28.2,',
+ '443,6,500,Evernote Helper,,',
  '443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing',
  '443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)',
  '443,6,500,FlyDelta,com.delta.iphone.ver1,Apple iPhone OS Application Signing',
@@ -208,6 +208,7 @@ WHERE
  '443,6,500,ngrok,darwin_amd64,Developer ID Application: ngrok LLC (TEX8MHRDQ9)',
  '443,6,500,nix,nix,',
  '443,6,500,node,node,Developer ID Application: Node.js Foundation (HX7739G8FX)',
+ '443,6,500,old,dev.warp.Warp-Stable,Developer ID Application: Denver Technologies, Inc (2BBY89MBSN)',
  '443,6,500,OneDriveStandaloneUpdater,com.microsoft.OneDriveStandaloneUpdater,Developer ID Application: Microsoft Corporation (UBF8T346G9)',
  '443,6,500,prober,a.out,',
  '443,6,500,provisio,,',
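Review bot: The new Warp entry in the `@@ -208` hunk allow-lists a process literally named `old`, which tells a future maintainer nothing about why such a process should be expected on 443; it is presumably the previous binary left running across a Warp self-update, but that is an inference from the bundle id, not something the hunk shows. A trailing comment on the added line would preserve the reasoning, e.g. `-- Warp: process appears as 'old' around self-update (confirm)`. The entry is at least pinned to the `dev.warp.Warp-Stable` bundle id and the Denver Technologies Developer ID, so it is considerably tighter than name-only neighbours such as `'443,6,500,provisio,,'`. The enclosing NOT IN list and its WHERE clause begin and end outside the hunk.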
@@ -220,6 +221,7 @@ WHERE
  '443,6,500,Python,Python,',
  '443,6,500,Reflect,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
  '443,6,500,Reflect Helper,app.reflect.ReflectDesktop,Developer ID Application: Reflect App, LLC (789ULN5MZB)',
+ '443,6,500,release-notes,a.out,',
  '443,6,500,sample,com.apple.dt.SamplingTools.sample,Software Signing',
  '443,6,500,scorecard-darwin-amd64,,',
  '443,6,500,Slack Helper,,',
@@ -232,14 +234,13 @@ WHERE
  '443,6,500,syft,syft,Developer ID Application: ANCHORE, INC. (9MJHKYX5AT)',
  '443,6,500,terraform-ls,terraform-ls,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
  '443,6,500,terraform,terraform,Developer ID Application: Hashicorp, Inc. (D38WU7D763)',
+ '443,6,500,trivy,a.out,',
  '443,6,500,vegeta,a.out,',
  '443,6,500,vim,vim,',
  '443,6,500,zoom.us,us.zoom.xos,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
  '443,6,500,zsh,com.apple.zsh,Software Signing',
  '53,17,500,docker-credential-gcr,a.out,',
  '53,17,500,trivy,,',
- '443,6,500,Evernote Helper,,',
- '443,6,500,trivy,a.out,',
  '6000,6,500,ssh,,',
  '6000,6,500,ssh,com.apple.openssh,Software Signing',
  '6000,6,500,ssh,ssh-55554944fbf65684ab9b37c2bad3a27ef78b23f4,',
diff --git a/detection/initial_access/unexpected-shell-parents.sql b/detection/initial_access/unexpected-shell-parents.sql
index 1aaa9fa..eff33b6 100644
--- a/detection/initial_access/unexpected-shell-parents.sql
+++ b/detection/initial_access/unexpected-shell-parents.sql
@@ -85,6 +85,7 @@ WHERE
  'xcrun',
  'xfce4-terminal',
  'yum',
+ 'zellij',
  'zsh'
 )
 AND parent_path NOT IN (
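Review bot: `zellij` is added to a list that excuses shell parents by bare process name, so the exception applies to any parent reporting that name regardless of where it runs from; the `parent_path NOT IN (` clause that follows suggests the rule also supports path-based exceptions, which would be a tighter fit if zellij's install location is predictable (not visible here). If the name-only form is deliberate, a trailing comment such as `-- zellij terminal multiplexer (name-only: install path varies)` would record the choice for the next reviewer. The surrounding WHERE clause and both NOT IN lists extend outside the hunk.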