diff --git a/detection/c2/unexpected-https-client-linux.sql b/detection/c2/unexpected-https-client-linux.sql index a1404d6..e24b3ad 100644 --- a/detection/c2/unexpected-https-client-linux.sql +++ b/detection/c2/unexpected-https-client-linux.sql @@ -60,9 +60,16 @@ WHERE AND s.remote_address NOT LIKE 'fc00:%' AND p.path != '' AND NOT exception_key IN ( + '0,/usr/flatpak-system-helper,0u,0g,flatpak-system-', -- fedoraproject.org '0,/usr/launcher,0u,0g,launcher', + '0,/usr/dockerd,0u,0g,dockerd', + '0,/usr/packagekitd,0u,0g,packagekitd', + '0,/usr/packagekitd,0u,0g,packagekitd', -- Google + '0,/usr/tailscaled,0u,0g,tailscaled', '0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra', '500,/app/slack,u,g,slack', + '500,/home/chainctl,500u,500g,chainctl', + '500,/ko-app/chainctl,u,g,chainctl', '500,/ko-app/controlplane,u,g,controlplane', '500,/opt/chrome,0u,0g,chrome', '500,/opt/spotify,0u,0g,spotify', @@ -70,10 +77,14 @@ WHERE '500,/usr/code,0u,0g,code', '500,/usr/firefox,0u,0g,firefox', '500,/usr/firefox,0u,0g,.firefox-wrappe', + '500,/usr/flatpak-oci-authenticator,0u,0g,flatpak-oci-aut', -- fedoraproject.org '500,/usr/geoclue,0u,0g,geoclue', '500,/usr/gnome-software,0u,0g,gnome-software', + '500,/usr/kubectl,500u,500g,kubectl', '500,/usr/slack,0u,0g,slack', + '500,/app/zoom.real,u,g,zoom.real', '500,/usr/syncthing,0u,0g,syncthing' + ) GROUP BY p.cmdline diff --git a/detection/c2/unexpected-talkers-linux.sql b/detection/c2/unexpected-talkers-linux.sql index d486678..3820475 100644 --- a/detection/c2/unexpected-talkers-linux.sql +++ b/detection/c2/unexpected-talkers-linux.sql @@ -86,10 +86,12 @@ WHERE '5228,6,500,/opt/chrome,0u,0g,chrome', '8000,6,500,/opt/chrome,0u,0g,chrome', '8000,6,500,/usr/firefox,0u,0g,firefox', + '80,6,0,/usr/NetworkManager,0u,0g,NetworkManager', -- fedoraproject.org '80,6,0,/usr/tailscaled,0u,0g,tailscaled', '80,6,0,/usr/.tailscaled-wrapped,0u,0g,.tailscaled-wra', '80,6,500,/opt/chrome,0u,0g,chrome', '80,6,500,/usr/firefox,0u,0g,firefox', + '5228,6,500,/usr/chrome,0u,0g,chrome', -- Android Market/GCM '8080,6,500,/opt/chrome,0u,0g,chrome', '8080,6,500,/usr/firefox,0u,0g,firefox', '8443,6,500,/opt/chrome,0u,0g,chrome', diff --git a/detection/c2/unexpected-talkers-macos.sql b/detection/c2/unexpected-talkers-macos.sql index 90ed4ef..5339a21 100644 --- a/detection/c2/unexpected-talkers-macos.sql +++ b/detection/c2/unexpected-talkers-macos.sql @@ -162,8 +162,10 @@ WHERE '443,6,500,cosign,a.out,', '443,6,500,cosign,cosign,', '443,6,500,crane,,', + '443,6,500,GitHub.UI,GitHub,Developer ID Application: Microsoft Corporation (UBF8T346G9)', '443,6,500,crane,a.out,', '443,6,500,ctclient,a.out,', + '53,17,500,trivy,,', '443,6,500,curl,com.apple.curl,Software Signing', '443,6,500,docker-credential-gcr,a.out,', '443,6,500,Electron,com.microsoft.VSCode,Developer ID Application: Microsoft Corporation (UBF8T346G9)', @@ -171,6 +173,7 @@ WHERE '443,6,500,Evernote Helper,com.evernote.Evernote.helper,Apple Mac OS Application Signing', '443,6,500,figma_agent,com.figma.agent,Developer ID Application: Figma, Inc. (T8RA8NE3B7)', '443,6,500,gh,a.out,', + '443,6,500,git-remote-http,,', '443,6,500,gh,gh,', '443,6,500,git,com.apple.git,Software Signing', '443,6,500,git,git,',