From 1d7a67da0f7d9d4920f14a22a3ca31a21e43a50a Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 30 Oct 2024 13:06:38 -0500
Subject: [PATCH] Add cg to unexpected-dns-traffic-events, add ubuntu-advantage
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 .../c2/unexpected-dns-traffic-events.sql | 53 ++++++++++---------
 .../unexpected-uid0-daemon-linux.sql | 1 +
 2 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/detection/c2/unexpected-dns-traffic-events.sql b/detection/c2/unexpected-dns-traffic-events.sql
index 3a83f32..213523e 100644
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@@ -76,37 +76,38 @@ WHERE
 -- Exceptions that specifically talk to one server
 AND exception_key NOT IN (
- 'coredns,0.0.0.0,53',
- 'syncthing,46.162.192.181,53',
- 'Socket Process,8.8.8.8,53',
- 'com.docker.backend,8.8.8.8,53',
- 'ZoomPhone,8.8.8.8,53',
- 'ZoomPhone,200.48.225.130,53',
- 'gvproxy,170.247.170.2,53',
+ 'AssetCacheLocatorService,0.0.0.0,53',
 'CapCut,8.8.8.8,53',
- 'ZaloCall,8.8.8.8,53',
- 'Telegram,8.8.8.8,53',
- 'com.docker.vpnkit,8.8.8.8,53',
- 'WebexHelper,8.8.8.8,53',
- 'Meeting Center,8.8.8.8,53',
- 'ServiceExtension,8.8.8.8,53',
- 'nuclei,1.0.0.1,53',
- 'distnoted,8.8.8.8,53',
- 'limactl,8.8.8.8,53',
- 'msedge,8.8.8.8,53',
- 'brave,8.8.8.8,53',
- 'adguard_dns,1.0.0.1,53',
- 'helm,185.199.108.133,53',
- 'coredns,8.8.8.8,53',
- 'signal-desktop,8.8.8.8,53',
- 'slack,8.8.8.8,53',
- 'zed,8.8.8.8,53',
 'EpicWebHelper,8.8.4.4,53',
 'EpicWebHelper,8.8.8.8,53',
+ 'Meeting Center,8.8.8.8,53',
+ 'ServiceExtension,8.8.8.8,53',
 'Signal Helper (Renderer),8.8.8.8,53',
- 'plugin-container,8.8.8.8,53',
+ 'Socket Process,8.8.8.8,53',
+ 'Telegram,8.8.8.8,53',
+ 'WebexHelper,8.8.8.8,53',
 'WhatsApp,1.1.1.1,53',
- 'AssetCacheLocatorService,0.0.0.0,53'
+ 'ZaloCall,8.8.8.8,53',
+ 'ZoomPhone,200.48.225.130,53',
+ 'ZoomPhone,8.8.8.8,53',
+ 'adguard_dns,1.0.0.1,53',
+ 'brave,8.8.8.8,53',
+ 'cg,108.177.98.95,53',
+ 'com.docker.backend,8.8.8.8,53',
+ 'com.docker.vpnkit,8.8.8.8,53',
+ 'coredns,0.0.0.0,53',
+ 'coredns,8.8.8.8,53',
+ 'distnoted,8.8.8.8,53',
+ 'gvproxy,170.247.170.2,53',
+ 'helm,185.199.108.133,53',
+ 'limactl,8.8.8.8,53',
+ 'msedge,8.8.8.8,53',
+ 'nuclei,1.0.0.1,53',
+ 'plugin-container,8.8.8.8,53',
+ 'signal-desktop,8.8.8.8,53',
+ 'slack,8.8.8.8,53',
+ 'syncthing,46.162.192.181,53',
+ 'zed,8.8.8.8,53'
 )
 -- Local DNS servers and custom clients go here
 AND basename NOT IN (
diff --git a/detection/persistence/unexpected-uid0-daemon-linux.sql b/detection/persistence/unexpected-uid0-daemon-linux.sql
index 7401ab1..9d5c80a 100644
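Review bot: The new `'cg,108.177.98.95,53'` entry carries no comment saying what `cg` is or why it resolves against that specific host rather than a public resolver, and a two-character process name is loose enough that an unrelated binary could match the same key by accident; a line such as `-- cg: <program name>, resolver owned by <owner> (TODO: fill in)` directly above the entry would document the exception the way the surrounding `--` comments document the other sections. The commit message only says "Add cg". Everything else in the hunk is a re-sort of the existing list into ASCII order (uppercase before lowercase); if that ordering is meant to be kept, a `-- keep sorted` comment at the top of the list would make the intent explicit for the next addition. The construction of `exception_key` and the enclosing query start and end outside the hunk.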
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@@ -313,6 +313,7 @@ WHERE
 'tcpdump,/usr/bin/tcpdump,0,user.slice,user-1000.slice,0755',
 'thermald,/usr/sbin/thermald,0,system.slice,thermald.service,0755',
 'tuned,/usr/bin/python3.12,0,system.slice,tuned.service,0755',
+ 'ubuntu-advantag,/usr/libexec/ubuntu-advantage-desktop-daemon,0,system.slice,ubuntu-advantage-desktop-daemon.service,0755',
 'udisksd,/nix/store/__VERSION__/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0555',
 'udisksd,/usr/libexec/udisks2/udisksd,0,system.slice,udisks2.service,0755',
 'udisksd,/usr/lib/udisks2/udisksd,0,system.slice,udisks2.service,0755',
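Review bot: The added `'ubuntu-advantag,...'` entry keys on a process name that is visibly cut to 15 characters, presumably the kernel's comm-length limit as surfaced by the process table, but nothing in the file says so, and a later edit could "correct" it to `ubuntu-advantage` and silently re-open the alert; a comment such as `-- name is truncated to 15 chars by the kernel (comm), not a typo` above the entry would prevent that. The rest of the key (full path, uid 0, `system.slice`, unit name, mode 0755) pins the exception tightly, consistent with the neighbouring entries. The list and the enclosing query begin and end outside the hunk.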