Merge pull request #418 from egibs/20241031-exceptions

More exceptions to cut down on alert noise

detection/c2/unexpected-dns-traffic-events.sql

@@ -76,38 +76,40 @@ WHERE
 
   -- Exceptions that specifically talk to one server
   AND exception_key NOT IN (
-    'AssetCacheLocatorService,0.0.0.0,53',
-    'CapCut,8.8.8.8,53',
-    'EpicWebHelper,8.8.4.4,53',
-    'EpicWebHelper,8.8.8.8,53',
-    'Meeting Center,8.8.8.8,53',
-    'ServiceExtension,8.8.8.8,53',
-    'Signal Helper (Renderer),8.8.8.8,53',
-    'Socket Process,8.8.8.8,53',
-    'Telegram,8.8.8.8,53',
-    'WebexHelper,8.8.8.8,53',
-    'WhatsApp,1.1.1.1,53',
-    'ZaloCall,8.8.8.8,53',
-    'ZoomPhone,200.48.225.130,53',
-    'ZoomPhone,8.8.8.8,53',
     'adguard_dns,1.0.0.1,53',
+    'AssetCacheLocatorService,0.0.0.0,53',
     'brave,8.8.8.8,53',
+    'CapCut,8.8.8.8,53',
     'cg,108.177.98.95,53',
+    'ChatGPT,8.8.8.8,53',
     'com.docker.backend,8.8.8.8,53',
     'com.docker.vpnkit,8.8.8.8,53',
     'coredns,0.0.0.0,53',
     'coredns,8.8.8.8,53',
     'distnoted,8.8.8.8,53',
+    'EpicWebHelper,8.8.4.4,53',
+    'EpicWebHelper,8.8.8.8,53',
     'gvproxy,170.247.170.2,53',
     'helm,185.199.108.133,53',
     'limactl,8.8.8.8,53',
+    'Meeting Center,8.8.8.8,53',
     'msedge,8.8.8.8,53',
     'nuclei,1.0.0.1,53',
     'plugin-container,8.8.8.8,53',
+    'ServiceExtension,8.8.8.8,53',
+    'Signal Helper (Renderer),8.8.8.8,53',
     'signal-desktop,8.8.8.8,53',
     'slack,8.8.8.8,53',
+    'Socket Process,8.8.8.8,53',
     'syncthing,46.162.192.181,53',
-    'zed,8.8.8.8,53'
+    'Telegram,8.8.8.8,53',
+    'WebexHelper,8.8.8.8,53',
+    'WhatsApp,1.1.1.1,53',
+    'ZaloCall,8.8.8.8,53',
+    'zed,8.8.8.8,53',
+    'ZoomPhone,200.48.225.130,53',
+    'ZoomPhone,200.48.225.146,53',
+    'ZoomPhone,8.8.8.8,53'
   )
   -- Local DNS servers and custom clients go here
   AND basename NOT IN (

detection/c2/unexpected-talkers-linux.sql

@@ -188,6 +188,7 @@ WHERE protocol > 0
     '8080,6,500,brave,0u,0g,brave',
     '8080,6,500,chrome,0u,0g,chrome',
     '8080,6,500,firefox,0u,0g,firefox',
+    '8080,6,500,idea,0u,0g,idea',
     '8080,6,500,python3.11,0u,0g,speedtest-cli',
     '8080,6,500,speedtest,500u,500g,speedtest',
     '8443,6,500,chrome,0u,0g,chrome',

detection/c2/unexpected-talkers-macos.sql

@@ -104,6 +104,7 @@ WHERE pos.pid IN (
   )
   AND NOT (
     unsigned_exception IN (
+      '500,6,0,gvproxy,gvproxy',
       '500,6,32768,gvproxy,gvproxy',
       '500,17,123,gvproxy,gvproxy'
     )
@@ -115,4 +116,10 @@ WHERE pos.pid IN (
     AND remote_port = 0
     AND protocol = 0
   )
+  AND NOT (
+    unsigned_exception = '500,0,0,.Telegram-wrapped,.Telegram-wrapped'
+    AND p0.path LIKE '/nix/store/%-telegram-desktop-%'
+    AND remote_port = 0
+    AND protocol = 0
+  )
 GROUP BY p0.cmdline

detection/evasion/hidden-executable.sql

@@ -115,6 +115,7 @@ WHERE (
   AND NOT f.directory LIKE '/Applications/Corsair iCUE5 Software/.cuepkg-%'
   AND NOT f.directory LIKE '%/Applications/PSI Bridge Secure Browser.app/Contents/Resources/.apps/darwin/%'
   AND NOT f.directory LIKE '/var/home/linuxbrew/.linuxbrew/Cellar/%'
+  AND NOT f.directory LIKE '/Volumes/com.getdropbox.dropbox-%'
   AND NOT f.path LIKE '/nix/store/%/%-wrapped'
   AND NOT (
     f.path LIKE '/nix/store/%'
@@ -124,4 +125,5 @@ WHERE (
   AND NOT homedir LIKE '~/.local/share/AppImage/ZenBrowser.AppImage'
   AND NOT homedir LIKE '~/Library/Application Support/Code/User/globalStorage/ms-dotnettools.vscode-dotnet-runtime/.dotnet/%'
   AND NOT homedir LIKE '%/.Trash/1Password %.app/Contents/Library/LoginItems/1Password Extension Helper.app/Contents/MacOS'
+  AND NOT homedir LIKE '%/.Trash/Logi Options.app/Contents/Support/LogiMgrDaemon.app/Contents/MacOS'
 GROUP BY f.path

detection/evasion/unexpected-hidden-system-paths.sql

@@ -218,6 +218,7 @@ WHERE
   AND file.path NOT LIKE '%/.build-id/'
   AND file.path NOT LIKE '%/.dwz/'
   AND file.path NOT LIKE '%/.updated'
+  AND file.path NOT LIKE '/tmp/.dropbox-dist-%'
   AND file.filename NOT LIKE '.%.swo'
   AND file.filename NOT LIKE '.%.swp'
   AND file.path NOT LIKE '%/google-cloud-sdk/.install/'

detection/execution/unexpected-long-running-security-framework-macos.sql

@@ -97,4 +97,5 @@ WHERE -- Focus on longer-running programs
   AND NOT exception_key LIKE '500,___Test%.test,a.out'
   AND NOT exception_key LIKE '500,nvim,bob-%,'
   AND NOT exception_key LIKE '500,sm-agent,sm_agent-%'
+  AND NOT exception_key LIKE '500,___2go_build_main_go,a.out,'
 GROUP BY p0.pid

detection/initial_access/unexpected-diskimage-source-macos.sql

@@ -235,6 +235,7 @@ WHERE
     'superhuman.com',
     'tableplus.com',
     'textexpander.com',
+    'tosmediaserver.schwab.com',
     'transmissionbt.com',
     'ubuntu.com',
     'ultimaker.com',

detection/persistence/unexpected-chrome-extensions.sql

@@ -157,6 +157,7 @@ WHERE state = 1
     'true,,Endpoint Verification,callobklhcbilhphinckomhgkigmfocg',
     'true,,Eno® from Capital One®,clmkdohmabikagpnhjmgacbclihgmdje',
     'true,,Espruino Web IDE,bleoifhkdalbjfbobjackfdifdneehpo',
+    'true,,Evaboot,edccjhikjlfoakbbijgomgnoflcjgfjh',
     'true,,Event Merge for Google Calendar™,idehaflielbgpaokehlhidbjlehlfcep',
     'true,Evernote,Evernote Web Clipper,pioclpoplcdbaefihamjohnefbikjilc',
     'true,ExpressVPN,ExpressVPN: VPN proxy for a better internet,fgddmllnllkalaagkghckoinaemmogpe',
@@ -381,4 +382,4 @@ WHERE state = 1
     )
     AND chrome_extensions.path LIKE '%/Microsoft Edge/%'
   )
-GROUP BY exception_key
+GROUP BY exception_key

detection/persistence/unexpected-uid0-daemon-linux.sql

@@ -211,6 +211,7 @@ WHERE
     'lxcfs,/usr/bin/lxcfs,0,system.slice,lxcfs.service,0755',
     'lxc-monitord,/usr/libexec/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
     'lxc-monitord,/usr/lib/x86_64-linux-gnu/lxc/lxc-monitord,0,system.slice,lxc-monitord.service,0755',
+    'make,/usr/bin/make,0,user.slice,user-1000.slice,0755',
     'mbim-proxy,/usr/libexec/mbim-proxy,0,system.slice,ModemManager.service,0755',
     'mcelog,/usr/sbin/mcelog,0,system.slice,mcelog.service,0755',
     'ModemManager,/usr/sbin/ModemManager,0,system.slice,ModemManager.service,0755',