false positive reduction: apt, auditd, dockerd, etc.

2024-11-07 10:00:40 -05:00 · 2024-11-07 10:00:40 -05:00 · 335aca58b7
parent 12019d4ae1
commit 335aca58b7
5 changed files with 10 additions and 0 deletions
--- a/detection/c2/unexpected-dns-traffic-events.sql
+++ b/detection/c2/unexpected-dns-traffic-events.sql
@ -87,6 +87,7 @@ WHERE
    'coredns,0.0.0.0,53',
    'coredns,8.8.8.8,53',
    'distnoted,8.8.8.8,53',
+    'dockerd,162.159.140.238,53',
    'EpicWebHelper,8.8.4.4,53',
    'EpicWebHelper,8.8.8.8,53',
    'gvproxy,170.247.170.2,53',
--- a/detection/c2/unexpected-talkers-macos.sql
+++ b/detection/c2/unexpected-talkers-macos.sql
@ -95,6 +95,7 @@ WHERE pos.pid IN (
    '500,Developer ID Application: Zoom Video Communications, Inc. (BJ4HAAB9B3)',
    '500,Developer ID Application: Cisco (DE8Y96K9QP)',
    '500,Developer ID Application: Google LLC (EQHXZ8M8AV)',
+    '500,Developer ID Application: Sky UK Limited (GJ24C8864F)',
    '500,Developer ID Application: Valve Corporation (MXGJJ98X76)',
    '500,Developer ID Application: The Browser Company of New York Inc. (S6N382Y83G)'
  )
--- a/detection/evasion/unexpected-hidden-system-paths.sql
+++ b/detection/evasion/unexpected-hidden-system-paths.sql
@ -64,6 +64,7 @@ WHERE
    '/dev/.mdadm/',
    '/.equarantine/',
    '/etc/.bootcount',
+    '/dev/.blkid.tab',
    '/etc/.clean',
    '/etc/.java/',
    '/etc/.resolv.conf.systemd-resolved.bak',
--- a/detection/persistence/unexpected-device-linux.sql
+++ b/detection/persistence/unexpected-device-linux.sql
@ -143,6 +143,7 @@ WHERE (
    '/dev/kmsg,character',
    '/dev/kvm,character',
    '/dev/libmtp--.,character',
+    '/dev/libmtp--,character',
    '/dev/log,socket',
    '/dev/loop,block',
    '/dev/loop-control,character',
--- a/detection/persistence/unexpected-uid0-daemon-linux.sql
+++ b/detection/persistence/unexpected-uid0-daemon-linux.sql
@ -92,11 +92,13 @@ WHERE
    'anacron,/usr/sbin/anacron,0,system.slice,crond.service,0755',
    'apache2,/usr/sbin/apache2,0,system.slice,apache2.service,0755',
    'apcupsd,/usr/bin/apcupsd,0,system.slice,apcupsd.service,0755',
+    'apt,/usr/bin/apt,0,user.slice,user-1000.slice,0755',
    'atd,/usr/sbin/atd,0,system.slice,atd.service,0755',
    'atopacctd,/usr/sbin/atopacctd,0,system.slice,atopacct.service,0755',
    'atop,/usr/bin/atop,0,system.slice,atop.service,0755',
    'auditd,/usr/bin/auditd,0,system.slice,auditd.service,0755',
    'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0755',
+    'auditd,/usr/sbin/auditd,0,system.slice,auditd.service,0750',
    'bash,/usr/bin/bash,0,user.slice,user-1000.slice,0755',
    'blueman-mechanism.service,Bluetooth management mechanism,,200',
    'blueman-mechani,/usr/bin/python3.10,0,system.slice,blueman-mechanism.service,0755',
@ -134,6 +136,7 @@ WHERE
    'doas,/usr/bin/doas,1000,user.slice,user-1000.slice,4755',
    'dockerd,/nix/store/__VERSION__/libexec/docker/dockerd,0,system.slice,docker.service,0555',
    'dockerd,/usr/bin/dockerd,0,system.slice,docker.service,0755',
+    'dockerd,/usr/sbin/dockerd,0,system.slice,docker.service,0755',
    'docker-proxy,/usr/bin/docker-proxy,0,system.slice,docker.service,0755',
    'docker-proxy,/usr/libexec/docker/docker-proxy,0,system.slice,docker.service,0755',
    'docker,/usr/bin/docker,0,user.slice,user-1000.slice,0755',
@ -292,6 +295,7 @@ WHERE
    'sudo,/usr/bin/sudo,1000,user.slice,user-1000.slice,4755',
    'supergfxd,/usr/bin/supergfxd,0,system.slice,supergfxd.service,0755',
    'su,/usr/bin/su,0,user.slice,user-1000.slice,4755',
+    'su,/usr/bin/su,1000,user.slice,user-0.slice,4755',
    'switcheroo-cont,/usr/libexec/switcheroo-control,0,system.slice,switcheroo-control.service,0755',
    'systemd-coredum,/nix/store/__VERSION__/lib/systemd/systemd-coredump,0,,,0555',
    'systemd-homed,/usr/lib/systemd/systemd-homed,0,system.slice,systemd-homed.service,0755',
@ -302,6 +306,7 @@ WHERE
    'systemd-logind,/nix/store/__VERSION__/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0555',
    'systemd-logind,/usr/lib/systemd/systemd-logind,0,system.slice,systemd-logind.service,0755',
    'systemd-machine,/usr/lib/systemd/systemd-machined,0,system.slice,systemd-machined.service,0755',
+    'systemd-nsresou,/usr/lib/systemd/systemd-nsresourcework,0,system.slice,systemd-nsresourced.service,0755',
    'systemd-sleep,/usr/lib/systemd/systemd-sleep,0,system.slice,systemd-suspend.service,0755',
    'systemd-udevd,/nix/store/__VERSION__/bin/udevadm,0,system.slice,systemd-udevd.service,0555',
    'systemd-udevd,/usr/bin/udevadm,0,system.slice,systemd-udevd.service,0755',
@ -330,6 +335,7 @@ WHERE
    'velociraptor_cl,/usr/local/bin/velociraptor,0,system.slice,velociraptor_client.service,0700',
    'virtiofsd,/opt/incus/bin/virtiofsd,0,system.slice,incus.service,0755',
    'virtlogd,/usr/bin/virtlogd,0,system.slice,virtlogd.service,0755',
+    'whiptail,/usr/bin/whiptail,0,user.slice,user-1000.slice,0755',
    'wpa_supplicant,/usr/bin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
    'wpa_supplicant,/usr/sbin/wpa_supplicant,0,system.slice,wpa_supplicant.service,0755',
    'xdg-desktop-por,/usr/libexec/xdg-desktop-portal,0,user.slice,user-1000.slice,0755',